Recommended
Recommended
More Related Content
What's hot
What's hot (9)
Similar to Spy vs SPI: Hacking the Stratus ADS-B Transponder
Similar to Spy vs SPI: Hacking the Stratus ADS-B Transponder (20)
More from Mayank Dhiman
More from Mayank Dhiman (9)
Recently uploaded
Recently uploaded (20)
Spy vs SPI: Hacking the Stratus ADS-B Transponder
- 1. Spy vs. SPI Hacking the Stratus ADS-B Transponder Mayank Dhiman Brown Farinholt Edward Sullivan March 13, 2014
- 2. Old school technology: Real-time Air Traffic Surveillance ● Radar-based ● Since the 1970s ● Provides location information ● Many disadvantages ○ Not very accurate for the altitude ○ Airplanes have to send their altitude to the ATC ○ Not real-time, sends information after a delay ○ Pilots don’t get much benefit e.g., which planes are nearby
- 3. ADS-B Augments Pilot’s view of nearby traffic
- 4. The Future: ADS-B ADS-B = Automatic Dependent Surveillance-Broadcast ADS-B Out: Your plane broadcasts its GPS coordinates (determined with a GPS device) to ground stations and other planes ADS-B In: Your plane receives broadcasted messages from other planes (about their locations) and from ADS-B towers (about weather, etc.) 1090 MHz
- 5. The Stratus and the Foreflight App GPS Satellite Broadcast ADS-B Towers Other ADS-B Equipped Planes ADS-BBroadcasts: iPad joins the unprotected wifi network created by the Stratus Your plane Stratus sits on dashboard of your plane Foreflight app on iPad displays cool interface for GPS, weather, maps, and locations of nearby planesLocationinfo Weatherinfo,otherplanes
- 6. How ADS-B packets are sent ● Plain-text ● No time-stamp ● Error-code “protected” ● Broadcast ● Contain “trivial” information like altitude, precise location and unique identifier of the airplane
- 7. Which means... ● No message authentication ● No message secrecy ● No message integrity ● Basically, anybody with a device which can talk ADS-B OUT can pose as any airplane
- 9. The Good ● Almost anybody can track airplanes in real-time via ADS-B IN ● Community efforts already underway e.g. www.flightradar24.com
- 12. The Ugly ● Trivial to make the MH370 plane reappear ● Attacker needs a device which can talk at the 1090 MHz frequency ● Attacker knows ADS-B packet format ● Attacker knows the airplane unique ID ● Attacker is located at a little bit above the ground level ● Can start broadcasting ADS-B OUT packets
- 13. ADS-B is literally the WORST!
- 15. The Firmware Update Process 2. iPad joins the unprotected wifi network created by the Stratus 1. Stratus sets up an unprotected wifi network 5. Foreflight App fetches a firmware update for the Stratus (usually via satellite link). 3. Foreflight App asks the Stratus about it’s current version 4. Stratus replies back with current version number 6. Foreflight App pushes the firmware update
- 17. Potential Attacks ● Our focus: - Replace legitimate firmware with malicious firmware ● Other attacks: - Spoof GPS data to Stratus traffic - Spoof ADS-B IN to Stratus traffic - Spoof Stratus to iPad traffic - Fuzzing the ADS-B device with bad GPS/ADS-B IN data - Physical Attacks (Swap iPad/Stratus) - Jamming/DoS (Throw noise at Stratus at 1090 MHz) - Bricking the device (Send bad data as part of firmware update process)
- 18. Threat Model (for Firmware Attacks) ● Attacker has reverse engineered the firmware update process ● Attacker is able to construct a malicious firmware ● Attacker is within the wifi-range of the Stratus to push a firmware update
- 19. Proposed Malicious Firmware ● Gets activated after a certain amount of time ● Sends out bad/in-correct GPS location and altitude to nearby planes via ADS-B OUT ● Shows in-correct locations and altitudes of nearby planes to the pilot via ADS-B IN ● End Goal: Cause Mid-Air Collision
- 20. Initial Firmware Analysis - Ripped from the Foreflight app (iPad) - Two chunks of data, packaged (encrypted..?) - Where might it be unpackaged?
- 21. Flash Dump: Active Reading - Micron Serial NOR Flash Memory - ARM and Flash speak SPI
- 22. SPI (Serial Peripheral Interface) - Simple data transfer protocol - Master (ARM) and slave (Flash) Chip Select MISO Clock MOSI
- 23. Bus Pirate - data protocol interpreter (can speak SPI) - replace ARM with Bus Pirate - READ commands
- 24. Issues with Active Reading - Resetting the ARM entirely disables board - Providing external power to Flash - Desoldering Flash from Stratus
- 25. Flash Dump v2: Passive Sniffing - Remember the firmware update? Firmware
- 26. Tools of the Trade Tektronix Oscope vs. Saleae Logic Analyzer
- 27. Triggering an Update ● All about firmware version number ● Version number difference triggers update ● Spoof lower version number packet to app
- 28. Captured Data ● Both machines return CSV, row per sample ● Tektronics = voltage at sample time ● Saleae = high or low at sample time
- 29. Let’s write some Parsers
- 30. Toolchain
- 31. Analyzing the Binaries ● Captured two binaries: boot-up and update ● Boot-up: - FPGA image - Possibly containing ARM instructions
- 32. Analyzing the Binaries (cont.) ● Firmware update: Two writes... packaged
- 33. Good News First? ● Good understanding of what happens internally during a firmware update ● Several reads during update after writing, possibly containing clues (read: keys)
- 34. Future Work aka More To Do!! ● All firmware on 512 MB flash encrypted? ○ Look for keys in short messages ○ Examine code in ARM chip’s 1 MB onboard flash ○ JTAG debugging protocol ○ Onboard flash might be read/write protected ○ Electron microscopy ● Once we get the unencrypted firmware … ○ Ready, set, IDA! ● Continue work on other potential attacks
- 35. Acknowledgements ● Devin Lundberg (esp. for Triggering Update) ● Kirill Levchenko ● Keaton Mowery ● David Kohlbrenner ● Hovav Shacham
- 36. Q & A
- 37. NextGen ● FAA (Federal Aviation Administration) Initiative to improve on Air-Traffic Control ● Shorten routes ● Reduce Traffic Delays ● Avoid Grid-Locks ● Save fuel and time ● Implementation in various steps by 2020
- 38. ADS-B Implementation Status Source: https://www.faa.gov/nextgen/implementation/