Throughout November and December last year, Ruben Santamarta was sat in front of his computer peeking inside the technical bowels of hundreds of aircraft flying thousands of meters above him. That included commercial aircraft operated by some of the biggest airlines in the world. He believes it may’ve been the first time anyone had hacked planes from the ground by taking advantage of weaknesses in satellite equipment.
The cybersecurity researcher could, if he’d been so inclined to break the law, have hacked those onboard systems, snooped on the on-board Wi-Fi and carried out surveillance on all connected passenger devices. Fortunately, the safety systems on the planes were not at risk, thanks to the ways in which modern aircraft segment networks.
Santamarta, a researcher at cybersecurity company IOActive, was able to spy on all those planes due to vulnerabilities in satellite communications equipment, such as antennas sending data up to aircraft and the modems within. All could be exploited remotely, without needing physical access to the hardware. In his words, Santamarta found various ways to turn satellite communications kit into “radio frequency weapons.”
He isn’t saying just what equipment until he details his attacks in full at the Black Hat conference in Las Vegas on Thursday. (Forbes is aware of the affected technology, and will update this article once Santamarta has given his talk). Relevant airlines, satellite communications vendors and government agencies were contacted about the vulnerabilities, IOActive said. Most have fixed the problems uncovered by Santamarta. Some remain vulnerable.
Amongst the various airlines that had aircraft containing vulnerable kit were Southwest and Norweigian Airlines, according to the rezearcher. At the time of publication Norwegian hadn’t provided comment about Santamarta’s findings.
A Southwest spokesperson said it learned of the issues via the US-CERT, an emergency response team sponsored by the U.S. government and contacted its Wi-Fi partners, Global Eagle, which fixed the issues back in December. They reiterated there was no threat to fliers safety.
Two of the manufacturers that produced and shipped the satellite and onboard Wi-Fi tech, Hughes and Global Eagle, did respond.
“The Hughes system comes equipped with a number of safeguards that guard against unauthorized access,” a Hughes spokesperson said. “Hughes works closely with customers on security matters and delivers service providers documentation on how to configure their system to guard against potential vulnerabilities, which is regularly reviewed and updated. Customers who have questions should contact their service providers to ensure the appropriate and latest safeguards are in place.”
A Global Eagle spokesperson said the company’s infotainment and Wi-Fi systems were separated from safety systems, confirming there was no threat to passengers’ lives.
“In our case, there was a configuration error that we corrected within two hours of notification last December,” said Doug Murri, VP for operations at Global Eagle. “We have implemented additional layers of security to prevent similar actions.”
Uncloaking military bases
The weaknesses in satcom kit also allowed Santamarta to spy on cargo ships and uncover supposedly-hidden military bases. When he spoke with Forbes in mid-July, a number of those bases were yet to have cloaked themselves.
Another severe threat is that of radio frequency attacks that could cause physical harm to individuals and electronics. Satellite communications technology can transfer energy via radio frequencies. Santamarta hypothesized it should be possible to cause some kind of physical damage to systems by applying that energy to specific parts of an aircraft or ship. It may even be possible to cause physical burns to a person, if the RF energy was powerful enough, though IOActive decided not to test that hypothesis.
Santamarta could also combine his plane attacks with those tested out by colleague Josep Pi Rodriguez. The latter focused on an operating system called WingOS, which is used across aircraft to manage Wi-Fi access points. Rodriguez told Forbes it’d be possible to gain a foothold on a plane’s in-flight network via Santamarta’s hacks from the ground, before exploiting the (now patched) WingOS vulnerability. From there, a hacker could start snooping on all passenger devices. Rodriguez is detailing his findings later this week at the Def Con conference in Las Vegas, in a talk titled ‘Breaking Extreme Networks WingOS: How to Own Millions of Devices Running on Aircraft, Government, Smart Cities and More.’
But Pete Cooper, a nonresident senior fellow at the Atlantic Council and formerly of the U.K. Ministry of Defence, played down the severity of the attacks. He noted that even if the hackers can acquire access to an antenna, they’d have to rely on it having a permanent connection to a plane. For the average user, Cooper told Forbes, the threat over Wi-Fi was not much different from that affecting anyone who’d connected to the internet in a Starbucks. Anyone connecting to public Wi-Fi is in increased danger of being hacked by malicious types on the network.
Though many of the vulnerabilities uncovered by Santamarta have been fixed by the vendors, he fears other loopholes remain, leaving open the possibility of ground-based aircraft hacks. Indeed, he told Forbes that not all the issues have been patched.
“I think there are still [open] attack vectors,” he said, noting it wouldn’t be easy for the myriad vendors to address the problems. That’s largely because the problems are fewer vulnerabilities than inherent design problems. “In certain cases, it’s more of a design issue. It’s not going to be easy.”