Cyber Threats to the Aviation Industry – 2014

2014 © SenseCy ○ PO Box 395 Bnei Zion 60910, Israel ○ Tel +972-9-7482180 Israel ○ [email protected]

Executive Summary

The following report presents an overview of cyber threats faced by the aviation industry today.

The identified threats stem from the current nature of aviation industry systems, which are interconnected and interdependent, the lack of consolidated regulations, and new technologies that present previously unknown risks.

The industry faces major risks on all of its fronts: from the air traffic control systems, to the aircraft themselves, to the airline companies and airports and border crossings.

2016 © SenseCy ○ PO Box 8551, Poleg, Netanya 4250711, Israel ○ Tel +972-9-7482180 Israel ○ [email protected] 1

Table of Contents

1. Introduction
1.1. Major Threats to the Aviation Industry
1.1.1. Air Traffic Control
1.1.2. Aircraft
1.1.3. Airlines: Website and Networks
1.1.4. Airports and Border Authorities
2. Real-Life Examples of Aviation Cyber Threats
2.1. Air Traffic Control
2.1.1. Researcher Hacks Aircraft Controls with Android Smartphone
2.2. Aircraft
2.2.1. Inflight WiFi Vulnerabilities
2.2.2. Malware Implicated in Fatal Spanair Plane Crash
2.3. Airlines: Website and Networks
2.3.1. Sykipot
2.3.2. Malaysian Aviation Company Air Twitter Account Hacked
2.3.3. DDoS Attack on Israel Airports Authority Site
2.3.4. El-Al Website Hacked
2.3.5. Conficker Worm Grounds French Navy Fighter Jets
2.4. Airports and Border Authorities
2.4.1. Cyberattack against Turkish Passport and Control System
2.4.2. Dubai International Airport Website Breached
2.4.3. WiFi Vulnerabilities at Airports
3. Conclusion
4. Appendix 1 – Analysis of RedHack


1. Introduction

The aviation industry depends on one of the world's most complex and integrated technological systems – one increasingly at risk from threats from cyberspace.1

1.1. Major Threats to the Aviation Industry

The American Institute of Aeronautics and Astronautics (AIAA) recently called on the international commercial aviation industry to address cybersecurity threats. James Albaugh, AIAA president-elect and a former top executive at Boeing, says cyberthreats should be taken seriously because of the increasingly networked character of the world of commercial aviation, and proposed that an integrated approach be taken.

On August 13, the AIAA officially released a Decision Paper entitled “A Framework for Aviation Cybersecurity”, outlining existing and evolving cyberthreats to the commercial aviation enterprise and noting the lack of international agreement on cybersecurity in aviation. There is no common overall coordination of efforts seeking a global solution.2

According to the report, the global aviation system is a potential target for a large-scale cyberattack with attackers focusing on malicious intent, information theft, profit, “”, nation states, etc. The aviation industry lacks a common strategy to combat these cyber threats.

1 http://www.flightglobal.com/news/articles/aviation-group-calls-for-coordinated-cyber-security-389032/
2 http://www.aiaa.org/uploadedFiles/Issues_and_Advocacy/AIAA-Cyber-Framework-Final.pdf


Much of the AIAA report is based on the U.K. Centre for the Protection of National Infrastructure (CPNI) report. Last year, the CPNI published a report entitled “Cyber Security in Civil Aviation”3 whose key findings were:

- “The cyber world of interconnected and interdependent systems has increased the vulnerability of aircraft and systems and therefore the potential impact that breaches in security can have. More attention is therefore due to this complex but containable problem.
- Cybersecurity vulnerabilities have the potential to jeopardize civil aviation safety and efficiency.
- Currently, the growing threat to keeping the aviation industry safe and secure from attacks lies in cyberspace.”

Risks to civil aviation from malicious cyberactivity are increasing, owing to:

- Safety versus security: safety issues do not include malicious cyberactivities
- New technology and lack of experience
- Consolidation: interconnected and interdependent systems

The major threats as detailed by the report and as we see them are:

1.1.1. Air Traffic Control

- Air Traffic Control (ATC) is becoming more automated and less manually managed. The increased use of Unmanned Aerial Vehicles (UAVs) has raised concern over communication between ground control stations and aircraft. Solutions are Internet-based and therefore introduce new cyber security issues, exposing the sector to vulnerabilities that did not previously exist and that can jeopardize civil aviation safety and efficiency.
- The ATC system is especially susceptible to attack – several security researchers have disclosed at conferences such as DEF CON and BlackHat that they were able to exploit vulnerabilities in its systems. The Automatic Dependent Surveillance-Broadcast (ADS-B) has been a major target for white hats speaking at these conferences: Brad Haines, for example, claims that the system is unencrypted and unauthenticated and can be eavesdropped on and corrupted;4 the ‘Ghost is in the Air (Traffic)’ presentation by Andrei Costin shows how ADS-B can be exploited;5 and Hugo Teso demonstrated a take-over of the system using a smartphone.6

3 http://www.cpni.gov.uk/documents/publications/2012/2012020-cyber_security_in_civil_aviation.pdf?epslanguage=en-gb
4 http://www.youtube.com/watch?v=CXv1j3GbgLk
5 http://media.blackhat.com/bh-us-12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_Slides.pdf
6 http://conference.hitb.org/hitbsecconf2013ams/materials/D1T1%20-%20Hugo%20Teso%20-%20Aircraft%20Hacking%20-%20Practical%20Aero%20Series.pdf


1.1.2. Aircraft

- The latest aircraft developments increase the potential for cyber vulnerabilities: Commercial Off-The-Shelf (COTS) software and hardware solutions are being introduced into aircraft parts, increasing risk.
- Interconnected systems permit communication of all routine air traffic commands between ATC and the aircraft.
- Aircraft operators: the increased exchange of communication with the aircraft increases its vulnerability.
- eEnabled aircraft: Although ‘Connexion by Boeing’ was abandoned, the industry is seeking new solutions to provide an onboard Internet connection, which could introduce new risks and challenges in cyber security. According to the report, new eEnabled aircraft, such as the Boeing B787, Airbus A380 and A350, and the Air Traffic Management (ATM) systems designed by the SESAR, NextGen and Carats projects render the situation critical, as these projects are already entering service and the interconnected and interdependent aircraft systems are increasingly vulnerable.

1.1.3. Airlines: Website and Networks

- The threats include risks to web applications, such as the Sykipot backdoor tool, which collects intelligence information and can cause damage to the companies; or the exploitation of Twitter accounts that may harm the company’s reputation.
- The industry is also a target for politically motivated cyberattacks. We have noted several discussions on forums and social networks mentioning attacks on airport authority sites and other aviation industry targets.

1.1.4. Airports and Border Authorities

- Attacks on border control systems, such as the incident in Turkey in September that caused delays. We believe these examples are only the beginning, and that the threat will continue to spread to other areas of the aviation industry.


2. Real-Life Examples of Aviation Cyber Threats

The risks are not only theoretical. As portrayed below, some of the aforementioned security concerns have already been realized by hackers in real life.

2.1. Air Traffic Control

2.1.1. Researcher Hacks Aircraft Controls with Android Smartphone

A presentation7 at the ‘Hack in The Box’ security summit in Amsterdam in April 2013 has demonstrated that it is possible to take control of an aircraft’s flight systems and communications using an Android smartphone.

The presentation was made by Hugo Teso, a security researcher and commercial airline pilot, who developed a specialized attack code dubbed SIMON, along with an Android application called PlaneSploit, that can take full control of the flight systems and the pilot’s display monitors. He can also change the heading and speed of the aircraft using the handset, and modify anything related to the navigation of the plane.

Teso found that the ADS-B has no security at all and he could passively eavesdrop or actively interrupt aircraft communications.

Hugo also demonstrated the use of a smartphone to redirect aircraft navigation systems by hacking the Aircraft Communications Addressing and Reporting System (ACARS), which he also reported has no security at all.

The FAA claimed that the hack would not work on real certified airplane systems, as he only used simulation systems. Nevertheless, Teso’s presentation exposed some of the vulnerabilities in the aviation systems’ cybersecurity.8

7 http://conference.hitb.org/hitbsecconf2013ams/materials/D1T1%20-%20Hugo%20Teso%20-%20Aircraft%20Hacking%20-%20Practical%20Aero%20Series.pdf
8 http://www.forbes.com/sites/andygreenberg/2013/04/10/researcher-says-hes-found-hackable-flaws-in-airplanes-navigation-systems/
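Both the ADS-B discussion in section 1.1.1 and Teso’s demonstration above rest on the same defect: the broadcast is unauthenticated, so a receiver cannot tell a genuine position report from an injected one by looking at the message alone. One mitigation a ground-side consumer of ADS-B data can apply is a kinematic plausibility check: each new report for an ICAO address is compared with the last accepted report for that address, and a report implying an impossible speed or climb rate is rejected rather than fed into the track. The following is an added example written for this report; it is not code from SenseCy, Teso, Costin or Haines, the sample reports are constructed, and the speed and climb thresholds are assumptions rather than values from any standard.

```python
"""Kinematic plausibility check for ADS-B position reports (added example).

The constructed feed below contains a genuine northbound track at roughly
250 m/s and one injected 'ghost' report that teleports the aircraft about
200 km away.  The thresholds are assumptions for the demonstration.
"""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from typing import Dict, List, Optional

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MPS = 350.0   # ~680 kt ground speed; assumed ceiling for airliners
MAX_CLIMB_MPS = 60.0    # ~12,000 ft/min; assumed ceiling


@dataclass(frozen=True)
class PositionReport:
    icao: str      # 24-bit ICAO address as a hex string
    t: float       # receive time in seconds
    lat: float     # degrees
    lon: float     # degrees
    alt_m: float   # barometric altitude in metres


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


class PlausibilityTracker:
    """Keeps the last accepted report per ICAO address and vets new ones."""

    def __init__(self) -> None:
        self._last: Dict[str, PositionReport] = {}

    def check(self, rep: PositionReport) -> Optional[str]:
        """Return None if the report is plausible, otherwise a reason string.

        Rejected reports are not stored, so one injected ghost cannot
        drag the reference point away from the real track.
        """
        prev = self._last.get(rep.icao)
        if prev is None:
            self._last[rep.icao] = rep
            return None
        dt = rep.t - prev.t
        if dt <= 0:
            return "non-monotonic timestamp"
        speed = haversine_m(prev.lat, prev.lon, rep.lat, rep.lon) / dt
        if speed > MAX_SPEED_MPS:
            return f"implied ground speed {speed:.0f} m/s exceeds {MAX_SPEED_MPS:.0f}"
        climb = abs(rep.alt_m - prev.alt_m) / dt
        if climb > MAX_CLIMB_MPS:
            return f"implied climb rate {climb:.0f} m/s exceeds {MAX_CLIMB_MPS:.0f}"
        self._last[rep.icao] = rep
        return None


# Constructed sample feed (ICAO address and positions are made up).
SAMPLE_REPORTS: List[PositionReport] = [
    PositionReport("4840D6", 0.0, 52.00000, 4.0, 10_000.0),
    PositionReport("4840D6", 1.0, 52.00225, 4.0, 10_010.0),
    PositionReport("4840D6", 2.0, 53.80000, 4.0, 10_020.0),  # injected ghost
    PositionReport("4840D6", 3.0, 52.00675, 4.0, 10_030.0),
]


def run_feed(reports: List[PositionReport]) -> List[int]:
    """Return the indices of reports rejected as implausible."""
    tracker = PlausibilityTracker()
    return [i for i, r in enumerate(reports) if tracker.check(r) is not None]


if __name__ == "__main__":
    rejected = set(run_feed(SAMPLE_REPORTS))
    for i, r in enumerate(SAMPLE_REPORTS):
        print(i, r.icao, r.lat, r.lon, "REJECT" if i in rejected else "ok")
```

The check deliberately compares against the last accepted report rather than the last received one: the real report that follows the ghost is still judged against the genuine track, so the track survives the injection. A production receiver would add cross-checks that this example does not, such as comparing the reported velocity field with the position-derived speed or using multilateration from several receivers.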


2.2. Aircraft

2.2.1. Inflight WiFi Vulnerabilities

In 2008, the FAA reported that the computer network in the Boeing 787 Dreamliner’s passenger compartment was connected to the aircraft’s control, navigation and communication systems - a cause for grave security concern. This connection renders the plane control system vulnerable to cyberattack. Boeing advised that they would address the issue.9 Such a connection would cause a security concern partly due to new phone applications, such as Gogo Text&Talk, which are already providing passengers with in-flight WiFi, allowing them to send and receive text messages while airborne.10 However, this service lacks encryption capabilities11 and is no more secure than any other public network, and can pose a security threat to passengers using the service.12

Today, airlines aspire to provide their passengers with better connectivity, using an onboard WiFi connection or developing eEnabled aircraft, but these abilities must be separated from the aircraft operations. Risks to connected aircraft include:13

9 http://www.wired.com/politics/security/news/2008/01/dreamliner_security; http://www.flightglobal.com/blogs/runway-girl/2010/01/us-faa-warns-of-747-8-vunerabi/
10 http://www.businessinsider.com/now-you-can-text-in-flight-gogo-2013-11
11 http://hytechlawyer.com/?p=2027
12 http://www.forbes.com/sites/marcwebertobias/2011/06/27/insecure-wifi-at-30000-feet/
13 http://speedbird-ncl.com/2010/01/27/a-case-for-aircraft-security/


2.2.2. Malware Implicated in Fatal Spanair Plane Crash

In 2008, Spanair flight 5022 crashed just after take-off, killing 154 people. According to the Spanish government’s Civil Aviation Accident and Incident Investigation Commission (CIAIAC), the disaster occurred because the central computer system used for monitoring technical problems in the aircraft was infected with a Trojan horse. The computer was supposed to emit an alarm signal on the monitor if it recorded three technical problems, and on the fateful take-off, it failed to alert the pilots. The plane attempted to take off with its flaps and slats retracted and no audible alarm sounded due to failure of the systems delivering power to the take-off warning system, following two earlier events that were not reported by the automated system. The malware could have entered the systems in several ways, for example, by third party devices or through remote VPN connection.14

14 http://www.nbcnews.com/id/38790670/#.UohgZhA4Qll, http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fwww.elpais.com%2Farticulo%2Fespana%2Fordenador%2FSpanair%2Fanotaba%2Ffallos%2Faviones%2Ftenia%2Fvirus%2Felpepiesp%2F20100820elpepinac_11%2FTes&sl=es&tl=en


2.3. Airlines: Website and Networks

2.3.1. Sykipot

Sykipot is a tool that serves as a backdoor that an attacker can use to execute commands on the affected system. It is being used to gather intelligence about the civil aviation sector in the U.S. Like most targeted attacks, Sykipot infects using spear-phishing techniques by sending emails with malicious attachments. The attachments contain exploits that target various applications like Adobe Reader and Microsoft Office. However, since July 2012, this particular tactic has been waning. Attackers favor drive-by exploits that target the operating system itself or applications like web browsers and Java. Once Sykipot is running on the victim’s machine, it establishes an SSL connection to a C&C server where more malicious files are then downloaded and installed. The capabilities of the Sykipot framework allow it to run arbitrary code and commands.15

Lately, as identified by Trend Micro, Sykipot has been observed gathering intelligence on the U.S. civil aviation sector. The intentions of this campaign are as yet unclear. Sykipot has a history of targeting the U.S. Defense Industrial Base (DIB) and key industries over the past six years.

The new Sykipot attack campaign is targeting potential participants in the 2013 IEEE Aerospace Conference, a conference attended by aviation experts, academics, military personnel and industry leaders, by sending them rogue emails.16

2.3.2. Malaysian Aviation Company Air Twitter Account Hacked

On October 21, the Twitter account of Malaysian Aviation Company Malindo Air was hacked. The hacker posted a fake announcement on behalf of the company stating that they were giving away 100,000 free seats. The company then posted that their Twitter account had been hacked.

Even after the company’s post, the hacker was still in possession of the account and reposted his message. These kinds of simple hacks into social network accounts can cause substantial financial and marketing damage.17

15 http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/
16 http://gadgets.mobiletradar.com/Variant-of-Sykipot-malware-targets-of-attack-aviation-industry/
17 http://www.middleeast-internet-monitor.com/?p=4922


2.3.3. DDoS Attack on Israel Airports Authority Site

A Tunisian hacker claimed that the Israeli Airports Authority website was the target of a DDoS attack that caused flight delays and added that more attacks would be launched on November 5 (as part of an organized #OpIsrael cyberattack against Israel).18

2.3.4. El-Al Website Hacked

The Israeli national airline, El-Al, has been a major target for politically oriented cyberattacks. In 2012, El-Al’s website was temporarily shut down by the “Nightmare Group” hackers. Internal systems and flight schedules were not affected.19 In August 2013, the “Qods Freedom” group also claimed they hacked El-Al’s website amongst other targeted Israeli websites and took down the site in a planned DDoS attack.20

18 https://www.facebook.com/events/494463360661639/
19 http://www.tgdaily.com/security-features/60817-hackers-target-tel-aviv-stock-exchange
20 http://pastebin.com/5Ecd2hzn; https://www.facebook.com/pages/Qods-freedom/459932157415148


2.3.5. Conficker Worm Grounds French Navy Fighter Jets

Conficker, a worm that has infected millions of computers worldwide, infected the French Navy network in 2009, forcing it to cut connectivity to stop the worm from spreading, and to ground its Rafale fighter jets. It was probably introduced through an infected USB drive. The worm spreads through file sharing and removable drives, such as flash drives or cameras, and copies itself to the PC when the user clicks a rogue option that the worm adds to the AutoPlay dialog box of the infected drive.21 It can spread throughout a LAN but can be blocked by firewalls. Microsoft had issued a patch for the vulnerability exploited by Conficker three months before the incident.22

21 http://www.microsoft.com/security/pc-security/conficker.aspx
22 http://www.computerworlduk.com/news/security/13261/conficker-worm-torpedoes-french-navy/


2.4. Airports and Border Authorities

2.4.1. Cyberattack against Turkish Passport and Control System

The following paragraphs present the main findings of an investigation that we conducted regarding an alleged cyberattack on the Passport Control system used at Turkish airports and border crossings.

The investigation includes an analysis of the malfunctions discovered in the General Directorate of Security Police's Intra-net (PolNet) system, previous alleged cyberattacks against the General Directorate of Security Police, and relevant information regarding the Turkish RedHack that appears to be connected to the event. The report also contains an analysis of previous attacks carried out by RedHack against the General Directorate's websites.

The research was conducted in several languages (mainly Turkish) and employed proven Terrogence methodologies for collecting Web Intelligence (WEBINT), including accessing password-protected forums and closed hacker group platforms.

Incident Summary

On September 5, 2013 at around 1 pm, entrances and exits to and from the international Turkish border were suspended due to a problem in the Police Intra-net system (PolNet).23 The Turkish hacker group RedHack announced on the same day via its Twitter account that they had hacked the official website of the General Directorate of Police (EGM).24

[Figure: RedHack announced that the EGM website is inaccessible]

23 PolNet is the Computer Network and Information System of the Turkish National Police: http://www.egm.gov.tr/EN/Pages/PolNet.aspx
24 https://twitter.com/TheRedHack/status/375614494090608640


Two days later, on September 7, RedHack claimed responsibility for a cyberattack against the PolNet System.25 The police, however, denied the hackers’ claim, arguing that the site was shut down for a “controlled” deactivation due to the transfer of a data center.26

RedHack stated that the EGM system connects to both PolNet and the Internet via an unsecured network that it was able to reach via the file share system, through which it reached the main servers. When RedHack hacked the EGM site, the EGM panicked and pulled the plug, causing the passport system to stop working.

There have been attacks on the PolNet system and malfunctions at airports in the past, including twice in December 2012 (December 17 and December 23). Because of the malfunctioning system, long queues were observed at Passport Control in the Arrivals terminal. Cyberattack was not mentioned as a cause for malfunctions prior to July 2013.

On July 26, 2013, the PolNet database system temporarily broke down, affecting systems at both Atatürk and Sabiha Gökçen International airports. The Hurriyet Daily News blamed the problems on an unnamed computer virus and an alleged cyberattack.27 No claim of responsibility or blame was attributed to the alleged cyberattack. This cyber attack is another one in a line of reported attacks targeting vital infrastructure.28 Appendix No. 1 presents an analysis of the RedHack group.

25 https://twitter.com/TheRedHack/status/376319436296179712/photo/1
26 http://www.gagrule.net/?p=9606
27 http://www.theregister.co.uk/2013/07/31/istanbul_airport_chaos_malware_blamed/
28 http://thehackernews.com/2013/07/Istanbul-airport-cyber-attack-virus.html


2.4.2. Dubai International Airport Website Breached

In April 2013, hackers from the “Hackers of Portugal Cyber Army” and “HighTech Brazil HackTeam” groups claimed to have breached the Dubai International Airport official website, hosted on the dubaiairport.com domain, causing an online leak of staff email addresses and hashed passwords. The passwords were very weak, so the hashes could easily be cracked. The motivation remains unclear.29

2.4.3. WiFi Vulnerabilities at Airports

Airports worldwide now provide WiFi Internet access to mobile users, while at the same time increasingly employing private WiFi networks for baggage management and tracking, as well as passenger ticketing. An AirTight Networks report from 2008 found that critical airport systems are vulnerable to WiFi threats, with 80% of the access points surveyed being OPEN or WEP. Among the unsecured access points, 59% were non-hotspot access points, with names such as ‘SFOPRIVATE’, ‘KIOSKWIRELESS’ and ‘e-Baggage Trial AP1’. AirTight research discovered, for example, that the baggage management system at SFO Airport can be easily compromised.30

29 http://news.softpedia.com/news/Hackers-Claim-to-Have-Breached-Dubai-International-Airport-347010.shtml; http://www.ehackingnews.com/2013/04/dubai-airport-site-hacked.html; http://www.leakedin.com/2013/04/23/potential-leak-of-data-email-addresses-list-3198/
30 http://www.airtightnetworks.com/fileadmin/pdf/AirTight-Airport-WiFi-Scan-Analysis.pdf
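The AirTight figures above come from classifying a site survey: which access points use no encryption or WEP, how many of those are not the airport’s published hotspots, and whether their SSIDs suggest an operational system. The following added example shows that audit over a constructed survey; it is not code from SenseCy or AirTight, and the CSV records, the published-hotspot list and the keyword list are all assumptions made for the demonstration.

```python
"""Audit a WiFi site survey for weak encryption (added example).

Input records are (ssid, bssid, security).  OPEN and WEP count as weak,
matching the categories in the AirTight report cited above.  Everything
below the docstring (records, hotspot list, keywords) is constructed.
"""
import csv
from io import StringIO
from typing import Dict, List

# Constructed survey export; SSIDs echo the ones named in the report.
SURVEY_CSV = """ssid,bssid,security
AirportFreeWiFi,00:11:22:33:44:01,OPEN
AirportFreeWiFi,00:11:22:33:44:02,OPEN
SFOPRIVATE,00:11:22:33:44:10,WEP
KIOSKWIRELESS,00:11:22:33:44:11,OPEN
e-Baggage Trial AP1,00:11:22:33:44:12,WEP
ops-ticketing,00:11:22:33:44:13,WPA2
gate-b12,00:11:22:33:44:14,WPA2
lounge-guest,00:11:22:33:44:15,WPA2
gate-c04,00:11:22:33:44:16,WPA2
staff-corp,00:11:22:33:44:17,WPA2
"""

# SSIDs the airport publishes as intended public hotspots (assumption).
PUBLIC_HOTSPOTS = {"AirportFreeWiFi"}

WEAK_MODES = {"OPEN", "WEP"}

# Words suggesting an operational rather than guest network (assumption).
SENSITIVE_KEYWORDS = ("PRIVATE", "KIOSK", "BAGGAGE", "TICKET", "TRIAL", "OPS")


def parse_survey(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into a list of records."""
    return list(csv.DictReader(StringIO(text)))


def is_weak(record: Dict[str, str]) -> bool:
    """True when the access point runs without encryption or with WEP."""
    return record["security"].strip().upper() in WEAK_MODES


def looks_operational(ssid: str) -> bool:
    """Heuristic: does the SSID name read like a back-office system?"""
    s = ssid.upper().replace("-", "").replace("_", "")
    return any(k in s for k in SENSITIVE_KEYWORDS)


def audit(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise weak access points and flag the non-hotspot ones."""
    weak = [r for r in records if is_weak(r)]
    non_hotspot_weak = [r for r in weak if r["ssid"] not in PUBLIC_HOTSPOTS]
    findings = [
        {
            "ssid": r["ssid"],
            "bssid": r["bssid"],
            "security": r["security"],
            "operational_name": looks_operational(r["ssid"]),
        }
        for r in non_hotspot_weak
    ]
    return {
        "total": len(records),
        "weak": len(weak),
        "weak_pct": round(100 * len(weak) / len(records)) if records else 0,
        "non_hotspot_pct_of_weak": (
            round(100 * len(non_hotspot_weak) / len(weak)) if weak else 0
        ),
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit(parse_survey(SURVEY_CSV))
    print(f"{result['weak']}/{result['total']} access points weak "
          f"({result['weak_pct']}%), of which "
          f"{result['non_hotspot_pct_of_weak']}% are not public hotspots")
    for f in result["findings"]:
        flag = "OPERATIONAL?" if f["operational_name"] else ""
        print(f"  {f['ssid']:<22} {f['bssid']}  {f['security']:<5} {flag}")
```

The distinction between a public hotspot that is open by design and an open or WEP network that is not on the published list is the point of the audit: the first is a passenger-privacy concern, the second is a back-office system reachable from the terminal. A real survey would also record signal strength and location so that each finding can be traced to a physical access point.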


3. Conclusion

This report demonstrates some of the cyberthreats confronting the aviation industry today.

We believe that the aviation industry is facing major threats from cyberspace and these threats encompass large areas of the industry and may become a greater burden for it, compromising the safety of the passengers, and causing financial and commercial damage to the associated companies.


4. Appendix 1 – Analysis of RedHack

RedHack first made a name for themselves by hacking the Ankara Police Department's official site in 2012, and later hacked approximately 350 police department websites, rendering them temporarily inoperable.31

RedHack is a Turkish Marxist–Leninist computer hacker group founded in 1997. The group has claimed responsibility for hacking institutions that include the Council of Higher Education, the Turkish police force, the Turkish Army, Türk Telekom, and the National Intelligence Organization. The group's core numbers are said to be 12 but the group has over 708,000 followers on Twitter as of September 14, 2013.32

RedHack has made a number of attacks against governmental websites in the past, including the Finance and Interior ministries, as well as the Religious Affairs Directorate. The police, however, denied the hackers’ claim arguing that the site was shut down for a “controlled” deactivation due to the transfer of a data center.33

31 http://onedio.com/etiket/redhack/503fc95bcc161f8ec1342468
32 http://en.wikipedia.org/wiki/RedHack
33 http://www.gagrule.net/?p=9606
