16 August 2018

INTERNET-OF-THINGS (IOT) MALWARE DISCOVERED TRYING TO ATTACK SATELLITE SYSTEMS OF AIRCRAFT AND SHIPS; BLACK HAT 2018 SPEAKER DETAILS HIS SUCCESSFUL HACK OF AN IN-FLIGHT COMMERCIAL AIRCRAFT WIFI NETWORK


Kelly Jackson Higgins posted an August 9, 2018 article on the security and technology website DarkReading.com, with the title above. For those of you not familiar, the most elite and talented cyber hackers and security sleuths have been gathering every year since 1997, in Las Vegas, Nevada, to discuss the latest cyber security threat landscape, as well as the latest technology designed to ferret out, mitigate, and prevent hacks, as well as how to quickly reconstitute networks, restore trust, reverse engineer, and build resiliency. This year’s 2018 Black Hat, which will conclude this weekend, has already revealed how DeepLocker, artificially-enhanced malware, can change its signature and pattern, hides and/or goes dormant when it believes it may be under surveillance, and is essentially a digital version of a chameleon. I posted an article yesterday on this blog on DeepLocker, if you want additional detail.

Yesterday’s (Thur/Aug. 9, 2018) Black Hat Conference was highlighted by a chilling description of how one cyber security expert was recently able to successfully hack into a commercial airliner’s, in-flight, WiFi network. Ms. Higgins describes how Ruben Santamarta [an elite, cyber security expert] “was flying from Madrid to Copenhagen in November 2017 on a Norwegian Airlines flight, when he decided to inspect the plane’s WiFi network security. So, he launched Wireshark from his laptop and began monitoring the [flight’s] network.” Mr. Santamarta is Principal Security Consultant at IOActive.

Santamarta “noticed some weird things happening,” Ms. Higgins wrote. “First off,” she adds, “his internal IP address was assigned a public, routable IP address, and then more disconcerting, he suddenly noticed random security network scans on his laptop computer. It turned out the plane’s modern data unit, or MDU, was exposed and rigged with the Swordfish Backdoor; and, a router from a Gafgyt Internet-of-Things (IoT) botnet was reaching out to the satcom modum on the in-flight aircraft, scanning for new bot results.”

“The IoT botnet code didn’t appear to have infected any of the satcom terminals on the plane, or others,” according to Mr. Santamarta; “but, it demonstrated how exposed [vulnerable] the [in-flight] equipment was to potential malware infections,” Ms. Higgins warned. “This botnet was not prepared to infect VxWorks. So fortunately it was no threat to the aircraft,” Mr. Santamarta said. 

Mr. Santamarta provided the Black Hat audience with additional details of “how he was able to exploit vulnerabilities in popular satellite communications systems that he had first reported in 2014,” Ms. Higgins wrote. “The flaws — which included backdoors, insecure protocols, and network misconfigurations — in the equipment affect hundreds of commercial airplanes, flown by Southwest, Norwegian, and Icelander airlines. Satcom equipment used in the maritime industry and the military — were also affected by the virus,” Mr. Santmarta warned.

Mr. Santamarta emphasized that “while the [these] vulnerabilities could allow hackers to remotely wrest control of an aircraft’s in-flight WiFi, there are no [known] safety threats to airplanes with such attacks. The attack can’t reach a plane’s safety systems due to the way the networks are isolated and configured,” Ms. Higgins wrote. “But,” she added, “an attacker could access not only the in-flight WiFi network; but, also the personal [mobile] devices of the passengers and crew.”

Mr. Santamarta also “found flaws in satellite earth stations and antenna on ships, and in Earth stations used by the U.S. military in conflict zones. It can disrupt, intercept, and modify” satcom operations from the ground.”

“Meantime,” Ms. Higgins wrote, Mr. Santamarta “found a Mirai botnet-infected antenna control unit on a maritime vessel.:” “There’s malware already infecting vessels,” Mr. Santamarta warned.

I wrote an article last month on the potential that a malicious hacker, or terrorist could deliberately crash a commercial airliner. My article was based in part on a joint U.S. Department of Homeland Security (DHS) and Pacific Northwest National Laboratory — a research arm of the U.S. Department of Energy — study that concluded that it was only a matter of time before a terrorist or malicious hacker could remotely hack into a commercial aircraft’s in-flight WiFi network and potentially, deliberately crash the aircraft. 

After I posted that article, an experienced commercial airline pilot from one of the major U.S. carriers commented that “this could never happen. even if they hijacked the entertainment system, all we’d have to do is turn it off, or pull the CB’s.” He added that “a pilot can always override the autopilot system and disconnect it one of several ways…take power off it and its just not capable any longer. There have been several times I had to click off the auto pilot because it wasn’t doing what I either expected, or wanted it to do. As of yet, we don’t allow artificial intelligence into the cockpit and hopefully never will  but I’m sure there are gamers out there and movie tykes concocting such notions.”

After receiving the comment above, I updated my article to reflect this pilot’s observations; but, I added “I am not a pilot and defer to his expertise — though the observation that “this could never happen,” often seems to surprise us in nasty ways we did not envision or anticipate.”

My guess is that the major airlines are most certainly aware of this vulnerability; and, have likely been taking measures to mitigate and/or prevent this kind of horrific event. But, how aware of this threat are the major foreign commercial airline companies?; and, are they also attempting to mitigate this threat? How far along are they? How big a problem is this? This is one more reason it is important that we find the missing Malaysian commercial flight, MH370 which crashed somewhere in the Indian Ocean back in 2014. While the possibility and potential for this kind of terrible act has likely been substantially reduced since these original vulnerabilities were discovered some three/four years ago/or more — this threat has likely….not totally been eliminated. As with anything that is connected to the Internet, one must always assume that your systems/networks can be breached/compromised. Assuming otherwise…..invites disaster, and a potentially nasty strategic surprise. 

One other elephant in the room: How will artificially-enhanced malware factor into this kind of scenario. As horror writer Stephen King once wrote: “God punishes us for what we cannot imagine.” RCP, fortunascorner.com

No comments: