Satcom on Planes Vulnerable

Security researcher Ruben Santamarta published a research paper detailing that that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems. The latest research paper follows a paper published in 2014 by Santamarta in which the researcher described theoretical attack scenarios on satellite communications. Santamarta continued his research in November 2017 when he managed to passively collect from an airplane’s Wi-Fi network while on a trip. Santamarta noticed that several commonly used services, such as Telnet, HTTP, and FTP, were available for certain IP addresses. More worrying, some interfaces associated with the plane’s onboard satellite communications (satcom) modems were accessible without any authentication.

From Wakeup Call to the Last Call

The trip was definitely the spark which prompted further research. The research revealed the existence of various types of vulnerabilities, including insecure protocols, backdoors, and improper configuration that could allow attackers to take control of affected devices. In the latest research paper it was further found that the vulnerabilities could be exploited by remote hackers to take control of satcom equipment on commercial flights, earth stations on ships, and earth stations used by the U.S. military often deployed in conflict zones. Such an attack could have major implications for government and defense organizations, however, it is the potential impact on commercial airlines that need to be taken seriously.

satcom on planes vulnerable

To that extent, the researcher discovered that hackers could have targeted, remotely and from the ground, hundreds of planes from Southwest, Norwegian and Icelandair. What is further a worry is that in one instance an airplane’s sitcom terminal had already been compromised. The researcher discovered the terminal had been compromised from the ground by the Gafgyt IoT botnet via a compromised router. Before the InfoSec community could assume the worst Santamarta stated in the paper,

“There is no indication that this malware family either had success accessing the SATCOM terminal on any aircraft or that it was specifically targeting airborne routers, so we should consider this situation as a ‘collateral damage’. However, the astonishing fact is that this botnet was, inadvertently, performing brute-force attacks against SATCOM modems located onboard an in-flight aircraft,”

While it is important not to jump to conclusions surrounding the safety of planes the research highlighted important security concerns. In one of the vessels analyzed it was discovered that its Antenna Control Unit (ACU) was infected with the Mirai malware. In military and maritime craft remote attacks could present a safety risk. In an example provided such an attack hackers could theoretically attackers could disrupt communications and they can conduct cyber-physical attacks using high-intensity radiated field (HIRF), a radio-frequency energy strong enough to adversely affect living organisms and electronic devices. In military operations, remote attacks could abuse satcom systems to pinpoint the location of military units, disrupt communications, and conduct HIRF attacks.

Again this is a security concern, however, on airplanes, remote attacks on a planes satcom system do not pose a safety risk due to the isolation between various systems on board. However, a hacker could still intercept or modify in-flight Wi-Fi traffic, and hijack devices belonging to passengers and crew. IOActive disclosed the findings to affected vendors and organizations such as US-CERT and ICS-CERT, and while the aforementioned airlines and some of the affected equipment manufacturers have taken steps to address the issues, others have not been very open to collaboration.

Mirai and Gafgyt IoT Botnet Attacks Intensify

The publishing of the above-mentioned research paper seems to be well timed. The two malware variants found on satcom devices, namely Gafgyt and Mirai, are intensifying attacks. Researchers at Palo Alto Networks published an article detailing an increase in these botnet attacks. A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware and are often used in Distributed Denial of Service (DDoS) attacks amongst others.

In July 2018, three new campaigns using these two botnets were detected. These campaigns were exploiting vulnerabilities in IoT devices, rather than weak credentials. The first detected campaign is associated with Omni, one of the latest evolutions of Mirai, and stands out in the crowd because of its exclusive use of exploits. Omni targets a broad range exploits which include two flaws in Dasan GPON routers that were made public in May (which have been targeted by botnets ever since), a Huawei router security bug, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a JAWS Web server command execution, and a remote code execution in CCTVs and DVRs from over 70 vendors. The campaign had some other interesting characteristics which included two encryption schemes and prevents further infection of compromised devices through dropping packets received on certain ports. Another interesting character in this Omni campaign was that the malware did not attempt to propagate via credential brute-forcing.

The second campaign used many of the same exploits as in the first but did employ brute force credential attacks. The researchers also noticed that some of the samples included some brand new DDoS methods and that some of the newest samples completely removed the exploits and went back to exclusively attempting brute-force compromise. The third campaign, the security researchers reveal, was no longer attempting to infect devices with a Mirai variant, but was delivering malware built on the Gafgyt source code that also includes a layer-7 DDoS-targeting function.

The researchers at Pal Alto Networks concluded that the new attacks prove once again how attackers can build large botnets consisting of different types of devices and control them from a single C&C server. This advantage, added with the emergence of the potential for commercial airlines to be a target, may result in more campaigns using Mirai. Ever since the source code for Mirai was leaked in 2016 the malware has been used in the biggest DDoS attack in history. This trend may not become unpopular any time soon.