At Black Hat, IOActive researcher Ruben Santamarta presented remote attacks on the modem used in aircraft communications and on antennas for satellite communications. Reportedly, however, aircraft safety is not at risk.
Santamarta says he became interested in the security of Wi-Fi networks on airplanes when he examined his network traffic on a flight in November of last year and found that he had been assigned a public IP address. He also saw that his address was receiving several scans from the internet. Once he had landed, he searched for the relevant IP ranges via the Shodan search engine and found aircraft from three different airlines that could be found via the internet in this way. They all had a modem, or MDU, from the same manufacturer.
He then took a closer look at this device by tracking down its firmware and examining it. He found a backdoor that allowed him to open a shell in the VxWorks software running on the modem. However, this did not give him access that could jeopardize the safety of aircraft. He did state that it was possible to attack, for example, the devices of passengers and crew members, but did not elaborate on this. He also mentioned during the presentation that he had found an IoT botnet called Gafgyt trying to attack the modem. However, it failed to infect the OS.
He also looked at antennas that are used for satellite communication, for example with aircraft and ships. These too turned out to be accessible and could be taken over via the internet. That wasn’t difficult, according to Santamarta, who illustrated his point by stating that he “could have gotten root access in a hundred different ways.” Here too he encountered a botnet: one of the systems was infected with the Mirai malware. He showed in a demo that it is possible to remotely control such an antenna and point it at locations of one's choice.
According to Santamarta, this paves the way for so-called cyber-physical attacks, which can, for example, cause damage to electronic equipment or harm people nearby. He explains that with a certain type of antenna this is possible at a distance of up to 25 meters. That risk does not exist with aircraft, but it does exist on ships such as cruise ships. His findings reportedly also have implications for military targets, which could be located using the devices that can be found via the internet. As no solution had yet been found, he was unable to provide further details.
Santamarta concludes by saying that he went through a complex disclosure process, which involved several CERTs. However, he was unable to reach the antenna manufacturer. The researcher warned about this type of attack in 2014.
Update, 15:07: The white paper is now online.