At the Black Hat enterprise security convention this week, Ruben Santamarta, Principal Security Consultant, IOActive, unveiled research flagging up vulnerabilities in the satellite communication systems (SATCOM) used on aeroplanes and ships, and by the military.
Attacks could see hackers connecting to satellite antenna remotely, through the internet, then exploiting software security weaknesses to gain access to devices, the report warns.
The paper, which builds on Santamarta’s previous research from 2014, is entitled Last call for SATCOM security.
Santamarta says his latest research shows it’s not only theoretical but proven to be possible to hack into on-board Wi-Fi networks and devices remotely using satellite equipment.
In aerospace, Santamarta found that while the security risks are high, the safety risks around SATCOM are not critical at the moment – for example, the research suggests a hacker could potentially hack into passengers’ devices when they are connected to the in-flight Wi-Fi but people’s lives or physical safety are unlikely to be at risk. The loopholes discovered would not allow a hacker to control the plane’s avionics system.
However, in the military there could be a risk of military units’ location being identified more easily. With both maritime and military scenarios, the threat of “cyber-physical attacks” is opened up. Hackers could reposition an antenna and increase its output, generating a high-intensity radiated field (HIRFs) which could cause malfunctions in critical navigation systems or even health damage, the research paper says. Santamarta likened it to the principle behind microwave ovens.
Santamarta said the safety risk is not as high for the aviation sector.
The paper notes: “The industry has done a good job of putting strong design and testing standards in place that would protect critical flight systems from HIRF attacks using airborne Satcom equipment.”
“[Aviation] should be commended for identifying an emerging threat,” it adds.
Not an option
Following the research, IOActive worked with the aviation industry on the issues it had found.
“We can confirm that the affected airlines are no longer exposing their fleets to the Internet,” the paper says.
It concludes: “[These] technologies have a significant impact on society, for good. It is everyone’s responsibility to keep it in that way, as the alternative scenario, where safety risks are possible, is certainly not an option.”