In an increasingly technology-focused world, aviation security is becoming a critical problem.
This is not necessarily in reference to protesters disrupting flights or drones that are able to bring prominent airports to a grinding halt for days over the holiday season.
Instead, the use of networked systems and tech solutions to do everything from managing your booking to bags and planes themselves has opened new pathways for cyberattackers.
Connectivity lies in the heart of the aviation industry today. I recall a flight four years ago, in which the accidental slice-through of a single fiber cable servicing an airport led to widespread chaos, missed flights and bags, queues a mile long, and the use of pen and paper to check-in passengers.
The use of connected and smart solutions has led to a complex aviation environment and one that can be abused, theoretically causing everything from ground planes to the destruction of scheduling systems.
We’ve already seen ransomware operators black out screens at Bristol Airport. Heathrow Airport was fined £120,000 by UK regulators after an employee lost a USB stick containing thousands of confidential and sensitive files relating to aviation security staff. Boeing 737 Max jets have been grounded in the past pending investigations into their cybersecurity posture.
See also: Travelers kinda hate robots at airports
Standard malware and human error are not the only factors that may compromise airport security. Instead, attackers have a wide pool of systems on offer to enter airport networks, relied upon and required by staff both on the ground and in the sky.
This week, Pen Test Partners published the results of an investigation into how vulnerable our airports may be to attack, having tested a wide selection of systems and controls for weaknesses.
Access: While obtaining a crew pass during the test wasn’t possible, these RF cards — often making use of mag stripes and PIN codes — may be stolen or replicated through tools such as Proxmark, giving threat actors access to areas they should not have.
“The biggest single challenge is the sheer volume of different entities that need access: passengers, crews, airline staff, security personnel, police, customs, and other government agencies, freight, meal service and many more,” the company says.
Building management systems (BMS): BMS is used to manage access control to key buildings and rooms, electronically controlling who can enter where. The team was able to purchase a controller through eBay and found that some BMS are vulnerable to remote exploit and authentication bypass.
HVAC: While potentially more irritating than dangerous if tampered with, Pen Test Partners found that airport air conditioning is usually controlled remotely by third-parties and this could be a potential avenue for exploit — especially if connected to more valuable systems.
Check-in desks: While publicly messing with a self-service kiosk is unlikely to go unnoticed, many check-in desks are rented by airlines from the airport, and the software running on them can be outsourced to private companies. The compromise of one link in this chain could lead to system failures.
Baggage: According to the researchers, most baggage systems are either partially or fully autonomous, backed by industrial controllers and Windows operating systems.
“Whilst the baggage system itself is rarely directly exposed on an airport network, usually residing on a dedicated serial network, interfaces to it are sometimes exposed,” the team says.
Flight displays: As previously highlighted by the Bristol Airport incident, flight displays do seem to be a weak link. During the penetration test, the researchers were able to inject their own flight on to a display.
CCTV, Wi-Fi: Security issues surrounding cameras and Wi-Fi networks — especially when public — are well-documented. In the case of CCTV in the airport experiment, the researchers were able to recover private encryption keys, and when it comes to Wi-Fi, an aviation security concern is the possible spoofing of a network to lure staff or aviation devices into connecting to honeypots.
Going airside: In some cases, biometric data — such as face scans — are not automatically verified; instead, they are sent to nearby border officers for inspection. The networks facilitating these exchanges are not always segregated and may be visible on corporate networks.
Scanners, x-ray machines, and concession spaces, too, are also networked. In the latter case, access to wider airport systems can be possible.
Planes and machinery: Pen Test Partners says control and billing systems for ground power necessary to keep planes running are networked, whereas fuel delivery is less so — but is also becoming increasingly automated.
“The pilot’s Electronic Flight Bag can be used to specify the fuel load required, which is sent through an API to a tablet carried by the fueller, having been reviewed back at the airline’s flight operations for weight and balance,” the team note.
Airside vehicles: Vehicles are often equipped with ADS-B to keep them on the radar, but the problem is that this protocol is not encrypted or authenticated, potentially leading to compromise through rogue signals, thereby placing phantom vehicles on busy runways.
Instrument landing systems: Also known as ILS, these systems are widely used for aircraft to navigate on the ground. Unfortunately, they are also able to be spoofed.
TechRepublic: Financial industry spends millions to deal with breaches
Docking systems: Automated docking systems that use infrared to direct planes to their final destination are in use and are not invulnerable to exploit, as the team found when they were able to change a plane’s signature from an A380 to an A320.
The overall complexity of the aviation environment is staggering, but the same simple principles apply to its security as to the enterprise.
Software patching schedules, the monitoring of endpoints for suspicious behavior, and staff training help, but given that one compromised system has the potential to impact the operations of an entire airport, operators need to go further.
Pen Test Partners says that the segregation of networks, the isolation or containment of systems unable to be properly secured, and the principles of least privilege should be a priority for airports worldwide to mitigate the risk of cyberattacks.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0