There was some press coverage in advance of last week’s Black Hat conference about vulnerabilities in commercial-aircraft flight management systems and their possible implications for the safety of flight, for example a Reuters article by Jim Finkle from August 4.
The article is technically fairly accurate on the claims made and the manufacturer’s response, but it also includes comments such as this:

Vincenzo Iozzo, a member of Black Hat’s review board, said Santamarta’s paper marked the first time a researcher had identified potentially devastating vulnerabilities in satellite communications equipment. “I am not sure we can actually launch an attack from the passenger inflight entertainment system into the cockpit,” he said. “The core point is the type of vulnerabilities he discovered are pretty scary just because they involve very basic security things that vendors should already be aware of.”
Which sort of says what the Black Hat program committee knows about airworthiness certification of avionics: not very much, if anything at all. The phrases “potentially devastating” and “pretty scary” are to my mind completely out of place. I have also seen some public discussion of the vulnerability claims which suggests the sky could, or is at least theoretically able to, or maybe possibly theoretically able to, fall. I figure it is worth saying a couple of words about it here.
This note may seem ponderous, but I think it is important to give the
complete background and references. Aviation airworthiness
certification is one of the more developed safety assessment regimes and
some public discussion is obviously ignorant of it. For example, some
contributions fail to make the basic distinction between a vulnerability
(which could pose a hazard) and the possible consequences of
exploitation of that vulnerability (the severity of the hazard).
This distinction has been basic to safety and security analysis for half a century or more. Its necessity is easy to see. People can demonstrate hacking bank ATMs at security conferences and have them spill banknotes all over the stage. But that doesn’t mean the hacker has access to all the networks at the bank in question and can embezzle trillions from their transaction systems. Indeed, no one thinks it does. The vulnerability is that a bank ATM can be compromised; the severity is (at least) that it loses its contents, and maybe more (maybe hackers can gain access to the central control software). A bank can routinely cope with losing all the bank notes in an ATM; by all accounts attempts at fraud in financial transaction systems are orders of magnitude more severe and have been for decades. Vulnerability and consequences are connected but separate, and both or either could be rightly or wrongly assessed in any given proposal.
It appears vulnerabilities do exist in the systems investigated by
the company IOActive and its associate Ruben Santamarta, but the
severities of any such vulnerabilities have already been assessed by
regulators during airworthiness certification and have been found to be
negligible or minor.
There is a White Paper on their work from the company IOActive. It concerns vulnerabilities in satellite-communications (SATCOM) systems in general, mostly about ships and land equipment for the military. There is one aviation application, as far as I can see. They claim to have compromised Cobham Aviator 700 and Aviator 700D devices. This kit contains software certified to DO-178B Design Assurance Level (DAL) E, respectively DAL D, they say. They also say it is installed on the military C-130J.
The first paragraph of “Scope of Study” in the company White Paper
says that the researcher(s) didn’t have access to all the devices, but
“reverse-engineered” those to which they didn’t have access and found
vulnerabilities in their reverse-engineered copies.
DAL D software is that installed on kit whose malfunction could have at most a “minor effect”. DAL E software is that installed on kit whose malfunction could have at most “no effect”. These are technical terms: the notion of “effect” is the aviation-certification term for the possible consequences of a failure and corresponds with the more common term “severity” used in other safety-related engineering disciplines. A good general reference on certification of aviation equipment is Chapter 4 of Systematic Safety, E. Lloyd and W. Tye, CAA Publications, London, 1982. Lloyd and Tye categorise a Minor Effect as one “in which the airworthiness and/or crew workload are only slightly affected” and say that “Minor Effects … are not usually of concern in certification”.
They don’t include them in the risk matrix which they use to illustrate
the certification requirements. The risk matrix shows the slightly
differing characterisations of the FAA and JAA certification regimes.
The JAA was the former de facto certification authority in Europe and
has been subsequently replaced by EASA. Most countries accept FAA and
EASA airworthiness certification as adequate demonstration of
airworthiness.
The Cobham Aviator series is kit which may or may not be fitted to any specific aircraft. The Cobham WWW site contains a number of data sheets about the Aviator series. It appears to be available for (retro)fit to the Dassault Falcon bizjet series, and apparently NASA Armstrong FRC has some: here is a related purchase order.
The airworthiness of the Cobham Aviator 700 and 700D systems is governed by
14 CFR 25.1309 in the US, and
Certification Specification 25 (CS-25)
clause 25.1309 in Europe. There is an FAA Advisory Circular defining
the acceptable means of compliance with this regulation, which includes
the definitions of effects and their allowable probabilities:
AC 25.1309-1A System Design and Analysis, issued 21 June 1988.
The specific definition of “Minor Effect” from AC 25.1309-1A is
Failure conditions which would not significantly
reduce airplane safety, and which involve crew actions that are well
within their capabilities. Minor failure conditions may include, for
example, a slight reduction in safety margins or functional
capabilities, a slight increase in crew workload, such as routine flight
plan changes, or some inconvenience to occupants.
The CS-25 definition is similar.
The general vulnerabilities IOActive claim to have found in the Cobham Aviator devices are listed in Table 1 of their report:
Backdoors
Weak Password Reset
Insecure Protocols
Hardcoded credentials
IOActive has informed US-CERT about the vulnerabilities it has found in the Cobham Aviator 700 and 700D kit. The US-CERT entry in the Vulnerability Notes Database contains a rather more precise statement of the vulnerabilities found. The note says that the identified vulnerabilities are
CWE-327: Use of a Broken or Risky Cryptographic Algorithm – CVE-2014-2943

IOActive reports that Cobham satellite terminals utilize a risky algorithm to generate a PIN code for accessing the terminal. The algorithm is reversible and allows a local attacker to generate a superuser PIN code.

CWE-798: Use of Hard-coded Credentials – CVE-2014-2964

IOActive reports that certain privileged commands in the satellite terminals require a password to execute. The commands debug, prod, do160, and flrp have hardcoded passwords. A local attacker may be able to gain unauthorized privileges using these commands.
The Common Weakness Enumeration (CWE) is maintained by MITRE, and an explanation of, for example, CWE-327 is to be found on the CWE WWW site, as is an explanation of CWE-798.
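The two CWE entries above describe generic patterns rather than anything specific to Cobham’s kit, so here is a constructed Python illustration, added for this note and not code from Cobham, IOActive or US-CERT, of what each weakness looks like beside a hardened alternative: a keyless derivation of a PIN from a serial number (recomputable by anyone who knows the serial), a per-command password table compiled into firmware, and, against both, per-unit secrets derived under a vendor-held provisioning key of which the unit stores only a salted hash. The serial number, command names, passwords, the provisioning-key model and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example for this note: toy code, not Cobham's, IOActive's or
# US-CERT's. Serial numbers, command names, the provisioning key and all
# passwords below are made up.

# ---- Weak pattern 1 (CWE-327 as the note describes it): keyless derivation ----
# The "superuser" PIN is a fixed arithmetic transform of the unit's serial
# number. No secret enters the computation, so anyone who knows the serial
# and the transform can recompute the PIN. In effect it is one hardcoded
# credential per unit, and publishing the transform publishes every PIN.
def weak_pin_from_serial(serial: str) -> str:
    digits = [int(c) for c in serial if c.isdigit()]
    total = sum((i + 1) * d for i, d in enumerate(digits))
    return f"{total % 1_000_000:06d}"


# ---- Weak pattern 2 (CWE-798): one password per command, baked into firmware ----
HARDCODED_COMMAND_PASSWORDS = {"debug": "dbg-1234", "prod": "prd-1234"}  # constructed

def weak_authorize(command: str, candidate: str) -> bool:
    # Same password on every unit; one firmware image leaks it for all of them.
    return HARDCODED_COMMAND_PASSWORDS.get(command) == candidate


# ---- Hardened pattern for both -------------------------------------------------
# A provisioning key held only in the vendor's provisioning system (assumed
# model; it is never shipped in firmware) derives per-unit, per-command
# secrets. The unit stores only a salted, stretched hash of each secret, so
# neither the key nor any secret can be read out of the device or its image.
PBKDF2_ITERATIONS = 100_000
PROVISIONING_KEY = bytes.fromhex("6b" * 32)  # constructed; a real one: secrets.token_bytes(32)

def derive_secret(label: str, serial: str, provisioning_key: bytes) -> str:
    """Vendor side. label is "pin" or a command name such as "debug"."""
    msg = f"{label}:{serial}".encode()
    mac = hmac.new(provisioning_key, msg, hashlib.sha256).digest()
    if label == "pin":
        # Six-digit front-panel PIN: a small space, so the unit must also
        # rate-limit attempts; the stored hash only stops reading it out.
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
    return mac[:16].hex()  # 128-bit maintenance-port command password

def make_record(secret: str) -> dict:
    """What the unit stores for one secret: salt and PBKDF2 digest, never the secret."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify_secret(candidate: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare

def provision_unit(serial: str, provisioning_key: bytes, commands: list) -> tuple:
    """Vendor side: returns (secrets handed to the installer, records loaded into the unit)."""
    labels = ["pin", *commands]
    plain = {lbl: derive_secret(lbl, serial, provisioning_key) for lbl in labels}
    records = {lbl: make_record(sec) for lbl, sec in plain.items()}
    return plain, records

def authorize(label: str, candidate: str, records: dict) -> bool:
    """Unit side: consults only the stored records; unknown labels always fail."""
    record = records.get(label)
    return record is not None and verify_secret(candidate, record)


if __name__ == "__main__":
    serial = "SN-0012345"  # constructed
    print("weak PIN recomputable from the serial alone:", weak_pin_from_serial(serial))
    plain, records = provision_unit(serial, PROVISIONING_KEY, ["debug", "prod"])
    print("hardened unit stores no secrets:", {k: sorted(v) for k, v in records.items()})
    print("installer PIN accepted:", authorize("pin", plain["pin"], records))
    print("debug password reused for prod rejected:", authorize("prod", plain["debug"], records))
```

Note what the hardened form does and does not change: it addresses the vulnerability, by narrowing what someone with access to one unit gains to that unit’s own secrets, and it leaves the certification question of what a malfunction of the unit can do to the aircraft exactly where it was.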
IOActive says the following about the vulnerabilities of the Cobham 700 and 700D devices. I quote their report in full.
The vulnerabilities listed in Table 1 could allow an attacker to take
control of both the SwiftBroadband Unit (SBU) and the Satellite Data
Unit (SDU), which provides Aero- H+ and Swift64 services. IOActive found
vulnerabilities an attacker could use to bypass authorization
mechanisms in order to access interfaces that may allow control of the
SBU and SDU. Any of the systems connected to these elements, such as the
Multifunction Control Display Unit (MCDU), could be impacted by a
successful attack. More specifically, a successful attack could
compromise control of the satellite link channel used by the Future Air
Navigation System (FANS), Controller Pilot Data Link Communications
(CPDLC) or Aircraft Communications Addressing and Reporting System
(ACARS). A malfunction of these subsystems could pose a safety threat
for the entire aircraft.
This is the entire statement. IOActive is thus explicitly disagreeing with the regulators: they say the vulnerabilities “could pose a safety threat for the entire aircraft”, whereas the regulators have determined during airworthiness certification that the consequences of any malfunction of the Aviator 700 and 700D are “No Effect”, respectively a “Minor Effect”.
It is certain that regulator and vendor have a significant amount of
paperwork on file purporting to establish the severity of malfunctions
of the Cobham Aviator 700 and 700D kit. Much of that will refer in
detail to the kit, and therefore will contain proprietary information
and will not be available to the general public.
In contrast, IOActive has merely asserted, as above, its deviant view
of the severity, as far as I can tell without providing any reasoning
to back up its claim.
The vendor has provided the following statement to US-CERT:
Cobham SATCOM has found that potential exploitation of
the vulnerabilities presented requires either physical access to the
equipment or connectivity to the maintenance part of the network, which
also requires a physical presence at the terminal. Specifically, in the
aeronautical world, there are very strict requirements for equipment
installation and physical access to the equipment is restricted to
authorized personnel.
The described hardcoded credentials are only accessible via the
maintenance port connector on the front-plate and will require direct
access to the equipment via a serial port. The SDU is installed in the
avionics bay of the aircraft, and is not accessible for unauthorized
personnel.
Cobham SATCOM will continue to evaluate any potential
vulnerabilities with its equipment and implement increased security
measures if required.
In other words, the vendor doesn’t think the discovered vulnerabilities affect the use of its kit much at all, and presumably the regulator agrees – that is, it has already agreed in advance during airworthiness certification, and sees no reason to change its mind.
US-CERT judges the Impact to be: “A local unauthenticated attacker may be able to gain full control of the satellite terminal.” Under Solution it says: “The CERT/CC is currently unaware of a practical solution to this problem.”
I would disagree with the use of the words “problem” and “solution” here. Indeed the entire categorisation seems to be somewhat puzzling. Obviously the vendor could fix the vulnerabilities by using better crypto in places, and by using device-access authentication that is not hard-coded; that would surely constitute a “practical solution”, and surely CERT is as aware of this as I am and the vendor is. It also appears that neither vendor nor regulator sees the need to undertake any action in response to the revelations. There is no record that the airworthiness certification of the kit has been withdrawn and I presume it hasn’t been.
Summary: IOActive and US-CERT have said “you’re using risky or broken crypto, and you’re hard-coding authentication”. Vendor and (implicitly) airworthiness regulator have said “so what?”. End of story, probably.
None of this is to say that airworthiness certification always gets it right. Indeed, it is clear that every so often it gets it wrong. But it is a lot more effective than what people without any experience of it seem to be assuming in discussion.