There has been some press in advance of last week’s Black Hat conference speaking of vulnerabilities in commercial-aircraft flight management systems and possible implications for the safety of flight, for example in a Reuters article by Jim Finkle from August 4. The article is technically fairly accurate on the claims made and the manufacturer’s response, but it also includes comments such as this
Vincenzo Iozzo, a member of Black Hat’s review board, said Santamarta’s paper marked the first time a researcher had identified potentially devastating vulnerabilities in satellite communications equipment.
“I am not sure we can actually launch an attack from the passenger inflight entertainment system into the cockpit,” he said. “The core point is the type of vulnerabilities he discovered are pretty scary just because they involve very basic security things that vendors should already be aware of.”
Which sort of says what the Black Hat program committee know about airworthiness certification of avionics: not very much, if anything at all. The phrases “potentially devastating” and “pretty scary” are to my mind completely out of place. I have also seen some public discussion of the vulnerability claims which suggests the sky could, or is at least theoretically able to, or maybe possibly theoretically able to, fall. I figure it is worth saying a couple words about it here.
This note may seem ponderous, but I think it is important to give the complete background and references. Aviation airworthiness certification is one of the more developed safety assessment regimes and some public discussion is obviously ignorant of it. For example, some contributions fail to make the basic distinction between a vulnerability (which could pose a hazard) and the possible consequences of exploitation of that vulnerability (the severity of the hazard).
This distinction is basic to safety and security analysis for half a century or more. Its necessity is easy to see. People can demonstrate hacking bank ATMs at security conferences and have them spill banknotes all over the stage. But that doesn’t mean the hacker has access to all the networks at the bank in question and can embezzle trillions from their transaction systems. Indeed, no one thinks it does. The vulnerability is that a bank ATM can be compromised; the severity is (at least) that it loses its contents, and maybe more (maybe hackers can gain access to the central control SW). A bank can routinely cope with losing all the bank notes in an ATM; by all accounts attempts at fraud in financial transaction systems are orders of magnitude more severe and have been for decades. Vulnerability and consequences are connected but separate, and both or either could be rightly or wrongly assessed in any given proposal.
It appears vulnerabilities do exist in the systems investigated by the company IOActive and its associate Ruben Santamarta, but the severities of any such vulnerabilities have already been assessed by regulators during airworthiness certification and have been found to be negligible or minor.
There is a White Paper on their work from the company IOActive. It concerns vulnerabilities in satellite-communications (SATCOM) systems in general, mostly about ships and land-equipment for the military. There is one aviation application, as far as I can see. They claim to have compromised Cobham Aviator 700 and Aviator 700D devices. This kit contains software certified to DO-178B Design Assurance Level (DAL) E, respectively DAL D, they say. They also say it is installed on the military C-130J.
The first paragraph of “Scope of Study” in the company White Paper says that the researcher(s) didn’t have access to all the devices, but “reverse-engineered” those to which they didn’t have access and found vulnerabilities in their reverse-engineered copies.
DAL D software is that installed on kit whose malfunction could have at most a “minor effect“. DAL E software is that installed on kit whose malfunction could have at most “no effect”. These are technical terms: the notion of “effect” is the aviation-certification term for the possible consequences of a failure and corresponds with the more common term “severity” used in other safety-related engineering disciplines. A good general reference on certification of aviation equipment is Chapter 4 of Systematic Safety, E. Lloyd and W. Tye, CAA Publications, London, 1982. Lloyd and Tye categorise a Minor Effect as one “in which the airworthiness and/or crew workload are only slightly affected” and say that “Minor Effects … are not usually of concern in certification”. They don’t include them in the risk matrix which they use to illustrate the certification requirements. The risk matrix shows the slightly differing characterisations of the FAA and JAA certification regimes. The JAA was the former de facto certification authority in Europe and has been subsequently replaced by EASA. Most countries accept FAA and EASA airworthiness certification as adequate demonstration of airworthiness.
The Cobham Aviator series is kit which may or may not be fitted to any specific aircraft. The Cobham WWW site contains a number of data sheets about the Aviator series. It appears to be available for (retro)fit to the Dassault Falcon bizjet series and apparently NASA Armstrong FRC has some: here is a related purchase order.
The airworthiness of the Cobham Aviator 700 and 700D systems is governed by 14 CFR 25.1309 in the US, and Certification Specification 25 (CS-25) clause 25.1309 in Europe. There is an FAA Advisory Circular defining the acceptable means of compliance with this regulation, which includes the definitions of effects and their allowable probabilities: AC 25.1309-1A System Design and Analysis, issued 21 June 1988.
The specific definition of “Minor Effect” from AC 25.1309-1A is
Failure conditions which would not significantly reduce airplane safety, and which involve crew actions that are well within their capabilities. Minor failure conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some inconvenience to occupants.
The CS-25 definition is similar.
The general vulnerabilities IOActive claim to have found in the Cobham Aviator devices are listed in Table 1 of their report:
Weak Password Reset
IOactive has informed US-CERT about the vulnerabilities it has found in the Cobham Aviator 700 and 700D kit. The US-CERT entry in the Vulnerability Notes Database contains a rather more precise statement of the vulnerabilities found. The note says that the identified vulnerabilities are
CWE-327: Use of a Broken or Risky Cryptographic Algorithm – CVE-2014-2943 IOActive reports that Cobham satellite terminals utilize a risky algorithm to generate a PIN code for accessing the terminal. The algorithm is reversible and allows a local attacker to generate a superuser PIN code.
CWE-798: Use of Hard-coded Credentials – CVE-2014-2964 IOActive reports that certain privileged commands in the the satellite terminals require a password to execute. The commands debug, prod, do160, and flrp have hardcoded passwords. A local attacker may be able to gain unauthorized privileges using these commands.
IOactive says the following about the vulnerabilities of the Cobham 700 and 700D devices. I quote their report in full.
The vulnerabilities listed in Table 1 could allow an attacker to take control of both the SwiftBroadband Unit (SBU) and the Satellite Data Unit (SDU), which provides Aero- H+ and Swift64 services. IOActive found vulnerabilities an attacker could use to bypass authorization mechanisms in order to access interfaces that may allow control of the SBU and SDU. Any of the systems connected to these elements, such as the Multifunction Control Display Unit (MCDU), could be impacted by a successful attack. More specifically, a successful attack could compromise control of the satellite link channel used by the Future Air Navigation System (FANS), Controller Pilot Data Link Communications (CPDLC) or Aircraft Communications Addressing and Reporting System (ACARS). A malfunction of these subsystems could pose a safety threat for the entire aircraft.
This is the entire statement. IOActive is thus explicitly disagreeing with the regulators: they say the vulnerabilities “could pose a safety threat for the entire aircraft” whereas the regulators have determined during airworthiness certification that the consequences of any malfunction of the Aviator 700 and 700D are “No Effect”, respectively a “Minor Effect”.
It is certain that regulator and vendor have a significant amount of paperwork on file purporting to establish the severity of malfunctions of the Cobham Aviator 700 and 700D kit. Much of that will refer in detail to the kit, and therefore will contain proprietary information and will not be available to the general public.
In contrast, IOActive has merely asserted, as above, its deviant view of the severity, as far as I can tell without providing any reasoning to back up its claim.
The vendor has provided the following statement to US-CERT:
Cobham SATCOM has found that potential exploitation of the vulnerabilities presented requires either physical access to the equipment or connectivity to the maintenance part of the network, which also requires a physical presence at the terminal. Specifically, in the aeronautical world, there are very strict requirements for equipment installation and physical access to the equipment is restricted to authorized personnel.
The described hardcoded credentials are only accessible via the maintenance port connector on the front-plate and will require direct access to the equipment via a serial port. The SDU is installed in the avionics bay of the aircraft, and is not accessible for unauthorized personnel.
Cobham SATCOM will continue to evaluate any potential vulnerabilities with its equipment and implement increased security measures if required.
In other words, they don’t think the discovered vulnerabilities affect the use of its kit much at all, and presumably the regulator agrees – that is, it has already agreed in advance during airworthiness certification, and sees no reason to change its mind.
A local unauthenticated attacker may be able to gain full control of the satellite terminal.
The CERT/CC is currently unaware of a practical solution to this problem.
I would disagree with use of the words “problem” and “solution” here. Indeed the entire categorisation seems to be somewhat puzzling. Obviously the vendor could fix the vulnerabilities by using better crypto in places, and by using device-access authentication that is not hard-coded; that would surely constitute a “practical solution” and surely CERT is as aware of this as I am and the vendor is. It also appears that neither vendor nor regulator sees the need to undertake any action in response to the revelations. There is no record that the airworthness certification of the kit has been withdrawn and I presume it hasn’t been.
Summary: IOActive and US-CERT have said “you’re using risky or broken crypto, and you’re hard-coding authentication”. Vendor and (implicitly) airworthiness regulator have said “so what?”. End of Story, probably.
None of this is to say that airworthiness certification always gets it right. Indeed, it is clear that every so often it is gotten wrong. But it is a lot more effective than what people without any experience of it seem to be assuming in discussion.