Cyber-hijacking Airplanes:

Similar documents
Applicability / Compatibility of STPA with FAA Regulations & Guidance. First STAMP/STPA Workshop. Federal Aviation Administration

Garrecht TRX 1500 Traffic-Sensor

NextGen and GA 2014 Welcome Outline Safety Seminars Safety Seminars

U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION. National Policy

Change to Automatic Dependent Surveillance Broadcast Services. SUMMARY: This action announces changes in ADS-B services, including Traffic Information

Advisory Circular. Automatic Dependent Surveillance - Broadcast

Hijacked from the Ground. Christopher S. Dye

Gogo Connected Aircraft Services

Initial 4D Trajectory Management via SwiftBroadband Iris Event Salzberg

28 January, 2010 New Delhi, India. Larry Coughlin. Airports Authority of India Automatic Dependent Surveillance-Broadcast (ADS-B)

The NextGen contribution to the near and mid-term safety. Steve Bradford NextGen Chief Scientist Date: June 12th 2017

Technical Standard Order

The organisation of the Airbus. A330/340 flight control system. Ian Sommerville 2001 Airbus flight control system Slide 1

COCKPIT. resource management. Getting the most out of your avionics potential

OVERVIEW OF THE FAA ADS-B LINK DECISION

Electronic visibility via ADS-B for small aircraft. John Korna, NATS

9/16/ CHG 213 VOLUME 3 GENERAL TECHNICAL ADMINISTRATION CHAPTER 61 AIRCRAFT NETWORK SECURITY PROGRAM

GTX 345 Transponder & ICAO IFR Filing. Charlotte County Composite Squadron FL Feb 2017 Maj Dick Morrell, Lt Tom Britton

Christchurch, New Zealand, April 2015

The Green Airplane and Cyber

Aircraft Information Systems Security

Display Systems. 1. General. A. Multi-Function Display (MFD) B. Primary Flight Display (PFD)

Captain John Martin Head of Flight Safety Programmes

New York Aviation Management Association Conference

NATA Aircraft Maintenance & System Technology Committee Best Practices. RVSM Maintenance

Emerging Locator & Flight Data Technology

Introduction Fly By Wire Aircraft & New Technology

New issues raised on collision avoidance by the introduction of remotely piloted aircraft (RPA) in the ATM system

ACN: Time / Day. Place. Environment. Aircraft Reference : X. Component. Person. Events. Date :

Space Based ADS-B. ICAO SAT meeting - June 2016 AIREON LLC PROPRIETARY INFORMATION

Glass Cockpits in General Aviation Aircraft. Consequences for training and simulators. Fred Abbink

Discuss issues observed during the trial and implementation of ADS-B including review items from ADS-B Problem report database ADS-B ISSUES

Back to Basics: Testing in Aircraft with Electronic Flight Instrument Displays

Revisions to this AML must be coordinated between the STC holder and the responsible Aircraft Certification Office (ACO), and require FAA approval.

FINAL REPORT BOEING B777, REGISTRATION 9V-SWH LOSS OF SEPARATION EVENT 3 JULY 2014

Operating Safely. A Fundamental Guide to FAA RADAR Operations. Federal Aviation Administration Near Airports

ADVANCED SURVEILLANCE IN ONE INTEGRATED PACKAGE

Non-Group RVSM Certification Presentation Topics

Services for Air Transport. The mobile satellite company

ADS-B (Automatic Dependent Surveillance Broadcast)

GENERAL INFORMATION Aircraft #1 Aircraft #2

Non-Group RVSM Certification Process. Anthony C. Wiederkehr FAA DER - Flight Analyst

Surveillance and Broadcast Services

A V I A T I O N P R O G R A M

INSTRUCTIONS FOR USING THIS SAMPLE FLIGHT MANUAL SUPPLEMENT

Taking your Pro Line 21 King Air into NextGen airspace. Pro Line 21 INTEGRATED AVIONICS SYSTEM FOR KING AIR

KEY FEATURES IN SHORT

The next generation of in-flight, real-time 3-D moving maps. Airshow 4000 MOVING MAPS

Publications and Training Solutions Course Syllabus:

In-Flight Entertainment and Connectivity

8 Things Every Aircraft Owner Needs To Know About The 2020 ADS-B Mandate. Contents INTRO: WHAT IS ADS-B EQUIPMENT, AND WHAT DOES IT DO?...

FLIGHT SAFETY Technology and the Human Factor. A pilot s perspective by Prof. dr ir J.A. Mulder Delft University of Technology

Safety Enhancement RNAV Safe Operating and Design Practices for STARs and RNAV Departures

International Civil Aviation Organization

Progressive Technology Facilitates Ground-To-Flight-Deck Connectivity

Cover...0. Page #...0 TOC Index.0. Inside Back Cover..0. Outside Back Cover 0

Hazard Identification Questionnaire

ARINC Project Initiation/Modification (APIM)

U.S. NAVY CNS/ATM Program Status

First Review Meeting of AFI VSAT Network Managers (AFI VSAT Review/1) (Dakar, Senegal, 3 to 5 October 2011) SUMMARY

ADS-B Rule and Installation Guidance

RAAC/15-WP/14 International SUMMARY REFERENCES. A Safety

International Civil Aviation Organization Automatic Dependent Surveillance Broadcast (ADS-B) Study and Implementation Task Force

Form 91 Application for Approval of an EFB System

SERVICE LETTER COMMUNICATIONS - LINK CPDLC AND VHF ACARS CONFIGURATION VERIFICATION

Subject: Automatic Dependent Surveillance-Broadcast (ADS-B) Operations and Operational Authorization

Entered into Service in February Total Time Since New: 2,450 Hours. Cycles: 750

Global Avionics Training Specialists, LLC

Cyber risks in aviation

Notice of Requirement

FLIGHT DISPATCH MANUAL

Instructions for Continued Airworthiness GDL 84/88 Part 23 AML STC as installed in. (Make and Model Airplane)

Space Based ADS-B. Transforming the Way you See the Sky September 23, /22/2015

The benefits of satcom to airlines. Prepared by Helios for

SITUATIONAL AWARENESS

Avionics CyberThreat. Airplanes Are Hard!

Publications and Training Solutions Course Syllabus:

Flight Evaluation Schedule For GPS IFR Approval Primary Means Enroute, Terminal and Non-Precision Approach

Bombardier Challenger 300 & Challenger 350

Aerospace Engineers. Toll-free: Tel:

NEMSPA Opportunity to Improve

Pre-Solo Written Exam

National Transportation Safety Board Washington, D.C

The INs and OUTs of ADS-B

IATA Paperless Aircraft Operations Conference Review of e-operation initiatives since SWISS

Beech Baron 58 Flight Manual READ ONLINE

International Civil Aviation Organization. Automatic Dependent Surveillance Broadcast (ADS-B) Study and Implementation Task Force

EE Chapter 12 Design and Maintenance of Aircraft System

LONG-RANGE STATE AIRCRAFT FLEET REPLACEMENT PLAN

MetroAir Virtual Airlines

WELCOME TO THE AGE OF THE CONNECTED AIRCRAFT

The Airline Training Pilot By Tony Smallwood

Flight Space of Commercial Aircraft

BFR WRITTEN TEST B - For IFR Pilots

Pitot/Static System. Avionics. Single ADC LEFT PITOT TUBE AIR DATA COMPUTER RIGHT PITOT TUBE COPILOT ASI PILOT COPILOT ASI VSI PILOT

SPECIAL PROCEDURES FOR IN-FLIGHT CONTINGENCIES IN OCEANIC AIRSPACE OF SEYCHELLES FIR

CHC P310 Operation Procedure

TRAFFIC TRANSPONDER / WEATHER. ADS-B compliance is just the beginning. Aviation Products

Adding your Aircraft to a 14CFR 135 Operating Certificate

SERVICE BULLETIN TITLE NAVIGATION - ENHANCED SURVEILLANCE TRANSPONDER STRAPPING MODIFICATION

Transcription:

Cyber-hijacking Airplanes: Truth or Fiction? Dr. Phil of Bloomsburg University @ppolstra http://philpolstra.com Captain Polly of University of <redacted> @CaptPolly

Why This Talk? Lots of bold claims concerning the feasibility of cyber-hijacking Bold claims get lots of press Most people don't know enough to evaluate these claims Whether you feel safer or even more scared should be based on facts

Who is Dr. Phil You may know me as a hardware hacker, but I'm also... Holder of 12 aviation ratings, all current, including: Commercial Pilot Flight Instructor Aircraft Mechanic Inspection Authorization holder Avionics Technician Have thousands of hours of flight time Aircraft builder Have worked on the development of avionics found in modern airliners Have access to airliner manuals, current and former airline pilots

Who is Captain Polly Former airline pilot for a major US carrier Thousands of hours in airliners and small aircraft Aviation professor Head of college simulator program Spouse of a current airline pilot

What you will learn How some of the common aircraft systems really work, including: ADS-B ADS-A ACARS Transponders Collision avoidance GPS Autopilots Avionics buses and networks Attacks being presented by others

Some commonly discussed attacks Hacking into the avionics via the entertainment network Hacking ADS-B Hacking engine systems Hacking ACARS

Let's get this out of the way to start You cannot override the pilot All aircraft feature unhackable mechanical backup instruments You can affect the autopilot operation If pilot(s) notice they will disconnect Anything you attempt will likely result in alerts

Attacking avionics networks Older aircraft use ARINC 429 networks Not connected to anything useful Require specialized hardware Newer aircraft use a modified version of Ethernet known as ARINC 664 or AFDX

ARINC 664 and AFDX Built on Ethernet, but... Can't just start sending packets Never wireless Some security in place Not connected to entertainment system Not connected to in-flight wifi

Meet ARINC 664 aka AFDX Based on ARINC 629 First created by Boeing for 777 Allows the use of common off the shelf (COTS) components vs ARINC 429 which is proprietary Built on Ethernet, but not the same Uses redundant channels Assigns time slices to avoid collisions and make it deterministic

ARINC 664 Virtual Links Unidirectional logical pipe 1 and only 1 sender 1 or more receiver Timeslicing is used to avoid collisions Bandwidth Allocation Gap (BAG) determines size of timeslice Jitter (max latency min latency) determined by number of VL and BAG

AFDX Connections

ARINC 664 in real life

Tight Integration with ARINC 664

Entertainment Systems Connected to output ports on GPS and FMS or through a Network Extension Device (NED) Never connected to ARINC 429/629/664 Remember that the avionics network is never wireless and not compatible with your friendly TCP/IP

Boeing 777 Confusion Boeing asked for a special condition to allow the passenger information network to be connected to other networks such as the aircraft information network FAA granted this special condition on 11/18/13 provided that a network extension device (NED) was used and certain conditions were met

777 Confusion (contd) FAA specified: The applicant must ensure that the design provides isolation from, or airplane electronic system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.

Meet NED the Network Extension Device Essentially a gateway that goes between ARINC 429/629/664 and IP Like any gateway each path must be programmed FMS does not receive input from NED Cannot send bogus commands to FMS If NED is compromised may be possible to impersonate another device

Example NED implementation Shameless used from http://www.teledynecontrols.com/productsolution/ned/blockdiagram.asp

MH370? A Boeing 777 Uses ARINC 629 Not 664 we've been discussing Really not Ethernet The 777 is essentially the only plane to use ARINC 629 Harder to hack than ARINC 664

Airliner Entertainment System Connection Redacted from online slides

Hacking In-flight Wireless <video on attacking avionics networks via in-flight wireless>

Attacking ADS-B/ADS-A Can create phantom aircraft No security in protocol Could create fake weather reports Could be jammed Not likely to affect TCAS

ADS-B (broadcast) Piloted in Alaska Intended to improve flying where RADAR coverage is limited Part of a Free Flight system planned for the future Provides traffic and weather where available Used by small planes to broadcast position information

ADS-A (addressable) What the airlines use (contrary to what you may have heard) Related to ACARS ADS-B == cable-ready TV ADA-A == addressable cable box with pay-per-view, etc Allows specific airplanes to send/receive messages Allows lower separation outside of RADAR coverage Airliners use neither ADS-B or ADS-A for collision avoidance

TIS-B Collision Avoidance Provided by ATC Requires a mode S transponder (ADS-B in) Only available in some areas Not authoritative Does not use ADS-B signals ATC does not automatically relay every ADS-B signal they receive

Collision Avoidance (contd) TCAD TCAS Used in small planes Provides information Not authoritative What the big boys (biz jet and up) use

TCAS Uses transponders in the area Can actively interrogate other transponders Authoritative Pilot can use even if other aircraft not in sight

Transponders Supplement primary RADAR Mode S used in ADS-B Airliners have at least 2 Signals are used for collision avoidance

Attacking ADS-B <video of ADS-B attack in simulator>

If you could attack ADS-B <video of what ADS-B attack would look like if it really worked>

Attacking engine systems Engine monitors are output only Information is recorded for maintenance Some information may be sent via ACARS to airline and/or manufacturer Some engine control systems are electronic All have purely mechanical backup Most only trim mechanical system electronically

ACARS Can be used to send messages to/from ground Messages to/from people or systems Used for Weather Delays Updated flight plans Maintenance information

Attacking ACARS Could create a bogus flight plan update Could create bogus weather Hypothetically could create fake messages from plane to ground Not a practical way to take over an airplane

ACARS Attack <video showing a bogus flight plan update via ACARS>

Closing Thoughts Nearly every protocol used in aviation is unsecured There is certainly the potential to annoy ATC and/or small aircraft Increasing automation while continuing with unsecured protocols is problematic Airliners are relatively safe (for now)

Questions? Come see us after or hit us on Twitter at @ppolstra or @CaptPolly

2024 © travelsdocbox.com Privacy Policy | Terms of Service | Feedback