If you’re about to get on an aeroplane, you might want to wait until you land before you read this post. Because cyber security whiz Ruben Santamarta says he has devised a method that can give hackers access to a passenger jet’s satellite communications equipment through the passenger Wi-Fi and in-flight entertainment systems.
Santamarta will present his research at the Black Hat security conference in Las Vegas this week. Reuters says that his talk “is expected to be one of the most widely watched at the conference”. As with any of the announcements made at conferences like Black Hat, however, it’s important to realise that just because a security researcher can do it doesn’t mean hackers are doing it, too. Santamarta also admits he’s not sure how practical the hack would be in the real world, but he is able to replicate it in a lab setting.
Furthermore, since the specific details of the exploit won’t be announced until Santamarta’s presentation later this week, we’re left guessing until then just how big of an issue this actually is. (Some of the details are included in a white paper Santamarta published earlier this year, however.) So there are plenty of caveats to go with his initial report.
The cause for concern is clear, though. If Santamarta’s claims check out, the exploit affects some of the most common satellite communications equipment on the market. These systems are used not only in aeroplanes but also in ships, military vehicles, and industrial facilities like oil rigs, gas pipelines, and wind turbines. The hack targets the equipment’s firmware and gives hackers the ability to manipulate the avionics system, which in turn could affect navigation.
“In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it,” Santamarta says in the description of his talk. He told Reuters, “These devices are wide open. The goal of this talk is to help change that situation.”
The good news is that Santamarta plans on revealing the nitty-gritty details of the exploit in his Black Hat presentation so that the companies that make the vulnerable equipment can fix the problems. The bad news is that the nitty-gritty details include the fact that the exploit boils down to a password vulnerability. Because evidently we still haven’t learned our lesson about passwords. [Reuters, Black Hat]
Picture: The in-flight entertainment screen above is not actually a photo of the exploit. It’s just a Linux boot screen. Flickr/paulmmay