CyberWarfare / ExoWarfare

SatCom Hacks: Hundreds of Planes Exposed to Remote Attacks

“the astonishing fact is that this botnet was, inadvertently, performing brute-force attacks
against SATCOM modems located onboard an in-flight aircraft”


A researcher has discovered that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems.

Back in 2014, IOActive Principal Security Consultant Ruben Santamarta published a research paper describing theoretical attack scenarios on satellite communications. The expert resumed his research in November 2017, after taking a look at the in-flight entertainment system during a Norwegian flight.

After passively collecting traffic from the airplane’s Wi-Fi network, Santamarta noticed that several commonly used services, such as Telnet, HTTP and FTP, were available for certain IP addresses, and some interfaces associated with the plane’s on-board satellite communications (satcom) modems were accessible without authentication.

Further research into satcom systems revealed the existence of various types of vulnerabilities, including insecure protocols, backdoors, and improper configuration that could allow attackers to take control of affected devices. The expert disclosed his findings this week at the Black Hat security conference in Las Vegas.

Specifically, Santamarta has found security holes that can be exploited by remote hackers to take control of satcom equipment on commercial flights, earth stations on ships, and earth stations used by the U.S. military in conflict zones.

In the case of commercial aviation, the researcher discovered that hackers could have targeted, from the ground, hundreds of planes from Southwest, Norwegian and Icelandair.

Worryingly, in the case of one airplane, the researcher discovered that its satcom terminal had already been targeted from the ground by the Gafgyt IoT botnet via a compromised router.

“There is no indication that this malware family either had success accessing the SATCOM terminal on any aircraft or that it was specifically targeting airborne routers, so we should consider this situation as a ‘collateral damage’. However, the astonishing fact is that this botnet was, inadvertently, performing brute-force attacks against SATCOM modems located onboard an in-flight aircraft,” Santamarta wrote in his research paper.

Even more worrying is the fact that one of the vessels analyzed by the expert already had its Antenna Control Unit (ACU) infected with the Mirai malware.

In the military and maritime sectors, remote attacks on satcom systems could pose a safety risk. For instance, in the case of ships, attackers could disrupt communications and they can conduct cyber-physical attacks using high-intensity radiated field (HIRF), a radio-frequency energy strong enough to adversely affect living organisms and electronic devices. In the case of the military, malicious actors could abuse satcom systems to pinpoint the location of military units, disrupt communications, and conduct HIRF attacks.

On the other hand, remote attacks on an aircraft’s satcom equipment do not pose a safety risk due to the isolation between various systems on board. However, a hacker could still intercept or modify in-flight Wi-Fi traffic, and hijack devices belonging to passengers and crew.

IOActive disclosed the findings to affected vendors and organizations such as US-CERT and ICS-CERT, and while the aforementioned airlines and some of the affected equipment manufacturers have taken steps to address the issues, others have not been very open to collaboration.

In addition to Santamarta’s presentation at Black Hat, IOActive Senior Security Consultant Josep Pi Rodriguez, will on Sunday give a talk at the DEF CON conference on vulnerabilities discovered in the Extreme Networks embedded WingOS.

According to the researcher, the flaws he has identified can be exploited to hack millions of devices found in aircraft, government agencies, and smart cities.