
Who's got a sore head? Anyway, right, I'm here to talk about planes, an area of passion for me. I absolutely love flying.

Little bit about me. Who am I? I'm Ken. I am, some will say, unlucky; others might say a [ __ ] pilot. I've done crazy stuff like accidentally landing at the wrong airport. I've had engines fail on me. That was awkward 'cause we were about to of the channel. Bad day. Undercarriage got stuck up a few times. That was bad, one on my multi-engine flight test. I've only crashed into other airplanes three times, but great, don't fly with me. I've told them for ATC, for example, I was in there when actually I was much closer to Heath. I got a bit of trouble for that. Fortunately for everybody here, whilst I studied for my commercial written exams, I never made it to an airline, so you're safe from me. I ended up starting a pentest firm back in 2002, and I continue to fly light aircraft, general aviation or GA. My passion is doing crazy stuff in planes. I went to the Baltics to learn to fly old Russian airliners, which is really bloody cool. Multi-engine flights. My favorite plane of all time is a Cherokee 6, which is great, and I flew that to Courchevel and landed at the seventh most dangerous runway in the world and nearly broke the plane, but good, let's not go into too much detail.

Who are we? I founded a firm called Pen Test Partners back in 2010. There are 150 of us as of yesterday. Come a long way since using a used desk in my garage many years ago. Along the way we've learned a lot about hacking planes, or not hacking planes. Boeing have recognized that experience, have asked us to advise them, which is great, and we're also members of the DEF CON Aerospace Village, which I'll tell you all about a little bit later. Sort of planes we worked on: everything from light aircraft
through to bizjets, through to Airbus and really big Boeing planes, which are great fun, and we've done research into lots of the different systems that airplanes use.

Now, before we start: planes are really, really hard to fix. So one vulnerability we found took about a week to fix the code and about two years to recertify it, so the vulnerability couldn't be rolled out until the code had been recertified. Every single possible combination of consequence was checked, because you don't want the blue screen of death in the air. Really bad place to need to reboot your systems. There was an incident on certain airplane types that, yeah, you did have to do that in the air, but we won't talk about that.

Something weird about the media: they seem to lose their [ __ ] when we talk about hacking planes. You need to be really, really careful. It takes a long time to fix them and it's going to take a long time for organizations to actually get bugs fixed. But there are misconceptions out there. If you are sat back in the cabin, you cannot hack the airplane network going out there. There are pilots in control of the plane. They can disable systems, they can fly the plane manually. Even on the Airbus, which is fly-by-wire, there are backup systems over backup systems. When everything goes wrong, there are still backup systems to get the plane safely onto the ground. It just doesn't work like that. So when I see press stories which frankly are quite misleading, it makes me really angry, because all that does is it destabilizes industry, it upsets the traveling public. My wife is a terrible flyer, she's [ __ ] scared of it, so the last thing I want to do is make my life harder for her when she's flying. So we have to be really, really responsible when we're talking about airplanes. You've probably seen some famous talks about, sorry, media stories about hacking planes. Most of them are simply not based on fact. Most of them are tweets or comments that got a bit out of hand and went a bit viral. I know people, I know feds have investigated some of these. Some of them just didn't happen.

So what's been going on? Why am I talking about planes? Biggest problem you've got with hacking airplanes is, well, hey, you can't go buy them off eBay very easily. They're quite expensive. But something changed in 2020. The world stopped. A lot of airplanes got retired very quickly, a lot of planes got laid up for periods of time, and the breakers' yards got backed up. And actually there's one up the road from here in Kemble, not very far away. We drove past, saw all the planes backed up, just gave him a call, said, those airplanes, what are you going to do? Well,
we're taking them apart. When you going to take them apart? Don't know, we got loads backed up by two years at the moment. All right, if we give you some cash, can we come and have a play? I said yeah, knock yourselves out. So we gave him some money to cover the cost of the Jet A-1 to power the electronics, and off we went and learned. We had our choice of seven different 747s to play with. How cool.

There are some risks. Avionics bays typically run 400 volts, very dangerous voltages and currents. It's hard to get access to systems. You might get lucky, but even the planes that are being retired are really old. Good example of one of the 747s we looked at: last flew in March 2020, one of the systems was running Windows NT4 with a build date of 1997. You find really old stuff on planes. Powering the systems is difficult because it's dangerous. The protocols (we'll go into protocols a bit later on, the second half of the talk), decoding can be a nightmare. One of the decoders is upwards of 30,000 bucks just to decode and inject. But you do start to see some of the line replaceable units that you'll find in avionics bays start to pop up on eBay, so you can, for example, go and buy 15-, 20-year-old components that are no longer certified, but you can start to learn from them. We've got racks of LRUs sat in the office.

So how do planes work? Well, there is an increasing amount of connectivity on airplanes. So you'll find things like the in-flight entertainment in the passenger section, you'll see Wi-Fi connectivity connected via satcoms or downward-facing LTE. Up front you've got the flight management systems, are becoming increasingly connected using electronic flight bags, we'll talk about in a minute. When you walk on board into an Airbus, typically if you look left you'll see the flight attendant panel. That's got an increasing amount of connectivity, particularly on the A350. On larger planes you'll see what's called a CMT, or cabin management terminal, and when your in-flight entertainment system doesn't work and they go and reboot it, they're using the CMT to reboot it. Increasingly on Airbus you're starting to see FOMAX, so maintenance access in the air. On the ground you'll find data loaders, which are dedicated systems for uploading signed code back onto the LRUs, and increasingly we're just starting to see the concept of a quick access recorder now being done wirelessly. So Teledyne, big avionics manufacturer, now do wirelessly accessed quick access recorders, so you can quickly up- and download maintenance data so you can keep planes flying and in the air safely.

But there are two, three really important parts of the plane network: the bit in
the back, the bit we sit in, the dirty bits, passenger information entertainment services domain, PIESD, which is separated from the AISD, or Airborne Information Services domain, which is what the cabin crew use, completely segregated from the ACD, or aircraft control domain, which is the bit up front, the uppy-downy, lefty-righty bit, right? Completely isolated. There is only one connection on some older planes, which is a one-way data diode, which is the information from flight management computer to update your moving map. You cannot hack back that way. It doesn't work. It's one way.

So what sort of things go wrong? Let's look at some of the problems that have happened with IT-related connectivity for planes. This is one: Ravn, a regional operator in the northwest of the US. Ransomware hit, took out their maintenance system, took out their backup system. They couldn't prove their planes were airworthy, they couldn't fly, they went bankrupt. Bad day, right? Stuff goes wrong.

Let's look at some of the connectivity. So, electronic flight bags. You have a look left into the cockpit when you boarded, you see most the pilots will be carrying a little tablet. Can be an iPad, can be a Droid tablet, occasionally a Windows tablet. Those tablets do all sorts of really, really interesting things. Back in the day I used to carry a great big flight case around with, which had all my charts, my maps with me, it had my tech logs with me, it had my approach plates. We don't do that anymore because it's a really inefficient way of carrying paper around, it's heavy and they get out of date really quickly, whereas electronic charts can be updated every single month on what's called the AIRAC cycle, where everybody always has bang up-to-date paper charts, rather than, I kid you not, literally used to paste updates onto our paper charts.

Anyway, what sort of crazy things go wrong? American Airlines, they had an outage. There was an issue with Jeppesen, who are a provider of approach plates, so that's how you arrive at an airport, and there was a really interesting incident where the approach plate for Reagan National, which is the national airport in Washington, not Dallas, it's Reagan National, and there was an issue with the Jeppesen approach plates application where two approaches for the same approach were published at the same time. It caused the application to corrupt, and it stopped all the American Airlines flights moving that day because they didn't have the right, the system to approach properly.

Southwest, they had an incident, so they lost their weather feed. Now, I know we think weather, look out of the window, yeah, great, yeah, but we need to know, have the weather up there and our destination, right? Kind of
useful, right? Have they got a crosswind? Is it in limits? What's the pressure altitude? Their weather feed system went down, so none of their planes went that morning.

This is interesting. This is from an incident report involving a UK airline. The airplane type, this operator is very well known for flying Airbus A320s, but they have a few 321s as well, and there was a sync issue at the very last minutes where the plane type was changed from a 320 to a 321, which is longer, but the weight and balance application set up the passenger loading for the 320, which meant all the passengers on the 321 were loaded towards the front, and it created an out-of-balance situation where it was too nose heavy. So none of this was picked up, so the plane piled off down the runway, pilot got to VR, rotation speed, pulled back on the stick, nothing happened. Was quite a short runway, right? It was within performance, all safe, but plane now wasn't going to go and take off. Pilot (this is why we have pilots, we don't automate flights) went, oh, better do something up with this, and gave full TOGA power, take-off/go-around power, 100%. And the reason the plane got into the air was not because it increased speed, it was because of the rotational moment of the engines, because they hang off the wings and basically force the nose up. Yeah, bad day. That flight landed safely but could so easily have gone so much worse.

This is another interesting one. So we do what we call takeoff performance calculations. You might not be aware that we very rarely use full power when we take off in a commercial plane. Why? Well, it wears the engines, it burns a lot of fuel so is expensive, and also sticks out a lot of carbon dioxide, so we don't want to do that. So we do what's called a performance calculation with our electronic flight bag, and what that does is we spit into it, for example, length of the runway, weight of the plane,
pressure altitude, wind, lots and lots of different things, and that tells us and spits out our V speeds. So V1, that's the point if an engine fails we can put the brakes on and stop before the end of the runway; VR, rotation speed; V2, the point at which we can safely climb away with one engine; and the gap between V1 and V2, if something goes wrong, you go over the end of the runway. Bad day, right?

Anyway, so this is Lisbon airport, and they'd done some work on the runway intersection markings because they were doing some runway works, and all the intersection markings defined how much runway you had. So it's quite rare you might use the full end of the runway. On the short, airliners will use a displaced intersection. Pilots misunderstood the naming conventions and put the running intersections into their performance calculator, so they told the performance calculator they're at the full length of the runway, whereas in fact they were at a displaced intersection. So the performance calculator goes, hey, you've got 3,000 meters of runway, we only need about 55% power for that. They actually needed about 88. And what happens? They pile off down the runway, great, so all fine, went to rotate, nothing happens, carry on a bit further, oh, this is getting a bit edgy now. All of eight flights this affected took off safely and climbed away safely, but they were too low. They busted what's called the screen height, or the safety height. That was investigated very quickly and fixed, but it could easily have gone so much further wrong.

This is this year, earlier this year. Alaska had a ground stop. They had two tail strikes. There was a bug in their performance calculator for their electronic flight bags. Two tail strikes within a few minutes of each other because the performance calculator was mishandling the weight data. That happened again, a related incident to weight and balance, on April 17th. The bit I was most impressed with actually
was the way that Alaska handled this. They saw the tail strikes, thought something's wrong, ground stopped the entire fleet to work out what had happened. Really cool.

But it can get a whole lot worse than that. This is the backside of a Spanish operator, I believe, ripped the backside out of their plane because they calculated their weight as being 100,000 lighter than it was, so instead of taking off they just dragged the backside out of the tail, caused a huge amount of damage. And very sadly there had been fatalities related to performance calculation issues. This was in Halifax in Nova Scotia, and very sadly a freight 747 miscalculated their weight, didn't apply enough power and never properly took off, went straight through the ILS into a berm, and very sadly the plane caught fire, crashed, and everyone died. Thank goodness it was only a freight operation, but still very, very sad.

So, other crazy stuff. This is Quito airport in South America. It's a very challenging approach because it's surrounded by hills, lot of rollover wind, very difficult approach, and there've been some cases where pilots use their electronic flight bags to calculate not only their takeoff but also their landing. So they'll choose the auto land settings, sorry, the autobrake settings, and the reason you wouldn't go full all the time is it's quite dynamic and also wears the brakes. So you choose the autobrake setting that you need. In this case they miscalculated it, they chose the wrong setting, piled off the end of the runway, and that was the end of the airplane.

So where I'm getting to with all this is: could we cause such an incident with a cyber hack? And the answer is, we believe so. So back to those electronic flight bags, the various things that they do. The first major problem we keep finding is a lack of forethought and real lockdown on those EFBs. So we've seen UK and European and US operators with no PIN on the flight bag, with a really simple PIN. I know one very large
UK airline that uses the pilot's birthday. Not that we could find that out, I'm sure. We find a lack of MDM in place, so a lack of lockdown. In some cases on smaller operators, pilots told to source their own electronic flight bags by going to the electronic store. Wow. And also we see challenges, a breakdown of comms between flight operations and also with pilots. They don't understand each other, they don't talk the same language. And we think about locking down devices, pilots thinking about how they use it, and a great example of that is we saw one operator thought, I know what we'll do, we'll get our iPad electronic flight bags and we'll use Face ID, and then cause chaos, because a lot of pilots like using mirrored sunglasses. Oops. That caused problems.

And another really serious issue is, the electronic flight bag, one of its functions is to provide what's called the emergency quick reference handbook, sorry, the QR, and in the event of an incident the first thing that happens is we'll probably go, we'll, for example in a depressurization incident, like losing a door plug maybe, first thing we'll do is we will automatically do a dive, a crash dive to breathable altitude, so typically 10,000 ft. So we'll do that check from memory, and then as soon as we get stable, 10,000 ft, we'll go back to the eQR on our EFB and check through whether we did it correctly and what the follow-up procedures are. That's really difficult if you've got a pressure mask on, if you're breathing oxygen because you've got depressurization going on, and there's often a breakdown in comms between flight operations and IT security operations on the ground.

There are loads of things that flight bags do. They're all there for efficiency, safe dispatch and safety-critical matters. Really, really good devices, but if we don't get their security right we can cause problems.

So let's talk about some vulnerabilities we found in EFBs. Okay, first one we found was in Boeing's OPT, that's your Onboard Performance Tool, the performance calculator, spits out V speeds. You put
loads of data in. I've played with one of their installed ones on a Triple 7 as well. What did we find? All the data is in there, unsurprisingly, SQLite databases, and there was no local signing at all. Obviously this is a local attack, which means you have to have access to that EFB for a short period of time. So what it meant is, for example, Heathrow 27 Right is 3,658 m; change it to 10,000 m, which makes the performance calculator think you've got a really long runway. Obviously that's a coarse error, I might spot that as a pilot, but if it was in position of interplay of number, I might miss it. As a result it spits out the correct, the incorrect V speeds, and the consequence is either a tail strike or a runway excursion. I love that phrase, runway excursion. Sounds fine, doesn't it? Crash, right?

Okay, Boeing are brilliant. I know they've had a lot of bad press over the years. They were actually really, really good at handling vulnerabilities. We disclosed it in September 2020. It took two years to get fixed. We understand why that was, and then they did coordinated disclosure with us. Really, really cool. Love B.

This is an installed EFB from a 747. It was kind of an aftermarket fit. Believe it or not, there are aftermarket products. You can't go down to Halfords to get one of these, but yet you do get aftermarket products. This was a second EFB. As you can see, it's a Windows tablet, really poorly locked down, great password, fantastic. They were networked together, so we had two of them. So often we'll have two devices for redundancy in a cockpit, so we'll have one EFB, second EFB, we do concurrent checks, you cross-check as pilots with your co-pilot. Unfortunately these were networked together, which meant you could compromise both devices from one, so it kind of defeated the value of that cross-check. Yeah, they had a USB port on it with a sticker on it, said don't use it. Great, fantastic.

Okay, more up to date:
this is Airbus. We haven't actually fully disclosed this vulnerability. It has been fixed, though. This is Airbus's charting package. It's called Flysmart LPC-NG. Less Paper Cockpit, so we'd use less paper, great, love them. NG, Next Generation. They had essentially exactly the same vulnerability as Boeing had in OPT. Frustratingly, Boeing really, really receptive; Airbus, hate to say it, they were a bit of a nightmare. It took us three years to get them to get this vulnerability fixed in the end. So they actually, we went through the disclosure process couple of years, and finally came back and said that fixing this vulnerability, according to our risk assessment, would be a product improvement. Oh, okay. So I then spoke to an airline who used it and said, yeah, why don't you have a chat with the regulator? So we got in touch with EASA, European Aviation Safety Agency, and said, we found this vulnerability, what do you think? We think it violates one of your regs. And I said, yeah, we agree, hold my beer. Two days later, vulnerability got fixed.

Another one in Airbus. This has been fixed. Airbus did accept this as a vulnerability. This is a similar package; it is the updater for the various software packages. What happened with this one? Oh yes, so it was an application, they'd intentionally disabled ATS, application transport security, which meant you could man-in-the-middle. Now, yeah, man-in-the-middle, yeah, but actually this really interesting way that pilots behave and airline operators work is they always fly the same route and they always stay in the same hotel, which means you know where the pilots from that airline are going to be at any point in time. So actually a man-in-the-middle attack becomes a bit more plausible. What it meant is we could tamper with the updates and force duff data into the performance calculators. That is fixed.

Then Lufthansa. Lufthansa also have a subsidiary, Lufthansa Systems, that write applications for flight bags. Really cool organization.
They had a similar charting application with a similar vulnerability, but it did sign the contents with an AES key, but the key was 1 2 3 4 5 6 7 8 9 10. Anyway, what that meant is you could tamper, and I'll walk this through, I think we've got time, you could tamper with the approach plate. So I'll walk through what's going on here. This tells me how to arrive at an airport. So what I do is arrive at 5,000 ft at DME distance 14 mi from the B ra V, that's navigation L, at my IF, initial fix. Okay, I can then descend safely to 4,600 ft to DME 12.4 miles from approach D, top of descent. I then approach on a bearing of 170° down to my safety height, 3,900 ft, to my final fix, safety height 3,900 ft at DME 9. I can then approach to my minimum descent altitude, the middle marker at DME 4, at which point I either commit to land or I go away and fly and try again. You can tamper with all that and make it all wrong, so planes crash into the ground. Oops. It's all been fixed, we're fine. They were really, really cool. Still took two years to fix it, but Lufthansa were really, really good and did a great job of fixing it. I love it.

Last place I want to go with cockpit
systems is, those tablets have always been isolated, right? So I will take the data, I will key it in manually, I'll cross-check it with my co-pilot. Increasingly we're now seeing integration. We're starting to see integration with cockpit systems, and one of the very first planes to do it was the Airbus A350. Amazing plane, love it, but they actually have a Windows laptop in the cockpit which integrates with those two outer screens. It can do everything that a portable EFB can do but can present it on the outer screens, and that EFB has integration using a protocol called ARINC 324, which is a plain text protocol that spits data into flight management systems. Interesting, hey? I've been trying so hard to get a hold of one of those EFBs to play with, but I'm really working hard with a couple of airlines, say, go on, have a play, let's go.

Anyway, regulation is quite interesting because that's what got Airbus to fix one of the bugs. In EASA, so Europe, they've actually got really good regs. So we've had what's called AMC 20-25A (yeah, more TLAs than cyber, brilliant), which controls a lot of what goes on in electronic flight bag security. FAA, completely different: there are no regs over portable electronic flight bags. You do what you want. Wow, okay. CAA, obviously post-Brexit things are a bit weird, but you do have SG, safety regulation guide 1849, which covers a degree of security assurance on portable electronic flight bags. I think there are huge holes in the regs. I think we've got a long way to go. EASA will bring out what's called Part-IS next year, which is a much better compliance framework, which I think will really help improve cyber security across the aviation sector.

Now, I thought we'd talk a little bit more and have a bit of fun and use that to explain some of the principles of avionic networks and how they work. So I thought we'd talk about hacking planes in the movies, right? Who doesn't love a bit of jeopardy, right? We love a bit of
cliffhanger, right? So why would I spend my time critiquing an interesting and engaging plot? Well, I'll be honest with you, I find myself shouting at my TV when you see plane hacking shows. It makes me really cross. So I thought it would be interesting to dispel some of the myths. I still hear over he people, oh yeah, they that play, it's really easy. It's like, it's not, it's really bloody hard. So let's take apart a few movies.

Now, where are we going to start? Best plane hacking movie of all. Come on, Die Hard 2. Yippee-ki-yay. Go Bruce. So let's look at the plot behind. Has anyone not seen Die Hard 2? All right, you're screwed, I'm going to make a real mess of the plot for you. Okay, so what happens, right: some terrorists involved, and they decide that they're going to compromise the instrument landing system at Dulles, that's IAD, that's Washington DC's international airport. The plot goes roughly: there's a snowstorm across the whole of the East Coast resulting in what's called Category 3 autoland conditions, Cat 3 autoland. So I've got no visibility, I can't see the runway lights, so I program three channels on our autopilots to do a safe approach. It even does the flare for me, right? Actually the hard bit in Cat 3C is getting from the runway to the terminal. That's quite hard. So that's what Cat 3C looks like. Problem is that making movies in fog doesn't work very well, so that's a massive plot hole in itself. And the plot is basically, the instrument landing system intersection is 200 feet lower than it should be, and what that is supposed to do is it causes airplanes to crash into runway and disintegrate and blow up in flames. Great.

So first things first, we don't even take off into a situation like that. We will always have in our instrument flight rules flight plans, we will have an alternate, and by law we have to know that the conditions are clear there. We can hold, divert, hold, land. By law we can't even go. There are also a lot of options, right? We wouldn't have even gone if the whole of the east coast of the US was covered in the snowstorm. That would've been predicted, we knew it was happening. All right, there are so many other runways we could have landed on. That is east coast of US: you've got Washington, you could just about get a heavy into Reagan National, it's a bit short, but in an emergency. You've got Baltimore up there, you've got all sorts of other runways you can go. So that jeopardy doesn't work. You don't have to go to Dulles, you can go somewhere else.

Then, I've been working in aviation for, gosh, since 1996 and I've
never seen the altitude wheel at a controller's desk. Whoa. And I've also, I love this, they spent so much time doing it, they use a light pen, it's really nicely done, to drag the instrument landing system down. Wow. That doesn't happen, right? It just doesn't work like that. But I don't know if you noticed, they've actually really expensive real time working on the approach, so you can see the various marker beacons, you can see the glide slope, but it's all cobblers.

Anyway, so they've dropped the intersection down 200 ft. Would it work? Would you crash? No. Your descent rate on instrument landing system, depending on your head or tailwind, is between 6 to 7 to 800 ft per minute. You can land a plane at 700 ft a minute. It's a heavy landing, it's going to involve an engineering inspection, you're probably not going to damage the plane, it'll certainly fly again, and it certainly won't explode into flame. So that bit doesn't work.

The instrument landing system, well, technically, hacking an ILS is bloody difficult. You can put out rogue signals. You've got to have a hell of a lot of power and it's going to be really obvious what you're doing. Someone will be out there looking. Transmitters look like that. Can you mess around with them? So you've probably seen those at the end of the runway. That is the localizer, so that gives you the center line of the runway. There's another antenna which gives you the glide slope, which is you fly down about 3°. So can you tamper with the glide slope? Yes, you can. Typically glide slope is 3°; sh the G is four, for reasons, on one of the approaches. London City Airport, you probably know, coming in over Canary Wharf, they have a 5 and a half degree approach. It used to be 6.7 till they safely did it at 5 and a half, which is great. But what they're doing in Die Hard is that they're changing the runway intersection point. That means moving the ILS array, so you'd have to dig a hole 200 feet deep and put the ILS
in there in order to effect their attack. So effectively that's the runway, latest dad, you had to do that and you put the ILS, yeah, kind of awkward attack.

The other problems you have with the attack is, we also use a radio altimeter. So when we're doing Cat 3C we need very, very precise data about our altitude, even more precise than our barometric altimeter. So the rad alt works a bit like a submarine ping: sends out a radio ping, brings back a signal, gives us a very precise height, which means we can very carefully flare and land safely. Yes, there are issues with radio altimeters. You probably saw a story about potential interference with 5G. There's also a couple of US universities looking at rad alt spoofing, but the practicality of that attack would basically mean driving along the runway at airplane speed pointing a radio antenna at the plane to convince it to flare too high. Yeah, no. We also use DME, so on an approach we'll do at least one cross-check over DME, using distance measuring equipment, to make sure we're at the right point on the approach. We'd also use integrity monitoring. We use our barometric altimeter to do a cross-check too, and also the integrity of the instrument landing system is monitored by ATC. So just none of this works, unfortunately.

So all right, how would I have done it? How are you going to hack a plane and make it crash into the ground? Well, you've got the Die Hard 2 version, or a potential option, and actually just take the ILS offline, and instead of coming down a precision approach, use what's called a non-precision approach using other instruments, for example your VOR, so that's a radio aid, and potentially distance measuring equipment. And believe it or not, it actually happened. This is an incident report from an approach into Charles de Gaulle in Paris. There was confusion between the controller and the cockpit around the barometric altimeter pressure setting. One said 1011, the other said 1001, and it was misunderstood, misinterpreted.
the instrument Landing system was offline for maintenance and the airplane approached with the wrong pressure setting meaning it was 300 ft lower than it thought it was it was queried by the controllers ground proximity was disabled because it is when you're on approach otherwise it would just give you alerts because you're Landing they came within 6 feet of crashing into the ground a mile from the threshold crazy right it's real this is what happens when you take instrument Landing systems offline and people do weird things so there are real issues there what would I do a lot of approaches particularly at smaller airports now are um GPS uh there was an incident relating to the the
conflict going on between Russia and Ukraine um involved a lot of spoofing going on particularly in um areas around the Middle East but also in Estonia and fin had to cancel their flights into an airport called Tatu um because of GPS spoing issues and if you want to go into more detail of that I give a talk at Defcon about GPS spoofing not just affecting uh approaches but also grounding an airplane making it inoperable come back to that another time let's talk about another shouty TV moment let's talk about a Netflix documentary very sad instant MH370 the loss of the Malaysia Airlines plane very sad um what made me really cross was the fact that I think Netflix were
exploiting um cynicism about this um episode one awful but the commonly accepted theory is was pilot murder suicide then they had this episode two which is about a Russian special ops team that took control of the plane from the avionics Bay to distract everyone from what was going on with the invasion of Crimea at the time great so here's broadly what they suggested happened so there was a Triple 7 uh 300ER uh unusually it does have access to avionics Bay from inside the passenger cabin it's just up by the the forward um station behind the cockpit so the idea was a Russian special ops team created a distraction one of them and jumped into the avionics
Bay connected their Windows laptop to the avionics and then changed where the plane went the bit the work you could turn off the cabin pressurization caused the pilots to die caused the crew the passengers to die they then took control of the plane I zoomed in on this spent quite a bit of time they're using a UEFI BIOS exploit and DNS exfiltration against avionics it's always DNS and then some weird [ __ ] about Inmarsat and apparently they flew the plane North and apparently they landed in one of the 'stans anyway so let's let's take that one apart because it annoys me um so if you did have a depressurization event at 36,000 ft number one is the
pilot would instantly recognize that and they would punch in um for the plane to descend and a crash dive to 10,000 ft they might pass out while it was doing that crash dive it would take a few minutes to get there it's a horrible experience if you've ever been in there the rubber jungle comes out but you get there and the pilots at 10,000 ft would wake up again even if their own masks was disabled because someone was down below just wouldn't work some of the modern Airbuses if they sense depressurization auto crash dive unless you interrupt it for safety reasons they also chose the wrong plane these so-called Russian special ops team
is the Triple 7 300 does have fly by wire however the outboard spoilers are connected physically to the flight control so even if someone was somehow messing around with the avionics and causing the plane to move you'd still have a degree of control the other thing talking about Aviation networks is they chose the wrong airplane to do their hack on the Triple 7 is really really unusual because it's um it uses an unusual um avionics protocol so most of the planes that you've been in 320 737 757 767 you name it use a protocol called ARINC 429 it's not really a network as such it's a point-to-point protocol however that involves a lot of
wiring now in order to save cable weight and save fuel uh new protocols emerged um ARINC 629 was developed specifically for the Triple 7 it's an inductively coupled bus Network so you can typically hand couplers I have some um boltons the massively reduces the cabling weight on the airplane for some reason it wasn't a particular success so it's only used on the Triple 7 um later planes uh 787 Dreamliner Airbus A380 use a different protocol called ARINC 664 AFDX which is Ethernet based doesn't use IP but it is Ethernet based sound intriguing right so they chose the wrong plane to Target that's one of my colleagues Alex that is a $30,000 ARINC 629 decoder which we had to
buy specifically for this job crazy right so they chose the wrong plane to hack the other things you don't just plug into avionics and hack them doesn't work um the LRUs the avionics won't take updates they're signed believe it or not that's the data loader from the 737 uses floppy discs uh one of the 747s I was on that was flying in March 2020 also uses floppy discs crazy stuff how'd you do it I wouldn't right so I want to go to the last very last one now which is um scorpion this is 2014 do you remember the TV show anyone remember the pilot episode yeah good horrific show absolutely not not like Mr Robot which I thought was quite cool
let's look at scorpion right so this is nuts there's some jumped up plot where there's some software on the plane that ATC need on the ground in order to allow the plane to land I'm like what okay so anyway so what they do is they bring the airplane down its ground effect on the runway and then get a Ferrari and drive along um at 140 M sorry 160 mph so ground effect for a plane like that sort of heavy is going to be about 140 knots so 160 miles an hour so they drive along the Runway giving them himself about 25 seconds and then they dangle a cable down from the undercarriage to the car where the yeah
psyit gets a laptop plugs it in downloads the software and sends it to ATC and now the plane can land great this is fantastic so that's the avionics Bay for this airplane I've never seen E-bay looks anything like that they're tiny they're small they're hurt you don't want to be down there in turbulence and the co-pilot opens a hatch on the side of the avionics Bay that's what they really look like um and then connects an Ethernet cable into one of the avionics and then dangles a cable so that's the one they were using RJ45 that's a real Aviation Ethernet connector you don't use them in avionics you might use them on the in-flight entertainment that's
called Quadrax um that's what yeah real avionic Bays look like they're small horrible and painful places to be you cannot go from the avionics Bay to the undercarriage well you can on 747 we'll talk about that um but you climb down 160 mph Breeze it just doesn't work right and then you dangle an Ethernet cable it goes that way not down right anyway um there's some bloopers as well the undercarriage handle you see it's actually up that didn't work and then somehow they manage to film it with a a lights feel light in the middle of the runway crazy [ __ ] and then given this pilot has just done the most incredible ground effects um you know a couple of
feet up and down all the way down the center line of the runway in the last stage of the uh the the segment he then buzzes the tower whoa this is a pilot with insane skills why would he Buzz the tower anyway all right was the really a script in there no absolutely not but I've made a little video we had a bit of funding us I'm hoping it's going to play for you let's see if it's going to behave right so yeah we mercilessly edited this so there this is the 747 there is genuinely a hatch in the avionics Bay that leads down to the undercarriage so you can see that there is also amazingly one system with an
RJ45 you yeah we mock this up it doesn't work um so we parked a car it's not moving really honest so then we got a laptop out in our best hacking skills then uploaded some software to the airplane um and what we successfully managed to do was we compromised the entertainment system and managed to upload scorpion the segment to the in-flight entertainment system we were having a laugh right just to prove how ridiculous it was um and yeah so plane hacking is hard um there's a lot of very unusual systems in there please don't hack planes right don't go and get on board your next flight and think you can hack a plane right you'll
get arrested right it's not a good thing to do if you have permission so there are a few airfields around you can Co up um I'm hoping to do an open session on one of the 747s sometime next year uh it's quite expensive do but it's really really good fun it's a baptism of fire but there's lots of stuff you can break on the S4 planes are complicated they have massive technical debt as I said we found systems with build dates from 97 on some of these planes if you do find something don't be a dick right you can really disable as industry by some sharing stuff that's not fair and appropriate we can help you with
disclosure we know how to disclose we know the various communities we know the various operators they will listen if you approach them in the right way there is also quite a bit of research going on it's a small community right now but my favorite thing is the Defcon Aerospace Village which we're a co-founder of together with four other organizations where we bring researchers together to share knowledge to learn to understand and really pay it forward in terms of making Aviation cyber security a little bit better if you want to learn a bit more there is absolutely loads about this on our blog including some recent talks from Defcon where we talked all about GPS spoofing and also some of the
other vulnerabilities we found thanks for listening
I think we might have one or two minutes for questions anyone got a question good anybody never want to fly again question here oh no you don't want to fly again sorry any other questions out there about ships they're a lot easier to yeah completely different network protocols uh so again we do quite a bit in transport we know quite a bit about ships there's a load about hacking ships in our blog too gosh uh quick summary of ships is they use different protocols uh serial protocols NMEA 0183 typically found on Commercial vessels if you're going onto a um superyacht or you'll find it's using NMEA 2000 which is electrically compatible with CAN so it's
basically a car uh but yeah same problem you're going to have is getting ships getting components is very very difficult to get hold of vessels to go and have a uh hack of yeah just a quick one do I need to put my phone on flight mode no load of old cobblers that is so look there was one um reported incident donkey's years ago where somebody's phone went off and at the time there wasn't as good electronic shielding so it was more of a just in case so I think the autopilot tripped off in sync with someone's phone getting off but nowadays those components are really well shielded in life light of um phone so
yeah don't turn well do turn your phone off because your battery will last longer but don't yeah anyway cool nice one thank you