A Spanish cyber-security researcher said he had figured out how to hack satellite communications systems on commercial jets through their Wi-Fi and inflight entertainment systems.
Using reverse engineering, Ruben Santamarta, a consultant with cyber security firm IOActive, managed to gain access to specialised software used to operate communications equipment aboard aircraft. Gaining access to those systems could theoretically be used by a hacker to tamper with avionics and disrupt satellite communications.
Santamatra will present his findings at the Black Hat hacking conference in Las Vegas this week. If confirmed, the findings will raise further security concerns in the aviation industry, which has been plagued by a series of tragic disasters this year.
"These devices are wide open. The goal of this talk is to help change that situation," said Santamarta.
The researcher admits his experiment has only been conducted in laboratory conditions and may not be as easy to replicate in real-life settings. However, he said, the manufacturers should be aware of the possible short-coming in order to address them before malevolent agents learn how to exploit them.
Santamarta published a 25-page research report in April that detailed what he said were multiple bugs in firmware used in satellite communications equipment made by Cobham, Harris, Hughes, Iridium and Japan Radio Co for a wide variety of industries, including aerospace, military, maritime transportation, energy and communications.
The report laid out scenarios by which hackers could launch attacks, though it did not provide the level of technical details that Santamarta said he will disclose at Black Hat.
Representatives for Cobham, Harris, Hughes and Iridium said they had reviewed Santamarta's research and confirmed some of his findings, but downplayed the risks.
For instance, Cobham, whose Aviation 700 aircraft satellite communications equipment was the focus of Santamarta's research, said it is not possible for hackers to use Wi-Fi signals to interfere with critical systems that rely on satellite communications for navigation and safety. The hackers must have physical access to Cobham's equipment, according to Cobham spokesman Greg Caires.
"In the aviation and maritime markets we serve, there are strict requirements restricting such access to authorized personnel only," said Caires.
A Japan Radio Co spokesman declined to comment, saying information on such vulnerabilities was not public.
Harris spokesman Jim Burke said the company had reviewed Santamarta's paper. "We concluded that the risk of compromise is very small," he said.
Iridium spokesman Diane Hockenberry said, "We have determined that the risk to Iridium subscribers is minimal, but we are taking precautionary measures to safeguard our users."
One vulnerability that Santamarta said he found in equipment from all five manufacturers was the use of "hardcoded" log-in credentials, which are designed to let service technicians access any piece of equipment with the same login and password.
The problem is that hackers can retrieve those passwords by hacking into the firmware and then use the credentials to access sensitive systems, Santamarta said.
Hughes spokeswoman Judy Blake said hardcoded credentials were "a necessary" feature for customer service. The worst a hacker could do is to disable the communication link, she said.
According to Vincenzo Iozzo, a member of Black Hat's review board, Santamarta's paper represents the first time a researcher has identified potentially devastating vulnerabilities in satellite communications equipment.
"I am not sure we can actually launch an attack from the passenger inflight entertainment system into the cockpit," he said. "The core point is the type of vulnerabilities he discovered are pretty scary just because they involve very basic security things that vendors should already be aware of."
The annual Black Hat conference has been the venue where cutting-edge cyber-security findings have been presented since its inception in 1997. In 2009, Charlie Miller and Collin Mulliner demonstrated a method for attacking iPhones with malicious text messages, prompting Apple to release a patch. In 2011, Jay Radcliffe demonstrated methods for attacking Medtronic insulin pumps, which helped prompt an industry review of security.