Re: [SystemSafety] GAO report on FAA cybersecurity vulnerabilities ... and an instance

From: Peter Bernard Ladkin < >
Date: Mon, 27 Apr 2015 06:29:46 +0200


On 2015-04-20 10:15 , RICQUE Bertrand (SAGEM DEFENSE SECURITE) wrote:
> I am rather skeptical. The avionics are on ARINC bus, and even if it is connected through a
> firewall to an IP network (why?) I don't see how it can be possible to enter an avionics box.

Firewalls aren't necessarily invulnerable. Why, Sony had firewalls! It didn't stop one of the world's poorest states distributing their private internal communications to the world. And you don't need to hack into a box to influence critical control. You just need to add/alter/remove messages on a communications network.

My opinion about physical separation, or an "air gap" as it's called, is hardly unique amongst security people, in fact it's the norm.

What do you think is so special about ARINC buses? ARINC committees are not necessarily renowned for their digital-security expertise. Are ARINC 429 and ARINC 629 buses perfectly secure? That rather depends on your threat model, I would say :-) .

At the time of MH 370 I spent a little time educating myself about the SAFEbus (ARINC 659). One of the designers is here, and the other on another mailing list, and there are also other avionics specialists here who have worked with it who were helpful. I am fairly convinced that SAFEbus is impervious to spurious messages and message loss, because it has a form of ID-less slot-based one-to-one communication protocol whose scheduling is unique to the individual aircraft and must be known in advance - it's not practically detectable through experimentation.

Two pieces of flight-critical kit have exhibited failure modes, generating pilot-uncommanded pitch excursions; one on the Boeing 777 in 2005 out of Perth, and the other on the Airbus A330, in 2008 also near Perth (twice!). Both of these occurred after the respective aircraft types were more than a decade in service. Such anomalies are inadvertent failures, and the conditions under which they occur have a random (therefore statistical) nature.

But security penetrations do not have a statistical nature. Firewalls are as "fit for purpose" as anything else (I grant it is likely fair to assume that avionics firewalls are a little more robust than Sony's). The likelihood of penetration is (in my terminology) quasi-Boolean - it is largely dependent upon a competent penetrator having a go at the kit, and whether such a penetrator is having a go or not at a specific time is not a statistical quantity in any reasonable sense.

I don't know why you would think penetrating an avionics box should be necessary. All that's necessary to disturb operations is to affect the messages on the communications buses. Take a look at Ross Anderson's Cambridge group's experiments with actual bank ATMs. The protocols of the ATMs supposedly use quasi-real nonces belonging to pseudo-one-time pads, but the group found that a significant number of ATMs *in their neighborhood* were vulnerable to replay attacks!

A number of years ago, Ross and colleagues discovered that the lauded chip-and-PIN protocol used in European bank cards was broken, and wrote an award-winning paper saying so and showing how. Of course, they had already informed banks in plenty of time about the vulnerability, to give them time to fix it. And the banks had done nothing. They said "that's not a practical attack". So a little time later, a student built a piece of HW to exploit the attack, and successfully demonstrated it on video at a local bank branch (with of course the organisational cooperation of the branch). The response of the banks was to try to pressure the university to suppress the M.Sc. dissertation. They didn't succeed.

Now, banks are relatively digital-security-aware organisations, since they lose untold sums in "wire fraud" every year and have done for decades. Nevertheless, as the examples show, they do some odd things, such as trying to ignore pervasive security problems. Is avionics different? Much of the avionics flying around today has not necessarily been co-designed by security experts. Even were the protocols to have been designed by security-aware people, the threat model is changing - attacks are possible today that would have been regarded as implausible at the time of design. There is an FAA survey of data-transfer technology in DOT/FAA/AT-09/27 at Which of those protocols do you imagine are *not* vulnerable to attack?

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319
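The replay exposure the post attributes to ATM protocols with poorly chosen nonces can be checked from the defender's side by auditing the nonces a terminal actually emits. The following is an added, hypothetical audit script (not code from the Cambridge group or from this thread); the log format, terminal names and nonce values are constructed for the example, and the two weak patterns it flags, a reused nonce and a constant-stride counter, are the conditions under which a recorded authorisation could be accepted a second time.

```python
"""Audit per-terminal nonce sequences for replay exposure.

Hypothetical check, added as an example: a nonce that repeats lets a recorded
message be accepted again; a nonce that advances by a constant stride is
predictable, so freshness gives no protection. Log format is constructed.
"""
import re

# Constructed sample log: terminal id, transaction id, 32-bit nonce in hex.
SAMPLE_LOG = """\
ATM-01 tx=1001 nonce=0A1B2C3D
ATM-01 tx=1002 nonce=0A1B2C3E
ATM-01 tx=1003 nonce=0A1B2C3F
ATM-02 tx=2001 nonce=7F3A9C11
ATM-02 tx=2002 nonce=7F3A9C11
ATM-03 tx=3001 nonce=9E51D2A8
ATM-03 tx=3002 nonce=1C4B7E03
ATM-03 tx=3003 nonce=B6D0F294
"""

LINE_RE = re.compile(r"^(?P<atm>\S+) tx=(?P<tx>\d+) nonce=(?P<nonce>[0-9A-Fa-f]{8})$")


def parse_log(text):
    """Group nonces (as integers, in log order) by terminal; skip malformed lines."""
    per_terminal = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        per_terminal.setdefault(m["atm"], []).append(int(m["nonce"], 16))
    return per_terminal


def assess_nonces(nonces):
    """Classify one terminal's nonce sequence as 'repeat', 'counter' or 'ok'."""
    if len(nonces) != len(set(nonces)):
        return "repeat"  # identical nonce reused: a recorded reply would be accepted
    strides = {b - a for a, b in zip(nonces, nonces[1:])}
    if len(nonces) >= 3 and len(strides) == 1:
        return "counter"  # constant stride: the next nonce is predictable
    return "ok"


def audit(text):
    """Map each terminal in the log to its verdict."""
    return {atm: assess_nonces(ns) for atm, ns in parse_log(text).items()}


if __name__ == "__main__":
    for atm, verdict in audit(SAMPLE_LOG).items():
        print(atm, verdict)
```

Only terminals whose sequence is both unrepeated and not a fixed-stride counter pass; a longer capture lets the same functions catch reuse across far-apart transactions.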


The System Safety Mailing List
systemsafety_at_xxxxxx Received on Mon Apr 27 2015 - 06:30:01 CEST
