IoT malware found hitting airplanes’ SATCOM systems

In 2014, IOActive researchers revealed security vulnerabilities they found in the most widely deployed satellite communications terminals and presented potential scenarios attackers could exploit once SATCOM systems have been compromised in the aviation, maritime, and military sectors. In 2018, they demonstrated that some of these theoretical scenarios are, unfortunately, still actually possible.

Ruben Santamarta, principal security consultant with IOActive, presented this latest research at this year’s Black Hat conference in Las Vegas, and showed that it’s possible for remote attackers to take control of airborne SATCOM equipment on in-flight commercial aircrafts, earth stations on vessels and those used by the US military in conflict zones.

“Hundreds of commercial airplanes from airlines such as Southwest, Norwegian, and Icelandair were found to be affected by these issues. Today, it is still possible to find vessels that are exposed to the Internet, leaving them vulnerable to malicious attacks,” he shared.

The way in

The many vulnerabilities found include backdoors, insecure protocols, and network misconfigurations.

Possible attacks include:

satcom systems security

While for the aviation industry some of these attacks carry just security risks (attacker can intercept, manipulate, or disrupt non-safety communications or move further into other networks), in the maritime and military sectors there are also safety risks.

“For the military sector, a safety risk may be considered when adversarial forces are able to more easily pinpoint the location of military units. On the other hand, the maritime and/or aviation industries can identify hazards because of the effects of SATCOM-generated HIRFs, which may provoke malfunctions in critical navigation systems or even health damages to persons exposed to this kind of non-ionizing RF,” Santamarta noted.

Other interesting discoveries

During this continuing research, they discovered IoT malware – the Mirai bot, to be exact – on a random vessel with equipment exposed to the Internet. The bot infected the Antenna Control Unit (ACU).

Also, while taking a look at a plane’s in-flight entertainment system during a Norwegian flight from Madrid to Copenhagen, Santamarta noticed two unexpected behaviors: the IP address assigned to passengers’ devices was routable and something – an external host – was performing network scans on these routable IPs.

“This raised a red flag, so I spent the flight mapping the internal network, passively collecting evidence and performing an initial analysis of the network traffic that was captured. Once the flight landed, a simple network scan against those ranges revealed that multiple common services such as Telnet, WWW, and FTP were available for certain IPs,” he said.

Ultimately, he discovered a backdoor on the plane’s satellite modem data unit (MDU) and a public IP trying to connect to the Telnet service.

“The offender host appeared to be a compromised router from Argentina. Further analysis revealed this router was part of the Gafgyt IoT botnet, scanning for new potential targets,” he shared.

“There is no indication that this malware family either had success accessing the SATCOM terminal on any aircraft or that it was specifically targeting airborne routers, so we should consider this situation as a ‘collateral damage’. However, the astonishing fact is that this botnet was, inadvertently, performing brute-force attacks against SATCOM modems located onboard an in-flight aircraft.”

More details about their research are available in this exhaustive whitepaper.