Transport Security

AIR TRANSPORT● 2.8 billion

– People flown in 2011.

● 38 million

– Number of flights in 2011

MARITIME TRANSPORT● 30,936

– Transport ships in 2011

● 8,7 billion tons

– Seaborne trade on 2012

Safety is NOT Security

New technologies, new threats......new requirements:

● IT Security profile– New systems– Automation

● Aviation profile– Specific knowledge– Own technologies– Standards

Part I– Traditional technologies

Part II– New risks and attack vectors

Agenda

Traditional technologies

Good old days

Older technologiesPrimary Surveillance

Radars (PSR)

✈ Detects presence of planes via the reflection of radio waves by the planes.

Secondary Surveillance Radars (SSR)

✈ Detects and measures the position of aircrafts, requests additional information from them.

Legacy systems Glass cockpit

Older technologies

New technologies

Risks and attacks

Attack overview

DISCOVERY

✈ ADS-B

GATHERING

✈ ACARS

EXPLOITATION

✈ Systems

THE TARGET

SOFTWARE

DISCOVERY - ADS-B

Automatic Dependent Surveillance-Broadcast

✈ Radar substitute

✈ Position, velocity, identification

GATHERING - ACARS

Aircraft Communications Addressing and Reporting System

✈ Digital data link for transmission of messages between aircraft and ground stations

EXPLOITATION - FMS✈Flight Management System– Typically consists of two units:

» A computer unit

» A control display unit

✈Control Display Unit (CDU or MCDU) provides the primary human/machine interface for data entry and information display.

✈FMS provides:

» Navigation

» Flight planning

» Trajectory prediction

» Performance computations

» Guidance

EXPLOITATION - Attack deliveryGround Service providers

● The “glue” of the aviation ecosystem

house

Software Defined Radio● A radio communication

system where hardware components are implemented by means of software.

Unmanned Aircraft Systems

COMMUNICATIONS– SATCOM

● Iridium● Ku-Band● C/S-Band

– VHF● :-)

NON-SEGREGATED AIRSPACE

● Civil aviation systems– COTS/MOTS– Vulnerable:

● Protocols● Systems

RemediationWhere to start from?

– ✈ NextGen Security● On-board systems security

audit

– ✈ Who is affected?● Manufacturers● Ground Service Providers● Airlines/Operators

Remember: Safety is NOT Security

hugo.teso@nruns.com

Additional resources

– RootedCon 2012● Slides: http://x90.es/7e4● Video: http://x90.es/7e5

– HITB 2013● Slides: http://x90.es/7e6● Video: http://x90.es/7e7