Your search keyword '"Timo Hamalainen"' showing total 4 results

1. GDL90fuzz: Fuzzing - GDL-90 Data Interface Specification Within Aviation Software and Avionics Devices–A Cybersecurity Pentesting Perspective

Author

Hannu Turtiainen, Andrei Costin, Syed Khandker, and Timo Hamalainen

Subjects

GDL-90, ADS-B, attacks, cybersecurity, pentesting, resiliency, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

As the core technology of next-generation air transportation systems, the Automatic Dependent Surveillance-Broadcast (ADS-B) is becoming very popular. However, many (if not most) ADS-B devices and implementations support and rely on Garmin’s Datalink 90 (GDL-90) protocol for data exchange and encapsulation. This makes it essential to investigate the integrity of the GDL-90 protocol especially against attacks on the core subsystem availability, such as denial-of-service (DoS), which pose high risks to safety-critical and mission-critical systems such as in avionics and aerospace. In this paper, we consider GDL-90 protocol fuzzing options and demonstrate practical DoS attacks on popular electronic flight bag (EFB) software operating on mobile devices. Then we present our own specially configured avionics pentesting platform and the GDL-90 protocol. We captured legitimate traffic from ADS-B avionics devices. We ran our samples through the state-of-the-art fuzzing platform American Fuzzy Lop (AFL) and fed the AFL’s output to EFB apps and the GDL-90 decoding software via the network in the same manner as legitimate GDL-90 traffic would be sent from ADS-B and other avionics devices. The results showed worrying and critical lack of security in many EFB applications where the security is directly related to the aircraft’s safe navigation. Out of the 16 tested configurations, our avionics pentesting platform managed to crash or otherwise impact 9 (56%). The observed problems manifested as crashes, hangs, and abnormal behaviors of the EFB apps and GDL-90 decoders during the fuzzing test. Our developed and proposed systematic pentesting methodology for avionics devices, protocols, and software can be used to discover and report vulnerabilities as early as possible.

Published

2022

2. On the (In)Security of 1090ES and UAT978 Mobile Cockpit Information Systems–An Attacker Perspective on the Availability of ADS-B Safety- and Mission-Critical Systems

Author

Syed Khandker, Hannu Turtiainen, Andrei Costin, and Timo Hamalainen

Subjects

Cybersecurity, attacks, ADS-B, ATC, ATM, UAT978, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Automatic dependent surveillance-broadcast (ADS-B) is a key air surveillance technology and a critical component of next-generation air transportation systems. It significantly simplifies aircraft surveillance technology and improves airborne traffic situational awareness. Many types of mobile cockpit information systems (MCISs) are based on ADS-B technology. MCIS gives pilots the flight and traffic-related information they need. MCIS has two parts: an ADS-B transceiver and an electronic flight bag (EFB) application. The ADS-B transceivers transmit and receive the ADS-B radio signals while the EFB applications hosted on mobile phones display the data. Because they are cheap, lightweight, and easy to install, MCISs became very popular. However, due to the lack of basic security measures, ADS-B technology is vulnerable to cyberattacks, which makes the MCIS inherently exposed to attacks. Attacks are even more likely for the MCIS, because they are power, memory, and computationally constrained. This study explores the cybersecurity posture of various MCIS setups for both types of ADS-B technology: 1090ES and UAT978. Total six portable MCIS devices and 21 EFB applications were tested against radio-link-based attacks by transmission-capable software-defined radio (SDR). Packet-level denial of service (DoS) attacks affected approximately 63% and 37% of 1090ES and UAT978 setups, respectively, while many of them experienced a system crash. Our experiments show that DoS attacks on the reception could meaningfully reduce transmission capacity. Our coordinated attack and fuzz tests also reported worrying issues on the MCIS. The consistency of our results on a very broad range of hardware and software configurations indicate the reliability of our proposed methodology as well as the effectiveness and efficiency of our platform.

Published

2022

3. On Apache Log4j2 Exploitation in Aeronautical, Maritime, and Aerospace Communication

Author

Artturi Juvonen, Andrei Costin, Hannu Turtiainen, and Timo Hamalainen

Subjects

log4shell, CVE-2021-44228, General Computer Science, log4j, vulnerability, satellite, avionics, experimentation, langaton tiedonsiirto, proof-of-concept, ACARS, General Materials Science, Electrical and Electronic Engineering, kyberturvallisuus, haavoittuvuus, AIS, tietoliikennesatelliitit, lentoliikenne, General Engineering, aerospace, Apache, meriliikenne, maritime, aviation, langaton viestintä, verkkohyökkäykset, lennonvarmistus, exploitation, ADS-B, Java

Abstract

Apache Log4j2 is a prevalent logging library for Java-based applications. In December 2021, several critical and high-impact software vulnerabilities, including CVE-2021-44228, were publicly disclosed, enabling remote code execution (RCE) and denial of service (DoS) attacks. To date, these vulnerabilities are considered critical and the consequences of their disclosure far-reaching. The vulnerabilities potentially affect a wide range of internet of things (IoT) devices, embedded devices, critical infrastructure (CI), and cyber-physical systems (CPSs). In this paper, we study the effects and feasibility of exploiting these vulnerabilities in mission-critical aviation and maritime environments using the ACARS, ADS-B, and AIS protocols. We develop a systematic methodology and an experimental setup to study and identify the protocols’ exploitable fields and associated attack payload features. For our experiments, we employ software-defined radios (SDRs), use open-source software, develop novel tools, and develop features to existing software. We evaluate the feasibility of the attacks and demonstrate end-to-end RCE with all three studied protocols. We demonstrate that the aviation and maritime environments are susceptible to the exploitation of the Log4j2 vulnerabilities, and that the attacks are feasible for non-sophisticated attackers. To facilitate further studies related to Log4j2 attacks on aerospace, aviation, and maritime infrastructures, we release relevant artifacts (e.g., software, documentation, and scripts) as open-source, complemented by patches for bugs in open-source software used in this study. peerReviewed

Published

2022

4. Cybersecurity Attacks on Software Logic and Error Handling Within ADS-B Implementations: Systematic Testing of Resilience and Countermeasures

Author

Syed Khandker, Hannu Turtiainen, Andrei Costin, and Timo Hamalainen

Subjects

vulnerabilities, ATC, cybersecurity, 1090MHz, lentoliikenne, Aerospace Engineering, countermeasures, avionics, 978MHz, datalink, ATM, pentesting, aviation, experimental platform, Electrical and Electronic Engineering, UAT, lennonjohto, EFB, kyberturvallisuus, verkkohyökkäykset, lennonvarmistus, ADS-B, 1090ES

Abstract

Automatic Dependent Surveillance-Broadcast (ADS-B) is a cornerstone of the next-generation digital sky and is now mandated in several countries. However, there have been many reports of serious security vulnerabilities in the ADS-B architecture. In this paper, we demonstrate and evaluate the impact of multiple cyberattacks on ADS-B via remote radio frequency links that affected various network, processing, and display subsystems used within the ADS-B ecosystem. Overall we implemented and tested 12 cyberattacks on ADS-B in a controlled environment, out of which 5 attacks were presented or implemented for the first time. For all these attacks, we developed a unique testbed that consisted of 13 hardware devices and 22 software that ran on Android, iOS, Linux, and Windows operating systems, which result in a total of 36 tested configurations. Each of the attacks was successful on various subsets of the tested configurations. In some attacks, we discovered wide qualitative variations and discrepancies in how particular configurations react to and treat ADS-B inputs that contain errors or contradicting flight information, with the main culprit almost always being the software implementation. In some other attacks, we managed to cause Denial of Service (DoS) by remotely crashing/impacting more than 50% of the test-set that corresponded to those attacks. Besides demonstrating successful attacks, we also implemented, investigated, and report herein some practical countermeasures to these attacks. We demonstrated that the strong relationship between the received signal strength and the distance-to-emitter might help verify the aircrafts advertised ADS-B position and distance. For example, our best machine learning models achieved 90% accuracy in detecting spoofed ADS-B signals, which may be effectively used to distinguish ADS-B signals of real aircraft from spoofed signals of attackers. peerReviewed