Pen-tester Banned from flights !!

dbit

I think he was doing them a favor, So they plug they're ears and jump up and down saying "no no no" there is nothing wrong with our info sec , ban him , problem gone !!!
https://www.yahoo.com/tech/s/researcher-denied-flight-tweet-poking-united-security-145259840--finance.html

dbit

Does anyone think he was pushing for Creds , being that he is a "Certified" tester, or from a reputable body ?

dbit

A Ban on laptops?,...... and scanning for high performance rooted phones? soon to be added to the list of airport checks ?

BoB_BoT

More likely bans on all those who speak their mind. So the malicious "quiet" hackers won't even be looked at, but if you blog/tweet/post about it, you're on the ban list.

dbit

Pardon the pun, but this could induce more Error 404's and planes not found !.

dbit

What really freaks me out about this is that he found Two, not just one way in , the on-board Wifi and modules under the seats that have multi media functionality , he alleged that he can pull data from the planes main Bus , see fuel consumption's, temps , ...... deploy masks even turn off engines and silence cockpit alarms to the fact. ( doubt that though as every airliner has triplicate electronics systems its the law for avionics)

He must be wiring RX ,TX to something to gain access to the under-seat units . But to be outright banned from flights indicates that there is an air of truth to some of it at least . This guy is going to have to drive around US for quite some time to come .

BoB_BoT

Well that's the thing, by law the systems need to be separate, they can't use the same bus for entertainment as the use for the engine control etc..

Unless he's directly tapping into the bus that's controlling the engine, masks, oxygen etc... which again, I can't imagine being easily accessible in the cabin.

I wonder has he put forward his penetration techniques to the airline to allow them to verify/fix the issue.

The other side of it is, he "jokingly" said he could deploy the oxygen masks, what sort of gob****e posts that on twitter. He may as well have said, "I'm going to turn off the engines mid flight", the fear that surrounds flying has people on edge and the smallest suggestion of interfering with a plane will make authorities jump on you. He might be clever enough to pen test / hack, but he's not clever enough to keep his mouth shut on global platform.

dbit

BoB_BoT wrote: »

Well that's the thing, by law the systems need to be separate, they can't use the same bus for entertainment as the use for the engine control etc..

Unless he's directly tapping into the bus that's controlling the engine, masks, oxygen etc... which again, I can't imagine being easily accessible in the cabin.

I wonder has he put forward his penetration techniques to the airline to allow them to verify/fix the issue.

The other side of it is, he "jokingly" said he could deploy the oxygen masks, what sort of gob****e posts that on twitter. He may as well have said, "I'm going to turn off the engines mid flight", the fear that surrounds flying has people on edge and the smallest suggestion of interfering with a plane will make authorities jump on you. He might be clever enough to pen test / hack, but he's not clever enough to keep his mouth shut on global platform.

Agreed hence my "Does anyone think he was pushing for Creds"

syklops

dbit wrote: »

Agreed hence my "Does anyone think he was pushing for Creds"

He was on his way to speak at RSA, he didn't need additional creds.

dbit

syklops wrote: »

He was on his way to speak at RSA, he didn't need additional creds.

So why make the ridiculous tweets , he is supposed to be a professional after all.

syklops

dbit wrote: »

So why make the ridiculous tweets , he is supposed to be a professional after all.

Presumably he underestimated their response and response times. He sent the tweet as he sat in his seat, four hours later the feds were waiting for him when the plane landed.

dbit

Yes, I agree Syklops . But for a pro in the industry to do something like this, was he just seeking attention? as doing a lot of digging on the topic i cannot see how civilian accessed systems cross to the control and system buses of the plane. Certifications on planes are EXTREMELY strict and governance over the practices are the same.

Most commercial jets use the Arinc 429 system and i can assure you no one is getting into that local or remote.

syklops

dbit wrote: »

Yes, I agree Syklops . But for a pro in the industry to do something like this, was he just seeking attention? as doing a lot of digging on the topic i cannot see how civilian accessed systems cross to the control and system buses of the plane. Certifications on planes are EXTREMELY strict and governance over the practices are the same.

Most commercial jets use the Arinc 429 system and i can assure you no one is getting into that local or remote.

He was maybe just alluding to his talk, which was on this very topic.

Also, pardon me of being sceptical of "governance". I've worked in places which ticked all the boxes from a GRC point of view, but which I wouldn't ever have considered secure.

The whole point of pen testing is after a product has been built, you test it. And you keep testing it until you are sure no-one else can do anything with the system once it hits the masses. He researched the issue and found stuff and that what was in his talk. Hopefully the feds got him to give his talk to them before they let him go.

dbit

Good points made there , only i still think he was very silly to take that approach , issues detected or not post 9/11 its not the brightest thing in the world to do, for one he is supposed to exude professionalism. That was not a professional move .

dbit

Seems its actually being taken very seriously :-
http://www.wired.com/2015/04/fbi-tsa-warn-airlines-tampering-onboard-wifi/

I love this part lmfao :-
Report any evidence of suspicious behavior concerning aviation wireless signals, including social media messages with threatening references to Onboard Network Systems, ADS-B, ACARS, and Air Traffic Control networks.

So the staff will run about with net scanners now lols.

Or :-
oberts sent out his joke tweet in response to a report released last week by the Government Accountability Office indicating that unsecured connections between the passenger Wi-Fi networks and the avionics systems on some Boeing and Airbus planes could make it possible for a hacker to gain access to navigational controls and commandeer a plane.

Can we have a vulnerability airline model number list please he he he he.

dbit

Some new models have rj45's under seats WTF ! i see what your saying about governance a little clearer now.

dbit

Excuse me sir are you hacking this flight ?

No no i use a wifi transceiver to the port under the seat nothing to see here move along.

Khannie

syklops wrote: »

Presumably he underestimated their response and response times. He sent the tweet as he sat in his seat, four hours later the feds were waiting for him when the plane landed.

That's the most frightening part of all of this. That their response time was that amazingly fast.

dbit wrote: »

Some new models have rj45's

Etihad planes come with network ports and wifi on board. I've seen their entertainment system boot and it's running an old version of Linux. I wouldn't have the gumption to give them an oul' pentest though.

dbit

Khannie wrote: »

That's the most frightening part of all of this. That their response time was that amazingly fast.



Etihad planes come with network ports and wifi on board. I've seen their entertainment system boot and it's running an old version of Linux. I wouldn't have the gumption to give them an oul' pentest though.

So why did they airlines not respond to him?, he did try several times to notify them and got no response, Does it from on board the plane and immediately arrested.

I wouldn't bother (to try) myself either as the penalties it suggests make me sad.

Hotblack Desiato

dbit wrote: »

So why did they airlines not respond to him?

Because he's a complete spoofer, most likely

dbit

Hotblack Desiato wrote: »

Because he's a complete spoofer, most likely

Airlines were issued warnings from FBI on the back of what he told them.

syklops

Hotblack Desiato wrote: »

Because he's a complete spoofer, most likely

Have you read anything about this story?

Hotblack Desiato

Yes. Have you read what people in the aviation industry think of it?

Hotblack Desiato

dbit wrote: »

Airlines were issued warnings from FBI on the back of what he told them.

The FBI do not have jurisdiction or competence in this area.

dbit

Hotblack Desiato wrote: »

The FBI do not have jurisdiction or competence in this area.

LOL OK OK they did not arrest him off of a flight (The FBI) ( The FBI are powerless in state security matters lmfao), and these are not the droids you are looking for !.

Hotblack Desiato

The FBI do not certify aircraft or avionics, the FAA do. You might as well ask a toaster designer to build you a suspension bridge. This guy's claims are being treated with derision in aviation forums, he doesn't know what he's talking about, he was looking for a little publicity and got more than he bargained for...

dbit

Hotblack Desiato wrote: »

The FBI do not certify aircraft or avionics, the FAA do. You might as well ask a toaster designer to build you a suspension bridge. This guy's claims are being treated with derision in aviation forums, he doesn't know what he's talking about, he was looking for a little publicity and got more than he bargained for...

Who said FBI regulate avionics and engineering design concepts then ? FBI deal with security risks , this is one.