Cyber Terror & Aircraft

Title: Drones Vulnerable To Terrorist Hijacking, Researchers Say
Date: June 25, 2012
Source: Fox News

Abstract: A small surveillance drone flies over an Austin stadium, diligently following a series of GPS waypoints that have been programmed into its flight computer. By all appearances, the mission is routine.

Suddenly, the drone veers dramatically off course, careering eastward from its intended flight path. A few moments later, it is clear something is seriously wrong as the drone makes a hard right turn, streaking toward the south. Then, as if some phantom has given the drone a self-destruct order, it hurtles toward the ground. Just a few feet from certain catastrophe, a safety pilot with a radio control saves the drone from crashing into the field.

From the sidelines, there are smiles all around over this near-disaster. Professor Todd Humphreys and his team at the University of Texas at Austin's Radionavigation LaboratoryDescription: have just completed a successful experiment: illuminating a gaping hole in the government’s plan to open US airspace to thousands of drones.

They could be turned into weapons.

“Spoofing a GPS receiver on a UAV is just another way of hijacking a plane,” Humphreys told Fox News.

In other words, with the right equipment, anyone can take control of a GPS-guided drone and make it do anything they want it to.

“Spoofing” is a relatively new concern in the world of GPS navigation. Until now, the main problem has been GPS jammers, readily available over the Internet, which people use to, for example, hide illicit use of a GPS-tracked company van. It’s also believed Iran brought down that U.S. spy drone last December by jamming its GPS, forcing it into an automatic landing mode after it lost its bearings.

While jammers can cause problems by muddling GPS signals, spoofers are a giant leap forward in technology; they can actually manipulate navigation computers with false information that looks real. With his device -- what Humphreys calls the most advanced spoofer ever built (at a cost of just $1,000) -- he infiltrates the GPS system of the drone with a signal more powerful than the one coming down from the satellites orbiting high above the earth. 

Initially, his signal matches that of the GPS system so the drone thinks nothing is amiss. That’s when he attacks -- sending his own commands to the onboard computer, putting the drone at his beck and call.

Humphreys says the implications are very serious. “In 5 or 10 years you have 30,000 drones in the airspace,” he told Fox News. “Each one of these could be a potential missile used against us.”

Drones have been in widespread use in places like Iraq, Afghanistan and Yemen, but so far, GPS-guided unmanned aerial vehicles have been limited to the battlefield or southern border patrols and not allowed to fly broadly in U.S. airspace. 

In February, under pressure from the Pentagon and drone manufacturers, Congress ordered the FAA to come up with rules to allow government and commercial use of UAVs over American soil by 2015. The plan could eventually see police drones keeping watch over U.S. cities, UAVs monitoring transmission lines for power companies, or cargo plane-size drones guided by GPS pilotlessly delivering packages across the country. FedEx founder Fred Smith has said he would like to add unmanned drones to his fleet as soon as possible.

The new rules have raised privacy concerns about a "surveillance society," with UAVs tirelessly watching our every move 24/7. But Humphreys’ experiments have put an entirely new twist on the anxiety over drones.

“What if you could take down one of these drones delivering FedEx packages and use that as your missile? That’s the same mentality the 9-11 attackers had,” Humphreys told Fox News.

It’s something the government is acutely aware of. Last Tuesday, in the barren desert of the White Sands Missile Range in New Mexico, officials from the FAA and Department of Homeland Security watched as Humphrey’s team repeatedly took control of a drone from a remote hilltop. The results were every bit as dramatic as the test at the UT stadium a few days earlier. 

DHS is attempting to identify and mitigate GPS interference through its new “Patriot Watch” and “Patriot Shield” programs, but the effort is poorly funded, still in its infancy, and is mostly geared toward finding people using jammers, not spoofers.

The potential consequences of GPS spoofing are nothing short of chilling. Humphreys warns that a terrorist group could match his technology, and in crowded U.S. airspace, cause havoc.

“I’m worried about them crashing into other planes,” he told Fox News. “I’m worried about them crashing into buildings. We could get collisions in the air and there could be loss of life, so we want to prevent this and get out in front of the problem.”

Unlike military UAVs, which use an encrypted GPS system, most drones that will fly over the U.S. will rely on civilian GPS, which is not encrypted and wide open to infiltration. Humphreys warns it is crucial that the government address this vulnerability before it allows unmanned aerial vehicles broad access to U.S. airspace.

“It just shows that the kind of mentality that we got after 9-11, where we reinforced the cockpit door to prevent people hijacking planes -- well, we need to adopt that mentality as far as the navigation systems for these UAVs” (Fox News, 2012).

Title: Hackers Could Haunt Global Air Traffic Control: Researcher
Date: July 27, 2012
MSN News

Abstract: Air traffic control software used around the world could be exploited by hackers to unleash squadrons of ghost planes to befuddle those entrusted to keep the skies safe, a security researcher said Thursday.

Cyprus-based Andrei Costin demonstrated his findings at a Black Hat gathering of cyber defenders that ends Thursday in Las Vegas.

“This is for information only,” Costin said as he outlined how someone with modest tech skills and about $2,000 worth of electronics could vex air traffic controllers or even stalk celebrities traveling in private jets.

“Everything you do is at your own risk.”Costin’s target was an ADS-B system in place for aircraft to communicate with one another and with air traffic control systems at airports.

The system, which has been rolled out internationally in recent years in a multi-billion dollar upgrade, was designed to better track aircraft so airport traffic can flow more efficiently.

A perilous flaw is that the system is not designed to verify who is actually sending a message, meaning that those with malicious intent can impersonate aircraft either as pranks or to cause mayhem, according to Costin.

“There is no provision to make sure a message is genuine,” he said.

“It is basically an inviting opportunity for any attacker with medium technical knowledge.”Air traffic controllers faced with a signal from a fake airplane resort to cross-checking flight plans, putting relevant portions of air space off limits while they work.

“Imagine you inject a million planes; you don’t have that many people to cross-check,” Costin said. “You can do a human resource version of a denial of service attack on an airport.”Denial of service attacks commonly used by hackers involve overwhelming websites with so many simultaneous online requests that they crash or slow to the point of being useless.

Aviation agencies are adept at identifying and locating “rogue transmitters” on the ground, but not at countering signals from drones or other robotic aircraft becoming more common and available, according to the researcher.

Another danger in the new-generation air traffic control system, according to Costin, is that position, velocity and other information broadcast by aircraft isn’t encrypted and can be snatched from the air.

“Basically, you can buy or build yourself a device to capture this information from airplanes,” Costin said.

He listed potential abuses including paparazzi being able to track private jets carrying celebrities or other famous people.

Costin showed how a friend was able to identify a plane broadcasting the identification numbers of Air Force One, the military jet used by the US president, and plot it on a map on an iPad.

“It can be a very profitable business model for criminals to invest a small amount of money in radios, place them around the world” and then sell jet tracking services or information about flights, the independent researcher said.

“If it was Air Force One, why does Air Force One show itself?” Costin wondered aloud.

“It is a very high profile target and you don’t want everyone to know it is flying over your house.”There are websites with databases matching aircraft registration numbers with listed owners (MSN News, 2012)

Title: South Korea Developing 'Kamikaze' Attack Drone
Date: October 9, 2012
Fox News

Abstract: A suicide drone capable of a strike in North Korea, is under development in South Korea.

The "Devil Killer" can reach speeds of approximately 250 mph, thanks to an electric motor, has a length of about 5 feet and a fuselage to match, and a wingspan just over 4 feet, according to state-funded Korea Aerospace Industries The company has been working on the drone with Hanyang University and Konkuk University.

Korea Aerospace offered a progress report on the drone project at the Joint Chief of Staff’s joint weapons system development seminar, Korea Times reported The event at a club in Yongsan, Seoul, was attended by South Korean defense firms as well as 400 military officials, arms sellers and experts, according to Yonhap, South Korea’s news agency.

Reports as to the explosive payload, endurance and range have been inconsistent.

But some facts are known: Intended to be portable, it has foldable wings and weighs 55 pounds. The drone is pre-programmed with a route and using a video camera and GPS device, the drone can automatically identify targets. The company says it can either undertake an automatic strike or a manually executed one.

Like Aerovironment’s Switchblade, a leading U.S. version of this sort of kamikaze drone, if the drone can’t acquire its target, it can be redirected to another mission.

Tensions between North Korea and South Korea continue to remain high. In 2010, North Korea shelled South Korean Yeonpyeong Island, resulting in sixteen South Korean marines and three civilians being injured.

The scuttlebutt is that the Devil Killer could strike a target 25 miles away in about 10 minutes. If correct, South Korea could launch the Devil Killer from the very same island targeted in 2010 to attack North Korea’s Kaemori Base within 4 minutes.

After further testing and development, the Devil Killer is expected to be deployable by 2015.

What about drone development on the other side of the Korean border? There have been reports that North Korea is also determined to develop a drone with suicide capability.

Some experts believe the North Korean program is based on the American MQM-107D Streaker. Earlier this year, South Korea’s Yonhap news agency reported that North Korea acquired a fleet of Streakers from Syria (Fox News, 2012).

Title: 17 Flights Diverted From Manila Airport Due To Air Traffic Facility Problem; Glitch Repaired
Date: October 9, 2012
Fox News

Abstract:  Officials say 17 flights have been diverted from Manila's international airport due to an air traffic equipment glitch.

Planes diverted Tuesday from Manila include five international flights of Asiana Airlines, Thai Airways, China Southern Airlines, Philippine Airlines and Zest Airway from South Korea, Thailand and China.

A Manila International Airport Authority advisory says the planes were diverted "due to air traffic facility problem." It did not elaborate and officials authorized to explain could not immediately be reached for comment.

The flights were diverted to airports at the former U.S.-run Clark Air Base north of Manila, and in central Cebu and Iloilo cities.

Jen Franco of the airport's public affairs office says the glitch was repaired shortly after noon. All 17 diverted flights later flew to Manila airport (Fox New, 2012).

Title: Crashing Passenger Jet With Android Phone?
Date: April 11, 2013

Abstract: There’s now another reason to be aerophobic after a German hacker demonstrated how to remotely hijack and bring down an airplane using an app for the Android phone.

The presentation called ‘Aircraft Hacking: Practical Aero Series' by Hugo Teso has become the highlight of the Hack In The Box security conference in Amsterdam on April 10-11, terrifying most of those, who attended it. 

Teso, who currently works as a security consultant at the German n.runs IT-company, has used his experience of being a commercial pilot to create the software, which grants him full control of a passenger aircraft.

It took the researcher three years to come up with the PlaneSploit app for Android based on his SIMON code, which proved that – despite the tightened security in airports and on-board – air carriers are completely defenceless when it comes cyber-attacks.  

Teso’s presentation revealed that the Automated Dependent Surveillance-Broadcast (ADS-B), which is a surveillance technology for tracking planes, is unencrypted and unauthenticated.

He said that the possible attacks on this system can “range from passive attacks (eavesdropping) to active attacks (message jamming, replaying, injection)”.

Meanwhile, the US government demands all aircrafts to be equipped with ADS-B by the 2020.

It turned out that the Aircraft Communications Addressing and Reporting System (ACARS), which is used for exchanging messages between aircraft and stations via radio or satellite, is also extremely vulnerable. 

"ACARS has no security at all. The airplane has no means to know if the messages it receives are valid or not. So they accept them, and you can use them to upload data to the airplane that triggers these vulnerabilities. And then it's game over," Teso is cited as saying by The Independent.

The hacker added that just a little knowledge is required to read and send ACARS messages as it’s sometimes as easy as ordering goods from an online store.

Teso has demonstrated how to upload Flight Management System (FMS) data through ACARS, using a lab of virtual airplanes, which are based on real aircraft codes.

Once he got into the system, he was able to manipulate the steering of a Boeing jet in autopilot mode, saying he could also change the plane's course, crash it, make oxygen masks fall out and etc.

"You can use this system to modify approximately everything related to the navigation of the plane. That includes a lot of nasty things," the hacker told Forbes.

Another problem, which Teso pointed out during his presentation, is that lots of aircraft computers run outdated software, which doesn’t meet modern safety requirements.

The hacker said that during his research he only experimented with second-hand flight system software and hardware as hijacking a real plane during a flight was “too dangerous and unethical.”

Thankfully, the PlaneSploit is proof-of-concept software, which will not be making its way to the app stores
(RT, 2013).

Title: New Terrorist Magazine Targets Obama, Drones, Calls For Drone Hackers
Date: May 8, 2013
ABC News

Abstract: President Barack Obama appears with a bull’s-eye on his head in a new English-language magazine published online apparently by Islamist militants, who also urge Muslims around the world to try to hack and manipulate American drones.

“Wanted Dead Only. Barack Obama Mass Murderer. Reward: in the Hereafter,” reads the full page poster that depicts a darkened image Obama as a target.

Elsewhere in the 80-page tome, the magazine calls upon the “Ummah,” the community of Muslims all over the world, to hack and manipulate U.S. drones, identifying drone attacks as “one of the utmost important issues that the Ummah must unite to come up with an answer to.”

“This is a call to anyone in the Islamic Ummah with knowledge, expertise and theories regarding anti-drone technology. [...] These drones can be hacked and manipulated as evidenced by the efforts of the Iraq Mujahideen” says the article, possibly in reference to the reported interception of video feeds from U.S. predator drones by Iraqi militants in 2009.

While the magazine doesn’t explicitly say what the jihadi hackers should to with the drone, there is a significant difference between accessing unencrypted videos captured by a drone and actually commandeering a drone, according to Richard Clarke, former counter-terrorism advisor to the White House and current ABC News consultant.

“Taking over the controls of a drone is beyond the capabilities of members of such militant organizations,” said Clarke. “For that to happen they need to hack into the private encrypted network of the Pentagon or physically overpower the links between the drone and GPS with airplanes, which these organization do not have.”

In February, The Associated Press found an al Qaeda guide with 22 tips on avoiding drones, which was left behind by militants driven out of the Malian city of Timbuktu. The tip sheet referenced similar software reportedly used by the Iraqi militants in 2009 to intercept the drone’s surveillance images.

The new color magazine is entitled “Azan – A Call to Jihad” and was discovered online on May 5, though the issue itself is dated March 2013.

Azan, call to prayer in Arabic, holds a striking resemblance to Inspire, the English-language magazine published by Al Qaeda in the Arabian Peninsula (AQAP), though no militant organization has claimed responsibility for the publication yet.

Nevertheless, the magazine’s header reads “Taliban in Kuhrasan” an indication that it might be published by islamists in Pakistan and Afghanistan. Kuharasan is an ancient term for the region spanning Afghanistan, Northwest Pakistan, parts of Iran, Turkmenistan and Uzbekistan.

An American intelligence official told ABC News that the intelligence community was aware of the publication and that analysts are currently “evaluating Azan as they would any jihadist publication advocating international terrorism” (ABC News, 2013).