US military swoops into DEF CON seeking a few good hackers for debut aviation pwning village
Faulty F-15s, at-risk airbases and much more
DEF CON For the first time, Vegas's annual DEF CON hacking conference has an "aviation hacking village", and the US military is scouting around there for a few good hackers to find bugs that its own hackers have missed.
"We've got some great hackers on our team and we're proud of them," Dr Will Roper, assistant secretary of the Air Force for Acquisition, Technology and Logistics, told The Register. "But we may not have the best, and that's why we're here. There's a big pool of talent out there and bringing in fresh eyes could show us stuff that we've missed."
Setting up the village and getting the necessary security clearances has been "eight months of pain," one of the organisers told us, but judging by the scrum it's certainly popular.
Low-key efforts have been underway for over a year now, and saw a carefully selected and vetted team of non-military US hackers let loose on an F-15 fighter's systems back in November.
They found 22 software vulnerabilities in the aircraft's operating system. While the aircraft isn't internet-connected in the air yet, it will be: the new F-35 is intended to act as a data hub for other aircraft and the military wanted to make sure that this wasn't going to cause issues. There's also the worry that after the plane lands, malware nasties might be installed.
In the second round, a team of hackers is currently poring through the F-15's systems to, firstly, check the old vulnerabilities have been fixed, and, secondly, find new ones that could cause problems in the future.
You can't try this at home, kids
For infoseccers keen on trying their hand at aircraft hacking, the military has brought in Lego models of helicopters and cargo planes. These are linked to Arduino boards running avionics control systems, allowing anyone to come over and plug their laptops into them and try a bit of hacking.
The models are run by engineers at the Naval Air Station Patuxent River (PAX), who provide a basic instruction guide on the operating systems and then let the hackers loose. The idea is to find vulnerabilities that could be exploited by a suicidal passenger in flight, or from devices installed by corrupt or turned engineers on the ground.
"Many aviation systems were built in the '60s and '70s and are very trusting," explained PAX engineer Nick Ashworth. "They have been designed due to lessons paid in blood – PAX is full of streets named after flyers who have died on the job – but we want to make them better."
Testing of individual avionics systems is also being carried out at the village. Red-teamers Pen Test Partners are in the village with a bunch of commercial aviation equipment salvaged from scrap yards and bought on the second-hand markets.
Ken Munro, a consultant for the biz, wants hackers to break out their equipment and see what new holes can be found in existing systems. This can be used to apply fixes and provide insights for the next generation of designs.
It's also not just aircraft that are being tested at DEF CON, but the facilities that support them. A Lego model of a US airbase is in position for hackers to test their mettle against, because the military is worried that industrial control systems are at risk.
We've lost control again
Scott Thompson, a supervisory control and data acquisition (SCADA) engineer from military contractor CACI, explained that the control systems used to handle things like an airbase's power supply and infrastructure management systems are ancient in computing terms, in some cases 30 years old.
"We've found this software on the majority of our airbases and it's not secure," said Thompson. "The manufacturers are unwilling to alter the code to close up vulnerabilities because they work. So we're looking to build security systems around them to lock off potential threats." ®