Pilot
© Thinkstock
The satellite communications equipment of passenger jets can be hacked through their wireless internet and inflight entertainment systems, claims one prominent cybersecurity researcher who has promised to reveal the details of his work Thursday at the annual Black Hat hacking conference in Las Vegas, Nevada.

According to Reuters reporter Jim Finkle, IOActive consultant Ruben Santamarta plans to discuss vulnerabilities he has discovered in aerospace satellite communication systems - a presentation that "is expected to be one of the most widely watched at the conference" and "could prompt a review of aircraft security."

The 32-year-old Santamarta told Reuters he discovered the flaws in the communication systems by reverse engineering their firmware - in other words, decoding the software used to operate the equipment. Theoretically, hackers could use the onboard WiFi or inflight entertainment system to hack into its avionics equipment, allowing them to potentially disrupt the aircraft's navigation and safety systems.

The systems specifically mentioned in the study were created by Cobham, Harris, Hughes Network Systems, Iridium Communications and Japan Radio. While Santamarta told Fingle that the hacks have only been tested in controlled environments (such as IOActive's Madrid laboratory) and could be difficult to replicate under real world condition, he said that he decided to publicize his findings to encourage manufacturers to patch these security issues.

"Since the specific details of the exploit won't be announced until Santamarta's presentation later this week, we're left guessing until then just how big of an issue this actually is. The cause for concern is clear, though," said Adam Clark Estes of Gizmodo.

"If Santamarta's claims check out, the exploit affects some of the most common satellite communications equipment on the market," Estes added. "These systems are used not only in airplanes but also ships, military vehicles, as well as industrial facilities like oil rigs, gas pipelines, and wind turbines. The hack targets the equipment's firmware and gives hackers the ability to manipulate the avionics system, which in turn could affect navigation."

Ubergizmo's Adnan Farooqui said that some of Santamarta's findings have already been confirmed by Cobham and Iridium, although both manufacturers assure passengers the security risks are minimal. In fact, Cobham said that a hacker would have to actually be in the cockpit in order to gain access to its communications equipment.

Likewise, Harris representative Jim Burke told Reuters the company had reviewed the paper and had determined "the risk of compromise is very small," and Iridium's Diane Hockenberry added that the firm had determined "the risk to Iridium subscribers is minimal, but we are taking precautionary measures to safeguard our users."

One of the vulnerabilities discovered by Santamarta, Finkle said, was that the equipment from all five companies required the use of hardcoded log-in credentials, which allow service technicians access to any piece of equipment using the same login and password. Unfortunately, hackers can retrieve those passwords by hacking into the equipment's firmware, and then use those credentials to access sensitive systems.

Black Hat review board member Vincenzo Iozzo noted that Santamarta's study marked the first time a researcher had identified significant vulnerabilities in satellite communications equipment, and that the "vulnerabilities he discovered are pretty scary just because they involve very basic security things that vendors should already be aware of."