AVIATION SECURITY AT OXFORD

It's not just websites...

11/9/2018

You might have seen that British Airways recently suffered a significant breach, in which a lot of customer data was stolen. As with many of these large-scale phishing attacks, payment processing was targeted by malicious code injected through third-party resources; a great write-up can be found over at RiskIQ.

Unfortunately, this is not the only way in which airlines leak payment data. Many airlines have a habit of transmitting full sets of credit card data in the clear via ACARS, an avionic data link. We touched upon this in an arXiv paper some time ago, and the messages go a little something like this (with details redacted, of course):

    FR200
    PLS VERIFY CREDIT CARD
    1234 5678 1234 5678 EXP 10/10
    USD 852

Credit card data on ACARS

We saw numerous instances of this from a handful of airlines, with only one doing it consistently. We are not sure who the cards belong to, or why they are being sent over ACARS, but they tend to be larger transactions, with local currency values above £500.

We should probably briefly explain what ACARS is. The Aircraft Communications Addressing and Reporting System (ACARS) is a general purpose ground-to-air data link used heavily by airlines to manage fleets and in some cases, interact with air traffic control.

It is served over Very High Frequency (VHF), satellite (SATCOM) and High Frequency (HF) links, which makes it incredibly easy to collect with an RTL-SDR and acarsdec or JAERO. You can start gathering ACARS messages for about £10, and you can do it very well for around £150.
Representation of ACARS, from our paper 'Undermining Privacy in the Aircraft Communications Addressing and Reporting System (ACARS)'
It's been in use in some form since the late 1970s, but more recently its usage has diversified far beyond the original intentions. Alongside the serious traffic, it is often used to get updates on sports results or other goings-on. A random example from collected messages might be:

    HI DONT SPOSE U KNOW
    ARSENAL MAN U SCORE AND
    FRENCH ELECTION WINNER
    CHEERS

ACARS for fun

What does this mean for security? Well, not much and not great. There is no standardised security, so by default everything is sent in the clear. An industry standard in the form of ACARS Message Security (AMS) does exist, but we have yet to see it used.

We have seen some efforts at 'encryption', but these were astoundingly weak: think substitution ciphers, single-digit static keys, and all keys shared across all aircraft. We wrote a bit about this here.

And so we come back to our original point about credit card details. We cannot quite figure out why card details are sent via ACARS, but we do know that this is more widespread than our original observation; other members of the community have seen it at scale. Check out Simon Proud's Twitter thread below for more information.

Every day I see messages transmitted by airlines that contain passenger credit card details.

This one, for example, provided all the info (card #, expiry, name, CVC) needed to make purchases online with someone else's card.

This needs to change, passengers deserve data security pic.twitter.com/sHJoK83SU0

— Simon Proud (@simon_sat) July 29, 2018

We disclosed to the airline we saw regularly sending this data, and they made changes to fix it. However, it seems that this is endemic in ACARS usage, and it is not going away. Other airlines are still at it, and it does not take much to collect this data.

It doesn't stop there: airlines send lots of other, less sensitive passenger data via the link too, such as passenger lists, free-text messages containing crew names, and in some cases medical information or visa-related issues.

Clearly, sending private data via ACARS needs to stop. In this instance, malicious observers would not even need to inject code into websites to steal credit card data.
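One practical mitigation an airline can apply today, independent of whether AMS is ever deployed, is a data-loss-prevention check on the ground side of the ACARS gateway: scan every free-text message before it is uplinked or after it is downlinked, and block or redact anything that looks like a card number. The example below is added here and is not code from the original post or from any airline or ACARS vendor. It assumes a gateway that exposes message text as a plain string; the regular expressions, the `confirmed`/`suspected` confidence levels and the sample messages are all constructed for this illustration. It goes slightly beyond the single message quoted above: because redacted or mistyped numbers (like the `1234 5678 ...` example, which fails the Luhn check) would otherwise slip through, a 13-19 digit run that fails Luhn is still flagged when an `EXP mm/yy` field sits in the same message.

```python
import re

# Card-like data in ACARS free text (constructed patterns for this example):
# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# The 'EXP 10/10' style expiry field seen in the messages discussed above.
EXPIRY_RE = re.compile(r"\bEXP\s*(\d{2})/(\d{2})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def scan_message(text: str) -> list:
    """Return a list of findings: span, digit count and confidence level.

    'confirmed' = Luhn-valid card-length number.
    'suspected' = card-length number that fails Luhn but sits next to an expiry field
                  (covers redacted/garbled PANs such as the example in the post).
    """
    findings = []
    has_expiry = EXPIRY_RE.search(text) is not None
    for m in PAN_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if not 13 <= len(digits) <= 19:
            continue
        if luhn_valid(digits):
            level = "confirmed"
        elif has_expiry:
            level = "suspected"
        else:
            continue
        findings.append({"span": m.span(), "digits": len(digits), "level": level})
    return findings


def redact(text: str) -> str:
    """Mask every flagged PAN down to its last four digits."""
    has_expiry = EXPIRY_RE.search(text) is not None

    def _mask(m):
        raw = m.group(0)
        digits = _digits_only(raw)
        if not 13 <= len(digits) <= 19:
            return raw
        if not (luhn_valid(digits) or has_expiry):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_RE.sub(_mask, text)


def gateway_decision(text: str) -> str:
    """Policy for the ACARS gateway (constructed): block confirmed PANs outright,
    redact suspected ones, let everything else through unchanged."""
    findings = scan_message(text)
    if any(f["level"] == "confirmed" for f in findings):
        return "block"
    if findings:
        return "redact"
    return "allow"


if __name__ == "__main__":
    # Constructed sample messages: the redacted one from the post, a Luhn-valid
    # test number (4111 1111 1111 1111 is a well-known test PAN), and a sports query.
    samples = [
        "PLS VERIFY CREDIT CARD\n1234 5678 1234 5678 EXP 10/10\nUSD 852",
        "PLS VERIFY CREDIT CARD\n4111 1111 1111 1111 EXP 10/10\nUSD 852",
        "HI DONT SPOSE U KNOW\nARSENAL MAN U SCORE AND\nFRENCH ELECTION WINNER\nCHEERS",
    ]
    for s in samples:
        print(gateway_decision(s), "|", redact(s).replace("\n", " / "))
```

The decision function is deliberately conservative: a message that merely mentions a large number without an expiry field and fails Luhn (a ticket or booking reference, say) is allowed, while a Luhn-valid card-length number is blocked regardless of context, since a false positive costs a re-send and a false negative is a cleartext card number on a VHF broadcast.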

It seems to be caused by a vast gulf of understanding and practice between the point of design and the point of use. Engineers and designers know the shortcomings, but this isn't communicated through to crew or company. Until we address that, achieving reasonable security and privacy in many aviation data links will be fraught.

If you found this kind of stuff interesting, we have written about privacy issues on ACARS a lot. You can find more information on our publications page and our most recent paper can be found here.
Copyright © 2018