You might have seen that British Airways recently suffered a significant breach, in which a lot of customer data was stolen. As with many of these large-scale phishing attacks, payment processing was targeted by malicious code being injected through third-party resources - a great write-up can be found over at RiskIQ.
Unfortunately, this is not the only way in which airlines leak payment data. Many airlines have a habit of transmitting full sets of credit card data in the clear via ACARS, an avionics data link. We touched upon this in an arXiv paper some time ago, and the messages go a little something like this (with details redacted, of course):
We saw numerous instances of this from a handful of airlines, with only one doing it consistently. We are not sure who the cards belong to, or why they are being sent over ACARS, but they tend to be larger transactions, having local currency values above £500.
We should probably briefly explain what ACARS is. The Aircraft Communications Addressing and Reporting System (ACARS) is a general-purpose ground-to-air data link used heavily by airlines to manage fleets and, in some cases, to interact with air traffic control.
It is served over Very High Frequency (VHF), satellite (SATCOM) and High Frequency (HF) links, which makes it incredibly easy to collect with an RTL-SDR and acarsdec or JAERO. You can start gathering ACARS messages for about £10, and you can do it very well for around £150.
It's been in use in some form since the late 1970s, but more recently its usage has diversified far beyond the original intentions. Alongside the serious uses, it is often used to get updates on sports results or other goings-on. A random example from collected messages might be:
What does this mean for security? Well, not much, and not great. There is no standardised security, so by default everything is sent in the clear. An industry standard in the form of ACARS Message Security (AMS) does exist, but we are yet to see it used.
We have seen some efforts at 'encryption', but these were astoundingly weak - think substitution ciphers, static single-digit keys, and the same keys shared across all aircraft. We wrote a bit about this here.
And so we come back to our original point about credit card details. We cannot quite figure out why card details are sent via ACARS, but we do know that this is more widespread than our original observation; other members of the community have seen it at scale. Check out Simon Proud's Twitter thread below for more information.
We disclosed to the airline we saw regularly sending this data, and they made changes to fix it. However, this seems to be endemic in ACARS usage, and it is not going away: other airlines are still at it, and it does not take much to collect this data.
It doesn't stop there - airlines send lots of other, less sensitive passenger data via the link too: passenger lists, free-text messages containing crew names, and in some cases medical information or visa-related issues.
Clearly, sending private data via ACARS needs to stop - in this instance, malicious observers would not even need to inject code into websites to steal credit card data.
It seems to be caused by a vast gulf in understanding and practice between the point of design and the point of use. Engineers and designers know the shortcomings, but this isn't communicated through to crew or the company. Until we address that, achieving reasonable security and privacy in many aviation data links will be fraught.
If you found this kind of stuff interesting, we have written about privacy issues on ACARS a lot. You can find more information on our publications page and our most recent paper can be found here.