
Up for our second presentation here, "Can the CAN Bus Fly? Risks of CAN Bus Networks with Avionics Systems." Patrick Kiley is going to be here, he's going to tell you all about it. Patrick, take it away.

Hey. I have no idea where that date came from, so just ignore that. So my name is Patrick Kiley. I've spent about 18 years in the information security industry, specialized in hardware and transportation security. About ten years ago I got interested in hacking cars, and because we have such a short time and are running late I'll just keep the story short, but my first experience is I had a BMW that I decided I wanted an iPod interface to, and I nearly managed to brick the car. So I learned from that point. That was a fun experience, working with tools that are written in a different language, but I learned a lot, and I hopefully won't brick any more cars on my way to doing cool stuff.

So what we're going to talk about: I'm just gonna give you a little primer on avionics equipment, and then just a real quick primer on CAN bus. I realize this audience probably knows most about it, but it's relevant to the later stuff. And then we're going to talk about some of the basic instrumentation, how it comes through CAN bus and how we can hack it, and then a really funky version of a multi-packet CAN bus that doesn't follow any standard whatsoever, and then a couple conclusions, and that will be about our day.

So, a primer on avionics. This is basically just to introduce you to some of the terms that we'll use later so we're not speaking above, and I apologize if there are any aviation people in the room, this is a really low level. So airplane components: you have components that control roll, which is left and right, which is bank; rudder, which is actually twisting around the y-axis, is like what you'd use in a car on the ground; those are combined together to actually change an aircraft's direction. Elevators will basically make you go up and down in the sky. Flaps are devices that provide additional lift for takeoff and landing and basically allow you to operate at lower airspeeds to make landing and takeoff safer. And then trim. Trim is a term you'll hear using aircraft, and that's basically used to equalize pressure, so when you're trying to climb out and you're under a certain power configuration, you'll actually trim out control pressure so you're not having to constantly pull back on a control. It basically equalizes that out so it keeps you at an attitude, and then when you level off at speed you'll adjust trim again, we'll have a different trim for landing, etc. Trim just neutralizes any pressure so you don't have to keep constant pressure. Imagine if you were trying to go around a turn constantly just having to keep a steering wheel at an angle, you'd tire out pretty quickly and that would get pretty annoying. That basically equalizes it out so you really only need minimal control inputs to maintain attitude and heading.

Now we're gonna get into avionics components. So these are the components of an avionics system, a modern glass cockpit aviation system. The first one you'll see is an acronym called AHRS, that's attitude heading reference system. That's basically the gyroscopes in the aircraft that detect acceleration and position in space, so if we're in an aircraft and we're tilted up or tilted down or left or right, it'll display that appropriately on the instrumentation displays. Magnetometer, just a very technical term for a compass, basically detects the direction that you're traveling in, the direction that you're pointing. Engine telemetry: as opposed to cars, aircraft have a lot of engine telemetry. They have temperature probes on just about every single component of the aircraft, you'll have a bunch of different temperature sensors, a bunch of different pressure sensors, multiple different fuel sensors, both flow rate and fuel level. And you'll have something called a navcom. A navcom is basically a combination radio and navigation receiver. A lot of older navigation aids actually work within the air band and they transmit pulses that are able to be picked up on certain frequencies, so you can actually tell where you are in relation to these navigation aids, but it's the same device that you use to communicate via voice that also receives those radio broadcasts on the same air band, so typically the devices that capture those are the same device, and they're called a navcom. Transponder: so everyone has seen a display where you have a radar scope and you see all the little blips on a scope. What a transponder does is actually enhance that signal so you don't need to send out as strong a radar pulse. When a radar pulse sweeps across an aircraft, the aircraft will respond with a specific encoded message that will identify the aircraft's name and number through a standard like ICAO, as well as a squawk code that has been given to it by air traffic control, and the aircraft's altitude. Now in ADS-B it also actually responds with a bunch of GPS information telling it where it is in space, so you need an even less powerful signal, and the aircraft is now responsible for telling the air traffic control system where it is in space. GPS receiver, pretty simple, it's where I am in space, but they have to be very sensitive ones because they actually have to be accurate down to feet, because aircraft can actually use those to navigate through clouds, all the way down through clouds they can actually land on a runway moving about a hundred miles an hour and nail exactly where they need to land on that runway without having to be able to see it at all. Electrical controller: so that's basically a device that will interface the controls within the cockpit of an aircraft with the flaps and trim system I spoke to already. And then an autopilot. Autopilots on modern, especially larger, aircraft are very intelligent devices; you can actually have it fly the entire course for you if you want. It'll actually maintain the aircraft's altitude, it'll maintain a descent rate at a specific speed, as well as just keep you flat in the sky if you want to just keep going along the same direction, but they're typically controlled by servos that are directly connected to the control surfaces, and the pilot can turn it on and off and will have an autopilot control panel in their system that they can use to adjust everything. So any questions about avionics I've covered? Because I'll cover a little bit more when I start talking about how we can hack this stuff.

Okay, so quick intro to CAN bus. CAN bus was a networking standard developed in the 80s primarily for use in automobiles. It's a shared medium, and the best way I can describe it is it's basically the
way we were on the internet when it was initially created: everybody could talk to everyone else and everybody trusted what everyone else was saying. It's a shared medium, so it's like being on an Ethernet hub, you can see all the other messages on the CAN bus. It's really just two wires that are twisted together with termination resistors on each end, and every device on the CAN bus is just tapped into that and they can see everybody else's messages. It's very inexpensive because you can basically just take two wires, route it to all your components, and that is your communication medium. It's not complicated, doesn't involve switching gear or anything to basically act as a multiplexer, it is just connected up and it works. It's very resistant to EMI because it basically uses differential signaling; not going to get too far into that, but basically you just have to know it will work in high-noise environments.

So, problems with it: any device on the CAN bus is going to trust any message it sees if it's actually looking for that message. So we have an inherent problem with that kind of trust model, because you basically are trusting all the components that are on your bus. If you're a bad guy and you actually get on that bus, you can pretty much do what you want.

So messages, the way they're constructed, is they have basically an ARB ID, which is like an address, and data. So an address is not like a sender or receiver, it's just an address; any device can send a message out on the CAN bus with a specific ARB ID, and then within the ARB ID, within the data packet, it'll actually have the data that it's willing to send, which will typically be like signal levels, so we'll have things like oil pressure, airspeed, attitude, or any of the other various components, something that can tell something to turn on and off.

So, hacking avionics. A couple of years ago I went to an air show down in Florida called Sun 'n Fun, it was actually right prior to a SANS conference and just happened to line up nicely. A little background on myself: I've taken pilot training, I've gotten to the point of soloing, then some life stuff happened, so I've actually been in control of an aircraft myself. It's always been something I've been passionate about, I've always liked airplanes and aircraft and aviation, it's one of the reasons why I got involved in the Aviation Village this year, which anyone going to DEF CON should definitely check out; it's gonna be our first year, it's gonna be a lot of fun. But I was at this air show and I was looking at some people that were actually building an aircraft like what I'm building, it's called a Cozy Mark IV, if anyone's curious. It's basically a derivative of a Burt Rutan design with the elevator, the part that makes the aircraft go up and down, on the front. It's a unique shape, it looks really cool, I've always liked it. So they had just put a modern glass cockpit system into this aircraft and they're talking about how it uses CAN bus, and from my experience in hacking cars I knew about CAN bus, I knew what the problems with CAN bus are, and I said, hmm, I wonder if this is subject to the same problems that automotive CAN bus is, which, you know, you have the trust level and everything else. And so I started on this path. We got some avionics equipment and we did the research on it, and then we started a very long two-year process working with the vendor and DHS and the appropriate authorities to actually release this in a very responsible manner. And it was good, because we actually established a lot of contacts in the industry, we learned how to do this, and hopefully we paved the way so that other people can actually do this research. Because of all the stuff that I had done, people had done some stuff; everyone knows about a tweet that was sent out on board a flight that may have gotten someone in trouble. I don't know if you're here in the room, Chris, but I've never actually met you in person. And we wanted to basically say, hey, you know, we're on your side, we want to be your friends, we want to actually make this secure so that the bad guys can't actually do this and actually cause loss of life or property here. So we went through this process, we did the disclosure, and then just last week we released our paper on our research on our blog. If you go to Rapid7's blog you can see it, it's talking about CAN bus and avionics. But we learned a lot and hopefully we actually paved the road for everyone else to be able to do this responsibly and actually do this research, because CAN bus is only one segment of a bus network used within avionics. There could be a bunch of other ones; we know that there's Ethernet out there, there's the ARINC standards, and I couldn't find any research that anyone had done on any of these. So, if you want to, find a project you like, go at it and do the research and work with the appropriate authorities and get that information out there so we can actually make these networks just as secure as the other networks that we're working on.

So anyway, here are the caveats. If you're gonna access CAN bus, you will require direct access to the CAN bus, so you have to have physical aircraft access. On an aircraft that shouldn't be hard; on a small aircraft at an uncontrolled field it won't be as hard as if it was, you know, maybe down at McCarran getting on one of the airliners, but it does require physical access. However, that should not be the only control. You can't basically build an entire system that is this critical and say our physical access is our one and only control around this system, not when it's this flight critical to life safety and property and everything else. And really what we discovered: there was no defense in depth on the systems that we looked at, and we actually looked at multiple vendor systems when we did this research.

So a couple of ways to get access: you're either an authorized person wanting to do bad, or you've snuck on somehow and you've attached a device to these two wires. It can be powered by itself, you don't need ground, you only need CAN high and CAN low, and now you're a trusted device on this network. You can do this with a small Raspberry Pi that has some telemetry link, or you can use something that's basically looking for logic, looking for particular conditions that we want, like altitude, GPS, and once you get above a certain speed, you know, that kind of scenario, which you get above a certain speed, arm, and then do your bad stuff. Or you can actually compromise the devices directly on the CAN bus. So we have devices now, you're seeing telemetry more and more; I was just looking at a system before coming in here that uses specific Wi-Fi SSIDs to do code uplinks and data uplinks, and this was on a small business jet system, so the Wi-Fi equipment was built right into the avionics and it had a hard-coded SSID and hard-coded passphrase. It's actually right out there, you can find it if you look, if you know what you're looking for.

So getting right into it, let me show you some example messages. So what I have
right here is the arbitration ID, and this is what's called an extended CAN ID, because it's 1 0 3 4 2 2 0 0, that's in hex. And then we have bytes 1 and 2, or DE, actually bytes 2 and 3, DE 47 14. So what I found is that from this ARB ID, DE 47 14 meant oil pressure. Now this is on the system that I dealt with, and I just built up the telemetry of oil pressure, and I set up a little variable resistor on my kit, so you can actually simulate the various oil pressure conditions, but a nominal oil pressure for the system was the data in the second half of this message. Actually the first part that you see, the B2, is static, and then you can actually see it change here later; this is as I switch the messages down. If you notice, actually the numbers are going up, we're on this, the most significant byte, and you can see it's going to 67 470, so the numbers are increasing but the oil pressure is actually decreasing. And why is it going backwards? This is my one and only joke on this, and I'll skip this because it's backwards, it was just set up that way. Here's another example; if you notice it uses the same arbitration ID, but now our first three bytes are DE 47 11, so instead of 14 it was 11, so the payload can actually identify the device that's actually giving the data, and then our data is actually in the second half of the message. This is a static one that's changing; you can see some small changes as it actually decreases here, but it didn't decrease so much to actually change the most significant byte here.

So if we want to spoof these messages, all we have to do is create the false reading that we want, and this is actually a piece of software that's different than the one I used in the report; I wanted to recreate it using a different tool. It's a tool called Vehicle Spy by Intrepid Control Systems; it's really good when you're wanting to reverse engineer CAN. So we basically just take these levels and we send them statically out on the wire, and we send them out at a rate that is faster than what the system itself is sending them. If you go back, well, the screen doesn't actually show the timing, but what you need to do is actually look at how often the instrument sends it out, and you need to send your message out more often than that, because the most recent message wins. If you're thinking about telemetry, you're not going to trust the message that was sent a while ago, you're going to trust the most recent one for your most recent signal. So if you're sending out a message more often than the basic instrument, you win. So, quick demo.
Okay, so this is a close-up of my instrumentation kit, and you can actually see these are the two variable resistors I put in to control the oil pressure, because I didn't actually have an oil pressure sending unit, but it's the same thing, it's just a resistance that changes, and you'll see as I adjust manually what happens to the signals. You can see the, uh-oh, you can't see past the QuickTime, yeah, and you see both the fuel level and the oil pressure drop as I'm adjusting them down. So now we're gonna drop the oil pressure just with a CAN message; I have to go over here and, okay, so now I'm just gonna send this from the system and you see a drop on its own. Oh wait, that's the wrong one.

All right, I recorded the wrong video, sorry, I did this right before, but it worked. So I'm gonna show you the autopilot one, or should I show you the fixed one?

Okay, so this is the actual telemetry system; you can actually see as I'm sending the messages out. So the engine telemetry, oil, you can see the messages come out, and you'll actually see a second one come out along with it with a static byte, and where's that guy, and you'll see it come onto the bus at a more frequent level. But that's basically the system as it's showing it, as it's recording it. Let me check the video, dang, I know I grabbed the right one, I think I do have it, I think I just recorded it wrong. Let's try this.

Yeah, no, I did record the video correctly, I just played the wrong one. So I'm still gonna come over here, okay, wait, okay, you can see a drop on its own. I haven't touched the instrumentation up there; that's just from sending CAN messages out on the wire. Yay, I did do it correctly, okay.

Get back to our presentation. So, the same thing. So now we have telemetry, we know we can spoof telemetry, and that's going to cause a pilot to react: he sees the oil pressure drop right away, he's gonna look for an emergency airfield, he's going to divert. And now we have something a little bit more scary and active, and this is basically how the autopilot system on this particular system works. You have a static message for a steady state, which it's sending out at a common rate, about ten times a second, and then when you engage the roll and pitch servos, because I only had two for this kit, you see this message come out; basically this means engage servos, and this 3 is two single bits to engage the two different servos. If I disconnect one servo from the system and remove it from the configuration, you'll see 0 1, 0 1, so each individual bit in the hex message represents a servo to tell it to turn on and off, and then when you disable it, it's just 0 1 again, and then 0 0 saying no servos, and that will turn the autopilot system on and off.

Okay, a little zoomed out. You can see my two servos attached to the top; I'm going to engage them, and this is through the interface right here. You'll see me actually reach over and turn them on; see, because I actually am telling them to do something, you'll see the servos start to switch and the other servo is resistant to me moving it. And now I'm gonna do that through CAN; this is really hard to do at this angle.

Okay, and without touching it at all, I'm just sending a CAN message and the servos are going on and off, and what I'm doing is I'm actually manipulating the attitude heading sensor to actually get the servos to deflect in a particular way. Go and replay that one more time so you can see the instrumentation change as I'm manipulating the gyros. So imagine you have a pilot in charge of this and all of a sudden the controls are fighting him, and he's telling the autopilot to turn off, there's usually a button right on the control stick or a button up on the display to tell it to turn off, and they're not turning off because the bad guy is sending a message saying stay on, stay on, stay on. How terrifying that could be. Really the only solution at this point is actually to find the circuit breaker for it and actually pull power from the servos, assuming it's been wired appropriately to do that.
So the next thing is just to kind of give you a quick intro to how the one system that we looked at used a really complicated CAN messaging scheme and what we can do with it. This had a single arbitration ID, but it was like a multi-packet message, it was like a fragmented IP message, and then it used a separate but similar arbitration ID for data that was contained over the next several frames. So the first one, the header, included the payload size in bytes at one location, and then this basically contained all the data from the attitude heading reference system. So this is basically the sensor that's telling the instrumentation exactly how that aircraft is oriented in space. It also had the airspeed, angle of attack, altitude, temperature, because you need to use the temperature to actually calculate all those other ones. There were basically two different messages: there are 60-byte messages 50 times per second and 52-byte messages 10 times per second. The magnetometer and the GPS sensor also sent similar types of messages. This is an example, so we have, and then the gray is basically everything that's changing, these values stayed static, and the message, assuming this was one that meant something, was terminated at the tail with 3C, which basically equates to 60 bytes; you'll see, if you count it out, there are exactly 60 bytes here. These individual sensors also, with, you know, most significant byte on the right, contained all the information that told the avionics the aircraft's orientation and speed and the altitude. And if you imagine you're a pilot and all of a sudden your instrumentation is telling you your aircraft is pitching up, you're going to want to pitch down to actually compensate for that. If that's the only instrumentation that you have, it's going to be difficult. Now typically aircraft have backup instrumentation, but some of the more modern ones, they trust everything that's actually coming in over this bus. If you imagine you're in IMC, which stands for instrument meteorological conditions, and so you're in the clouds, you have no reference to the horizon, or if it's nighttime you have a reduced reference to the horizon, and if your aircraft is actually telling you you're a thousand feet higher than what you actually are, you could be headed for a bad day very quickly.

And then the way you would actually attack this: so basically you read in the header, you store the message size as a variable, you read the subsequent data frames into an array, and then you replace just that segment of the data that you want and dump it back out on the wire. Because it's a more recent message you'll be trusted, and you just have to do that more often than the existing system, or wait until the legitimate message comes in and immediately send your message afterwards, because there's a bit of a timing thing there, but it's definitely a legitimate attack. I had it working somewhat in Python, but it would get kind of flaky because I'm a horrible coder, but basically you could use this to do really, really bad things on an aircraft, and it's obviously a very scary attack vector. Now on one of the systems they only used the single arbitration ID to carry all those values; that was trivial to hack. But even the more complicated one, where they've put a couple of controls in, I don't know if they consider this a security control or it was just the way they did it; if I had to guess, they basically received this and they used a different method to transmit this data and they down-ported it so it actually worked in CAN, so it was easier to implement.

But some recommendations. We can't really say, basically there's a problem, okay, I see it, I will stop now. The recommendation is, quick glance, sorry, I'd never done that, didn't see it over there. So we'll fix this up, and if you have questions please come see me afterwards, I'll hang out for a couple minutes. Thank you. [Applause]
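As an added example (not the speaker's code and not Rapid7's), here is the defensive counterpart to the "most recent message wins" spoof the talk demonstrates: a bus monitor that parses candump-style log lines for the telemetry arbitration ID and flags any signal whose frames arrive much faster than their nominal period, which is the footprint an injector leaves when it has to out-pace the real instrument. The frame layout (0x10342200, static 0xB2, DE 47 14 and DE 47 11 tags) follows the talk; the 10 Hz nominal rate, the log lines and every value are constructed assumptions.

```python
"""Spotting injected CAN telemetry from inter-arrival timing.

Added example, not code from the talk or from Rapid7. Frame layout follows the
speaker's description of his bench kit: extended arbitration ID 0x10342200,
byte 0 a static 0xB2, bytes 1-3 a signal tag (DE 47 14 = oil pressure,
DE 47 11 = fuel level) and bytes 4-7 the reading. The 10 Hz nominal rate,
the candump-style log and every value below are constructed assumptions.
"""
import re

# candump -l style line: "(timestamp) interface ID#DATA"
LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)
TELEMETRY_ID = 0x10342200
SIGNAL_TAGS = {b"\xde\x47\x14": "oil_pressure", b"\xde\x47\x11": "fuel_level"}

# Constructed log. The real sender emits oil pressure every 100 ms; from
# t=0.32 s a second sender injects a near-zero reading every 20 ms so that its
# frame is always the most recent one the display sees.
SAMPLE_LOG = """\
(0.000000) can0 10342200#B2DE471400006747
(0.050000) can0 10342200#B2DE471100009812
(0.100000) can0 10342200#B2DE471400006746
(0.150000) can0 10342200#B2DE471100009812
(0.200000) can0 10342200#B2DE471400006746
(0.300000) can0 10342200#B2DE471400006747
(0.320000) can0 10342200#B2DE471400000100
(0.340000) can0 10342200#B2DE471400000100
(0.360000) can0 10342200#B2DE471400000100
(0.400000) can0 10342200#B2DE471400006747
"""


def parse_candump(text):
    """Return a list of (timestamp, arb_id, data) tuples; unparsable lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def classify(arb_id, data):
    """Name the telemetry signal a frame carries, or None if it is not one we track."""
    if arb_id != TELEMETRY_ID or len(data) != 8 or data[0] != 0xB2:
        return None
    return SIGNAL_TAGS.get(data[1:4])


def find_injections(frames, nominal_period=0.1, min_ratio=0.5):
    """Flag frames that follow the previous frame of the same signal by less than
    min_ratio * nominal_period. An injector has to out-pace the instrument to win
    the 'most recent message wins' race, so the spacing collapses. The monitor
    only sees the bus, not the sender: an alert means the signal is contested,
    and the legitimate frame that lands inside a burst is flagged too.
    """
    last = {}
    alerts = []
    for ts, arb_id, data in frames:
        signal = classify(arb_id, data)
        if signal is None:
            continue
        value = int.from_bytes(data[4:8], "big")
        if signal in last:
            prev_ts, prev_value = last[signal]
            gap = ts - prev_ts
            if gap < nominal_period * min_ratio:
                alerts.append({"ts": ts, "signal": signal, "gap": round(gap, 6),
                               "value": value, "prev_value": prev_value})
        last[signal] = (ts, value)
    return alerts


if __name__ == "__main__":
    for alert in find_injections(parse_candump(SAMPLE_LOG)):
        print(alert)
```

On the sample log the first three alerts carry the injected reading 0x0100 against the last genuine 0x6747, and the fourth is the genuine frame arriving 40 ms after an injected one; a real deployment would learn each signal's period from a clean baseline rather than hard-coding it.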