May 18 2015

Crashing a plane through IFE?

4549185468_d28a2709e2_zThis week end, Chris Roberts made the headlines of the media.  He was presented as the hacker who succeeded to control a plane by hacking the In-Flight Entertainment  (IFE) system. This is not the first time that planes are supposed to be controlable by hackers.  In 2013, a researcher claimed to control the flight management system with an Android phone.  As usual, not properly analysed documents were used to create a false sense of truth.  I have seen mainly two big “pieces of evidence’ that demonstrated it must be true.

  • It is written in an FBI affidavit that Roberts hacked IFE and controlled a plane.  He was arrested, and his electronic material seized.
  • The US Government Accountability Office (GOA) stated in a report that it was feasible.

I decided to read these “evidences”.  As FBI arrested Roberts, the FBI agent wrote an affidavit.  Some interesting facts:

  • Roberts was two times interviewed by FBI about vulnerabilities on IFE: 13 February 2015 and 5 March 2015.  During these interviews, Roberts explained his operating mode as well as his tools.  He  claimed to have entered about twenty times in Panasonic and Thales IFE.  He claimed that one time he was able to access the avionics system.
  • He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight.  He stated that he successfully commanded the system he had accessed to issue the “CLB” or climb command.  He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane…

  • The affidavit does not state that he provided any proof of this statement.
  • In February, FBI agents advised him that accessing the IFE without authorization may be a violation and may result in prosecution.  He acknowledged this fact.
  • On 15th April, Roberts twitted that he may “play” with the avionics once more.
  • United Airlines informed FBI who then arrested Roberts.
  • Investigation showed that two boxes used by IFE were tampered.  One of these boxes was at his seat (3A) and the second one was one row in front of him (2A)
  • … showed that the SEBs under seats 2A and 3A showed signs of tampering.  The SEB under 2A was damaged.  The outer cover of the box was open approximatively 1/2 inch and one of the retaining screw was not seated and was exposed.

  • It is interesting to note that the “opened” box was one row in front on a first class seat.

Despite was media infers, the affidavit does not present any proof that he hacked the IFE and even less that he accessed the avionics.

The governmental report from GOA is even less conclusive.  The statement is

Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.

This broad statement cannot be challenged.   It is Law 8.  The same can be said from any car automotive systems.  Nevertheless, this does not mean that avionics can be accessed from IFE.

In other words, there is no real evidence that Roberts hacked the avionics.  It may be possible that Roberts hacked the IFE network with physical access to the network carrying video.  Most of the wired IFE systems may assume that the physical network is trusted.   It is usually expected that the attending crew would spot a user tampering the hardware.  Fortunately, the IFE and the avionics are air-gapped. I know the Airbus and Thales security teams. They would never have accepted the risk to not air gapping the systems.  All the IFE systems I was exposed to were air-gapped from avionics.  Roberts did never explain how he would have succeeded to cross the air gap.  (Current attacks on air gap, use either file sharing in the cloud, contaminating files exchanged over USB thumbs or sophisticated side channels such as audio or thermal)

Conclusion:  don’t panic when you see a guy with a computer in a plane.


image credits: by-sa Sarah Klockars-Clauser 2010

May 12 2015

How people perceive hacking

People make decision following mental models that they have of how a system works.  Security is not different from other fields.  Experts or technically well-informed people may have mental models that are reasonably accurate, i.e. the mental model fits reasonably with the real world behavior.  For normal users, the problem is different.  Wash Rick identified several mental models used by normal users when handling security in a paper entitled “Folk Model of Home Computer Security”. For instance, he extracted four mental models describing what viruses are:

  • Viruses are bad; people using this mental model have little knowledge about virus and thus believed they were not concerned. They thought to be immune.
  • Viruses are buggy software; viruses are normal software that are badly written. Their bugs may crash the computer or create strange behavior.  People understood that they needed to download and install such viruses.  Thus, their protection solution was only to install trusted software.
  • Viruses cause mischief; viruses are pieces of software that are intentionally annoying. They disrupt the normal behavior of the computer.  People do not understand the genesis of virus.  They understand that the infection comes from clicking on applications or visiting bad sites.  Their suggested protection is to be careful.
  • Viruses support crime; the end goal of viruses is identity theft or sifting personal and banking information. As such, people believe that viruses are stealthy and do not impair the behavior of the computer.   Their suggested protection is the regular use of anti-virus software.

Wash extracted four mental models used to understand hackers.

  • Hackers are digital graffiti artists; hackers are skilled individuals that enter in computers just for mischief and show off. They are often young geeks with poor morality.  This is the Hollywood image of hackers.  The victims are random.
  • Hackers are burglars; Hackers act with computers as burglars act with physical properties. The goal is financial gain.  The victims are chosen opportunistically.
  • Hackers are criminals targeting big fish; these hackers are similar to previous ones but their victims are either organizations or rich people.
  • Hackers are contractors who support criminals; these hackers are similar to the graffiti hackers but they are henchmen of criminal organizations. Their victims are mostly large organizations.

When applying these mental models, it is obvious that some best practices will never be used by end users, regardless of their pertinence.  Most of them do not understand these practices or feel they are not concerned by these practices.  For instance, users who believe that virus are bad or buggy software cannot understand the interest to install an anti-virus.  Users assimilating hackers to contractors believe that hackers will never attack their home computers.  Better understanding the mental model of users highlights where awareness is needed to adjust user’s mental model to the reality.  It helps also to design efficient secure solutions that may seem to fit the mental model although they fight in the real model.


Wash, Rick. “Folk Models of Home Computer Security.” In Proceedings of the Sixth Symposium on Usable Privacy and Security, 11:1–11:16. SOUPS ’10. New York, NY, USA: ACM, 2010. .

May 01 2015

Smart Bottle

JW_Blue_Smart_Bottle_3Diageo and Thin Films have recently demonstrated a smart bottle.   The seal of the bottle contains a NFC tag.  This tag not only carries unique identity of the bottle, but it detects also whether the seal was opened or is still closed.  This smart tag allows interesting features:

  • As for traditional RFID tags, it enables the follow up of the bottle along the delivery chain.
  • As it uses NFC, the seal allows a mobile phone app to identify the bottle, and thus create a personalized experience (interesting features for privacy: it is possible to track who purchased the bottle (at the point of sale with the credit card) and see who actually drinks it (was it a gift?))
  • As it detects if the seal has been broken, it is a way to detect tampering of the bottle during the distribution chain.  This may thwart some forms of piracy and counterfeiting.
  • The tag is also a way to authenticate the origin of the product.  It may have interesting application for expensive rare bottles to verify counterfeiting.
  • It does not yet tell if you drank too much.  This will be the next application associated to the smart glass that will detect what you drink and how much 

See thinfilm brochure opensense

Apr 27 2015

CANS 2015 submissions

The 14th International Conference on Cryptology and Network Security (CANS 2015) will be at Marrakech in December.  The submission deadline is 19 june 2015.  The topics of interest are rather broad:

  • Access Control for Networks
  • Adware, Malware, and Spyware
  • Anonymity & Pseudonymity
  • Authentication, Identification
  • Cloud Security
  • Cryptographic Algorithms & Protocols
  • Denial of Service Protection
  • Embedded System Security
  • Identity & Trust Management
  • Internet Security
  • Key Management
  • Mobile Code Security
  • Multicast Security
  • Network Security
  • Peer-to-Peer Security
  • Security Architectures
  • Security in Social Networks
  • Sensor Network Security
  • Virtual Private Networks
  • Wireless and Mobile Security

The accepted papers will be published in Springer LNCS.  It is an IACR event.

Apr 14 2015

France: charter of good practices in online advertising

On 23 March 2015, the representatives of the French advertising industry signed a charter of good practices to fight piracy.  This charter is an initiative of the French minister of culture and communications.

My highlights of the three page long charter:

1- the signing companies establish and implement clear and transparent recommendations to prevent pirate sites to deal with them.

2- these recommendations will be published and widely disseminated

3- The signatories implement the means at their disposal, each according to its role to prevent of advertisements on pirate sites.   Each signatory may use its own blacklist and own mitigation techniques.

4- A Committee will monitor and publish the results.

Most of the revenues of pirate sites are coming from advertisement.  Unfortunately, legitimate businesses sometimes advertise on these pirate sites.   With the current automatic auctioning systems, often these brands are even not aware where they advertise.  This practice has three consequences:

  1. It provides revenue to pirate sites
  2. It gives some feeling of legitimacy to these sites as famous brands advertise there.   People may be less suspicious on the legality of a site advertising known brands than the same site advertising Russian brides.
  3. It tarnishes the reputation of the advertising brand.

The text of the charter is available here.  Of course, it is in French.


Mar 13 2015

RowHammer: A powerful new attack

In 2014, a group of researchers from Carnegie Mellon University and Intel published a new kind of disturbance attack on DRAM: rowHammer [1]. At the difference of SRAM (static), DRAM (dynamic) need regular refreshing to keep their memory. DRAM are organized by rows. Indeed, when reading or writing to an address, the circuit access the full row rather than only one specific cell. Cells are susceptible to inter-cell crosstalk (like any electronic elements). The researchers discovered the fast, repetitive reading of two rows they could generate a high rate of disturbances that produce errors in the memory. The actual code to produce errors is simple and short. It is a simple loop that reads two addresses, flushes the registers and the instruction cache. A typical 1 million iterations takes less than one second. The code does not need to be root. They tested 129 different DDR3 DRAM commercial modules. They induced errors in 110 modules.

Thus, they demonstrate that with simple software, it was possible to wreck DRAM memory.

This month, Google researchers went one step further. They used the rowHammer technique to create actual fault injection. On a standard x86-64 bit machine, they demonstrated two exploits [2].

  • Native Client (NACl) is a sandboxing system that allows only a limited subset of instructions. They were able to have ‘blacklisted’ instructions to execute in the NACl environment.
  • They succeeded to escalate the privilege to Kernel privilege on a standard Linux.

Of course, these exploits have some limitations. The escalation was done only on a Linux machine without some sandboxing mechanisms. Nevertheless, they highlight that rowHammer may become a powerful fault injection tool. The interesting part of rowHammer is that it is purely software.

Currently, they have only experimented rowHammer on standard DRAM commercial modules. This may be an interesting way to bypass some trusted execution environment that isolate the DRAM space.

DRAM for servers should be more resistant to rowHammer as Error Correction is embedded in the chip. Nevertheless, error correction can only correct a limited amount of simultaneous errors. It may be possible perhaps to also overflow the correction. If rowHammer would be possible on DRAM for servers, then it may be a potential interesting attack vector in the public cloud. The attacker may either bypass the sandbox or impair the memory of another user of the same server.

We may see in coming months more studies and exploits around rowHammer. Will it have the same impact than side channel attacks? To be surveyed…

The two papers are worthwhile to read. Read them in the chronological order.

[1]    Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu, “Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors,” in Proceeding of the 41st annual international symposium on Computer architecture, 2014, pp. 361–372.

[2]    C. Evans, “Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges,” Project Zero, 09-Mar-2015.


Feb 23 2015

Lenovo, Superfish, Komodia: a Man In The Middle story

Lenovo has made this week the headlines with the alleged malware: superfish.   Lenovo delivered  some PCx loaded with “bloatware” Superfish.  Superfish provides solution that performs visual search.  Seemingly, Superfish designed a software that allowed to place contextual ads on the web browsing experience.   To perform this highjacking, superfish uses a software stack from Komodia:  SSL Digestor.  According to the site of Komodia:

Our advanced SSL hijacker SDK is a brand new technology that allows you to access data that was encrypted using SSL and perform on the fly SSL decryption. The hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.

How does Komodia do the decryption without triggering the certificate validation of the browser?   The CERT has disclosed on Thursday the trick with its vulnerability note VU#529496.

Komodia Redirector with SSL Digestor installs non-unique root CA certificates and private keys, making systems broadly vulnerable to HTTPS spoofing

Komodia install stealthily its own root certificate within the browsers’ CA repository.   The stack holds its private key. This allows to ‘self-sign’ certificate to forge SSL connection.  The software then generates a typical Man In The Middle.   Despite the private key was encrypted, it was possible to extract some corresponding private keys (easy to guess the password; komodia).  This means that as long as the root key is not erased from browsers’ repository, an attacker may use the corresponding private key.  The attacker may sign malware that would be accepted by the machine, and generate phony certificates for phishing.   In other words, other principals than Superfish may use the hack for infecting Lenovo computers.

Lenovo provided a patch that removed the Superfish application.   Unfortunately, the patch does not erase the malicious certificate.  Microsoft provided such patch, and Mozilla should soon revoke it.

This is a perfect example of supply chain attack. The main difference is that the supplier voluntarily infected its product.    Do never forget law 4: Trust No One.

PS:  at the time of writing, the Komodia site was down, allegedly for a DOS.  It may also be because too many people try to visit the site.

Older posts «