Hacking Air Force One...

Gary Compton

Now I know it's probably not possible but I need to suspend disbelief and make it believable. In my WIP I have an antagonist who has massive resources and plenty of capacity to create a complex worm. In my story he created the Stuxnet virus that took out Iran's nuclear program.

His Threat Intelligence Development Team have created variants of Stuxnet, one of which targets a plane's control system.

I'm thinking he hacks the wifi or the system on AF1 via a laser fired from a satellite and uploads the virus. My question is: how do hackers hack websites and software? I've heard of DDoS attacks, but how do they get into software like banks etc.?

Some keywords and phrases would be helpful :)
 
I would think the easiest way is to get someone to plug in a USB drive loaded with a virus into a computer aboard AF1. Whether the person does so knowingly or unwittingly doesn't matter in the end. That's how Stuxnet got into the Iranian system, if I remember correctly.
 
That's too easy and I would imagine they have ways of dealing with that. Thanks for your input. Any other ideas?
 
What about something different, like embedding a Blu-ray with a virus and slipping the copy of Frozen 'sans virus' into the president's kids' backpack? Blu-ray players are all wifi now, and maybe that could be your link?
 
I want it to be invasive, Ratsy, to show how technologically advanced the antagonists are. Something sci-fi-ish. Tractor beam possibly.
 
Aircraft engines automatically download data while in flight for a wide variety of purposes. It's not for positioning fixes (however, a lot of work is going on around that to try and use this method to find the missing Malaysia Airlines aircraft). Maybe that's a route in. There may have to be a little handwavium as to how this translates into hacking the whole aircraft. I don't know about uploads etc.; I presume there must be a mode to be able to patch the software of the computers mounted on the engines themselves. Possibly even in flight for fault finding/repair.
 
It's actually quite possible, but what are they going to do with the plane?
I mean, you still have pilots there.

Do you want now tech or near-future tech?
For now tech, every phone can be used as a modem, a tether, whereupon you can broadcast a wifi signal via a call-in or hidden in a text file or media file.

The easiest way to do this is to copy an existing file, delete it and insert a replacement file, a doppelganger file... one with the virus malware backpacked into the code.
This would allow them to take over the phone and from the phone get into the plane's electronic systems via wifi signal,
because it's now acting as a modem. It can smother the external wifi signal and send in dummy information... an imitation web.

This would take out the plane's guidance systems and get into the flight controls through the automatic pilot, because AF1 is drone-flight capable. This would best be done during conditions where visual confirmation was difficult if not impossible: night flights, bad weather and so on.
Then when the pilots tried to regain control, depressurize the plane. It will knock most people out flat.

This is feasible because there was a great deal of hoop-de-do over Obama's insistence on using a hackable phone... namely a BlackBerry.

If you want to get into the government controls then you want the phone to be in the possession of a high-ranking person. The higher, the more security access they have.
Then mount your wyrm and burn their systems...

Gary, I think you are just trying to get us to tell you how to get yourself a free plane, here...
 
jastius, I want to take control so the pilots have no control. At the last minute I need something done by the Pentagon that takes back control?
 
If you presume that AF1 is connected to the internet via a military satellite link, you could always have your bad guys take over the supply satellite? That could give the Pentagon time to wrest control back after.
 
jastius, I want to take control so the pilots have no control. At the last minute I need something done by the Pentagon that takes back control?

The automatic pilot would give you control.
If you remember Die Hard 2? When they played those tricks on the planes by feeding the computers the wrong information? That kind of thing is possible...
Also recently, when the pilot was disabled, an automatic pilot landed a plane.

...err, then

I would suggest an EMF pulse to take out the automatic pilot and have the human pilots retake control. I think Obama still has a BlackBerry in addition to the iPhone he was given.
 
Just adding the caveat that by Air Force 1, I presume you mean one of the two VC-25s which are the aircraft commonly referred to as Air Force 1. I say this as AF-1 is merely the call-sign of any US military aircraft that carries POTUS (the President Of The US). If he were to ever travel on a civilian aircraft, it would be Executive 1. (Any military aircraft other than a particular squadron of US Marine helicopters, the one carrying POTUS being referred to as Marine 1).

Anyway... the full capabilities of the VC-25s (I'll call 'em AF1 now to stop seeming like a smart alec) are unknown. But what is suspected is that they have a massive array of defensive systems, including hardening to EM pulses; they're designed to operate in a nuclear attack environment (obviously not to withstand a nuclear bomb, but at least as hardened to EM as a nuclear bomber). Plus, they fly with a heavy escort and can refuel in the air.

You could invent some kind of situation where the aircraft has a mode whereby it can be flown remotely as a drone (which would make sense in real life in case the crew have been incapacitated). You could add an earlier subplot where the baddie has to obtain the command codes to do this. (Just thinking out loud: shady meetings in alleyways with some muscly sidekick trying to obtain 'The (fill in impressive name here, but Icarus sounds cool) Codes' from some source.) What these codes do is kept a mystery until your above-described scene.

Maybe not as high tech as you'd like, but a bit more Tom Clancyish.
 
If they use the onboard systems to generate a modified EMF, it would only disable the spy system that is controlling the system. It would burn out the nexus that is operating from the phone.
 
EMPs are generally not a good idea as they actually destroy the electronics. No way of getting them back; you need brand new components. I'll ask the OH, he likes thinking these sorts of puzzles through. We were having a chat last year about the best method for disabling heavily firewalled networked computers and he suggested you use the time code stuff, as it had an inherently insecure base and was easily exploitable, and about 2 weeks later a bunch of hackers actually did that, which was spooky! He of course had already thought of an easy fix and, lo and behold, another week later that was pretty much spot on to what was released in updates ;)
Interesting idea that I am sure he will like to have a think about!
 
A pulse shorting out the bugged phone is also possible through a modified waveform that, while it would toast any small electronics such as the phone and any other spy gear they had managed to infiltrate with, would not harm the plane's major systems.

It would fry out anything with batteries though... So everyone's watch is gone unless it's a wind-up... All the kiddies' games...
And if anyone has a pacemaker, it wouldn't work... So they would need nitro spray until they landed and could get an exterior battery hooked up... then surgery to replace the battery.
 
he hacks the wifi or the system on AF1 via a laser fired from a satellite and uploads the virus. My question is how do hackers hack websites and software. I've heard of DDoS attacks but how do they get into software like banks
a) Stupid Admins leaving holes.
b) Buffer overflow vulnerability. A giant string with a payload pasted into a form that's not checked properly (too much software is done no differently to the 1970s).
c) SQL injection. A form that looks up a database.
d) Network vulnerability. Some buggy API or service that shouldn't be exposed (sending a wrong-size response when opening an HTTPS session).
e) Insider information.
f) A software Trojan. A program that people download has been tampered with. In mainframe days they would send a tape with a demo of something for sale that loaded the Trojan (late 1960s).
g) USB device Trojan. Send someone important a keyboard, mouse, smartphone or PSU with one inside. This can silently install a Trojan via the HID protocol. A USB stick relying on Autorun is less sure.
h) Physical access to the computer. All bets are off. No protection. BIOS and OS passwords do not protect. You take out the HDD and write to it directly. Or even fit a memory DIMM/SIMM that, as well as working as RAM, installs a rootkit at power-on. Or reflash the BIOS to load a rootkit.

DDoS doesn't get "in" or infect at all! It's simply generating so much traffic that the real users can't get access. It requires thousands of computers. A botnet is 1,000 to 500,000 computers that have a Trojan allowing remote control, and using this to run a program in the background. The infected users will not notice anything.

plug in a USB drive loaded with a virus into a computer aboard AF1.
Unless "autorun" is enabled, this usually won't work. Also, a flight computer may have no USB, and it may not have an x86/x64 CPU. A virus or Trojan has to be written for both a particular operating system AND the CPU type. Any "random" computer on AF1 will not be connected to the flight system.

So you bribe someone working in the company that maintains the flight computer software to install your Trojan. You bribe someone else to have essential maintenance / an upgrade scheduled. People are the weak link. Almost ALL infections are not primarily due to vulnerable systems (all are), but due to poor user education, social engineering etc. Most data thefts are with the help of an inside employee.

If you presume that AF1 is connected to the internet via a military satellite link
Unless people have got really stupid lately, no command and control is connected to the Internet. Only random user's computers.

EMP
These are really, really hard to generate, and they indiscriminately destroy electronics unpredictably. At the lowest level, CPUs and memory chips fail; with a stronger pulse, in turn:
Regular ICs
Discrete transistors
Valves / tubes (the filaments/heaters burn out)
At the highest level of pulse, PCB tracks, fuses and thinner wires all burn out.

The lowest level of "frying" CPUs and RAM can be achieved with backpack-sized gear, but you'd have to be less than 0.5m away and the device would need external wiring to pick up the pulse. Equipment designed to cope with the plane being hit by lightning would probably have pulse filtering, transorbs, gas discharge tubes etc. on all in/out wiring and be quite immune.
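Item (c) in the list above, SQL injection through "a form that looks up a database", as an added example that is not part of the thread: a constructed SQLite table is queried first by pasting the form fields into the SQL text and then with bound parameters. The table, column names and account values are assumptions made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data for this example (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, pin TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("alice", "1234", 500), ("bob", "9876", 1200)])
    return conn


def lookup_unchecked(conn, user, pin):
    """The bug in item (c): form fields pasted straight into the SQL text,
    so a quote character in the input changes the query's logic."""
    sql = (f"SELECT user, balance FROM accounts "
           f"WHERE user = '{user}' AND pin = '{pin}'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user, pin):
    """The fix: bound parameters. The driver passes the input as data,
    so the same characters can never become part of the query."""
    sql = "SELECT user, balance FROM accounts WHERE user = ? AND pin = ?"
    return conn.execute(sql, (user, pin)).fetchall()


if __name__ == "__main__":
    db = make_db()
    good = ("alice", "1234")
    bad = ("alice", "' OR '1'='1")  # a PIN field containing a quote
    print(lookup_unchecked(db, *good))      # [('alice', 500)]
    print(lookup_unchecked(db, *bad))       # every row: the PIN check is bypassed
    print(lookup_parameterised(db, *bad))   # []: no account has that PIN
```

The unchecked query becomes `... AND pin = '' OR '1'='1'`, which is true for every row; the parameterised version compares the whole input string against the pin column and finds nothing.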
 
So the OH was, as expected, interested in the idea. He actually watched a talk on this sort of stuff recently. He can't find the exact talk, but this Black Hat one is similar.
(The one he was talking about was using a VxWorks test harness to attach to the plane engines and spoofing being a bus depot to trick the engine in a bus into connecting to you to give statistics info etc.)

Briefly, according to OH (sorry if a little disjointed, I am C&Ping from our chat):

Hacking into the wifi via lasers is ridiculous. But hacking wifi via lasers isn't believable, as I don't think there are IR systems on board, and if there are it certainly won't be transmitting back to you. Then using that to bridge to wifi would be an unnecessary step, as you are already in the control network.

Hack idea: OK, well, make a phone call, pretend to be air traffic control to Air Force 1, and once the connection is established force a stack overflow in the audio processing to bridge onto the system bus of the plane, forcing the connection to stay active and giving you access to the plane's systems. Air traffic control may even have a data connection when they do voice comms; it may be all digital now, so that attack vector is plausible. You would need to connect the data stream to tunnel, say, a VxWorks test harness over, as that's a system commonly used in engine control systems and bits like that.

The phone call would need to be continuous; if you want to remote control it you need a connection to something, unless you pre-program a set of instructions and upload that. The connection has to be some method of communication: either this SCADA thing, a satphone call, or the air traffic control stuff.

The Pentagon would need to sever the connection. Well, they could try and jam it, flood the spectrum with noise until the call fails. They could try and reboot the communications system maybe. Well, planes' systems aren't meant to turn off, so I assume it's probably tricky to get the system to restart, if not near impossible.

To keep a plane in the air there are many computers, each programmed by separate people, separate companies and separate hardware; these people are not allowed to talk under any circumstances. These computers must all agree on a course of action, etc., so that level of fault resilience does not lend itself to being turned off and on again. Heh. So tricky to break the connection.
 
Isn't the restriction on cell phone use on a plane due to a cell phone's capability of interfering with the radio frequency signals of the plane's equipment?

RF interference can supersede the instrumentation input.
 
Hi,

Knowing little about this world, I still recall hearing somewhere that the most effective hacks are not actual hacks. They're freaks. (I don't make up these terms.) Freaking is where you actually trick people into giving you passwords and access - you know, ringing people up saying you're with IT etc and asking them for their passwords so you can "fix the system". Once you have access, then you can start hacking.

My thought would be that these planes have downtime. Times when they're being serviced etc. And once you have access, that's when you slowly and carefully start rewriting the software that runs them. Perhaps by having the programs regularly download themselves for updates to your own special server. Then you take control only when everything's in place.

Also one other thing occurs to me. Modern planes are what they call fly by wire. (I keep thinking that means there's a very big wire between the ground and the plane like the old model aircraft I used to fly!) The important thing is that fly by wire means that when the pilot touches the controls to move an actual thing like a flap, there is no direct connection. It's like going from a pre-seventies car with direct braking to servo assisted braking. You hit the pedal and the pedal triggers an electronic servo and the servo applies pressure to the brakes. It should be possible therefore to completely rewrite the software so that the pilot's controls no longer control the actuators and servos, and instead they respond directly to the hacking software. I.e. remote control.

How they get around that I don't know. Modern passenger planes can't actually be run directly through internal wires and pulleys etc as far as I know. They're just too big for a pilot to have any meaningful power over a plane simply by brute strength. So manual control really doesn't mean that. It just means that the flight program is overridden by the pilot's commands through the controls. The whole thing is still mediated by actuators and servos and computers which in theory could be remotely controlled.

Cheers, Greg.
 