The Seattle Times is reporting that a Boeing manufacturing plant was hit with the ostensibly North Korean-developed WannaCry ransomware, even though the malware was unleashed over a year ago and a patch has been available from Microsoft since March 2017:

Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alarming alert about the virus calling for “All hands on deck.”

“It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down,” VanderWel wrote, adding his concern that the virus could hit equipment used in functional tests of airplanes ready to roll out and potentially “spread to airplane software.”

VanderWel’s message said the attack required “a batterylike response,” a reference to the 787 in-flight battery fires in 2013 that grounded the world’s fleet of Dreamliners and led to an extraordinary three-month-long engineering effort to find a fix.

So an assembly plant was affected, but there is no word on how the WannaCry ransomware penetrated the operational network. That vital piece of information is necessary to comprehend exactly what happened, why it happened, and how to prevent similar breaches in the future.

CSO reports on the US Department of Homeland Security remotely hacking a Boeing 757 as a proof-of-concept:

During a keynote address on Nov. 8 at the 2017 CyberSat Summit, a Department of Homeland Security (DHS) official admitted that he and his team of experts remotely hacked into a Boeing 757.

This hack was not conducted in a laboratory, but on a 757 parked at the airport in Atlantic City, N.J. And the actual hack occurred over a year ago. We are only now hearing about it thanks to a keynote delivered by Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” Hickey said in an article in Avionics Today. “[That] means I didn’t have anybody touching the airplane; I didn’t have an insider threat. I stood off using typical stuff that could get through security, and we were able to establish a presence on the systems of the aircraft.”

While the details of the hack are classified, Hickey admitted that his team of industry experts and academics pulled it off by accessing the 757’s “radio frequency communications.”

The United Airlines frequent flyer web site can be easily hacked to reveal passenger flight information thanks to, simply put, shoddy programming logic (emphasis added):

“An attacker can get access to personal details such as email, phone number, flight details (origin, destination, date, time, seat) and even the boarding pass,” Yosi Dahan, co-founder and CEO of Turrisio Cybersecurity, told Motherboard in an email.

When logging into the United Airlines app to check in, a customer can either enter their booking confirmation code or MileagePlus ID and doesn’t need to give any other information, such as a password. MileagePlus is United Airline’s frequent flyer program. If the user’s flight is within 24 hours, their information will be displayed on the app.

MileagePlus IDs are very basic: they come in the format of two letters, followed by six digits. So instead of having to find out the ID of a particular customer, Dahan wrote a simple Python proof-of-concept script that could allow an attacker to grind through the possible combinations of IDs and automatically check if any flights were booked with them.

There is no indication that the app has actually been abused by criminals. But Dahan, who has previously written about the MileagePlus app security, envisioned that it could be possible to launch a social engineering attack with information gleaned this way. He suggested, for instance, that an attacker could call a victim and present them with information that only United Airlines should know, then scam them into handing over credit card details.

“This is the same type of vulnerability that weev [Andrew Auernheimer] was incarcerated over and yet as a penetration tester I have seen this type of vulnerability a lot,” Justin Seitz, author of two Python hacking books, said in an email. “Numerous mobile APIs that were never designed to see the light of day can be mined for information using 10 line Python scripts like you see in that proof of concept.”
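The weakness described above is an unauthenticated lookup keyed on a low-entropy, fixed-format ID, which makes an ID sweep the obvious abuse to watch for. As an added defensive example (not code from the article, from Dahan, or from United), this Python snippet parses constructed check-in lookup log lines in an assumed format and flags source addresses that query many distinct MileagePlus-format IDs with mostly not-found results, the signature of such a sweep:

```python
import re
from collections import defaultdict

# ID format as described in the article: two letters followed by six digits.
MP_ID = re.compile(r"^[A-Z]{2}[0-9]{6}$")

# Constructed sample log lines (not real traffic); the field layout is an assumption.
SAMPLE_LOG = """\
2018-03-28T10:00:01 src=203.0.113.7 id=AB123456 result=notfound
2018-03-28T10:00:01 src=203.0.113.7 id=AB123457 result=notfound
2018-03-28T10:00:02 src=203.0.113.7 id=AB123458 result=notfound
2018-03-28T10:00:02 src=203.0.113.7 id=AB123459 result=found
2018-03-28T10:00:03 src=203.0.113.7 id=AB123460 result=notfound
2018-03-28T10:00:03 src=203.0.113.7 id=AB123461 result=notfound
2018-03-28T10:00:05 src=198.51.100.20 id=CD987654 result=found
2018-03-28T10:00:09 src=198.51.100.20 id=CD987654 result=found
2018-03-28T10:03:00 src=192.0.2.44 id=EF111111 result=notfound
"""

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) id=(?P<id>\S+) result=(?P<res>\S+)$")

def parse_lookups(text):
    """Yield (src, id, found) for every line that matches the assumed log format."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["src"], m["id"], m["res"] == "found"

def flag_enumerators(text, min_distinct=5, max_hit_rate=0.5):
    """Return {src: (distinct_ids, hit_rate)} for sources that look up at least
    min_distinct different MileagePlus IDs and succeed on at most max_hit_rate of
    their attempts. Legitimate users query one or two IDs and mostly succeed."""
    distinct = defaultdict(set)
    hits = defaultdict(int)
    total = defaultdict(int)
    for src, mp_id, found in parse_lookups(text):
        if not MP_ID.match(mp_id):
            continue  # confirmation codes and malformed input are out of scope here
        distinct[src].add(mp_id)
        total[src] += 1
        hits[src] += found
    flagged = {}
    for src, ids in distinct.items():
        rate = hits[src] / total[src]
        if len(ids) >= min_distinct and rate <= max_hit_rate:
            flagged[src] = (len(ids), rate)
    return flagged
```

The thresholds are starting points; in production the same counts would be kept per sliding time window and fed to rate limiting on the lookup endpoint, alongside requiring a second factor such as the passenger's surname.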

Hot on the heels of other recent airline-related cyber security incidents comes news that American Airlines and travel reservation site Sabre were allegedly hacked by Chinese actors:

A recent cyberattack on American Airlines Group Inc. and Sabre Corp., a travel reservation processor for several airlines and hotels, is reported to be the actions of Chinese-linked hackers.

Three people with knowledge of the attacks claim that a connection to Chinese hackers was made after the incident was seen to be consistent with the recent hacking on insurer Anthem Inc. and the U.S. government’s personnel office, Bloomberg reported.

“We recently learned of a cyber-security incident. At this time, we are not aware that this incident has compromised sensitive protected information, such as credit card data or personally identifiable information, but our investigation is ongoing,” Sabre said in an email to Reuters, according to Tech Times.

American Airlines spokesman Casey Norton said that the carrier found no evidence that customer data has been compromised.

“American has worked with outside cyber-security experts who checked digital signatures, IP addresses and the style of attack, and there’s no evidence to suggest a breach similar to that experienced by the U.S. Office of Personnel Management,” Norton said in an email to Reuters.

No industry is safe from breaches, especially these days, given the ease and sophistication of cyber operations.

The same Chinese malicious actors responsible for the OPM hack have also breached United Airlines, exfiltrating flight data, manifests, and other potentially valuable information to be cross-checked against their ever-growing dossier on American citizens’ activities (emphasis added):

The previously unreported United breach raises the possibility that the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that have been compromised. Among the cache of data stolen from United are manifests — which include information on flights’ passengers, origins and destinations — according to one person familiar with the carrier’s investigation.

It’s increasingly clear, security experts say, that China’s intelligence apparatus is amassing a vast database. Files stolen from the federal personnel office by this one China-based group could allow the hackers to identify Americans who work in defense and intelligence, including those on the payrolls of contractors. U.S. officials believe the group has links to the Chinese government, people familiar with the matter have said.

That data could be cross-referenced with stolen medical and financial records, revealing possible avenues for blackmailing or recruiting people who have security clearances. In all, the China-backed team has hacked at least 10 companies and organizations, which include other travel providers and health insurers, says security firm FireEye Inc.

The theft of airline records potentially offers another layer of information that would allow China to chart the travel patterns of specific government or military officials.

United is one of the biggest contractors with the U.S. government among the airlines, making it a rich depository of data on the travel of American officials, military personnel and contractors. The hackers could match international flights by Chinese officials or industrialists with trips taken by U.S. personnel to the same cities at the same time, said James Lewis, a senior fellow in cybersecurity at the Center for Strategic and International Studies in Washington.

“You’re suspicious of some guy; you happen to notice that he flew to Papua New Guinea on June 23 and now you can see that the Americans have flown there on June 22 or 23,” Lewis said. “If you’re China, you’re looking for those things that will give you a better picture of what the other side is up to.”

Another security-related article from the WSJ, this time about how a panel convened by the US FAA intends to prevent cyber attacks against airplanes and the airline industry:

When it comes to protecting flight-critical software from hackers, Mr. Sinnett said, the systems can accept only “specific bits of information at specific preordained times, and it is all preprogrammed.” As a result, he added, “there’s no way for the flight-control system to pull in something” from an unauthorized source.

Such software and cockpit interfaces aboard commercial jets are tested extensively and have such a wide array of embedded safeguards that they are considered virtually impregnable to direct attack by industry outsiders, according to these experts.

Yet that hardly means airliners are beyond the reach of hackers. The biggest current risks, experts believe, stem from aircraft links to ancillary ground networks that routinely upload and download data when planes aren’t flying—including information used for maintenance, sending various software updates and generating flight plans before takeoff like those that affected LOT earlier this month.

“Where we are weak,” says Patrick Ky, executive director of the European Aviation Safety Agency, is in ensuring that a maintenance or air-traffic control system can’t be hacked and used as a conduit to get at aircraft. “What is not being done today,” he said, “is to have a view of aircraft operations in their entirety,” recognizing all the potential outside hazards.

It is good to read that the airline industry recognizes it has cyber security shortcomings and is actively engaged in closing those gaps. If only more industries followed in its footsteps.

Reuters on the Polish national airline being hit by a cyber attack, highlighting how all carriers are at risk (emphasis added):

He said the problem was most likely caused by what is known as a Distributed Denial of Service (DDoS) attack — when a hacker deluges an organization’s system with so many communication requests that it overloads the server, and it can no longer carry out its normal functions.

“This was a capacity attack, which overloaded our network,” said the spokesman, Adrian Kubicki.

Ruben Santamarta, a researcher on airline cyber-security, said there were not enough details on the LOT attack to properly assess what happened. But he said it highlighted the vulnerability of passenger jets when they are on the tarmac preparing to fly.

“There are multiple systems at ground level that provide critical services for airlines and aircraft, in terms of operations, maintenance, safety and logistics,” said Santamarta, who is principal security consultant for Seattle-based security research firm IOActive.

Santamarta last year said he had figured out how to hack into the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems.