Vulnerability disclosure in aviation

We joined Boeing and United Airlines on a panel recently at the RSA Conference to talk about vulnerability disclosure in the aviation world. The engagement we are now seeing between researchers and industry is a powerful force for positive change. Hopefully this will start to reduce the number of highly misleading airplane vulnerability reports seen in the press, and build trust between research communities and aviation OEMs / operators.

Indeed, this is one of the primary goals of the Aerospace Village, a group we are proud to support.

What have we learned along the way and what prompted both Boeing and United to confidently share a platform with us?

90 days doesn’t work

Over the last few years we’ve disclosed around 200 vulnerabilities per year on average. Generally, we follow Google Project Zero’s 90 day approach to vulnerability disclosure. Where a vendor engages in a positive dialog and asks for more time to remediate with good reason, we have always agreed. However, if a vendor stonewalls both us and trusted journalists we ask to intervene and encourage, they get 90 days before publication, where we perceive that public interest is best served through publication.

This simply doesn’t work in aviation.

Most aviation software is certified to ensure it is safe to fly. You want absolute assurance as a passenger and operator that critical flight safety software isn’t going to reboot or crash mid-flight. The ‘blue screen of death’ has a whole new meaning when in flight! That requires very careful functional testing to assure software stability in an enormous number of scenarios. In flight software outages are so rare that they are often newsworthy when publicly investigated and published by safety authorities.

Safe certification takes time.

So, the vulnerability you found and disclosed might only take a few days to fix the code, but could take a year or two to be re-certified.

Boeing talked publicly about the process they go through when receiving a vulnerability report. The vulnerability is carefully investigated to determine if it could affect flight safety. A flight safety event could be of critical importance and could even result in grounding of a fleet. Fortunately this is exceptionally rare.

If not immediately flight safety critical, priority can be agreed. Rushing the remediation process and pushing out a fix carries risk. One could solve one vulnerability and unintentionally introduce a new, worse issue. Airplanes systems are remarkably complex and take time to ensure they are safe.

So, don’t expect to disclose a vulnerability in aviation and present a talk about it at the Hacker Summer Camp 3 months later.

Disclosure routes

Most aviation organisations have a published Vulnerability Disclosure Program (VDP). Use it!

United’s VDP is quite cool. Whilst it is limited in scope to the united.com web site and related mobile apps, they offer Award miles to researchers. What’s not to like?

Our experience of disclosing vulnerabilities to aviation organisations has been largely positive. There have been some issues though:

One closed down a vulnerability report as a ‘product improvement’ despite it offering vectors to tamper with safety-critical data presented to pilots. We’re escalating that one currently.

Another ignored us, effectively stonewalling an important security flaw.

Stonewalling. What to do

If the organisation involved won’t respond, interact or otherwise acknowledge a vulnerability report, there are plenty of options that don’t involve publication.

The OEM may have relationship with them, as they may be a supplier or part of the ecosystem. Boeing have kindly interceded on our behalf in the past to ‘encourage’ a vendor to take a vulnerability seriously.

Alternatively, you might try the Aviation ISAC. This is a great grouping of aviation organisations with a common interest in improving cyber security in the sector. The ISAC has a huge network of contacts in the space and will take on the job of helping you with disclosure if you are struggling. Historically, the ISAC had a run-in with a couple of researchers when asking for non disclosure agreements, but has moved on hugely since then.

We would gladly help any researcher struggling too. Drop us a line and we will do our best to make introductions.

Safety vs Security / Engineering vs Cyber

We’ve had some entertaining discussions in the past. Many working in cyber inside aviation organisations also feel the pain of trying to build bridges with engineering teams. Safety is (rightly) king; cyber can often be an irritation. ‘That couldn’t possibly happen’ ‘operators don’t do things like that’. Fortunately attitudes are starting to change.

I recall one disclosure conversation where the organisations VDP team had set up a call with the engineering head responsible for the ‘thing’ we had found a vulnerability in. The engineering guy was clearly irritated that they had been brought in to the discussion and did everything they could to dismiss the vulnerability.

Fortunately, several of us at PTP are pilots and are familiar with airline operator standard operating procedures (SOP), airplane minimum equipment lists (MEL) and relevant aviation safety regulation. The engineering guy argued that the vulnerability would be picked up in a cross check and therefore was mitigated. We showed the MEL, relevant regulation and discussed SOP of at least one large operator that proved the vulnerability breached legal cyber-safety requirements.

Change takes time. Cyber is new to many in engineering who have spent years building amazing flying things. Take time to engage constructively and be prepared to stand your ground, supported by evidence and facts. Everyone will be better off for it.

Culturally, if can also be hard for those in engineering to receive news that the ‘thing’ they spent years building isn’t perfect. Whilst those of us in cyber will be used to finding vulnerabilities and flaws in systems, services, and products, it can be unsettling for those in engineering to receive the same.

As we said in our panel session at RSA “It’s difficult to hear that your baby has security flaws”.

Conclusions

Aviation cyber is different. It’s taken us several years of disclosures to figure out how best to engage with and work with the aviation industry.

The media often lose their minds around aviation hacking stories. Few are based on fact.

It’s very easy to unintentionally undermine confidence of the travelling public through misunderstood security research. Flying is safe. Let’s work to make it even safer.