Cyber-Security Thoughts on Trump’s Laptop Ban



A while ago I left the U.S. to move to Dubai, and I’m currently affected by the travel ban. I would like to share some of my thoughts on the Cyber Security impact of Trump’s laptop ban.

Since Trump’s laptop ban emerged, followed by the UK’s laptop ban, many analyses have concluded that this ban was strongly motivated by economic reasons rather than security reasons. As سلطان سعود القاسمي brilliantly pointed out in his article for the Middle East Institute, the airports of Abu Dhabi, Dubai and Doha are among the strictest in the world when it comes to security.

One of the main reasons I moved from San Francisco to Dubai was definitely the attractiveness of DXB as an airport and Emirates as an airline. DXB offers more than 200 direct flights (against 40 international cities at SFO), including flights to some of the most interesting and underrated countries in the world.


Assuming this law is carried out as a security measure, we certainly cannot rule out the possibility of it being extended to further airlines worldwide, including ones outside the Arab world.

No technical details have been provided on how this ban would improve security. It is important to note that the entertainment tablets provided on planes are basically computers, mostly running Linux-based operating systems, much like an Android phone.

Therefore, we expect airlines to expand the capabilities of the In-Flight Entertainment (IFE) systems they offer their customers. One of those capabilities, among others, is:

  • The ability of a passenger to work on an IFE as they would work on their own personal laptops. Think of it more like a “Workstation-As-A-Service”.

In addition, we will most likely see customers, especially frequent flyers, use their smartphones for work and entertainment during flights more extensively than before, given that chargers are already available on most modern planes. However, this raises some concerns:

  • A likely increase in the use of wireless data storage and transfer protocols, such as Bluetooth-based storage accessible from one's smartphone, is potentially problematic.
  • Customers plugging personal USB storage into untrusted devices such as the entertainment console.

From a hacker’s perspective, all of the above could be viewed totally differently. Here is how I personally view it:

  • An increased attack surface for users on their personal devices, such as smartphones, from enabling protocols like Bluetooth.
  • An increased attack surface for airlines, as more services run on entertainment consoles and more passengers interact with them. Processing that much more untrusted data will take a huge effort.
  • Less control over data: if someone has personal or confidential information that needs to interact, over wireless protocols, with devices they do not own, the risk of that data being leaked increases immensely.
  • Outsourcing privacy and security to more untrusted third parties: if someone’s data has to transit through them, this is also a huge risk. We know that entertainment systems on airlines are on a different network from the command and control of the plane; however, the entertainment consoles themselves are on the same network as one another. If a malicious user on the same flight holds undisclosed vulnerabilities in the IFE, such as the ones disclosed last year in Panasonic Avionics systems, well, that’s not good.

One more thing to keep in mind about these entertainment systems: because manufacturers assume nobody will look at them, they tend to carry numerous basic vulnerabilities, like most embedded devices.

Several of these companies are also not under the same pressure as vendors such as Microsoft, Apple and Google, which means that their software gets audited less (never?), and security is usually the last thing on their minds.

In December 2016, Ruben Santamarta (IOActive) published a series of vulnerabilities affecting Panasonic Avionics’ IFE, after disclosing them to the manufacturer almost 2 years before. All of those vulnerabilities were very primitive, the type of vulnerability you would expect in the 90s, such as SQL injection in the PHP backend.

[Image: SQL injection vulnerability found by Ruben Santamarta (IOActive)]

Since IFE providers are usually not used to security audits, they are also generally very slow to provide updates. Furthermore, once updates are provided, they are very hard to deploy across a whole fleet.

Because of these recent laptop bans, we can surely expect not only an increase in vulnerability research and discovery on IFEs, affecting U.S.-based IFE vendors such as Panasonic Avionics, but also new attack vectors. Given that most U.S. airlines use outdated IFEs (due to old planes), it would not be surprising if they were the first ones to be targeted. Unfortunately, irony can be so ironic sometimes!


PS: If you are in the region and want to learn more about what real cyber-security is about, see you in Dubai on April 26–27 at OPCDE!