How to Hack a Bird: Radio Frequency & Mobile Devices
If Homeland Security remotely hacked a Boeing 757 via its RF communication system in 2016, then so can our enemies who supply our avionics on military aircraft.
My last substack connected U.S. military aircraft avionics to Israel’s Elbit Systems. Now, I want to explore the mechanism behind possibly hacking these birds.
The Common Helmet Mounted Display (CHMD) and Tracker System that the UH-60 Black Hawk pilots were using during the recent crash near Reagan National Airport was made by Israel’s Elbit Systems. It’s used day and knight to enhance situational awareness and survivability in all flight conditions. The system fully integrated into the avionics of the aircraft and provides critical information during flight.
But what happens if that helmet and tracker system is hacked?
In 2016, Homeland Security Remotely Hacked a Boeing 757
Dr. Robert Hickey was the program manager at the Cyber Security Division (CSD) of the Homeland Security Advanced Research Projects Agency at DHS S&T.
He served 28 years in the active-duty U.S. Air Force, Air Force Reserve, and Air National Guard. In 1986, he joined American Airlines as a pilot and retired in 2008.
In 2016, Dr. Hickey remotely hacked a Boeing 757 by accessing the aircraft’s systems through its radio frequency communications.
Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says | Avionics International | November 8, 2017
A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia.
“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.
“[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.” Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft.
The aircraft that DHS is using for its tests is a legacy Boeing 757 commercial plane purchased by the S&T branch. After his speech at the CyberSat Summit, Hickey told Avionics sister publication Defense Daily that the testing is with the aircraft on the ground at the airport in Atlantic City, New Jersey. The initial response from experts was, “’We’ve known that for years,’” and, “It’s not a big deal,” Hickey said.
So, the initial response from “experts” was they knew about this hacking security risk for years! They care more about their bottom line than the lives of American citizens.
Israel’s "AirHopper" RF Hack
A radio-frequency hack developed by researchers in Israel would let attackers steal data remotely from even air-gapped computers not connected to the internet. Sounds familiar, eh?
How Attackers Can Use Radio Signals and Mobile Phones to Steal Protected Data | WIRED | Nov 3, 2014
But these security measures may be futile in the face of a new technique researchers in Israel have developed for stealthily extracting sensitive data from isolated machines---using radio frequency signals and a mobile phone.
Dubbed "AirHopper" by the researchers at Cyber Security Labs at Ben Gurion University, the proof-of-concept technique allows hackers and spies to surreptitiously siphon passwords and other data from an infected computer using radio signals generated and transmitted by the computer and received by a mobile phone. The research was conducted by Mordechai Guri, Gabi Kedma, Assaf Kachlon, and overseen by their advisor Yuval Elovici.
The attack borrows in part from previous research showing how radio signals (.pdf) can be generated by a computer's video card (.pdf). The researchers in Israel have developed malware that exploits this vulnerability by generating radio signals that can transmit modulated data that is then received and decoded by the FM radio receiver built into mobile phones. FM receivers come installed in many mobile phones as an emergency backup, in part, for receiving radio transmissions when the internet and cell networks are down. Using this function, however, attackers can turn a ubiquitous and seemingly innocuous device into an ingenious spy tool. Though a company or agency may think it has protected its air-gapped network by detaching it from the outside world, the mobile phones on employee desktops and in their pockets still provide attackers with a vector to reach classified and other sensitive data.
Generally the most common method for infecting air-gapped machines is a USB flash drive or other removable media. Once one air-gapped machine is infected, the malware can spread to other machines on an air-gapped network. Data can be extracted the same way, though this is more of a challenge. The malware stores stolen data on the machine until a flash drive is inserted, at which point data is copied to the drive.
AirHopper, however, doesn't require repeated action like this once the malware is installed. An attacker only needs to get their malicious transmitter code onto the targeted machine and then either install the malicious receiver component on the victim's mobile phone or use the attacker's own mobile phone in the vicinity of the computer to receive the data and transmit it to the attacker's command-and-control server.
The malware can be programmed to store siphoned data on the infected machine for later transmission at specified hours or intervals. The researchers also devised methods for hiding the data transmission on the targeted machine to avoid detection, including transmitting data only when the monitor is turned off or in sleep mode and altering the FM receiver on the phone so that there is no audible tone when data is transmitted to it.
Although the distance for transmitting data from an infected computer to a mobile phone is limited---due to the limitations of the receiver in phones---attackers could use a stronger portable receiver, set up in a parking lot for example or installed on a drone flying overhead, to pick up data from greater distances.
Black Hawks Used to Operate Independently Before Elbit Systems
The average aircraft in the US Army's Black Hawk fleet is 23 years old. The older aircrafts' on-board systems operate independently of one another without sharing mission-critical information… Using scalable, open systems architecture Elbit Systems of America's helicopter upgrade solutions enable complete systems integration, resulting in a faster relay of information to pilots and crew, reduced pilot workload, and increased battlefield situational awareness.
While Donald Trump rails on about “DEI” in our military, maybe he should ask Bibi about hacking our bird’s avionics supplied by Israel when he visits February 4th?
There’s obviously and issue with Elbit Systems as avionics suppler for the U.S. military. Our supply chains should not rely on any government currently engaged in a genocide, attacking U.S. elections, and engaged in psychological warfare against American citizens. At some point, this reaches the level of treason.
You can follow me on X.com @DCinTejas—my DMs are always open—or email me at DCinTejas@proton.me. If you email just DM me, so I know to check it. Thanks! I’m now on Instagram (@divided.conquered).
-DeAnna Calderón
If Drumpf had any balls he would arrest Bibi on feb. 4, but no he and congress will give 57 standing ovaZIONS.
Good article. Bibi shows up within days of the DC Blackhawk event. I always wondered about Power Struggles with big players.