“Bored” hacker compromises airline in minutes

Access to an entire company's documents available in plain text.
24 January 2023

“computer is boring” by otrocalpe is licensed under CC BY-NC-ND 2.0.


“Like so many of my hacks this story starts with me being bored…” So begins the blog post that exemplifies one of the biggest problems facing cybersecurity professionals: internet-connected systems left exposed, with a default or weak password, or no authentication at all, as the only thing standing between them and a malicious actor. Who needs an AWS vulnerability scanner or similar high-end tool, when a “bored” hacker will do the job so much more easily?

As is common with many journeys down rabbit holes on the internet, this one starts with a search engine. But not a search engine like Bing, Google or DuckDuckGo. Shodan and ZoomEye are search engines that crawl the internet not for websites full of content to index, but for every other kind of reachable host: industrial IoT devices, storage appliances, security cameras, network access points, build servers, and all manner of other technology. They record what each host answers with on its open ports (banners, page titles, service versions), so if it is reachable from the internet directly (or sometimes indirectly) it can be found, catalogued and displayed to anyone conversant with those search engines’ slightly obscure query syntax.

It was through these online databases that maia arson crimew was looking, when she came across some words and phrases that seemed familiar: “ACARS”, mentions of “crew”. The ZoomEye search engine (the Chinese equivalent of Shodan) had found plenty of exposed and badly-configured Jenkins servers – it often does – and poring through their contents gave maia access to the build jobs and source repositories behind, in this case, around 70 servers. (Jenkins is a widely used automation server for building, testing and deploying software; its job configurations and build logs routinely carry the credentials those pipelines use, which is why an exposed instance is so valuable to an attacker.)

After just a few minutes, maia stated that she was “staring at […] a navtech sftp [sic] server filled with incoming and outgoing ACARS messages.” The Aircraft Communications Addressing and Reporting System (ACARS) is the datalink over which aircraft and ground stations exchange short operational messages in real time, via VHF or HF radio or satellite. While that information’s availability was enough to cause some alarm, other credentials found hard-coded in Jenkins configuration and log files yielded much greater access to a particular airline’s systems (not named here).

Half an hour later, she had full access to the company’s AWS storage. There’d been no powerful AWS vulnerability scanning required – all the required details were hard-coded into Jenkins configs. Among the thousands of documents there was a full copy of the infamous TSA no-fly list – the list of passengers who, for whatever reason, are barred from boarding commercial flights into, out of or within the United States. The contents of the list have caused controversy quite apart from any issues around cybersecurity. Speaking to dailydot.com, Hina Shamsi, director of the National Security Project at the American Civil Liberties Union (ACLU), said, “Over the last 20 years, the US citizens that we’ve seen targeted for watchlisting are disproportionately Muslim and people of Arab or Middle Eastern and South Asian descent. Sometimes it’s people who dissent or have what are seen as unpopular views. We’ve also seen journalists watchlisted.”

Among the contents of the airline’s S3 buckets (object storage hosted on AWS), maia also found extensive personal records of pilots and other air crew members, including their home addresses, phone numbers, ID details, pilot licence numbers and more besides. Also among the poorly protected documents were images of refund records, flight plan details, and aircraft maintenance records and schedules.

At one stage, the scale of what she had already done sank in for maia: she had completely “owned” an airline, and it had been easy. Armed with just “the patience” to trawl through a few dozen exposed Jenkins instances, maia had not had to do any serious hacking: the information was there for the taking, with login credentials hard-coded and ready to be pasted in. “It dawned on me just how heavily i had already owned them within just half an hour or so. hardcoded [sic] credentials there would allow me access to navblue apis [sic] for refueling, canceling and updating flights, swapping out crew members and so on.” NAVBLUE provides flight and crew planning software to the aerospace industry.
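The thread running through this story is credentials pasted straight into Jenkins job configurations and echoed into build logs. Below is an added example, not code from the article or from the researcher it describes, of the kind of secret scan a team should be running over its own Jenkins `config.xml` files and console output before an outsider does. The job config and console log are constructed for illustration; the hostnames and the SFTP password are invented, and the AWS key pair is the placeholder pair from AWS’s own documentation, not a live credential.

```python
"""Scan Jenkins job configs and console logs for hard-coded credentials.

Added example; not the original article's or the researcher's code.
All sample inputs below are constructed. The AWS pair is AWS's documented
placeholder pair; the SFTP host, user and password are made up.
"""
import re
from dataclasses import dataclass

# Constructed sample: a Jenkins job config.xml with an AWS key pair and an
# SFTP target written directly into the shell build step.
SAMPLE_CONFIG_XML = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <hudson.tasks.Shell>
      <command>export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 sync build/ s3://example-ops-bucket/artifacts/
sftp -i key.pem ops@sftp.example.internal</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

# Constructed sample: a console log where 'sh -xe' echoes a command that
# carries a user:password pair inside the URL.
SAMPLE_CONSOLE_LOG = """Started by user anonymous
[workspace] $ /bin/sh -xe /tmp/jenkins123.sh
+ curl -sS sftp://acars_user:Sup3rS3cret@sftp.example.internal/outbound/
+ echo done
Finished: SUCCESS
"""

# Detection rules. Group 1 holds the secret, except for the URL rule,
# which captures scheme, user, password and host separately for redaction.
PATTERNS = {
    # AWS access key IDs: 4-char prefix (AKIA long-term, ASIA temporary)
    # plus 16 upper-case alphanumerics, not embedded in a longer token.
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"),
    # Secret keys are 40 base64-style chars with no fixed prefix, so anchor
    # on the variable name to keep false positives down.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # user:password@host inside any URL scheme (sftp://, https://, ftp:// ...).
    "url_embedded_credential": re.compile(
        r"\b([a-z][a-z0-9+.-]*://)([^\s/:@]+):([^\s/@]+)@([^\s/]+)"),
}


@dataclass
class Finding:
    source: str     # which file the hit came from
    line: int       # 1-based line number within that file
    kind: str       # rule name from PATTERNS
    redacted: str   # safe-to-log rendering of the match


def redact(kind: str, m: re.Match) -> str:
    """Keep enough of the hit to triage it without re-leaking the secret."""
    if kind == "url_embedded_credential":
        scheme, user, _password, host = m.groups()
        return f"{scheme}{user}:***@{host}"
    secret = m.group(1)
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(text: str, source: str) -> list[Finding]:
    """Run every rule over every line and return the findings in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(source, lineno, kind, redact(kind, m)))
    return findings


def scan_all() -> list[Finding]:
    """Scan both constructed samples; this is the entry point the test checks."""
    return (scan_text(SAMPLE_CONFIG_XML, "config.xml")
            + scan_text(SAMPLE_CONSOLE_LOG, "console.log"))


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.source}:{f.line} {f.kind}: {f.redacted}")
```

Run against a real Jenkins home, the same `scan_text` can be pointed at every `jobs/*/config.xml` and `jobs/*/builds/*/log`; the two places a secret most often ends up are the shell build step itself and a `set -x` trace in the console output. Note that the scan deliberately does not flag the plain `s3://bucket/path` or the key-based `sftp` invocation, since neither carries a credential in the text; the fix for the hits it does raise is to move the values into the Jenkins credentials store and reference them by ID.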

Had the “hack” of the airline’s systems been carried out by a malicious actor, the information so easily unearthed could have been, for instance, sold to the highest bidder for the purposes of disruption, or even terrorism. That an airline can be compromised this easily, with nothing more than a search engine and the patience to read through exposed build servers, should make any passenger think twice before boarding an aircraft whose every operational detail may well be effectively in the public domain.