British satellite company Inmarsat has responded to SATCOM security concerns raised by cyber security expert Ruben Santamarta, principal security consultant from IOActive Security Services, at the Black Hat conference last month, following the publication of a white paper on security vulnerabilities.
Santamarta explained that some SATCOM systems have vulnerabilities that could allow hackers access to aircraft systems, and backed up his claims with proof of how he was able to gain access to Inmarsat’s SwiftBroadband SATCOMS through ‘backdoors’. “If we can compromise the SDU,” he said, “we can access the MCDU through the Arinc 429 bus. We can finally reach a critical device in the cockpit.”
Ken Bantoft, vice-president of SATCOM technology and development at SATCOM Direct, argued that access to the 429 bus is read-only, delivering position reporting data, and said, “You cannot inject data. Transmit and receive are on independent buses. At worst you know where you are.”
Inmarsat emailed its response regarding SATCOM system connections, saying, “This is really a question that should be directed to the airframe manufacturers. Cyber security on the internal aircraft and network buses is something that airframe manufacturers take very seriously. They have their own stringent cyber-security requirements so that the bus design and avionics connected are implemented in such a way that makes breaches like the one outlined by IOActive an impossibility.”
Rockwell Collins, which recently signed an agreement with Inmarsat as a value-added reseller of systems, said, “Today’s certified avionics systems are designed and built with very high levels of redundancy and security. Simulating these conditions in a lab or virtual environment is not analogous to certified aircraft and systems operating in regulated airspace. The security of these systems is a top priority that we are addressing through collaboration with industry regulators, customers and suppliers. In addition to meeting today’s security needs, we have ongoing research in enhanced security features to respond to evolving security threats.”