Why are airline companies more vulnerable to cyber threats today than ever before?

If you were one of the “lucky few” who managed to get through the terminal gates this summer, you’ve probably noticed the severe lack of human capital, the endless flight delays, the cancellations, and the big lottery game of “am I going to get my luggage?”. But ironically enough, the aviation industry has a bigger fish to fry. In recent years, many hackers, cybercriminal groups, and state-sponsored actors have been pushing the envelope to get a grip on the holy grail of the aviation network. The great comeback of tourism and face-to-face business trips, together with new regulations, has opened up new opportunities for hackers.

Would passenger Hacker please come to the information desk?

There is no shortage of reasons why a hacker should “specialize” in aviation intrusion. The scale goes all the way from laying hands on an endless, high-quality, up-to-date database (names, IDs, addresses, credit card numbers, departure information, etc.) up to causing a major system disruption, encrypting information, or even harming critical infrastructure, which might result in flight delays, cancellations or, heaven forbid, injuries and worse. Any successful campaign, regardless of its intentions, will result in millions of dollars in losses, a reputation crisis for both airlines and airports, negative media exposure, governmental interference, and in some cases criminal charges.

Airlines have become a clear target for hackers not only because of the valuable passenger data they hold but also because the industry has gone digital and is therefore potentially vulnerable to sophisticated attacks. For example, any file uploaded to the airline’s portal can potentially be malicious. Cyberattacks arrive through files sent both via COVID-related file upload portals and via regular email. Therefore, the aviation industry must verify that all the files its employees access are safe and malware-free.

When governments enthrone the new prime target of hackers

Due to countries’ updated health regulations, airlines were required to collect and enforce passengers’ health documentation as a requirement before traveling. To meet the demand, a large percentage of airlines introduced an online portal or mobile app where passengers can easily upload their files before boarding. Such documents include health declarations, COVID certificates, recovery documents, and more.

Without intending to, airlines painted a huge target on their backs: hackers can upload ordinary-looking Office, PDF, or image files with malicious code hidden inside and, by doing so, exploit undetected vulnerabilities to access the airline’s internal network.

Do you have any malware to declare?

In recent years, the aviation industry has struggled with an increasing number of cyberattacks on all fronts. Many hackers like to perform DDoS attacks, such as the one against the website of Bradley International Airport in Connecticut, USA. In 2018 British Airways suffered a data breach that impacted around 420,000 passengers and involved login details, credit card payment information, and private travel booking details being compromised. It was only two months after the campaign that someone realized there had been a data breach. BA was liable for a serious privacy violation, which also translated into a $650,000,000 class-action lawsuit threat based on the compensation rights of the GDPR (General Data Protection Regulation). More incidents include a Hong Kong-based airline that reportedly lost 9.4 million passenger records, a UK-based airline that lost 9 million customer records to hackers, and an Indian airline breach in which 4.5 million customer records, including sensitive data such as credit card information and frequent flyer data, were exfiltrated and leaked.

Hackers 101: Breaching Airline’s network for Dummies

According to the Cyber-Security Challenges in Aviation Industry report, one of the biggest cyber threats the aviation industry faces is hackers’ attempts to smuggle in “innocent-looking files” that gain unauthorized access to the victim’s operational network and IT infrastructure. A short skim of the leading airlines’ websites reveals the full blueprint of potential exploitation by hackers:

  1. Airlines require passengers to have proof of their COVID-19 documentation as part of their domestic and international flights.
  2. The required records may include digital vaccination certificates, official proof of a negative test result, health declaration, and more.
  3. Most airlines ask passengers to upload the documents through the airline’s website or mobile app and limit the action to roughly 8 to 72 hours before the time of departure. This relatively short window, multiplied by the daily number of passengers, means that deploying heavy, time-consuming tools such as sandboxes is not practical.
  4. To review and validate the information, a human being or an automated tool must open those documents one by one to inspect them. That poses a severe risk to the airline’s smooth operation.
  5. Many airlines mandate document upload and checking as a requirement to complete the check-in process and issue a digital boarding pass.
  6. A sophisticated hacker can also leverage the fact that for the EU DCC (EU Digital COVID Certificate) submitting the QR code alone is sufficient, and include an innocent-looking file with a QR code that redirects to a rogue URL hosting a malicious payload.
  7. As part of the upload mechanism, many documents are uploaded to the portal in encrypted form, which makes detection with legacy solutions even more challenging.
  8. Another potential issue is that, by design, some airlines delete the file up to 48 hours after the date of departure. This means that if a malicious file manages to breach the network, it will be increasingly difficult to trace back the source for forensic purposes.
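The file-upload risk described above (ordinary-looking Office, PDF, or image files carrying hidden code, with no time budget for a sandbox) can be reduced at the portal with a fast static pre-filter. The example below is added here and is not code from the original article or from any airline; it checks that an upload’s real content matches its claimed type and flags active content that a static health certificate has no reason to contain. The sample files and the function and constant names are constructed for illustration.

```python
import io
import zipfile

# Magic bytes for the document types a health-document portal would plausibly accept.
MAGIC = {b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "ooxml"}
ALLOWED_EXT = {"pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "docx": "ooxml"}
# PDF name objects that a static vaccination certificate has no reason to contain.
PDF_ACTIVE = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile", b"/RichMedia"]

def sniff(data: bytes):
    """Identify the real file type from its leading bytes, ignoring the claimed extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def triage_upload(filename: str, data: bytes) -> list:
    """Return reasons to reject an uploaded document; an empty list means it passed.
    A fast static pre-filter, not a sandbox: the byte scan does not inflate compressed
    PDF object streams, so it catches the obvious cases only."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared, actual = ALLOWED_EXT.get(ext), sniff(data)
    if declared is None:
        reasons.append(f"extension .{ext} not allowed")
    if actual is None:
        reasons.append("unrecognised file signature")
    elif declared and actual != declared:
        reasons.append(f"extension says {declared} but content is {actual}")
    if actual == "pdf":
        hits = [m.decode() for m in PDF_ACTIVE if m in data]
        if hits:
            reasons.append("pdf active content: " + ", ".join(hits))
    elif actual == "ooxml":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return reasons + ["corrupt zip container"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("office document contains a VBA macro project")
    return reasons

# Constructed samples (not real passenger documents) used to exercise the checks.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SCRIPTED_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
PNG_AS_PDF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

def build_macro_docx() -> bytes:
    # Minimal OOXML container carrying a VBA project part, as a macro-bearing upload would.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

Anything this filter rejects or flags should be quarantined with the upload metadata retained, since the 48-hour deletion policy in point 8 otherwise removes the evidence an investigation would need.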

For being a frequent flyer we would like to offer you a free VIP data breach upgrade

The massive amount of data that airlines store in their systems is all the incentive hackers need to scheme custom-made, sophisticated spear-phishing malware attacks aimed at a specific user of a specific company.

Last year Microsoft Security Intelligence published an insightful thread about an aviation-themed cyber campaign they were monitoring. The email’s content, jargon, and even the “banal” footer warning look highly credible. The email body as well as the PDF attachment contain legitimate-looking information such as cargo itineraries, flight information, invoice numbers, and other identifiers. The combination of sophisticated social engineering with spear-phishing techniques lures the user into opening the PDF file. Once clicked, the hidden embedded script executes an “AsyncRAT” payload that spies on the destination machine, establishes a connection back to the hacker’s server, and exfiltrates sensitive data.

The attacker’s emails, as shared by Microsoft, leave no room for interpretation: this is a custom-made spear-phishing campaign targeting hand-picked users.

Thank you for hacking us and we hope to see you again in one of our next file uploads.

Using off-the-shelf digital software products makes airline companies’ and passengers’ lives simpler. On the other hand, it makes hackers’ lives much easier when looking for vulnerabilities and exploits in critical systems such as aircraft navigation, air traffic control systems, passenger reservation, and check-in. Airlines must introduce processes and preventative cybersecurity tools to protect passengers’ data from being exfiltrated while ensuring continuous and smooth operation.

Have a safe and pleasant flight.