by wucke13 717 days ago
The observation that ARINC 429 can be tapped, and that an active wiretap can alter data on the bus is of little surprise. The technological challenge is not high, the bus is comparable to a serial port at ~115200 baud. Considering that the technology surfaced in the 1970s, it is of no surprise that physical access restriction is the only means of security.

More interesting IMHO would be what can be done to accelerate the adoption of new technologies (especially w/r/t cryptography) in avionics. This is more than anything a cultural problem: how to convince regulative bodies, how to satisfy processes, how to re-balance the proven-in-use argument (where stuff gets more favorable safety assessments when it has been used long enough) vs crypto-agility (where the same thing from today just tomorrow becomes insecure without changing itself, because of some external discovery).

The technology is there, but the aviation community is not yet. Another nice read in this domain is "Economy Class Crypto: Exploring Weak Cipher Usage in Avionic Communications via ACARS" [1, 2]. I only say mono-alphabetic substitution cipher.

An interesting connection of Blockchain-tech, safety and security can be found in "Verifiable Computing in Avionics for Assuring Computer-Integrity without Replication" [3]. Here the authors leverage zero-knowledge proofs to prove to a downstream actuator that its commands are indeed correct results yielded by the application of the appropriate control law on the provided sensor inputs. However, this work is probably at least a decade away from being applicable in actual certified aircraft.

[1] https://link.springer.com/chapter/10.1007/978-3-319-70972-7_...

[2] https://www.cs.ox.ac.uk/files/9693/fc-paper.pdf

[3] https://publ.sec.uni-stuttgart.de/reinhartluettighuberliedtk...

2 comments

I don't want the cockpit to lose contact with the engines during a flight because a certificate just expired. And even if this particular example isn't realistic, adding security to a system will necessarily add lots of new failure modes. It seems likely that it will be really hard to do this without making the system as a whole less reliable.
I know you mean this in a general sense, but I just wish to point out for everyone that in this scenario you don't actually need certificates: a MAC to prove authenticity is enough.
>a MAC to prove authenticity is enough.

This would work in most cases, yes.

I think the point that 'masfuerte' was making is that simplicity and redundancy are _the_ bedrock of reliability.

Even if all the new hardware and software to implement this new security model on avionics busses is 100% open and audited by every laudable computer science / security specialist, it's just _more_ to possibly go wrong. That tends to change how people think about risk (whether rationally or not!)

End result is the same: expired certificate getting rejected.
No, with a MAC function you don't have certificates in the first place ;)
Not really, you still need some system to distribute the shared key.

The paper's method suppresses the original message then generates a brand-new one, so if the key is easy to find out, then the spoofed message will have a correct MAC. Which means you need a cryptographically secure method to distribute the key, but you also have multiple consumers and you want to be able to replace broken devices too. This sounds like a non-trivial cryptosystem, and asymmetric crypto + certificates is one possible solution.

Key distribution can be done manually at the factory where the plane is built. Which can also keep a keystore holding the key used for each plane. But we don't need to delve deep in this scenario, as ultimately op's point was that, by introducing crypto, you risk adding failure modes to the plane.
Why is the security of attacks against a data bus a relevant topic? An attacker who has access to the data bus can attack the plane in arbitrary ways; whatever he wants to do, it is easy to imagine a way for him to accomplish what he wants, even if the bus were secure.
For a local databus it has been relatively unimportant. However, there are radio data links in/out of the aircraft. The scope of data for these links is quite limited today, but likely to grow significantly in the future. There cryptographic properties become important, and are currently missing. An example would be ACARS.

Also in some aircraft types these data buses are unfortunately not so very hard to access (i.e. accessible from the cabin, with undetected access being even plausible in some cases). So some resilience might not hurt in these cases.

It's important that failure of critical systems is far less threatening than systems providing plausible, yet incorrect data. Redundancy and monitoring catches most of the former but not the latter.

Yeah, exactly. Just drop all packets.
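
The MAC-versus-certificate exchange in the thread above, as an added Python example that is not part of the thread or of the linked papers: a sender tags each ARINC 429 word with a truncated HMAC over a counter and the word, and a receiver rejects altered, replayed, or wrongly keyed traffic with no expiry date involved. Assumptions: the key, the 64-bit counter, the 8-byte tag, the way the tag travels alongside the 32-bit word, and all sample field values are constructed for illustration; label bit-reversal on the wire is ignored.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # truncated tag length in bytes (assumption for this sketch)

def pack_word(label, sdi, data, ssm):
    """32-bit ARINC 429 word: label(8) | SDI(2) | data(19) | SSM(2) | odd parity(1)."""
    if not (0 <= label < 256 and 0 <= sdi < 4 and 0 <= data < 2**19 and 0 <= ssm < 4):
        raise ValueError("field out of range")
    word = label | (sdi << 8) | (data << 10) | (ssm << 29)
    if bin(word).count("1") % 2 == 0:  # set bit 32 so the total number of 1s is odd
        word |= 1 << 31
    return word

def tag_for(key, counter, word):
    """Truncated HMAC-SHA256 over (counter, word); the counter binds the tag to one send."""
    return hmac.new(key, struct.pack(">QI", counter, word), hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, counter, word, tag):
        """True only for a correctly keyed, unmodified word with a fresh counter."""
        if not hmac.compare_digest(tag, tag_for(self.key, counter, word)):
            return False  # altered word, forged tag, or key mismatch
        if counter <= self.last_counter:
            return False  # replay of a previously accepted message
        self.last_counter = counter
        return True

def demo():
    key = bytes(range(32))           # constructed key, stands in for a factory-loaded one
    rx = Receiver(key)
    word = pack_word(label=0o203, sdi=0, data=35000, ssm=3)   # constructed values
    forged = pack_word(label=0o203, sdi=0, data=1000, ssm=3)  # same label, changed data
    tag1 = tag_for(key, 1, word)
    return {
        "genuine": rx.accept(1, word, tag1),
        "replayed": rx.accept(1, word, tag1),
        "altered": rx.accept(2, forged, tag_for(key, 2, word)),
        # A replacement unit loaded with the wrong key: valid data, still rejected.
        "wrong_key": rx.accept(3, word, tag_for(b"\x00" * 32, 3, word)),
        "next": rx.accept(4, word, tag_for(key, 4, word)),
    }

if __name__ == "__main__":
    print(demo())
```

The `wrong_key` case is the failure mode the thread worries about: nothing expires, but a key mismatch after a unit swap still causes correct data to be dropped.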