Redefining Society and Technology Podcast

Hacking the Skies: A Deep Dive into Airplane Cybersecurity. The reality of hacking airplanes. | ITSPmagazine Event Coverage: RSAC 2023 San Francisco, USA | A Conversation with Ken Munro

Episode Summary

Fasten your seatbelts and join us for an enthralling episode on airplane cybersecurity, as our hosts Marco and Sean dive into a captivating conversation with expert Ken Munro.

Episode Notes

Guest: Ken Munro, Partner at Pen Test Partners [@PenTestPartners]

On LinkedIn | https://www.linkedin.com/in/ken-munro-17899b1/

On Twitter | https://twitter.com/TheKenMunroShow

____________________________

Hosts:

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

This Episode’s Sponsors

BlackCloak | https://itspm.ag/itspbcweb

Brinqa | https://itspm.ag/brinqa-pmdp

SandboxAQ | https://itspm.ag/sandboxaq-j2en

____________________________

Episode Notes

Welcome to another exciting episode of ITSPmagazine's coverage of RSA Conference USA 2023 in San Francisco. Your hosts, Marco Ciappelli and Sean Martin, dive deep into an intriguing conversation with Ken Munro, a cybersecurity expert who shares a fascinating COVID story that led to some groundbreaking research on airplane cybersecurity. This episode is one you won't want to miss, and we encourage you to think about the conversation, share it, and subscribe to the podcast. If you happen to be at RSA Conference 2023 in San Francisco, be sure to visit the Aerospace Village!

When COVID-19 hit, the aviation industry experienced an unexpected outcome: an abundance of airplanes were retired earlier than anticipated. This led Ken and his team to explore airplane cybersecurity by accessing these grounded planes and learning about their systems. He shares his insights on the various networks found on airplanes and how these components interact with each other.

Our hosts dive into the burning question: can you hack an airplane from the passenger cabin? Ken assures us that it's not possible, as safety systems are carefully segregated from passenger entertainment systems. However, he does acknowledge that hacking could be possible in specific scenarios that require physical access to the plane's inner workings.

Ken's unique perspective as both a cybersecurity expert and a light aircraft pilot brings an engaging angle to this conversation. He emphasizes the importance of having pilots on board, as they have a vested interest in landing the plane safely. The thought of autonomous planes raises concerns, as pilots provide that crucial human element in critical situations.

So buckle up and join Marco, Sean, and Ken as they take you on an informative journey exploring the world of airplane cybersecurity. This episode will leave you thinking about the intricate systems that keep us safe while traveling through the skies. Don't forget to share this captivating conversation with others and subscribe to the podcast for more exciting episodes! And if you're at RSA Conference 2023 in San Francisco, make sure to visit the Aerospace Village to immerse yourself in this fascinating world.

____________________________

Resources

Session | Joining Forces with the White Hat Researchers: Aviation Industry Lessons: https://www.rsaconference.com/USA/agenda/session/Joining%20Forces%20with%20White%20Hat%20Hackers%20Boeing%20%20Pen%20Test%20Partners

Session | Vulnerability Disclosure: The People Factor: https://www.rsaconference.com/USA/agenda/session/Vulnerability%20Disclosure%20The%20People%20Factor

Previous RSAC Presentations: https://www.rsaconference.com/experts/ken-munro

Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw

____________________________

For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage

Are you interested in telling your story in connection with RSA Conference by sponsoring our coverage?

👉 https://itspm.ag/rsac23sp

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/podcast-series-sponsorships

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Be sure to share and subscribe!

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

Sean Martin  00:05

Marco Shan when the pilot deflates

 

Marco Ciappelli  00:15

what happened is now it sounds like you're talking to me from the other side of the Moon. Like getting a delay. Well, you know, try again try again. You know, we're just fighting a blind spot I guess. That's what happened when?

 

Sean Martin  00:32

What happens when the pilot deflates?

 

Marco Ciappelli  00:37

I don't know that's a question that people that are watching the video probably can kind of like figure out right now and that people listen to the podcast that like what the hell is Sean talking about? Yeah, we are in an airplane on the set of the movie Airplane, if you remember that, one of the classics that I can't pass out, you know, whenever I saw it, I have to watch it. I don't know why. Being Yeah, being a kid of the 80s you have to you have to it's it's the rule is the law. But I know the answer to

 

Sean Martin  01:12

the riddle you want it? Yeah. Technology takes over. Let the pilot deflate. Who cares? Everything's gonna fly itself. securely.

 

Marco Ciappelli  01:26

Ouch. I don't know. Maybe the guest wants to say something about this right away. can feel free to jump in. Feel free to jump in on this.

 

Ken Munro  01:38

So what, why the heck do I have Otto the autopilot sat behind me? Well, first of all, I'm a huge fan of Airplane the movie too. But also, I'm a pilot myself. And when we started looking at airplane cyber, I found a custom Otto and I had to have him, mostly to get some gags, but you know what? People come up to see us at trade booths, and everyone just wants to photograph with the autopilot, right?

 

Marco Ciappelli  02:05

My night is a big character. He's kind of like, you know, like sometimes you have those. This TV show bring an example like The Mandalorian. I don't know if you're a fan of that. But it became all about Baby Yoda. Grogu. Right. But it wasn't the plan. It's just like it to cover I think, like, out of do the same thing. for blind people. People love him. They know who is maybe they don't remember the actors? I don't know.

 

Ken Munro  02:30

So I have to confess he does have a little air leak and the the team that manufactured him, of course put the top up valves in the right place. So it does leave some awkward moments when you find it. I don't know getting a little floppy, have to spend a private moment reinflating him.

 

Sean Martin  02:48

He's a Hollywood approved. Construction absolutely follows a set. Well listen, folks are listening, listening and watching. They can see your name on the screen. Not your last name, though. And those only listen, I have no idea who you are, perhaps unless they can recognize your voice, which I'm impressed that they can do that. But I'm thrilled to have you on again, Ken Munro from Pen Test Partners. We met you many years ago at Black Hat. DEF CON, I guess, more more appropriately in Las Vegas, and have paid attention to what you're doing with with your own work. And with that of the Aerospace Village and thrilled to have you on the show today. Maybe a few words for our audience who haven't connected with you yet, Ken, who you are what you're up to why in the world of cyber you kind of touched on a little bit but with cyber and aerospace.

 

Ken Munro  03:41

Yeah, for sure. So this this is kind of a COVID story actually. One of the the awful things that happened to the aviation industry during the COVID lockdowns. A lot of airplanes got retired a lot a lot sooner than people thought. A lot of the 747 fleet for example, nearly the whole world over was retired, which meant that all the airplane scrap yards, the boneyards, they got backed up airplanes have value the bits have got value. That that June July of the first COVID lockdown, we rang a boneyard and said hey, what's going on? They said well, we've got several years work lined up to take these airplanes apart. So we said well, what happens to them in the meantime and they said nothing. said look if we if we gave you some some money, can we power them up and learn about the cybersecurity of airplanes like yep, come on, knock yourselves out. So put some fuel in there started the APU got some ground power on airplanes that are perfectly serviceable and like March of 2020 we're powered up and we got to have a crack at them. And we learned a shedload about airplanes cyber.

 

Sean Martin  04:52

That's a that's an incredible story. I had no idea that was going on. Now were these, not that it really matters, but were these boneyards in the UK or yeah, in America where

 

Ken Munro  05:02

we have a few, I think we've got three or four locations where airplanes get parted out over here. It's fascinating talking to boneyards themselves, because like you probably know most airplanes are, are owned by finance companies. And there's a spreadsheet for each airplane, or the current cost of all the parts used is added up. And as soon as the cost of the parts exceeds the cost of the airframe, it gets, gets parted out, gets broken up. So it's incredible. Those Yeah, just headed down to a boneyard and got our hands dirty, literally. Yeah.

 

Marco Ciappelli  05:35

So here here request, right. So you're talking about you're going and do autopsy on a body that is already, you know, not alive anymore. And I'm going a little morbid here. But you know, the picture that I'm thinking is, if they're ready to retire, they're in a, you know, in a yard where they don't fly anymore? Aren't they? already old? Aren't we talking about? How, how are you doing cybersecurity research on the new technology? Because I'm guessing I would say, well, that's the way they used to do it. How about now? So tell me, tell me about that.

 

Ken Munro  06:13

That's that's a massive challenge, actually. So the biggest problem is you can't go and pen test an airplane doesn't work, don't get permission, quite rightly so. And also it's airplanes software is certified, obviously, it has to be super safe. And just turning up and throwing some scans at an airplane, you could risk the safety of that airplane. So we have to work on airplanes that have been retired. But you know, an airplane that's 10 years old, there's still a lot of them flying around. So something is 10 years old is still not quite state of the art, but it's still very, very current. You probably know that the first eight Airbus A380s are being parted out right now. Lots of 747s, I think, I think the newest 747, we worked on being 27 years old. But we worked on an A320 and a Boeing 737 that were just over 10 years old. So yeah, it's they're old. But lots of those airplanes are still flying with exactly the same components in them. So I think it's still valuable research. I love to get hold of some brand new equipment. Yeah, just going out and buying a brand new 737s kind of not not in our budget, right?

 

Marco Ciappelli  07:19

And that's another question. Sean, if you don't mind on it, because I have a personal experience here, which is when I got lucky to get to see the, the Armstrong Flight Center here in in LA in Pasadena. And they were about to take off with the DC-10. That they were just telling me that he was 50 years old, but they transform it into it's a lab is a weather lab, they were flying to a wire to check out storms and stuff like that. And I was like, wow, you you trust this plane for that it's 50 years old. It's like yeah, well, it's really nothing is really 50 years old on this one, because you constantly update. So is that part of the trick? Why, you know, all these airplanes, they keep flying and why is more relevant, still relevant to to look into retired airplane.

 

Ken Munro  08:14

So I can think of a 747 we were looking at that was last flying in the middle of March 2020. We got access to it about a year after it was retired. But even then some of the components, so some of the avionics were almost brand new, because they'd been replaced. So airplanes get upgraded, they get fixed, they get latest systems applied, often a bit piecemeal. So this bit fails to get a new one of those, because it's expensive to refit an airplane. But yeah, you're right. So you do see really old airplanes, flying with some quite current equipment in them.

 

Sean Martin  08:48

And not too deep. But talk to us a little bit about the quality infrastructure, or the ecosystem of these components. Because you're talking about some of them being updated, some of them being old, but in between it are the networks and the protocols and and the actual traffic. And then obviously, the data itself. And I presume that there's a lot of common wisdom that you can gain, regardless of what version a component is. Right. So maybe what are some of the components? And how does that picture look to you?

 

Ken Munro  09:23

Yeah, so there was three broad types of network on an airplane. So the bit up front that does, the pilots interact with it as the flight controls, it's called the aircraft control domain. And that is a super safe, super secure part of the airplane. It's not really linked to anything else. Whilst you can get a feed of your airspeed if you're in flight entertainment system, so you know where you are. There's actually a one way data diode between the dirty bit of the plane back where we sit, and the pilots where it's super safe up front. Now there are broadly three types of networks so most airplanes use a protocol that were protocol called ARINC 429, which isn't really a network as such, it's more of a lot of point to point wiring. So you got a lot of a lot of pins coming out of the various avionics. And they'll have a path where they go to another avionics or into the cockpit. But that means you get a lot of weight of wires, right? It's been around for a long time. It's used on most airplanes that you go on. There is another protocol that's called ARINC 629. That's used almost exclusively by the Boeing triple seven. That was an evolution it was it's an inductively coupled bus network. And that was a big step forward to try and reduce the weight of cabling, but it kind of didn't go any further than the triple seven. And now we have in the Airbus A380, the Boeing 787. We have a network that's probably more familiar to the ones that you and I are familiar with, which is called AFDX. And that's actually an Ethernet based network doesn't use IP as such, but it does use SNS, but it'd be much more familiar to us all, as regular ground based network engineers. So yeah, there are there are some very distinct network types on planes depending on what type of airplane you're flying and how old it is to a point to.

 

Sean Martin  11:09

And then the network connects to. So you talked about the avionics, which are an imagined the hubs so that, that kind of shift in the switches in an IT world perhaps. And then there are endpoints, engines and sensors on the engines, and maybe an overview of that kind of paint a picture.

 

Ken Munro  11:32

Yeah, so there's a lot of information coming to and from, there's a lot of cabling little wiring, if you get the avionics bay of a any current airplane, it is absolutely round full of big, heavy, expensive boxes, each one of which got a particular function product like the SP computer or on the flight control computers, each one's got a really heavy, expensive boxes called Line Replaceable Units. Each one weighs 20, 30 kilograms, and they're called Line Replaceable because it means that if something goes wrong, the engineer on the ground can come along with new one, pull it out, put the new or put the new one back in, and you're flying again straightaway. And then they're sent off to be repaired. So you're not delaying the airplane because something's gone wrong. They all communicate the warranty operate, they will have some pretty robust networks on them, to make sure that when the pilot says go down, the airplane goes down right. Now, of course, that's what everyone's speculated about for years was can I hack the airplane from my seat back in the cabin? Alright, that's what everyone wants to know. Right? Yeah,

 

Marco Ciappelli  12:34

let's talk about that. I don't know. This is actually the topic of what you're presenting at RSA. So

 

Ken Munro  12:40

yeah. No, you can't? No.

 

Marco Ciappelli  12:42

So the podcast? No.

 

Ken Munro  12:46

But why would be very boring.

 

Marco Ciappelli  12:50

Yeah, my wife.

 

Ken Munro  12:51

Okay, so first of all, so those networks are very carefully segregated. So back in the cabin is called the passenger information, entertainment services domain, it's really long, but it's the dirty bit where we sit, we watch movies, we can stream from the Internet, we can send our emails, it's dirty. It's, it's not considered trustworthy at all by the airplane manufacturers or operators, right, that's for us to do whatever we want to do on our tablets and our laptops. It doesn't connect into the safety systems, right? It is basically isolated, there is often some interfacing into the sort of the halfway house, which is something that some of the systems the cabin crew can use. So for example, on a 747, there was a little cupboard under the stairs where there's a cabin management terminal where the the chief crew member in the cabin can send ground messages and stuff. And often more modern planes will say flight attendants panel, and one of those will be more featured. But even that is still doesn't really talk to the the safety systems on the plane. So there's a there's a very distinct separation, and quite rightly so I think we'd all be quite concerned if we could sit there instead of watching a movie go, Hey, let's let's control the plane, right?

 

Marco Ciappelli  14:03

I know, maybe there'll be people, sometimes they think they can because they show you like the camera in front of the plane or from the tail or the. And then like, oh, wow, I'm really actually getting into the action here. But it's just the Ethan Hollywood thing. Right. So is there a way to hack a plane though? Well, yeah,

 

Ken Munro  14:21

there's been a bunch of media stories over the years about the concept of doing this. And there's been some really interesting work done, but still doesn't, to my mind. Make an aeroplane hackable from the passenger cabin. If you're going to do something to affect an airplane, you need to be in a position, the physical trust. Okay, so yeah, so there's cabling that runs through the cabin walls and the overheads and stuff. If you were extremely skilled and had all the right equipment and could get into the overhead space or the walls without anybody noticing, kind of maybe but I just don't see that as a practical attack. I suppose if you were a rogue ground engineer and you had access to avionics bay, you could cause some problems. But really, the airplane would probably throw some errors and the pilots wouldn't want to take off. So, to all intents and purposes, you just don't hack an airplane from the passenger cabin. It's not how it works. But over the last few years, we've spent quite a bit of time looking at the systems that feed information to the pilots. Now, the point you made that you raised at the very beginning, we don't need pilots, right? You know, we've taken planes can fly. Yeah, they can. They can fly themselves, until it's when stuff goes wrong is you really, really want someone upfront, who's got a vested interest in that airplane landing again, right? That's why I personally really don't like the idea of an autonomous plane. Because one of the pilots up front, the someone who's vested interest is absolutely getting me on the ground safely, I should say, I'm actually an airplane pilot myself, I fly light aircraft. It's one of my passions. So actually, bringing cyber and flying together has been a wonderful intersection for me. So can you hack a plane?

 

Marco Ciappelli  16:04

You know, you don't want to hear the speaker coming up and say, I'm thinking about your plan again, like, is there anyone on this team that knows how to land the plane? You don't want to hear that? Right?

 

Ken Munro  16:17

You really don't want to hear actually could a light aircraft pilot with with minimal training land? A large passenger? Probably not. Understanding how the systems works takes a lot of learning. Once you understand the systems, yes, it's not too it's not actually too difficult. You could set up for an auto land take a bit of work. But once you understand the systems is doable. Just arriving upfront, having the pilot of the small propeller plane, no chance. Absolutely no chance. It's just gonna go wrong, sadly.

 

Sean Martin  16:52

So let me ask you this, Ken. This may be a bit philosophical. But so currently, the the pilot pilots, as you pointed out, have a vested interest in that plane. Unless Unless they're kind of wacky in and they don't give a crap and they want to go down anyway. But so if we take them off off the plane, there is now no vested interest. from a human perspective, do we do we increase the risk for people flying on autonomous planes? Owner? Do we always need a person even if they absolutely do nothing? And never ever ever make a decision? But they're just there? For insurance for the passengers? Company as somebody on the plane?

 

Ken Munro  17:41

Yeah, so yeah, plane autonomy is perfectly possible already. It's been done, it can be done. What worries me though, is it let's take a comparison with automotive, right? We can connect vehicles. And we do connect vehicles. And there are security issues with those connected vehicles. And we try to make them autonomous, and they don't always do so well. And every time the next level of autopilot comes up, people take videos of cars doing silly things, right? If we can't get cars, right, how do we expect to get airplanes, right? So we're already connecting airplanes? And I'll talk to that in a little bit. How sure are we that least when we've got a pilot upfront, and it all goes wrong, that pilot can put us back on the ground, even with almost all the instruments shot to pieces because they aren't working? The pilot can still get us down in almost every case. And I have great comfort in that

 

Sean Martin  18:36

As do I. So we've talked a bit about being on board. And so the to two or three separate networks, and you kind of have to have physical access. You're talking maybe you're gonna go there anyway, but being connected. So there's air to ground ground to air, air to air, I don't know if plane to plane or plane to satellites. What and obviously, we're talking about Aerospace Village here as well. It's a full ecosystem that not just one plane, right? So whole air traffic control and all kinds of fun stuff.

 

Ken Munro  19:12

Yeah, so that's where things start to get interesting for us is we actually hired a couple of pilots who had been laid off during COVID. So not only we see planes laid off, obviously pilots were having a hard time too. Whilst we know how airplanes fly with our half flies down, we know how navigational systems work. What we weren't fully familiar with was were how, what we call the standard operating procedures in major airlines. We didn't understand them fully. Because we don't drive big airplanes every day. We don't know how how they use, how they operate, how they're interfaced, and one of the big things that we learned all about was the concept of an electronic flight bag. Now you probably remember back in the day, you'd see a pilot walking around the airport to an airplane with a great big black briefcase right That briefcase contain all the charts or maps, which contains all the what we call approach plates. So how to fly the approach, the ground maps of the airport scene how to get there, and lots and lots of other things like weights and balance, maintenance logs, all these these important things, and they're heavy. And all those navigational maps and things that get out of date every 30 days, because something changes somewhere around the world. So we have to keep getting new ones on paper. So Airlines for very good reasons of efficiency, and also weight, started introducing tablets instead. So all those heavy paperbacks and navigational almanacs have been replaced by a tablet. And, of course, that brought in a whole new set of interesting security issues for us. And that's where we spent the last couple of years really digging deep. Now, this is a bit where things get a bit freaky. So I said, you can't hack a plane, right? Well, you can't. But you can influence what the pilots do, potentially. And you can feed them data that might lead them to do the wrong things. 
And a great example of one of the most important apps on a flight bag is called perf, or performance. Now, when you're sat at the end of the runway just about to take off, you might be surprised to know that pilots very rarely use full power, they don't use full thrust, because it's expensive in terms of fuel, it pumps a lot of carbon dioxide, and it makes a lot of noise, and it wears the engine. So you use the right amount of power for the runway you've got. So let's say your say your airplanes light, you haven't got a full passenger load, the winds down the runway, you're fairly low at sea level, the runway is nice long, you might use nearly 50% the available power because you don't need it right. So airplane turns off go safely into the sky. But if you were high, at a high airport on a hot day with a full load of people and a relatively short runway, you might be absolutely caning the engines, but you don't do it very often. And the way that the pilots work out how much power to use is called a performance calculation. And they'll take in lots of data like the wind, the runway, the way there's 15, or 20 different things that you're you're pumping into a calculator that say, well, on this particular airplane, on this particular day, you're going to use 87% power. And then off you go, everyone's happy. What we've discovered is security problems with those tablets, and those apps that allow you to tamper with the calculator. So what happens is the pilots do their calculations, they get tampered data, and then get the wrong amount of thrust and pile off down the runway. And once you're past V1, you can't stop, you then get to VR, the rotation speed. But then you realize you don't have enough speed. So you try to rotate anyway. And instead of flying away, what instead happens is actually the pilot smacks the backside of the airplane. And that can do a little bit damage. There was a case relatively recently where they bust the pressure hull. 
So they got to altitude roads, they couldn't pressurize had to come back. And there is one very sad case where a pilot made a mistake. And actually an airplane went off the end of the runway, killing everyone on board. Fortunately, I suppose it was a freighter, so the loss of life was comparatively small, but still horrible. Whichever way you look at it. So we'd be finding I'm

 

Sean Martin  23:18

driving New York from LA.

 

Ken Munro  23:23

Well, let me give some confidence. So yes, pilots make mistakes, right. But our procedures are really good. They're really well drilled and pilots will spot these problems, right. So if something's not right, they know what to do they know how to fix it. But the problem is, is no airplane incident happens by itself. It starts from a cascade. And what we're seeing is these sort of influences by giving pilots wrong data has the potential start a cascade at every point, something goes wrong, someone's distracted, something else was wrong. And instead of taking off, the plane goes off the end the runway, or in the case of an approach doesn't land on it properly.

 

Marco Ciappelli  24:02

Wow. Mine, it makes you think about a lot. A lot of things actually, even when you don't fly, you know, work remotely, all of a sudden is not just protecting the environment where you are work, but in protecting all the other point of access. And that's what you're talking about, like you know, it could be that it could be I'm thinking satellite data could be altered as well and many other things. So, of course, we're here talking about RSA Conference 2023 You're going to be there with our friends. Of course the aerospace village was started right talk with Steve already talk with a bunch of other people are going to be their company that I bring in there on their own things to entertain and educate and teach to the people coming to the village. So tell us what, what are you going to talk about there? Okay, what are you doing at RSA

 

Ken Munro  25:00

So one of the problems we have is all these interesting vulnerabilities we find, which basically mislead the pilots, we can't do these for real on a real airplane, because you run the risk of causing a crash, which is kind of not what we're about, right, we're about making things safer. So we went out and had some custom flight simulators built, which allow us to recreate all these vulnerabilities in a real world environment that's safe. So we've taken this with pilots, we've we've fed them the incorrect data as a result of the hacks, and then see what they do in a very realistic simulator. And on each occasion, they've either gone off there on the runway, or realize there's a problem rotated too early, added some extra power, potentially had a what we call the tail strike. So the great thing that we can do is we can bring these simulators to RSA, and we can let people experiencing and fly the planes themselves. So most people actually just want to land one. But the real exercise is actually we take them through landing or taking off in a plane that's been tampered with. So they can see and experience how it actually feels. So see what a pilot has to experience themselves. So come and land our flight simulator, see if you can do it, see if you can put it on the runway.

 

Marco Ciappelli  26:13

I'm there. It's fun. Actually, I'm reading. I'm a big fan of NASA history. And I'm reading Apollo eight. Now, but read other before but actually, last night, I was listening, because I listened to the book about all the stuff that they used to throw at them both at the control center and the oldest simulation because obviously, if you can tamper with the plane, even less you want to tamper with the you know, with the Saturn five, or any other like, you know, big big thing that the landlord anything. And they were just talking about that how it's a constant pre flight for months and months of turning these off, screw around with something and how did the pilot react? How did the command center react? And I think the now thinking that was 6819 6867 or even earlier than that, and the possibility now it's incredible what you can do with virtual reality where you can do with simulation, I'm assuming it's, it's incredible.

 

Ken Munro 27:16

So it's a really interesting point you raised there. It's about simulation and testing. And one of the things that I think the aviation industry needs held up on a pedestal for is the fact that when something goes wrong, they share it. So when there's a problem on any airplane, any pilot instance, as long as the pilot flags it up voluntarily, there's no consequence for what they've done. So it means that every issue can be investigated to find out what went wrong. Yep, people have bad days. But it's usually something else that precipitated that: they were overworked, they were too tired, that transfer didn't turn up, something went wrong on the airplane, some information was wrong. And I love about the airplane industry. Aviation is wonderful because they share everything publicly. There's no blame attributed. And I think we could learn a lot about that in the cyber industry on the ground. What if we could share information about breaches without fear of retribution? What if someone's breached and immediately shares all the IOCs so everyone else can be there to defend and look for it? So yeah, someone has an issue, but everyone else learns from it really, really quickly. And I think that aviation industry is amazing because of it.

 

Sean Martin  28:25

I love that, and talking about learning, one of the big things about the Aerospace Village, and I want to get your thoughts on this, is the ability for somebody who knows nothing and somebody who knows a lot about something else to come in and say, here's what I know about my space, let me see how I can apply that to aerospace, or, I want to break in to the world of cybersecurity and aerospace is a passion of mine. Here's a great way to make that entry. Talk to me about the team that you're bringing together yourself and how you kind of help the community grow and share, again, share information with each other, to help move things forward. Specifically around the Aerospace Village.

 

Ken Munro 29:07

We love giving back. Right? Our view is just keep paying it forward. Because anything that we've learned, it might stimulate someone for someone else to learn something cool. I remember the very first time we got the village together at DEF CON 2028 2727. Crikey. And it was great. We told us to go along some things that we have stuff we bought from eBay, some bits and pieces we had when we were learning about them. And then what I loved is that people would rock up and say, "Hey, I used to manufacture those when I was an apprentice back 20 years back," and they'd be telling us things about the technology that we have. So we were learning too. So it's really key for us. We just want to keep that two-way exchange. It's also really cool that industry is engaged as well. That's a really nice feature of the village. I think the aviation industry were a little bit unsure of security researchers. There have been some kind of unhelpful media stories that I think kind of spooked the industry a bit: they're security researchers, no, we don't talk to them. But actually what the village has done is just broken down those boundaries. And now it's wonderful to see Boeing and other large organizations getting involved in the village and helping support, to the point where at RSA this year, we're doing a joint panel with Boeing, United, the Aviation ISAC, and ourselves. You could not have seen that happen in 2019. And look how far the industry has come in something as simple as four years, with some help from the village as well.

 

Sean Martin  30:36

Super cool. And so you mentioned those devices, you have the simulator or simulators. What other things can people get their hands on, besides auto?

 

Ken Munro 30:52

Yeah, so we've got the simulator. We'll also be bringing along some LRUs, some Line Replaceable Units, so people can get their hands on some of the physical hardware that you find in airplanes, the places you can't ever go because they're down in the avionics bays under the floor. And we'll bring some of those along so you can see what they do and how they work and take them apart. Yeah, they're quite old. But you know, trying to buy new kit is frighteningly expensive. So we've got some kits. And hopefully, we'll have some little CTFs for people to play with that we've written. So you can see how some of the aviation technology in the passenger cabin works as well.

 

Marco Ciappelli 31:26

That's really cool. And you have to talk, right?

 

Ken Munro 31:29

Yeah, we got some talks. So the talk we're giving with Boeing and United, the panel, is all about how both Boeing, United and ourselves and others have engaged with the security research community, instead of being scary individuals who hack planes, right? Actually, you know, when we find vulnerabilities, we go and talk to the manufacturers about them. It's quite interesting in aviation, it takes a long time to fix bugs. Now, if you found a bug in it, and a consumer router, or whatever, you'd probably expect to give the vendor 90 days to fix it, right? That's what Google Project Zero do. It's a reasonable timeline to get a bug fixed. In aviation, it takes two years. Now, it's not because they didn't want to do it quickly. It's because it might take a week to fix the bug, but it takes nearly two years to recertify the software to make sure it's safe. So that's a really interesting understanding that I think a lot of researchers hadn't got clued into: yeah, you find something, but it's gonna take a long time to get it fixed, for reasons of safety. So I think there was some researchers got really excited about the fact the families by bugs, they weren't being fixed, the manufacturer was being slack. They weren't, it just takes time to get recertified.

 

Marco Ciappelli 32:43

Understand, understandable, understandable. Big machines, a lot of stuff going on, and you want to do it right. You know, so I'm excited. I remember when we met you back at DEF CON, and, you know, thinking about what you said about involving the manufacturer, involving the legislator, I remember Sean and I were there when actually they would walk in a bunch of people from Washington, through the hill, you know, the Car Hacking Village and the Aerospace Village, which at the time, I think it was the Aviation Village, still called that. And so it's exciting, I think big steps. I am excited to be there. I want to invite, and that's why we do all these pre-event conversations, so that we can, you know, make people interested in what you guys are doing there and be like, "Hey, I'm there for to work with the company, to meet the people at the Expo. But you know, this sounds something I want to put my hands on." So we invite everybody to come and visit you guys and get to chat. And again, an incredible team of people, we were lucky to know most of you, and always available to share, always available to introduce the topic to people that don't really know much about it. And Sean is going to be obviously during RSA Conference, April 24 to the 27th, San Francisco, at the Moscone Center. And that's where the Aerospace Village is going to be.

 

Sean Martin  34:20

We'll be there. I think we're planning to work with Steve and the crew to capture some stuff from the floor, right from the sandbox. And so stay tuned for some of that. And hopefully, if you're listening, we'll get a chance to meet you there as well. So Ken, thanks for giving us an overview. Super insightful. I'm not sure how we never got before but great, great insights and definitely makes me think, and hopefully our audience as well, so they can all come chat with you.

 

Ken Munro 34:53

Great stuff. Look, thank you so much. And please come on. Have a fly by flight simulator and see if you can land a plane

 

Marco Ciappelli 35:00

Are you go I'm gonna fly the paper the paper? Probably

 

Sean Martin  35:04

better that the Boeing paper claimants Yes.

 

Marco Ciappelli 35:09

All right, everybody, stay tuned, listen and watch all the other pre banter, and of course during the event we have a lot going on as well. And subscribe. Stay tuned and share with your friends, family, co-worker, anybody you know. Yeah, of course.

 

Sean Martin  35:29

Alright, thanks everybody. See you there. Take care