The COVID-19 pandemic has brought much of the world to its knees and sent ripples across all regions and industries. One consequence of the pandemic has been the elimination of large gatherings—meaning no in-person conferences or conventions. Events like Black Hat and Microsoft Inspire made the shift to transition to streaming online—which is great, but does not make up for the networking between peers or the serendipitous conversations that typically occur, affectionately referred to as “Hallway Con.” IOActive is stepping up to try and fill that void with the IOActive Labs Blog and a new guest blog series.
John Sheehy, SVP of Research and Strategy for IOActive, launched the initiative with a blog post describing the need to continue the value of Hallway Con as we struggle with the pandemic. Sheehy explains, “IOActive is helping reclaim hallway con by making some of that valuable content available in a pandemic-friendly format on our blogs and in webinars. We recently launched our Guest Blog series with a post focused on emerging threats in intermodal transportation from Urban Jonson, an accomplished contributor to hallway con and leader of the Heavy Vehicle Cyber Security (HVCS) working group at NMFTA.”
Hacking Electronic Baggage Tags
The first post for the IOActive Labs effort to share innovative research is a post titled “Breaking Electronic Baggage Tags – Lufthansa vs British Airways” from Ruben Santamarta, Principal Security Consultant at IOActive.
Ruben does some reverse engineering of the electronic baggage tags (EBT) used by British Airways and Lufthansa to determine if or how they can be exploited or compromised. He describes in detail how the tags work and communicate, and what information is shared. With the British Airways TAG, Ruben found a flaw that allows anyone with physical access to the EBT to forge arbitrary bag tags and update the EBT device without any further interaction from British Airways. He provides proof of concept code in the blog post.
When notified of the issue, British Airways responded to say that they believe there are checks in place that would prevent the unauthorized bag from getting through, and that they consider the scenario to be a low risk.
With the Lufthansa EBT, Ruben discovered that the microcontroller unit (MCU) does not implement a secure channel when communicating with the secure element. This leaves the potential for a malicious component to provide arbitrary content that will get rendered because the MCU has no way to validate whether or not it actually came from the secure element.
Lufthansa was notified of the potential risk. Similar to British Airways, Lufthansa maintains that luggage that is manipulated would be identified and transferred to a verification process and that the risk is very low.
Ruben sums up the research with, “I agree, there are serious limitations to turning these issues into a serious attack scenario; however, time will tell how these technologies evolve. Hopefully this kind of research will help to close any security gaps before a more significant attack vector can be discovered.”
Innovation and Collaboration
Cybersecurity conferences are filled with great keynotes and informative breakout sessions. However, most people who attend such events will readily agree that much—perhaps most—of the value of attending comes from the networking and conversations that happen in the hall.
This effort by IOActive to provide an online forum where security researchers and developers can share information tries to capture some of those benefits. Check out the IOActive Labs Blog for innovative security research and an opportunity to casually engage and collaborate the way you would if or when large cybersecurity conferences become a thing again.