Hacking airplanes, ships and IoT devices with Ken Munro

Nerding Out With Viktor

In this thrilling episode of Nerding Out with Viktor, host Viktor Petersson is joined by Ken Munro, a leading figure in cybersecurity and an expert in penetration testing. Together, they dive into the hidden world of aviation cybersecurity, shedding light on the challenges, discoveries, and unexpected vulnerabilities that exist within modern aircraft systems. With decades of experience and a passion for making aviation safer, Ken guides listeners through some of the most fascinating aspects of airplane hacking, responsible disclosures, and how his team tests aircraft security to uncover vulnerabilities.

The conversation kicks off with an exploration of how Ken entered the field of aviation cybersecurity, sharing tales of hacking decommissioned planes in a scrapyard—a unique method that allowed his team to practice without endangering passengers or active fleets. Ken provides insight into his early career in the antivirus industry, his background as a general aviation pilot, and how these experiences culminated in his journey into the world of aviation security. He talks about the infamous time he hacked airplane entertainment systems and even how, with the right setups, it’s possible to rickroll an entire flight!

Ken and Viktor then turn their attention to one of aviation’s most pressing security concerns: the electronic flight bag (EFB). EFBs, now commonly used in commercial cockpits, have replaced the hefty stacks of maps and manuals pilots once carried. Yet, while EFBs improve efficiency, Ken highlights the vulnerabilities in their design. For instance, by manipulating data within the EFB's performance calculators, attackers could mislead pilots about crucial factors like runway length or engine thrust. Ken explains the dire implications of these weaknesses and the sophisticated tactics used to secure these systems.

The episode also covers GPS spoofing, a technique used by some adversaries to mislead or disrupt an aircraft's navigation system. Ken describes the complexities of GPS spoofing and jamming, explaining how such attacks can confuse onboard navigation and leave pilots relying on outdated or incorrect data until they’re able to safely land. Ken’s research into GPS vulnerabilities has revealed the scope of these threats, particularly in areas of high political tension.

The discussion moves into the intricacies of responsible disclosure in the aviation industry, as Ken explains the delicate balance between informing manufacturers about security issues and respecting the time-consuming processes they require for safety certification. He shares examples of working with Boeing and Airbus, noting how long it can take to fix even minor vulnerabilities due to the rigorous testing needed to maintain passenger safety. Ken even praises Boeing for their commitment to addressing issues, despite the inevitable delay between discovery and patching.

Viktor and Ken wrap up by discussing the industry’s gradual shift towards transparency in handling disclosures and threats. They talk about the importance of collaboration between cybersecurity professionals, manufacturers, and government regulators to enhance aviation security continuously. Ken emphasizes that, while security is critical, safety remains paramount in aviation, which often means extended timelines for vulnerability patches.

For anyone fascinated by cybersecurity, aviation, or the hidden challenges of keeping the skies secure, this episode of Nerding Out with Viktor is an eye-opening deep dive into a world that affects millions of passengers daily. Ken Munro’s expertise, combined with Viktor’s curiosity and insights, makes for a compelling and informative conversation that reveals both the resilience and the risks of modern aviation systems. Don’t miss this must-listen episode on the cutting edge of cybersecurity and aviation.
