On Apache Log4j2 Exploitation in Aeronautical, Maritime, and Aerospace Communication
Juvonen, A., Costin, A., Turtiainen, H., & Hämäläinen, T. (2022). On Apache Log4j2 Exploitation in Aeronautical, Maritime, and Aerospace Communication. IEEE Access, 10, 86542-86557. https://doi.org/10.1109/ACCESS.2022.3198947
Julkaistu sarjassa
IEEE AccessPäivämäärä
2022Oppiaine
TietotekniikkaSecure Communications Engineering and Signal ProcessingTekniikkaMathematical Information TechnologySecure Communications Engineering and Signal ProcessingEngineeringTekijänoikeudet
© The Authors 2022
Apache Log4j2 is a prevalent logging library for Java-based applications. In December 2021, several critical and high-impact software vulnerabilities, including CVE-2021-44228, were publicly disclosed, enabling remote code execution (RCE) and denial of service (DoS) attacks. To date, these vulnerabilities are considered critical and the consequences of their disclosure far-reaching. The vulnerabilities potentially affect a wide range of internet of things (IoT) devices, embedded devices, critical infrastructure (CI), and cyber-physical systems (CPSs). In this paper, we study the effects and feasibility of exploiting these vulnerabilities in mission-critical aviation and maritime environments using the ACARS, ADS-B, and AIS protocols. We develop a systematic methodology and an experimental setup to study and identify the protocols’ exploitable fields and associated attack payload features. For our experiments, we employ software-defined radios (SDRs), use open-source software, develop novel tools, and develop features to existing software. We evaluate the feasibility of the attacks and demonstrate end-to-end RCE with all three studied protocols. We demonstrate that the aviation and maritime environments are susceptible to the exploitation of the Log4j2 vulnerabilities, and that the attacks are feasible for non-sophisticated attackers. To facilitate further studies related to Log4j2 attacks on aerospace, aviation, and maritime infrastructures, we release relevant artifacts (e.g., software, documentation, and scripts) as open-source, complemented by patches for bugs in open-source software used in this study.
...
Julkaisija
Institute of Electrical and Electronics Engineers (IEEE)ISSN Hae Julkaisufoorumista
2169-3536Asiasanat
CVE-2021-44228 log4j log4shell vulnerability exploitation experimentation proof-of-concept aviation avionics ACARS ADS-B maritime AIS aerospace satellite langaton tiedonsiirto tietoliikennesatelliitit langaton viestintä Java meriliikenne lentoliikenne verkkohyökkäykset lennonvarmistus Apache haavoittuvuus kyberturvallisuus
Julkaisu tutkimustietojärjestelmässä
https://converis.jyu.fi/converis/portal/detail/Publication/156493259
Metadata
Näytä kaikki kuvailutiedotKokoelmat
Lisätietoja rahoituksesta
This work was supported in part by the Finnish Grid and Cloud Infrastructure (FGCI) (persistent identifier urn:nbn:fi:research-infras-2016072533); in part by the Decisions of the Research Dean on Research through the Faculty of Information Technology, University of Jyväskylä, in April 2021 and April 2022; and in part by the Finnish Cultural Foundation under Grant 00221059. The work of Hannu Turtiainen was supported by the Finnish Cultural Foundation/Suomen Kulttuurirahasto (https://skr.fi/en) for supporting his Ph.D. Dissertation Work and Research under Grant 00221059. The work of Timo Hämäläinen was supported by the Faculty of Information Technology, University of Jyväskylä (JYU), for partly supporting his Ph.D. supervision at JYU during (2021–2023). ...Lisenssi
Samankaltainen aineisto
Näytetään aineistoja, joilla on samankaltainen nimeke tai asiasanat.
-
On the (In)Security of 1090ES and UAT978 Mobile Cockpit Information Systems : An Attacker Perspective on the Availability of ADS-B Safety- and Mission-Critical Systems
Khandker, Syed; Turtiainen, Hannu; Costin, Andrei; Hämäläinen, Timo (Institute of Electrical and Electronics Engineers (IEEE), 2022)Automatic dependent surveillance-broadcast (ADS-B) is a key air surveillance technology and a critical component of next-generation air transportation systems. It significantly simplifies aircraft surveillance technology ... -
GDL90fuzz : Fuzzing “GDL-90 Data Interface Specification” Within Aviation Software and Avionics Devices : A Cybersecurity Pentesting Perspective
Turtiainen, Hannu; Costin, Andrei; Khandker, Syed; Hämäläinen, Timo (Institute of Electrical and Electronics Engineers (IEEE), 2022)As the core part of next-generation air transportation systems, the Automatic Dependent Surveillance-Broadcast (ADS-B) is becoming very popular. However, many (if not most) ADS-B devices and implementations support and ... -
Generative Diffusion Model-Based Deep Reinforcement Learning for Uplink Rate-Splitting Multiple Access in LEO Satellite Networks
Wang, Xingjie; Wang, Kan; Zhang, Di; Li, Junhuai; Zhou, Momiao; Hämäläinen, Timo (IEEE Computer Society Press, 2024)This work studies the joint transmit power control and receive beamforming in uplink rate splitting multiple access (RSMA)-based low earth orbit (LEO) satellite networks, using both generative diffusion model and proximal ... -
Cybersecurity attacks on software logic and error handling within ADS-B implementations : systematic testing of resilience and countermeasures
Khandker, Syed; Turtiainen, Hannu; Costin, Andrei; Hämäläinen, Timo (Institute of Electrical and Electronics Engineers (IEEE), 2022)Automatic Dependent Surveillance-Broadcast (ADS-B) is a cornerstone of the next-generation digital sky and is now mandated in several countries. However, there have been many reports of serious security vulnerabilities in ... -
A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices
Jokela, Patrik (2023)Tutkimuksessa tarkastellaan IoT laitteiden tietoturvaa ja niiden haavoittu-vuuksia tapaustutkimusmenetelmää käyttäen. IoT laitteiden määrä on kasvanut räjähdysmäisesti ja jopa normaalit kodinkoneet alkavat olla yhdistettynä ...
Ellei toisin mainittu, julkisesti saatavilla olevia JYX-metatietoja (poislukien tiivistelmät) saa vapaasti uudelleenkäyttää CC0-lisenssillä.