On Apache Log4j2 Exploitation in Aeronautical, Maritime, and Aerospace Communication
Juvonen, A., Costin, A., Turtiainen, H., & Hämäläinen, T. (2022). On Apache Log4j2 Exploitation in Aeronautical, Maritime, and Aerospace Communication. IEEE Access, 10, 86542-86557. https://doi.org/10.1109/ACCESS.2022.3198947
Published in
IEEE AccessDate
2022Discipline
TietotekniikkaSecure Communications Engineering and Signal ProcessingTekniikkaMathematical Information TechnologySecure Communications Engineering and Signal ProcessingEngineeringCopyright
© The Authors 2022
Apache Log4j2 is a prevalent logging library for Java-based applications. In December 2021, several critical and high-impact software vulnerabilities, including CVE-2021-44228, were publicly disclosed, enabling remote code execution (RCE) and denial of service (DoS) attacks. To date, these vulnerabilities are considered critical and the consequences of their disclosure far-reaching. The vulnerabilities potentially affect a wide range of internet of things (IoT) devices, embedded devices, critical infrastructure (CI), and cyber-physical systems (CPSs). In this paper, we study the effects and feasibility of exploiting these vulnerabilities in mission-critical aviation and maritime environments using the ACARS, ADS-B, and AIS protocols. We develop a systematic methodology and an experimental setup to study and identify the protocols’ exploitable fields and associated attack payload features. For our experiments, we employ software-defined radios (SDRs), use open-source software, develop novel tools, and develop features to existing software. We evaluate the feasibility of the attacks and demonstrate end-to-end RCE with all three studied protocols. We demonstrate that the aviation and maritime environments are susceptible to the exploitation of the Log4j2 vulnerabilities, and that the attacks are feasible for non-sophisticated attackers. To facilitate further studies related to Log4j2 attacks on aerospace, aviation, and maritime infrastructures, we release relevant artifacts (e.g., software, documentation, and scripts) as open-source, complemented by patches for bugs in open-source software used in this study.
...
Publisher
Institute of Electrical and Electronics Engineers (IEEE)ISSN Search the Publication Forum
2169-3536Keywords
CVE-2021-44228 log4j log4shell vulnerability exploitation experimentation proof-of-concept aviation avionics ACARS ADS-B maritime AIS aerospace satellite langaton tiedonsiirto tietoliikennesatelliitit langaton viestintä Java meriliikenne lentoliikenne verkkohyökkäykset lennonvarmistus Apache haavoittuvuus kyberturvallisuus
Publication in research information system
https://converis.jyu.fi/converis/portal/detail/Publication/156493259
Metadata
Show full item recordCollections
Additional information about funding
This work was supported in part by the Finnish Grid and Cloud Infrastructure (FGCI) (persistent identifier urn:nbn:fi:research-infras-2016072533); in part by the Decisions of the Research Dean on Research through the Faculty of Information Technology, University of Jyväskylä, in April 2021 and April 2022; and in part by the Finnish Cultural Foundation under Grant 00221059. The work of Hannu Turtiainen was supported by the Finnish Cultural Foundation/Suomen Kulttuurirahasto (https://skr.fi/en) for supporting his Ph.D. Dissertation Work and Research under Grant 00221059. The work of Timo Hämäläinen was supported by the Faculty of Information Technology, University of Jyväskylä (JYU), for partly supporting his Ph.D. supervision at JYU during (2021–2023). ...License
Related items
Showing items with similar title or keywords.
-
GDL90fuzz : Fuzzing “GDL-90 Data Interface Specification” Within Aviation Software and Avionics Devices : A Cybersecurity Pentesting Perspective
Turtiainen, Hannu; Costin, Andrei; Khandker, Syed; Hämäläinen, Timo (Institute of Electrical and Electronics Engineers (IEEE), 2022)As the core part of next-generation air transportation systems, the Automatic Dependent Surveillance-Broadcast (ADS-B) is becoming very popular. However, many (if not most) ADS-B devices and implementations support and ... -
On the (In)Security of 1090ES and UAT978 Mobile Cockpit Information Systems : An Attacker Perspective on the Availability of ADS-B Safety- and Mission-Critical Systems
Khandker, Syed; Turtiainen, Hannu; Costin, Andrei; Hämäläinen, Timo (Institute of Electrical and Electronics Engineers (IEEE), 2022)Automatic dependent surveillance-broadcast (ADS-B) is a key air surveillance technology and a critical component of next-generation air transportation systems. It significantly simplifies aircraft surveillance technology ... -
Cybersecurity attacks on software logic and error handling within ADS-B implementations : systematic testing of resilience and countermeasures
Khandker, Syed; Turtiainen, Hannu; Costin, Andrei; Hämäläinen, Timo (Institute of Electrical and Electronics Engineers (IEEE), 2022)Automatic Dependent Surveillance-Broadcast (ADS-B) is a cornerstone of the next-generation digital sky and is now mandated in several countries. However, there have been many reports of serious security vulnerabilities in ... -
A Quantitative Analysis of Vulnerabilities and Exploits in Home IoT Devices
Jokela, Patrik (2023)Tutkimuksessa tarkastellaan IoT laitteiden tietoturvaa ja niiden haavoittu-vuuksia tapaustutkimusmenetelmää käyttäen. IoT laitteiden määrä on kasvanut räjähdysmäisesti ja jopa normaalit kodinkoneet alkavat olla yhdistettynä ... -
Multi-Connectivity for User Throughput Enhancement in 5G Non-Terrestrial Networks
Majamaa, Mikko; Martikainen, Henrik; Sormunen, Lauri; Puttonen, Jani (IEEE, 2022)To meet the increasing throughput and reliability demands, satellites may be used to complement the Fifth Gener-ation (5G) Terrestrial Networks (TNs). To increase the efficiency of the satellite communications involved, ...