Crashing an In-Flight Entertainment System
rabblerouzer writes "Hugh Thompson, who was interviewed by Slashdot on the dangers of e-voting, now has a cool blog entry on how he was able to bring down the gaming/movie console on an airplane. He calls it one of the most interesting examples of a software 'abuse case' he has ever seen." Fortunately the IFE system is totally disjoint from the avionics.
Spelling mistakes, grammatical errors, and stupid comments are intentional.
0. Install wireless NIC to In-Flight Entertainment System
1. Connect to wireless WAN and Internet
2. Install web server and post link to slashdot
3. Short sell airline stock
4. ???
5. Profit!
------ Take away the right to say fuck and you take away the right to say fuck the government.
No kidding... It was in the late 80s on a new electronic scoring system they had just installed.
I made a trivial and totally unintentional mistake in the set-up (punching in
number of players, their names, etc) and it brought down the whole system.
$7.95/mo, 200 GB disk, 2TBxfer, MySQL, PHP, RoR.
Hugh Thompson, who was interviewed by Slashdot on the dangers of e-voting, now has a cool blog entry on how he was able to bring down the gaming/movie console on an airplane
What, did they link /. to it?
The real title: How to crash a personal blog Summary: Post a link to it on /.
Well, gee. I hope that that little map of the Atlantic Ocean with my plane superimposed on it only has read privileges on /dev/autopilot :).
Don't blame me, I voted for Baltar.
So an article about hacking into insecure software is hosted on a site that displays information about its internals whenever there's high load... Fantastic.
If a job's not worth doing, it's not worth doing right.
Wow, 5 entire copies of TFA in the comments so far... Do you people not browse the comments before you post?
Careful, this may encourage people to actually RTFA...
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
It doesn't have to be an "attack", it can be something as simple as a stuck switch or a book placed on top of a keyboard. On an airplane, you have to consider the two-year-old who wants to play with the pretty buttons.
Mea navis aericumbens anguillis abundat
I'm not so sure I'd want to put my name out there as "the guy who brought down the computers on a plane". He'll be lucky not to land on the no-fly list, I think.
Care about privacy? Read this!
It's called a 'fencepost' bug, or 'off-by-one' bug.
:)
:)
Damn lazy programmers not using Assert() these days...
(And yes, I am one, programmer that is, not lazy
SwissAir 111 went down because the in-flight entertainment & gambling system had been rushed into service, and due to its design overheated and burned down the plane in-flight. This was its design: a separate computer for each seat. The computers (presumably single cards) were located in the ceiling near the front of the passenger compartment. So were the avionics wires. The entertainment/gambling devices overheated, caught fire and the plane crashed near Nova Scotia. Greed. SwissAir is no more.
Okay, I *am* an avionics programmer. Here's some background.
FAA regulations categorize software in 5 different levels of criticality, depending on how a failure of the software would affect the safety of the plane. Level "A" software is reserved for things like the "low fuel" alarm, which could potentially knock the plane out of the air on failure, to level "C" for things like the cabin pressurization system where the pilots can take emergency actions to compensate, to level "E" for things like the microwave in the kitchen.
(Beware: I gloss over a few details for clarity.)
The higher levels of software criticality have progressively higher levels of standards for testing. In the case of level-A software, each individual line of code must be examined for correctness in the context of the rest of the code. Each line of code must be executed as part of testing and actively shown to be correct, and each line of code must be individually code reviewed by another engineer.
At the higher levels of software, limit testing is required for all function arguments and if-statements. Multiple-clause if statements such as "if A and B but not C" must be tested for all combinations of the subject clauses, and so on.
In addition to this, all avionics software I've worked on makes a distinction between showing erroneous information and showing *no* information (or, working incorrectly versus not working at all). If the digital altimeter goes blank, the pilots will notice and can take corrective action. If the altimeter is reading the wrong information, then that's a critical failure which could cause an accident.
Thus, avionics software innards are heavily checked throughout execution to ensure proper operation, and any failure causes the system to immediately go offline. All function arguments are ASSERT'ed for correct range, all calculations are checked for range and accuracy, &c.
The entertainment system, and in particular a game within the entertainment system, is almost certainly a level-E software component, and so is not required to go through such rigorous testing. The hardware has to be shown to not interfere with the avionics and that's about it.
On a recent Air Canada flight the flight attendant actually came on the PA to tell everyone that the in-flight entertainment system was being turned on for our use. She then proceeded to tell us to be sure we didn't push 4 of the buttons on the main screen or else the screen at your seat would crash and they would be unable to fix it in flight. I thought it strange that a computer entertainment system installed in an aircraft would be a "work in progress" instead of just installing a full-functional system. Among the buttons we were not to touch? Weather and Flight tracking...of course.
Okay, who entered the number 5 and kept pushing +? Congratulations, you just crashed the server.
Carbon based humanoid in training.
http://mirrordot.org/stories/78b27588587fb8b086acd346451d845a/index.html
Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
Ooh... so close. There are people that read slashdot articles. There are also people that post to slashdot discussions. I'll simply leave it as an exercise to the reader to figure out what the intersection of those two groups is.
But seriously, those who generally read the article have less of a chance of getting a post higher up in the discussion than those who just jump in (Whether they jump in due to a high level of comfort in the subject, or sheer bravado.) This means that people who post early are more likely to have their post read. They are also much more likely to get a response, as there are people who want to take advantage of the nested system and get their post to show up higher on the page. Also, early posts are generally highly moderated, which I guess can be sort of a thrill to some people. So, the system is self reinforcing. Bringing trolls into the mix greatly amplifies the situation, especially FP! trolls.
I fly across the pacific a few times every year and they always warn people to take it easy and be patient with the IFE "or it will crash" - which is certainly true - without trying I managed to spend 10 hours staring at a Windows CE "some thing bad happened" dialog box .... couldn't even turn the damn thing off when I wanted to sleep
Interesting. I went to swissair111.org and read up on the incident. They are now reporting that "MICHAIL ITKIS, CEO OF INTERACTIVE FLIGHT TECHNOLOGY CHANGES NAME TO MIKE SNOW". So apparently we need an extra step in the old cliche:
FATMOUSE + YOU = FATMOUSE
I was coming back from a conference wearing a hat with a prominent penguin on it, when our in-flight system crashed. As it was re-booting it was obvious to some of the more tech-minded passengers that it was running through the Linux boot sequence. I started hearing calls of "lynch the guy with the penguin hat", from the seats behind me...
TFA
One of the most interesting examples of a software "abuse case" came to me rather abruptly on an airplane flight from Las Vegas to Orlando in mid 2005.
Each seat in the airplane had a small touch screen monitor built into the head rest of the chair in front, and on this particular airline, passengers could watch a variety of television channels and play a few simple games. One such game looked remarkably similar to the classic strategy game Tetris, where players use their skills to manipulate falling blocks on a screen to try and form horizontal lines. I'm a big fan of Tetris; for a few months in 1998 I was borderline obsessed with it. I would start looking at everyday objects and start mentally fitting them together with other things in the room to form weird line configurations. One of the options on this particular airborne version of Tetris was to alter the number of blocks one could see in advance on the screen before they started falling.
To give myself the biggest advantage in the game, I pressed the + control as many times as it would allow and got to the maximum value of 4. I then put my "bad guy" hat on and asked: How *else* can I change the value in this field? Near my armrest was a small phone console; you know, the one where you can make very important calls for a mere $22 per minute. I noticed that the phone had a numeric keypad and that it also controlled this television monitor embedded in the seat in front of me.
I then touched the screen in front of me to highlight the number "4" in the options configuration shown in Figure 1. I tried to enter the number 10 into that field through the phone keypad with no luck: it first changed to the number "1" followed by the number "0". Frustrated, I then made the assumption that it would only accept single digit values. My next test case was the number "8"; no luck there either, the number didn't change at all. I then tried the number 5: success! '5' is an interesting test case, it's a "boundary value" just beyond the maximum allowed value of the field which was '4'. A classic programming mistake is to be off by 1 when coding constraints. For example, the programmer may have intended to code the statements:
0 value 5
When what actually got coded was
0 value = 5
I now had the software exactly where I wanted it, in an unintended state; the illegal value 5 was now in my target field. I then turn my attention back to the screen and hit the + button which, to my complete surprise, incremented the value to 6! Again, an implementation problem, the increment constraint probably said something like "if value = 4 do not increment." In this case, the value wasn't 4 but 5 so it happily incremented it to 6! I then continue to increment the value by pressing the + button until I get to 127 and then I pause for a moment of reflection. 127 is a very special number; it is the upper bound of a 1 byte signed integer. Strange things can happen when we add 1 to this value, namely that 127 + 1 = -128! I considered this for a moment as I kicked back a small bag of peanuts and in the interest of science I boldly pressed the + button once more. Suddenly, the display now flashes -128 just for an instant and then poof...screen goes black.
Poof...screen of the person next to me goes black.
Screens in front of me and behind me go black.
The entire plane entertainment system goes down (and thankfully the cascading system failure didn't spill over to the plane navigation system)!
After a few minutes of mumbling from some of the passengers, a fairly emotionless flight attendant reset the system and all was well. I landed with a new-found respect for the game of Tetris and consider this to be the most entertaining version of it I have ever played.
.
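The failure chain described in the article above, modelled in C as an added example (it is not code from the article or from any IFE vendor). The function names, the exact comparisons and the 8-bit storage are assumptions that follow the article's own guesses; the "after" functions show a range check shared by every input path, a `>=` guard instead of `==`, and a state check before acting.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All names and checks here are hypothetical; they model the article's guesses. */
#define PREVIEW_MIN 0
#define PREVIEW_MAX 4 /* highest value the on-screen + control allowed */

/* "Before": keypad path with the upper bound off by one (accepts 5). */
static bool vuln_set_from_keypad(int8_t *value, int digit)
{
    if (digit >= PREVIEW_MIN && digit <= PREVIEW_MAX + 1) {
        *value = (int8_t)digit;
        return true;
    }
    return false;
}

/* "Before": the + button only refuses when the value is exactly the maximum. */
static void vuln_increment(int8_t *value)
{
    if (*value == PREVIEW_MAX)
        return;
    /* 8-bit signed storage: 127 + 1 becomes -128 on two's-complement targets. */
    *value = (int8_t)(uint8_t)(*value + 1);
}

/* "After": one range check shared by every input path. */
static bool preview_in_range(int v)
{
    return v >= PREVIEW_MIN && v <= PREVIEW_MAX;
}

static bool safe_set_from_keypad(int8_t *value, int digit)
{
    if (!preview_in_range(digit))
        return false;
    *value = (int8_t)digit;
    return true;
}

/* "After": verify the stored state first, then compare with >=, not ==. */
static bool safe_increment(int8_t *value)
{
    if (!preview_in_range(*value)) {
        *value = PREVIEW_MIN; /* state already invalid: restore a known-good value */
        return false;
    }
    if (*value >= PREVIEW_MAX)
        return false; /* saturate at the maximum */
    *value = (int8_t)(*value + 1);
    return true;
}

/* Replays the article's sequence: value 4, keypad "5", then + pressed `presses` times. */
static int8_t vuln_scenario(int presses)
{
    int8_t v = PREVIEW_MAX;
    vuln_set_from_keypad(&v, 5);
    for (int i = 0; i < presses; i++)
        vuln_increment(&v);
    return v;
}

/* Same sequence against the hardened functions. */
static int8_t safe_scenario(int presses)
{
    int8_t v = PREVIEW_MAX;
    safe_set_from_keypad(&v, 5);
    for (int i = 0; i < presses; i++)
        safe_increment(&v);
    return v;
}

int main(void)
{
    printf("modelled original, 122 presses: %d\n", vuln_scenario(122));
    printf("modelled original, 123 presses: %d\n", vuln_scenario(123));
    printf("hardened, 123 presses: %d\n", safe_scenario(123));
    return 0;
}
```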
I suspect it might be fairly common for seat-back computers to crash?
I don't know enough about Linux to understand what it said on my screen when it was trying (and failing) to boot back up again:
http://washedashore.com/misc/inflight_error.jpg
(This was April 23, 2005, on a flight from Bucuresti Romania to NYC.)
-Ben
sure, it wasn't critical - and I'd hate to have him get on a no-fly list or get fined or be banned from that airline.. or whatever.
:P
But this isn't just some kid accidentally hitting that remote, changing things to 5, then playing.. or then realizing they can hit up a few more times.. and then playing.
This guy actually knew, in his mind, what was going on.. Not only that... at the point where things would go wrong, he actually paused, sat back, made the change that might make things go wrong and enjoyed the half-expected result.
That's intent, right there. If nothing else, he should be slapped around for making the rest of the cabin annoyed because their in-flight entertainment was interrupted for no good reason whatsoever - causing a flight attendant to be occupied with a task he/she should not have been occupied with, etc. etc.
If this guy wants to have fun with mucking about with systems, have him get his own in-flight entertainment system, or apply for a job at a place that makes these things / the software
That said.. yay that he found the bug.. I hope they fixed it now.
I think it's more of a case of bad quality control. If the testing environment of the developers had contained a single "lets throw an exception" or maybe a "lets try to lock up a process at 100%" test, they would have seen that they needed to add a bit of exception handling (in the first case).
But writing good test cases can be hard.
Anyway. I've seen code like this tons of times. Some people apparently have issues with (how hard can it be), so they use equal instead, but one day, the step value is changed from 1 to 2 (make it go directly from 99 to 101), or some routine fails and returns a default value of -1. And suddenly the code is in the twilight zone.
Anyway^2, I actually did find this rather un-interesting.
TC - My Photos..
Well, in your case it's obviously not even an 081 IQ or you would have mastered simple string reversal...
Deliberately crashing the IFE system is no great accomplishment. At least some of the darn things crash themselves just fine with no abuse. I was on a Virgin Atlantic flight from Washington, DC to London a couple of years ago, and the IFE systems would crash on a regular basis by groups of four seats. You could be blissfully watching a movie and then poof, everything goes dark. The flight attendant would reset the system and then sometimes it would come back up and other times it would just sit there at a dark screen. Uptimes varied from 10 minutes to a couple of hours. Very, very frustrating, both for the kids trying to play but getting frustrated and cranky and for the parents trying to keep their sanity during an eight hour flight.
--Paul
20.
Since 100 is an average IQ then the opposite of a number 80 points above average would be a number 80 points below average.
"Today, Sesame Street was brought down by the number 5"
Table-ized A.I.
The word wasn't "fortune," though. It was "fortunately." Unlike "fortune," "fortunately" does not imply that luck was involved. It simply means that it was a beneficial arrangement. The sentence in the summary does not imply, in any way, that mere luck is responsible for the arrangement of the avionics and entertainment systems. You invented that ridiculousness on your own. "Fortunately" is derived from "fortune," but that does not mean that they carry the same meaning, as any dictionary will tell you.
Another example...if I give you "a murderous look" it does not mean (or even imply) that I killed you, attempted to kill you, or even contemplated a violent act toward you. "Murder" and "murderous" are not as close in definition as they are in derivation.
The US free market: two halves of a government-granted duopoly are free to set the market price.
Who let that guy onto the plane with a brain over 3 ounces? Don't they know that thing is a deadly weapon? Heads are going to roll.
Several years ago I managed to crash an in flight entertainment system on a United flight completely inadvertently. The system in question only had a few games for free with the rest costing money to unlock. Since I objected to having to pay for the games I restricted myself to the free games until suddenly in the middle of a game of pong it got more and more sluggish until the screen freezes, goes black and the system reset itself. I went back into pong, cranked up the number of balls to the max allowed (4 IIRC) and noticed that now it would crash within a minute or two.
Playing around (there really was nothing better to do) I found that quickly wiggling the bat around with 4 balls on the screen would crash the system. After about the 4th or 5th crash the system came back up but this time with all the games enabled! After that I was careful not to crash the system but still about 30 minutes from landing it crashed again and came back up with only the free games.
I wondered at the time how such an easily triggered failure could have been overlooked. Unlike the article my crash only affected my screen...but at least there was some beneficial effect!
Can anyone intuit the airline? Because without an airline name, I call bullshit on this story. I would guess it had to be business class, and probably a foreign carrier, if the story is to be believed.
Dude, I think I can see my house from here.
Based on the description of the IFE system and having recently flown and played a version of Tetris which fits his description .....
Delta 767
I'll see if I can confirm the hack without the crash (I guess I'm just too nice) next week.
Wouldn't you want to buy Fruit of the Loom, since the victims will have to buy new underpants?
The space unintentionally left unblank.
Sorry to reply to my own post, but someone down below suggested it may have been a Delta 767. The Song (Delta's low cost brand) airline has the Panasonic eFX IFE which offers what he describes I think in every seat (my bad for not flying Song I guess!). Link here . The story still seems way too slick to me (as a former tester, I would have tried that sequence of events pretty quick), but evidence of an IFE that fits the description makes it inherently more believable.
Dude, I think I can see my house from here.
Nope, IQ is not a linear measurement (usually).
There are quite a few IQ tests and they are usually structured so that the majority of people fall right around 100 with a max possible score of 200.
IIRC, over 80% of all people fall in the 10 point range around 100 (or maybe it was with 10 points of 100).
A 150+ on most tests is in the upper 2% of the population.
Mycroft
https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
IQ scores are a standard distribution with a standard deviation of 10 and a mean of 100. Therefore,
IQs +/- 1 standard deviation from the mean, that is, 90-110, account for approximately 68% of all scores.
The 80-120 range will account for roughly 95% of the scores.
And 70-130 will include over 99%.
Obviously, an IQ of 180 is astoundingly high. An IQ of 55-60 is, I believe, in the mentally retarded range. Since there's not really a good way to quantify "half as smart" and "twice as smart," you could consider that accurate if you wanted, I suppose. Personally, when I think of somebody who is "half as smart as average," I don't think it's that bad.
From Wikipedia:
* mild mental disability: IQ 50-55 to 70; children require mild support; formally called "Educable Mentally Retarded".
* moderate disability: IQ 35-40 to 50-55; children require moderate supervision and assistance; formally called "Trainable Mentally Retarded".
* severe mental disability: IQ 20-25 to 35-40; can be taught basic life skills and simple tasks with supervision.
* profound mental disability: IQ below 20-25; usually caused by a neurological condition; require constant care.
There are also a bunch of debates as to bias and whether IQs really measure anything worthwhile which I'm sure you can find on the same Wikipedia page if you're interested.
Actually, no, it takes more inside information than that. My dad worked for Swissair for 30 years and its downfall was actually the acquisition of Sabena and the contractual agreement created in the acquisition. At the time, it was a solid investment, but as the overall financial state of Sabena fell apart, Swissair was legally obligated to have to try and save them, draining their resources. The in-flight entertainment was simply a last can of gasoline tossed on an intensely burning flame.
in the U.S., no foreign carrier is allowed to make any flight that starts and ends in this country.
Maybe his was a philosophical or metaphysical question, not mathematical.
> What's the opposite of a 180 IQ? An 018 QI?
QI (or "chee") means balanced life force energy. Notice the 0 and the 8 on either side of the 1; one circle (0) separated from the two smaller stacked circles (8) (or more precisely, the figure eight circle). Therefore, since 1 represents ("one" or "self"), we can infer from this QI degree quotient "018" that "My intelligence has already come full circle in life and will most assuredly half in my next unless my karma improves".
I hope, when they die, cartoon characters have to answer for their sins.
I think it's a good comment. What if you thought it was cool that you could hack the entertainment system. But your hacks caused the system to overheat and set the plane on fire. Scary, you are better off just keeping your fingers away or wait until the plane has landed if you must hack it. You can read more details of the crash on http://en.wikipedia.org/wiki/Swissair_Flight_111
Fortunately the IFE system is totally disjoint from the avionics.
I was at a presentation (about nine years ago, now) where someone from the aviation industry was showing us the future (or the future as he hoped) of aircraft systems - in particular a new bus that was being used for communication around the aircraft. And yes, the in-flight-entertainment used the same bus as the avionics. It was being actively presented as a positive feature. Sadly, I don't remember the details.
SwissAir 111 went down because the in-flight entertainment & gambling system had been rushed into service, and due to its design overheated and burned down the plane in-flight. This was its design: a separate computer for each seat. The computers (presumably single cards) were located in the ceiling near the front of the passenger compartment. So were the avionics wires. The entertainment/gambling devices overheated, caught fire and the plane crashed near Nova Scotia.
Yes, the wiring insulation burned and brought down the plane. A friend's wife was on that plane, so I have an interest beyond the technical.
Another interesting event was the crash of an Airbus flight control system, resulting in an inflight rebooting message; the pilots flew on in manual.
Greed. SwissAir is no more.
Yes, but it was due to them overpaying their employees and not controlling other expenses as well - a problem many European state run airlines have. Look at Alitalia for example - they could lease planes with crews for less than it costs to fly their own. Europe's carriers are heading towards the same consolidation and liquidation that US ones have experienced and only a handful will survive. I think BA Lufthansa and Air France will probably be the last standing.
I'm a consultant - I convert gibberish into cash-flow.
Wait wait wait, so let me get this straight: you have to sit in that seat and stare at the 4 buttons they specifically told you not to push? For hours on end? That is my own vision of a personal hell.
Sure, but Fruit of the Loom will have to compete with the dirt-cheap Gnome Underpants flooding the market. If you search long enough, you'll find an exact replacement for the ones you lost!
Antiquis temporibus, nati tibi similes in rupibus ventosissimis exponebantur ad necem.
Here is another picture of an in-flight entertainment system running Linux, seemingly booting up:
http://www.shelleytherepublican.com/2006/12/01/linux-the-reliability-myth-debunked.aspx
>north
You're an immobile computer, remember?
You forgot one more category
IQ 70-85 - idiot that will buy what advertisers tell them to buy. #1 buyer of 4WD SUV's because they believe they will be safer. Believe that they really are the center of the universe. Prime candidates for Middle management, Sales and Marketing departments.
What happens if the plane has to make an emergency landing? Do the authorities shoot it down?
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
"Gremlins! Gremlins! I'm not imagining it, he's on the LAN! Don't look, he's not out there now. He swaps out whenever anyone might stat him, except me."
One line blog. I hear that they're called Twitters now.
There was/is no danger of this happening. I develop software for major airline Flight Management Systems (FMS) and the entertainment system is physically separated from the FMS as well as other "flight critical" systems. Also, Software on an aircraft needs to be developed according to the guidelines of RTCA's DO-178B, which classifies the fallout of software into "levels". The most critical, Level A, like autopilot and flight controls requires very stringent evidence of verification. The least critical, Level E, requires basically no verification or documentation whatsoever, and this is what entertainment systems are developed under.
There was a case in the early days when in-flight entertainment systems were first put on planes where a short in the video system crashed other critical computer components due to the entertainment system and flight system being on the same electrical bus. This obviously caused changes to the rules, so now everything is separated.
In that case, the landing has definitely caused an emergency.
You've been on Slashdot for 5 years, and now you start posting, and you come up with one of the least useful posts possible.
You just summarized TFA's explanation of "what went wrong," but less succinctly and less coherently than TFA.
Way to go.
Actually, per the WAIS-III manual sitting in front of me, the std. dev is 15, not 10. Therefore, 85-115 is +/- 1 s.d. from the mean of 100. But your point is still accurate that an IQ of 185 is astoundingly high. Mental retardation is -2 s.d.'s below average, which puts that at an I.Q. of =70. You also need significant adaptive impairment in at least two domains (e.g. communication, self care, interpersonal skills, etc...)
just my .02
jeff
Test *software*, if it is used, is software that exists outside of the avionics software in question. It does not need to be rigorously tested, only "qualified" (FAA term). Qualification means that someone goes over the code in a cursory manner and checks each logical case the software tests for, and verifies correct operation.
For example, a coverage analysis tool would have a qualification test report that shows the system works for an if-statement, a for-loop, a while-loop, and so on. Similarly, the compiler is qualified by showing that it generates correct code for an if-statement, a for-loop, &c.
In practice, there is usually very little external test software that can be used effectively. Exceptions exist, but largely much of the avionics software components don't port to another system for testing very well. (As opposed to testing the *entire unit* by having some sort of simulator computer which generates synthesized inputs, which works very well.) (Fly-by-wire calculation engines being one of the exceptions.)
In the case of ASSERT's and other constructs which continuously check the code inside the unit, they are considered to be part of the avionics software and thus must undergo the same level of criticality testing as the rest of the code.
As an example from projects I have worked on, in a level-A project each separate ASSERT statement was tested for both cases (pass/fail) and verified to be working. In a level-C project the ASSERT macro was analyzed and shown to generate correct code, and then a handful of the simple-clause ASSERT's were rigorously tested, and from this all the rest of the simple ASSERT's were deemed OK. (and complex clause ASSERT's were rewritten to use simple clauses, and the one remaining complex ASSERT was tested rigorously).
Once the number in the Tetris game rolls over to -128, the plane is supposed to go down by itself. If the authorities can guide the falling plane to land perfectly between the high rise and the parking garage, they will clear the row and move on to the next level...