Slashdot Mirror


Boeing 787 May Be Vulnerable to Hacker Attack

palegray.net writes "An article posted yesterday on Wired.com notes that 'Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.' They're already working on solutions to the problem - including placing more physical separation between aircraft networks and implementing more robust software-based firewalls."

8 of 332 comments

  1. Two separate networks by maxrate · · Score: 3, Informative

    I'm not an avionics engineer - however, even in a small hotel I service, we keep the guest network and the hotel/admin network separate. The only common hardware is the AC power and the modem that has a /28 assigned to it.

  2. Re:I don't get it... by badasscat · · Score: 5, Informative

    Why can you remotely control aircraft systems at all? There should be no network equipment to compromise in the first place!

    The 787 is fly by wire, like most new aircraft designs. It's all computer controlled, not mechanical.

    My guess is this - the "common core system" designed by Honeywell - has something to do with the various systems being connected. This is a system designed to simplify the airplane's various systems and reduce the number of separate systems (which means fewer failure points - usually a good thing in engineering). I do believe Boeing when they say that there are built-in separations and that the two systems are not completely tied together, but obviously it wasn't enough for the FAA. So they're fixing it. Nothing really all that unusual about a new airplane design; there are always various issues that need to be addressed before first flight.

  3. Re:I don't get it... by Naughty+Bob · · Score: 3, Informative

    It is mandatory that the avionics are physically disconnected from other systems. The story is a consequence of the Wired writers misunderstanding the FAA's report. A comment (by 'Vorsicht') in the article's comments points this out....

    --
    "Be light, stinging, insolent and melancholy"

  4. Aviation software by shawkin · · Score: 4, Informative

    The flight control and avionics networks as well as the hardware are separate from the passenger network.
    The concern is that a separate network of maintenance and some limited flight information data share the same up/down links as the passenger network. The FAA notice is to demonstrate to the FAA that there can be no interference between the maintenance and flight information data and the passenger network.
    Even if the maintenance and flight information data were compromised, at worst this would mean that the operating history of the aircraft is not accurate. This is a big deal but not something that will lead to in-flight failure.
    An additional requirement of the FAA notice is to prohibit future passenger services without testing for interference and security.

  5. The Equipment in Question by nonsequitor · · Score: 3, Informative

    http://www.astronautics.com/new/PIDDemo/Piddemo.html

    With 2 of those in the cockpit, one for pilot, one for copilot, each running 2 Operating Systems Linux/Windows, and all networked together since each box has 6 network interfaces on it. The thing would be a field day for hackers. While they were designing it a bunch of the consultants helping with the coding were ranting about possible security, but were ignored.

    I can't go into specifics because of my NDA, but considering it was 4 years ago I worked on it, I doubt that is still in force. Though I believe I can say I worked on it, and that information is all publicly available.

  6. Re:I don't get it... by bepe86 · · Score: 3, Informative

    The reason for that is simple. Techs in the military (at least in the nation where I'm hired) are practically brainwashed into separating every system regardless of classification, to prevent hazards like this. It's really a royal pain in the ass, especially when you have to deploy 4 or 5 parallel networks using fibre optics only to take it down in a week or two, when one network could've served it all, but it is totally understandable, and I think that a lot of civilian businesses have a lot to learn when it comes to this.

  7. It's not UNSAFE it's uncompliant to CFR 14 regs by gelfling · · Score: 5, Informative

    Did you READ the report? I did. It doesn't say anything is unsafe. What it says is there are unique architectures in the systems that put them at odds with CFR 14 regulations compliance whether they present an actual or potential danger or not. Furthermore there's a comment in the report which states that Airbus objects to the regulatory findings on the basis that the 'standard' is too high level to offer any concrete value for implementation or compliance.

    Like any other IT security audit - compliance doesn't mean security; it means compliance. And in the cases where there are deviations from the standard, the system has to be able to speak to that deviation and address it or contest it.

  8. Re:I don't get it... by wirelessbuzzers · · Score: 3, Informative

    "Not completely connected" is a very strange phrase... either there's a connection between the two networks or there isn't. I don't know what it means to be connected at some points and not at others.

    There could be a data diode between them. That would allow the passengers to see flight path and sensor statistics and hear the cabin radio, and allow the cabin lights and indicators to be controlled from the cockpit side without being physically isolated, but nothing on the cabin side could influence the cockpit side. They might also want to electrically isolate the two sides to block power surges from reaching the avionics (although they should already be hardened enough to handle that, because lightning strikes airplanes sometimes).
    --
    I hereby place the above post in the public domain.