Boeing 787 May Be Vulnerable to Hacker Attack
palegray.net writes "An article posted yesterday on Wired.com notes that 'Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.' They're already working on solutions to the problem - including placing more physical separation between aircraft networks and implementing more robust software-based firewalls."
No more playing MS Flight Sim.
Why aren't both networks physically completely separated from each other?
... is one that's physically isolated. I can't think of one good reason why passengers should have any access whatsoever to command/control networks used by the airplane.
I'm not an avionics engineer - however, even in a small hotel I service, we keep the guest network and the hotel/admin network separate. The only common hardware is the AC power and the modem that has a /28 assigned to it.
Nowadays you cannot get on a plane carrying any kind of gel or liquid. Hell, there are places where you can't even get on board with a lighter. However, I've always been able to travel with my laptop (don't want "luggage management" to break it), provided that I prove it's a real laptop (i.e. turn it on).
And now this? What does that mean? I won't be able to board a plane with my laptop again, that's what that means. And who can I blame? The frightened Homeland Security officers who try to no end to sanitize flights with the Stupid Fear Of The Month, or the inept engineers who let that security flaw slip into production on a flying aircraft?
And where's my flying car?
This is pretty much the exact type of situation they invented red/black networks for. I can't imagine how any design for a passenger accessible network wouldn't use completely segregated networks for a) passenger use, b) flight logistics and maintenance, and c) actual flight control operations. And given the giant nightmarish spiderweb that aircraft wiring harnesses tend to be I'm guessing it will be a non-trivial task to implement it now, even ignoring the software and systems redesigns that would be required.
What kind of an idiot would put the flight control systems and the on-board entertainment/voip/net/pr0n on the same physical network? Were they trying to save weight/money by running only one cable through the plane?
I recall reading about MS stuffing their software into cars (that probably evolved into Ford's SYNC) and even there the MS crap and the engine management systems were completely separate.
There are a few million easier ways to bring down an aircraft (or kill thousands and cause panic if that's your thing). Yes this is idiocy in engineering, but considering all the other threats I don't think it's way up the list. Ultimately, we aren't dead yet because there just aren't that many intelligent people that want to kill us, 'cause it just isn't that hard to pull off.
I am not an avionics engineer, but I worked with electrical and electronic systems on nuclear power plants, and we had a pretty strict segregation between different types of systems--and with 0 connection between a critical system (power sensing, for example) and a non-critical system (some water level management). That's not even COUNTING peripheral systems (computers on the local network for email/ppt/xls).
My thought is that some asshole at boeing decided to save some money on cable runs and ginned up an explanation of how software segregation would serve as an adequate barrier between flight critical systems and passenger systems. They never learn.
The article doesn't specify how the networks are connected. It could be something fairly innocuous like sharing the same power source. I seriously doubt they put the passenger internet access on the same packet-switched network as flight control. But who knows...
If what TFA claims is really true, i.e. that the passenger network is physically connected to the control and navigation system, then someone should get fired for this.
The control and navigation system of an airplane is one of the most critical networks possible; the lives of hundreds of passengers (and potentially of thousands of people on the ground) depend on its correct functioning. There are not many more critical networks than that, except maybe control systems for weapons, nuclear plants and some factory control systems.
Even the worst sysadmin out there knows that you do not physically connect such a highly sensitive, highly critical network to something crappy like the in-flight passenger entertainment network.
Why should the two networks be connected at all? To tell the passengers the current speed of the plane?
The XBox was hacked. The playstation was hacked. DVDs were hacked. HD-DVD was hacked. Pretty much anything out there was hacked if someone had an interest in it (and mostly the interest wasn't commercial, just "for fun"). Even if they aren't "completely connected" as Boeing claims, the danger of it being hacked is very real. On one hand you are not allowed to use your mobile phone on a plane, and on the other you can play with a network which is attached to the navigation and control system? Come on.
- If the plane deviates from the flight plan, access to Google Maps may become handy to plan a new route
- While on autopilot, access to certain web sites may provide some entertainment to the captain, who usually is a lonely man
- Given the bad quality of many onboard speakers, announcements from the cockpit can be emailed or IM'ed to passengers
- Hacker intrusion may be a better excuse than malfunctioning engine as the reason for a plane crash
- No more planes grounded due to lack of pilot operating manual, as it could be easily downloaded from the Internet
I am sure there are many other good reasons to connect the navigation network to the Internet, so this list is not exhaustive.
The flight control and avionics networks as well as the hardware are separate from the passenger network.
The concern is that a separate network of maintenance and some limited flight information data share the same up/down links as the passenger network. The FAA notice is to demonstrate to the FAA that there can be no interference between the maintenance and flight information data and the passenger network.
Even if the maintenance and flight information data were compromised, at worst this would mean that the operating history of the aircraft is not accurate. This is a big deal but not something that will lead to in flight failure.
An additional requirement of the FAA notice is to prohibit future passenger services without testing for interference and security.
With 2 of those in the cockpit, one for pilot, one for copilot, each running 2 Operating Systems Linux/Windows, and all networked together since each box has 6 network interfaces on it. The thing would be a field day for hackers. While they were designing it a bunch of the consultants helping with the coding were ranting about possible security, but were ignored.
I can't go into specifics because of my NDA, but considering it was 4 years ago I worked on it, I doubt that is still in force. Though I believe I can say I worked on it, and that information is all publicly available.
Did you READ the report? I did. It doesn't say anything is unsafe. What it says is there are unique architectures in the systems that put them at odds with CFR 14 regulations compliance whether they present an actual or potential danger or not. Furthermore there's a comment in the report which states that Airbus objects to the regulatory findings on the basis that the 'standard' is too high level to offer any concrete value for implementation or compliance.
Like any other IT security audit - compliance doesn't mean security it means compliance. And in the cases where there are deviations from the standard, the system has to be able to speak to that deviation and address it or contest it.
If that worries you, then I'd look into Airbus - at least Boeing believes the pilot should always have the last say, not the computer.
While I completely agree, designers are always under pressure to reduce the amount of wiring looms - they add a surprising amount of weight thereby decreasing fuel economy.
Is it just me, or does this make Boeing (or at least this spokeswoman in the article) sound like a real grade A moron?
The choice quotes to me were the article's quote that the solution involves some separation of networks, known as 'air gaps', and software firewalls. And the choice quote straight from the spokeswoman from Boeing: "There are places where the networks are not touching, and there are places where they are".
OK, so what, having the networks only connected at some points should reassure me somehow? It only takes a single interconnection to have these logically be a single network as far as hacking into it is concerned. I'm also DEEPLY troubled by the statement about using a software firewall. (Any firewall is really some box running software; the term "software firewall" typically implies a Windows box running software... which would be deeply troubling.) It is also troubling to me that they are even willing to imply that adding air gaps at *SOME* points amounts to anything. Sorry, saying a network has an air gap means that it is NOT connected to insecure networks... not that it's connected at fewer points. (Although, I suppose they could be confusing things, adding air gaps in the electrical sense, so an etherkiller on the entertainment network doesn't blow out the control network.)
Right. I also posted a link later that showed that I was overestimating the separation required between critical systems and non-critical systems and among critical systems. That being said, I don't feel that most of the decisions to skimp on safety measures are taken by engineers, they are taken by management over the protests of engineers. In my experience, engineers tend to overdo it. :)
... It looks like you're trying to take over the flight controls ...
Or, for a more unix-y flavour...
# cat /dev/random > /dev/aileron
As described on a Seinfeld episode:
GEORGE: When are they gonna have the flying cars, already?
JERRY: Yeah, they have been promising that for a while..
GEORGE: Years. When we were kids, they made it seem like it was right around the corner.
JERRY: I think Ed Begley Jr. has one.
GEORGE: No. That's just electric.
JERRY: What about Harrison Ford? He had one in, uh, Blade Runner. That was a cool one.
GEORGE: (Sarcastic) What's the competition, Chitty Chitty Bang Bang?
JERRY: Well, what do you think the big holdup is?
GEORGE: The government is very touchy about us being in the air. Let us run around on the ground as much as we want. Anything in the air is a big production.
JERRY: Yeah, right. And what about the floating cities?
GEORGE: And the underwater bubble cities?
JERRY: It's like we're living in the '50s here!
Considering Boeing is the world's leader in passenger aircraft, how about we just give them the benefit of the doubt that they aren't retards?
"Sure, Boeing's spent a decade designing this plane with thousands of engineers, but I read a short Slashdot story summary and now I'm going to decree I know more than them!"
Comment of the year
ARINC 653? Um, no. 653 is an operating system interface specification, analogous to POSIX in the consumer market. It says nothing about interconnect mechanisms.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 Whoops, silly middle mouse button...
The FAA document in question is basically saying that there needs to be some previously unneeded standards for certification for the 787 just to make sure that the electronics can't be used to do what the Wired article and the headline of this thread threatens.
Queue up 11,000 A/C posts about H4X0RZ Cr45h1n6 for REALZ Do0DEZ!.
This is not a "Windows vs Linux" thing. These are highly specialized data networks designed specifically for aircraft. The typical running life of a big jet is some 40 years or more - the idea of a consumer O/S such as Windows (or even Linux) being suitable for such a situation is simply stupid. Everything is coded in firmware, micro-processor based, with a likelihood of actually crashing accidentally being somewhat less likely than getting struck by lightning on a sunny day while sitting in the cellar of your 4-story house.
Not bloody likely.
But, actual, malicious attack? Possible - and if there was *ANY* connection between the passenger data networks and the main control networks, that's an issue that must be addressed.
Most likely, the FAA found some part that was connected to both networks, that itself was not capable of actually transmitting data. But they're being careful, as is their job, since lives are on the line.
Go FAA!
Back in college, 15 years ago now, I was hanging out on one of the networking Usenet groups when someone asked whether or not laptops supported Token Ring. The answer, from many sources, was that you could get PCMCIA cards for them (built-in networking wasn't common in that era), but that they would be much more expensive than Ethernet. We got the response that the original poster was an engineer with Boeing, he was researching passenger networking, and "we can't use Ethernet because it is not real-time enough for fly by wire." (The fly-by-wire system of the 777 is indeed based on Token Ring; since then the aviation industry has developed a spec fly-by-wire-capable Ethernet which the 787 uses.)
So there definitely was some notion already back then to tie the passenger networking into the same system as the fly-by-wire. Needless to say, the group (including yours truly, an undergraduate college student) responded with disbelief, and until today I thought they would have scrapped that idea ten times over before ever getting close to an aircraft. Apparently that optimistic view was totally wrong.
(Note: it is possible to have *one-way* airgap security, which would provide, say, navigation information to the passenger network while physically eliminating the possibility of interference in the other direction. All it takes is one-way communications hardware. Needless to say, it's pretty obvious from the vagueness that they're not doing that -- they would have stated so in no uncertain terms.)
Anyway, as I had been involved with some avionics work, it is incredibly difficult (not impossible) to compromise the control signals for basic surface control on an Avionics Full-Duplex Switched Ethernet (AFDX) ARINC-664 network, the type of standard used for Aircraft Data Networks. You can google it, but for a quick summary, it is a deterministic full duplex version of Ethernet with additional bits and bobs to safeguard redundancy and message integrity. The message integrity spec means that due to special protocols, when a cockpit console control (say the throttle) needs to transmit to the engine FADEC, the actual module on the engine not only expects to receive a relevant message from the right domain (there are different domains such as electrical flight control, communications, pneumatics), but also from a very specific component (that has a serial number). The point is that you cannot re-route messages easily and there is some sort of authentication of components talking to each other. It is incredibly difficult for someone to replay an engine switch off message that should be routed to the engine and make it appear that it comes from the console switch of the cockpit, when in fact it comes from an external hacker. This combined with the fact that the core OS is probably some real-time micro-kernel derivative with specially obscured commands (Wind River VxWorks, other?), makes things more difficult.
Having said that, security through obscurity and whatever authentication/authorization system is not a panacea for the lives of 200-300 people that travel at mach 0.8 at 35000 feet. Even if there is someone that succeeds in getting in, in the Airbus version of the system, the pilot has the option to shut off external comms by resetting the external link. None of the critical parts (main MCUs, core switching components) have erasable firmware, so...somebody could be cut off easily, if she is detected on time and provided that it does not create a situation to put the aircraft in a non-reversible situation (nose dive, spin). And this is where they fail. They *might* consider now IDS/IPS mechanisms, but so far they might have NOT done it. That is the first point.
The second point I don't like is the way Boeing deploys IMA, the Integrated Modular Avionics system. Both Boeing and Airbus have reduced the number of discrete avionics units to make the aircraft lighter and simplify maintenance (so both use 1 core network for everything). However, whilst the A380's IMA has 8 processing modules all tied together by an AFDX network, Boeing has 3 distinct units with less degree of autonomy from the comms network. It does not mean that everyone can get in and start playing flight sim, but there are fewer obstructions to place out of the way.
I hope that they will include IDS/IPS on the core network. Whatever firewall or other solution they might have, it is good to know that someone is likely to be in, even after the effect and chop the connection at the right time under conditions. Integration cannot be avoided. It can only be managed.
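The per-virtual-link policing and integrity checks the post above attributes to AFDX, modelled in Python as an added example (this is not code from the thread or from any avionics vendor, and it is a simplification of ARINC 664; the VL IDs, end-system names, BAG values and the frames are constructed):

```python
# Added example: a receiving end system that only consumes frames on statically
# configured virtual links (VLs), from the one source bound to each VL, within
# the VL's Bandwidth Allocation Gap, and with a plausible sequence number.
# Everything here (VL 100, "FCC-L1", "IFE-SEAT-17C", the BAG values) is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:
    vl_id: int       # virtual link the frame claims to belong to
    source: str      # transmitting end system (constructed serial-style id)
    seq: int         # AFDX sequence number: 0 after a reset, then 1..255 wrapping to 1
    t_ms: float      # arrival time in milliseconds
    payload: bytes

@dataclass
class VirtualLink:
    vl_id: int
    source: str      # the only end system allowed to transmit on this VL
    bag_ms: float    # Bandwidth Allocation Gap: minimum spacing between frames
    max_len: int     # largest payload the VL is configured to carry
    last_t: Optional[float] = None
    last_seq: Optional[int] = None

def next_seq(prev: int) -> int:
    """Sequence numbers run 1..255 and wrap to 1; 0 is only used for a reset."""
    return 1 if prev in (0, 255) else prev + 1

class EndSystem:
    """Receiving end system with a static table of the VLs it may consume."""

    def __init__(self, links):
        self.links = {vl.vl_id: vl for vl in links}

    def accept(self, f: Frame):
        vl = self.links.get(f.vl_id)
        if vl is None:
            return False, "unknown VL"                # not in the static configuration
        if f.source != vl.source:
            return False, "source not bound to VL"    # misrouted or spoofed sender
        if len(f.payload) > vl.max_len:
            return False, "frame too long"
        if vl.last_t is not None and f.t_ms - vl.last_t < vl.bag_ms:
            return False, "BAG violation"             # babbling source or injected burst
        if f.seq != 0 and vl.last_seq is not None:
            n1 = next_seq(vl.last_seq)
            n2 = next_seq(n1)                         # a single lost frame is tolerated
            if f.seq not in (n1, n2):
                return False, "sequence error"        # replayed or out-of-order frame
        vl.last_t, vl.last_seq = f.t_ms, f.seq        # state advances only on accept
        return True, "ok"

FRAMES = [  # constructed traffic on VL 100 (flight control computer -> engine FADEC)
    Frame(100, "FCC-L1", 0, 0.0, b"THR=0.72"),       # reset, accepted
    Frame(100, "FCC-L1", 1, 2.0, b"THR=0.74"),       # in sequence, BAG respected
    Frame(100, "IFE-SEAT-17C", 2, 3.0, b"ENG=OFF"),  # right VL, source not bound to it
    Frame(100, "FCC-L1", 9, 4.0, b"ENG=OFF"),        # sequence jump: replay/injection
    Frame(100, "FCC-L1", 2, 4.5, b"THR=0.75"),       # legitimate, accepted
    Frame(100, "FCC-L1", 3, 5.0, b"THR=0.75"),       # too soon after the last accepted frame
    Frame(300, "IFE-SRV", 0, 6.0, b"MOVIE"),         # VL not configured on this end system
]

def run_demo():
    es = EndSystem([VirtualLink(100, "FCC-L1", bag_ms=2.0, max_len=64)])
    return [es.accept(f) for f in FRAMES]

if __name__ == "__main__":
    for f, (ok, why) in zip(FRAMES, run_demo()):
        print(f"{'ACCEPT' if ok else 'DROP  '} VL{f.vl_id} {f.source:<12} seq={f.seq:<3} {why}")
```

The checks only make a frame hard to forge for a node that is on the same switched network; they are no substitute for the physical separation the thread argues for.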
I've worked for the In-Flight Entertainment industry, specifically for systems that go onto 787s (A380, etc.).
The connection between the IFE and avionics is NOT as tenuous as Gunter tries to say. There is a direct link (Ethernet over fibre or UTP) between the avionics and the IFE. Traffic is supposed to be passed through a managed switch, but the switch is embedded in the IFE.
Bit of background:
An IFE system is MORE complex than a small-medium business. There are hundreds of workstations, a multi-chassis (and multiple-CPU per chassis) server room, and a multitude of switches between them, with the possibility of wired and wireless connections for crew and passengers. This is all supposed to come up, without human intervention, from a simultaneous application of power to all components, within a few minutes. Even if some components have been swapped from spare and DO NOT have the appropriate software or configuration for the aircraft on which they are installed. Do NOT try this at home.
The problem is the management of the IFE companies, or, at least, the one I worked for. Senior management is totally, completely, utterly, (you get the picture) clueless regarding security, but know enough buzzwords to consider themselves expert. Security is the LAST consideration in system implementation, and will be sacrificed for any of several reasons: management has promised some blue-sky deadline for delivery; the "magic" autoconfiguration must work despite security holes; it's too much trouble to use SSH and manage the keys, so we'll just use telnet and ftp, with static, or no, passwords; someone decides to use a handheld crew device that can't do proper wireless security, so just skip it.
Back to embedded switch: the box in which it is embedded will have the best firewall a very bright, but overworked programmer, pressured to meet insanely unrealistic demands, can accomplish.
There is a fantasy that no one will try to crack the system, since the potential punishment is too severe, which may, although I don't believe it, deter attempting to get free drinks, or capture the movie streams, but it isn't going to stop someone trying to crash the plane.
Actually the reason why Airbus uses computers so extensively is that computers know better what the airplane can take and can't take in any given situation. The problem with airplanes, especially big jets and super jumbos is that they are very delicate and very fragile machines, and if you do something with them that goes over their capacity, then you will with very high probability have the plane coming down. Like for example American Airlines Flight 587 that came down because the pilot made too aggressive inputs which eventually broke the vertical stabilizer. Incidentally the crashed plane was an Airbus A300 which didn't have fly-by-wire controls.
To quote Wikipedia: "Boeing and Airbus differ in their FBW philosophies. In Airbus aircraft, the computer always retains ultimate control and will not permit the pilot to fly outside the normal flight envelope. In a Boeing 777, the pilot can override the system, allowing the plane to be flown outside this envelope in emergencies. The pattern started by Airbus A320 has been continued with the Airbus family and the Boeing 777. The Boeing 787 makes some minor improvements in the control laws, adopting some protections that Airbus has had in place for decades."
Now, yes, computers can make mistakes and they certainly have bugs, but still again, I would rather trust flying on a plane which has computerized control and a good safety record. So all in all, for me, a system that says to the pilot "no, you can't do that. no that's too hard. let's do this instead." is a definite plus.
Most aircraft? That's a bit of a sweeping statement.
The world's most popular short/medium range airliner, the Boeing 737, has control cables (and hydraulic boost). It's entirely possible to control a 737 with no electricity and no hydraulics (only the rudder won't function).
All those little regional jets like the CRJ and ERJ are all cable controlled. The DC9 series (DC9, MD80, Boeing 717) don't even have hydraulic boost, it's pure old fashioned steel cable. Every bizjet you might meet - steel cables (or hydraulics for the big ones). Anything with propellers (all the short haul stuff) - steel cables.
While some (but not all, by a long way) new designs are fly by wire, most planes are fly by cable, cable and hydraulic boost, or hydraulics.
Incidentally, Concorde was the first fly by wire passenger jet.