Slashdot Mirror


Boeing 757 Testing Shows Airplanes Vulnerable To Hacking, DHS Says (aviationtoday.com)

schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team is doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching an avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.

5 of 140 comments

  1. Sensationalism on costs by Anonymous Coward · Score: 2, Insightful

    This article claims that one line of code costs a million dollars to fix and would "bankrupt" Southwest.

    News flash: Southwest wouldn't be the ones fixing the fucking code! It would be the manufacturer who would then absorb that cost, not the airline. Besides, if this problem is valid the FAA and other regulators will be involved to force the manufacturer to address the issue.

    This article is a perfect example of why journalism is headed for self-destruction.

  2. Re:million dollars per line by archer,+the · Score: 4, Insightful

    The summary said $1M for a one-line change. I took it to mean making a change, even one line, costs a minimum of $1M. Changing two consecutive lines might cost $1,001,000.

  3. Re:Useless metric spotted by leonbev · Score: 5, Insightful

    With something like avionics software, it probably doesn't matter if one line or a thousand lines change... the entire application would need a full regression test for safety/certification purposes. That's where the million dollar estimate probably comes from.

  4. The (missing) details are critical to this story by Anonymous Coward · Score: 4, Insightful

    The convenient excuse that the results of this hack are classified allows the author to make what would likely be a boring and unimportant story sensational. Exactly what systems did they access? A 757 is a pretty old aircraft. NONE of the flight critical systems are networked off the aircraft. I suspect the hackers got access to a non-critical system like ACARS or IFE. The $1M per SLOC is also very misleading. While the FIRST line of code might cost that much on a flight critical system, each successive line of code is pretty much in line with a traditional software project. You can also spread that cost across the entire fleet of operating aircraft. And since the 757 and 767 systems are almost identical, that's a lot of airplanes that could be upgraded for a single price tag.

  5. Re:million dollars per line by EndlessNameless · Score: 3, Insightful

    I've never been convinced that these forms of making stuff good by massive oversight actually work.

    Pretty much every major engineering project has massive oversight. If you're likely to affect the safety of the general public, it comes with the territory.

    Do you know why you can crash your car into a solid wall at 60 MPH and probably live to tell about it? Because there are so many rules and tests. Just because you can't fathom the immense effort that goes into a project... don't assume it isn't happening.

    Most of these "software engineers" working on mobile apps have no idea what it is like to work on safety-critical systems. Until recently, security was not considered as part of the system's safety. That was a serious omission, but it is being rectified.

    I feel some serious sympathy for anyone who is left holding the bag. When it comes to securing a legacy system to a level comparable to its existing mechanical safety certifications, it is either impossible or will require a Herculean effort.

    We've seen the fruits of safety regulations, however, and they will need to expand now that everyone can carry a capable computer in their pocket.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.