Slashdot Mirror
Boeing 757 Testing Shows Airplanes Vulnerable To Hacking, DHS Says (aviationtoday.com)
schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.
why should Southwest Airlines pay? and not boeing?
Why in the HELL are critical avionics control systems networked in such a way that they can be accessed remotely by radio? FFS, what were they thinking? They design systems that are hardened against direct lightning strikes, but leave them vulnerable to a remote hack using a device that's probably not much more than a small computer and a glorified walkie talkie connected together. WTF?
On an unrelated note, why is the page I'm typing this on a standalone text entry box without TFS available on it for reference? Is Slashdot Beta rearing its drooling imbecilic ugly head again?
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
What if a hacker takes down an airplane, people find out in the media, and nobody wants to fly on that aircraft type anymore? Or with that company because it didn't apply a fix that existed? Does the insurance cover that? Now that's something that could bankrupt an airline.
> For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them.
Do you realize that Boeing-737, even in its latest -800/-900 incarnations, is NOT a fly-by-wire airplane? The flight control surfaces are mechanically connected to the yokes in the pilots hands and the pedals under their feet, using push-rods and hydraulic cylinders. The basic design of B-737 originates from circa 1963 and hasn't been radically changed since due to economic pressure from airlines, to whom new "type rating" would incur huge costs in re-training their pilots and mechanics.
Therefore the B-737 is fundamentally different from its rival Airbus-320 or the larger sized B-767/777 planes and cannot be hacked to unilaterally fly to Antartica or whatever.
In case of the Airbus-320, the theoretically hackable fly-by-wire system was a conscious design choice associated with modernity. In case of the very large B-777 and A-380 planes fly-by-wire is mandatory, since the lenght of their fuselages and the large forces required to move the grandiose flight control surfaces no longer allow direct mechanical coupling.
But state actors and spy agencies, can. It is their bread and butter business. The danger is them giving these tools to the terrorists for political purposes and proliferation and mutation of the leaked hacking tools.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Apparently, the developers that did it were lacking as well.
Well, since the threat didn't exist when the systems were developed, it's understandable that mitigations weren't put into place. Also, humans are prone to errors. There aren't any processes that can guarantee perfection, but that doesn't mean you might as well have no process.
I've never been convinced that these forms of making stuff good by massive oversite actually works.
I don't know what "massive oversite" is, but a disciplined process and independent verification and validation combined with reasonable regulatory oversight usually results in good quality
How does JPL do this? They seem to be able to make stuff that works in a wide variety of extreme use cases.
Having worked with JPL, I can assure you that they have their own set of development rules that would make the average Slashdotter blanch. But they aren't involved in commercial passenger aviation, where catastrophic failure rates are measured in failures per billion operating hours.