Boeing 757 Testing Shows Airplanes Vulnerable To Hacking, DHS Says

schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.

why should Southwest Airlines pay? and not boeing?

[Joe_Dragon]

why should Southwest Airlines pay? and not boeing?

Sensationalism on costs

This article claims that one line of code costs a million dollars to fix and would "bankrupt" Southwest.

News flash: Southwest wouldn't be the ones fixing the fucking code! It would be the manufacturer who would then absorb that cost, not the airline. Besides, if this problem is valid the FAA and other regulators will be involved to force the manufacturer to address the issue.

This article is a perfect example of why journalism is headed for self-destruction.

Re:Sensationalism on costs

[Drethon]

This article claims that one line of code costs a million dollars to fix and would "bankrupt" Southwest.

News flash: Southwest wouldn't be the ones fixing the fucking code! It would be the manufacturer who would then absorb that cost, not the airline. Besides, if this problem is valid the FAA and other regulators will be involved to force the manufacturer to address the issue.

This article is a perfect example of why journalism is headed for self-destruction.

Not to mention a lot of that is fixed costs. Changing 1 more line of code wouldn't cost $1 more but is also wouldn't cost $1M more.

Re:why should Southwest Airlines pay? and not boei

[michelcolman]

And what's the price of a crash caused by hackers? Oh, right, that's not the same thing, the cost of a security fix is something you have to pay right now, while the price of a crash is only a potential cost in the future. Who cares about the latter even if it's orders of magnitude higher, right?

million dollars per line

[Speare]

I expect quite a few folks here are going to question the figure, "a million dollars per line changed."

1. The airlines operate under a huge amount of regulatory oversight, and structure the development of avionics or engine control software accordingly. The terms ARP4754 and DO-178C are to aviation as ISO9002 is to business models. They provide guidelines on creating a rigorous development process, and regulators are keen to track how well companies develop logic and physical designs in line with best practices described by those guidelines.

2. If you summarize DO-178C in one sentence, it might be "document the rationale for every change, and the means you employed to ensure it is the right change." Most companies follow a V-shaped change model where you trace from high level requirements to lower level requirements to implementation details, and then verify the code does what is expected and then validate that the requirements are being met (and the requirements are even proper in the first place). Once you have that framework in place, you have to document every step of the chain of review.

3. For every change to a high level requirement, a low level requirement, an implementation, and sometimes even a change in a verification method, there typically has to be an independent review: you cannot trust the implementors to check that the change was appropriate and done correctly as it's easy to be blinded by your own thought process during development.

So in a case like this, the customer needs to inject several new top-level requirement (which shockingly may not have been there in the first place), "the system shall be hardened against unauthorized changes in configuration/operation/state" and that has to flow down to subsystems "the component XYZ shall be hardened..." and that has to flow down a few more tiers before you even identify the protocols or chips or attack vectors to be changed. Then you have to verify the code change works in each component. Then a system-level review. Then a regulatory review to have the updated design certified as safe for test flight and finally safe for revenue service.

Does this sound like a desktop software change control process? Sure, maybe you're really disciplined, but it's a matter of degree. It really can take fifty people or more, from regulators to systems engineers to coders to integration testers to work the process. And that all adds up in terms of time, opportunity costs, tools and tooling, lab test, systems test, hours and hours of live aircraft flight test, and so on.

Re:million dollars per line

[archer,+the]

The summary said $1M for a one-line change. I took it to mean making a change, even one line, costs a minimum of $1M. Changing two consecutive lines might cost $1,001,000.

Re:million dollars per line

[tsqr]

I expect quite a few folks here are going to question the figure, "a million dollars per line changed."

As well they should, because that isn't what he said. What he said was, "The cost to change one line of code on a piece of avionics equipment is $1 million". But everything else you said in your post is spot on. Most software developers have no idea what is involved in creating DAL-A safety critical software for commercial aviation, and would run screaming to the safety of their iOS development environment if they were tasked with doing it.

Re:million dollars per line

[tsqr]

Apparently, the developers that did it were lacking as well.

Well, since the threat didn't exist when the systems were developed, it's understandable that mitigations weren't put into place. Also, humans are prone to errors. There aren't any processes that can guarantee perfection, but that doesn't mean you might as well have no process.

I've never been convinced that these forms of making stuff good by massive oversite actually works.

I don't know what "massive oversite" is, but a disciplined process and independent verification and validation combined with reasonable regulatory oversight usually results in good quality

How does JPL do this? They seem to be able to make stuff that works in a wide variety of extreme use cases.

Having worked with JPL, I can assure you that they have their own set of development rules that would make the average Slashdotter blanch. But they aren't involved in commercial passenger aviation, where catastrophic failure rates are measured in failures per billion operating hours.

Re:million dollars per line

[EndlessNameless]

I've never been convinced that these forms of making stuff good by massive oversite actually works.

Pretty much every major engineering project has massive oversight. If you're likely to affect the safety of the general public, it comes with the territory.

Do you know why you can crash your car into a solid wall at 60 MPH and probably live to tell about it? Because there are so many rules and tests. Just because you can't fathom the immense effort that goes into a project... don't assume it isn't happening.

Most of these "software engineers" working on mobile apps have no idea what it is like to work on safety-critical systems. Until recently, security was not considered as part of the system's safety. That was a serious omission, but it is being rectified.

I feel some serious sympathy for anyone who is left holding the bag. When it comes to securing a legacy system to a comparable same level as its existing mechanical safety certifications, it is either impossible or will require a Herculean effort.

We've seen the fruits of safety regulations, however, and they will need to expand now that everyone can carry a capable computer in their pocket.

And again!

[jenningsthecat]

Why in the HELL are critical avionics control systems networked in such a way that they can be accessed remotely by radio? FFS, what were they thinking? They design systems that are hardened against direct lightning strikes, but leave them vulnerable to a remote hack using a device that's probably not much more than a small computer and a glorified walkie talkie connected together. WTF?

On an unrelated note, why is the page I'm typing this on a standalone text entry box without TFS available on it for reference? Is Slashdot Beta rearing its drooling imbecilic ugly head again?

Re:why should Southwest Airlines pay? and not boei

[michelcolman]

What if a hacker takes down an airplane, people find out in the media, and nobody wants to fly on that aircraft type anymore? Or with that company because it didn't apply a fix that existed? Does the insurance cover that? Now that's something that could bankrupt an airline.

Article has no clue what it is talking about.

> For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them.

Do you realize that Boeing-737, even in its latest -800/-900 incarnations, is NOT a fly-by-wire airplane? The flight control surfaces are mechanically connected to the yokes in the pilots hands and the pedals under their feet, using push-rods and hydraulic cylinders. The basic design of B-737 originates from circa 1963 and hasn't been radically changed since due to economic pressure from airlines, to whom new "type rating" would incur huge costs in re-training their pilots and mechanics.

Therefore the B-737 is fundamentally different from its rival Airbus-320 or the larger sized B-767/777 planes and cannot be hacked to unilaterally fly to Antartica or whatever.

In case of the Airbus-320, the theoretically hackable fly-by-wire system was a conscious design choice associated with modernity. In case of the very large B-777 and A-380 planes fly-by-wire is mandatory, since the lenght of their fuselages and the large forces required to move the grandiose flight control surfaces no longer allow direct mechanical coupling.

Danger is not terrorists, but state actors

[140Mandak262Jamuna]

Terrorists are dumb. They will never hack at this level.

But state actors and spy agencies, can. It is their bread and butter business. The danger is them giving these tools to the terrorists for political purposes and proliferation and mutation of the leaked hacking tools.

Re:Useless metric spotted

[leonbev]

With something like avionics software, it probably doesn't matter if one line or a thousand lines change... the entire application would need a full regression test for safety/certification purposes. That's where the million dollar estimate probably comes from.

Re:why should Southwest Airlines pay? and not boei

[TheRaven64]

Crashes might be covered by your insurance, but if the crash has a known-preventable cause then the insurance might not cover it, and if they do then your premiums are going to shoot up once they discover that you're not fixing known issues.

The (missing) details are critical to this story

The convenient excuse that the results of this hack are classified allows the author to make what would likely be a boring and unimportant story sensational. Exactly what systems did they access? A 757 is a pretty old aircraft. NONE of the flight critical systems are networked off the aircraft. I suspect they hackers got access to a non-critical system like ACARS or IFE. The $1M per SLOC is also very misleading. While the FIRST line of code might cost that much on a flight critical system, each successive line of of code is pretty much in line with a traditional software project. You can also spread that cost across the entire fleet of operating aircraft. And since the 757 and 767 systems are almost identical, that's a lot of airplanes that could be upgraded for a single price tag.

Re:why should Southwest Airlines pay? and not boei

[Opportunist]

Especially considering that the cost would be high enough to make the airline fail, and being too big to fail as usual we get to foot the bill anyway, so why should the airline be concerned at all?

Re:why should Southwest Airlines pay? and not boei

[DarkOx]

Easy answer. No computing or radio devices permitted as carry on luggage. No laptops, cell phones, media players, medical equipment documented ahead of time and itemized.

Re:Legacy aircraft

[afidel]

Actually the 737 is just as modern as any aircraft being produced. The current airplane with the designation 737 shares virtually nothing with the first plane to carry that designation. The fuselage is different, the wings are different, the engines are different, the avionics are different, and the interior packages are different. The currently produced aircraft with the designation (The Max series) is actually the 4th generation of 737. Basically saying it's a 737 is like saying it's a Ford Mustang, other than size and maybe some styling cues it's fairly meaningless as it tells you nothing about what's in the car/airplane.

Re:why should Southwest Airlines pay? and not boei

[shortscruffydave]

Problem with that is the number of devices with lithium-based batteries, which are not supposed to be carried in the hold - they are perceived as a fire risk, and if carried in the cabin then a fire can be detected more quickly

Lucky for us

[fustakrakich]

Legacy aircraft have mechanical backup on the controls. The airplane is still flyable if the computer malfunctions. Hackers can still mess with the autopilot and navigation though.

ACARS

[barbariccow]

Probably just sent ACARS messages over RF and the airplane thought they were from the airport. These messages can include things automated acted upon like "Your plane's altitude has been detected at XX feet" or "Huge category-5 hurricane straight ahead, divert to ETOPS field". Not like they designed any of these protocols with security..

Re:The (missing) details are critical to this stor

[MDMurphy]

I was disappointed I had to go so far down the page to see someone comment on this. I followed the link specifically to see *what* was hacked and nothing was mentioned. There's a huge difference between being able turn off the "Fasten Seatbelts" lights, encouraging people to walk around during turbulence and dumping cabin pressure or altering flight controls.

Even something vague like the area they accessed: communications, cabin systems, avionics would make it look less like something sensationalized to get more funding or again increase the scope of DHS power.