Boeing 787 May Be Vulnerable to Hacker Attack
palegray.net writes "An article posted yesterday on Wired.com notes that 'Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.' They're already working on solutions to the problem - including placing more physical separation between aircraft networks and implementing more robust software-based firewalls."
Re:I don't get it... (Score:5, Informative)
The 787 is fly by wire, like most new aircraft designs. It's all computer controlled, not mechanical.
My guess is this [aviationtoday.com] - the "common core system" designed by Honeywell - has something to do with the various systems being connected. This is a system designed to simplify the airplane's various systems and reduce the number of separate systems (which means fewer failure points - usually a good thing in engineering). I do believe Boeing when they say that there are built-in separations and that the two systems are not completely tied together, but obviously it wasn't enough for the FAA. So they're fixing it. Nothing really all that unusual about a new airplane design; there are always various issues that need to be addressed before first flight.
Aviation software (Score:5, Informative)
The concern is that a separate network of maintenance and some limited flight information data share the same up/down links as the passenger network. The FAA notice is to demonstrate to the FAA that there can be no interference between the maintenance and flight information data and the passenger network.
Even if the maintenance and flight information data were compromised, at worst this would mean that the operating history of the aircraft is not accurate. This is a big deal but not something that will lead to in flight failure.
An additional requirement of the FAA notice is to prohibit future passenger services without testing for interference and security.
The Equipment in Question (Score:4, Informative)
With 2 of those in the cockpit, one for pilot, one for copilot, each running 2 Operating Systems Linux/Windows, and all networked together since each box has 6 network interfaces on it. The thing would be a field day for hackers. While they were designing it a bunch of the consultants helping with the coding were ranting about possible security, but were ignored.
I can't go into specifics because of my NDA, but considering it was 4 years ago I worked on it, I doubt that is still in force. Though I believe I can say I worked on it, and that information is all publicly available.
Re:The only totally secure network (Score:3, Informative)
I work in ATC and I have to say it is difficult to do that in a totally thorough way. For example your flight control system might need information on the flight plans being used by the aircraft. These might be generated off line by a variety of people using different sources of information. You don't want to type that stuff in again to get it into the aircraft so you might have some kind of interface for doing that. The interface will be made deliberately crude, and thus less subject to the transmission of arbitrary data, but I am sure there will be a link of sorts between a list of flights in some manager's copy of Excel and a few bytes of data in the flight control system.
ATC systems are like this. They are technically air gapped but they have links to the outside world and increasingly the operators expect to be able to make use of this information. How else does information on flight movements get on to the web? They don't have people typing that stuff in.
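The "deliberately crude" interface the poster describes can be made concrete. The following is an added example, not code from the thread or from any ATC system: a narrow import path for flight-plan summaries where every field is whitelisted and length-bounded, so only a few bytes of well-formed data can cross from an office export into the operational side, and anything else is refused with a reason. The record layout (callsign, departure, arrival, ETD), the regexes and the sample export lines are all assumptions constructed for illustration.

```python
"""
Added example (not from the thread): a deliberately narrow import
interface for flight-plan summaries coming from an office system
(e.g. a spreadsheet export). Every field is whitelisted and
length-bounded, so only a few bytes of well-formed data can cross
the link. The record format below is hypothetical, chosen for
illustration; it is not a real ATC or avionics format.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical record layout: CALLSIGN,DEP,ARR,ETD  (e.g. BAW123,EGLL,KJFK,1430)
CALLSIGN_RE = re.compile(r"^[A-Z0-9]{2,7}$")               # ICAO-style callsign
AIRPORT_RE = re.compile(r"^[A-Z]{4}$")                     # ICAO airport code
ETD_RE = re.compile(r"^(?:[01][0-9]|2[0-3])[0-5][0-9]$")   # HHMM, 24-hour clock
MAX_RECORD_LEN = 32                                        # longest legal record is 22 chars


@dataclass(frozen=True)
class FlightPlanSummary:
    callsign: str
    departure: str
    arrival: str
    etd: str


def parse_flight_record(line: str) -> FlightPlanSummary:
    """Accept exactly one well-formed record; raise ValueError for anything else."""
    if len(line) > MAX_RECORD_LEN:
        raise ValueError("record too long")
    if not line.isascii() or not line.isprintable():
        raise ValueError("non-printable or non-ASCII character")
    fields = line.split(",")
    if len(fields) != 4:
        raise ValueError("expected exactly 4 fields")
    callsign, dep, arr, etd = fields
    if not CALLSIGN_RE.fullmatch(callsign):
        raise ValueError("bad callsign")
    if not AIRPORT_RE.fullmatch(dep) or not AIRPORT_RE.fullmatch(arr):
        raise ValueError("bad airport code")
    if not ETD_RE.fullmatch(etd):
        raise ValueError("bad departure time")
    return FlightPlanSummary(callsign, dep, arr, etd)


def import_records(lines: List[str]) -> Tuple[List[FlightPlanSummary], List[Tuple[int, str]]]:
    """Parse an export line by line; return (accepted records, [(line number, reason)])."""
    accepted: List[FlightPlanSummary] = []
    rejected: List[Tuple[int, str]] = []
    for number, raw in enumerate(lines, start=1):
        try:
            accepted.append(parse_flight_record(raw.rstrip("\r\n")))
        except ValueError as err:
            rejected.append((number, str(err)))
    return accepted, rejected


# Constructed sample export: two good records and four that must be refused.
SAMPLE_EXPORT = [
    "BAW123,EGLL,KJFK,1430",
    "DLH4A,EDDF,KLAX,0905",
    "UAL 5,KSFO,EGLL,2315",           # space inside the callsign
    "AFR011,LFPG,KJFK,1430,EXTRA",    # an extra field the interface has no use for
    "KLM601,EHAM,KSFO,2560",          # impossible departure time
    "X" * 40,                         # oversized record
]

if __name__ == "__main__":
    ok, bad = import_records(SAMPLE_EXPORT)
    for rec in ok:
        print("accepted:", rec)
    for number, reason in bad:
        print(f"rejected line {number}: {reason}")
```

The design choice is that the parser knows nothing about spreadsheets: it does not evaluate formulas, honour quoting, or tolerate extra columns, which is exactly what makes the link "crude" and keeps arbitrary data from riding across it. Rejected lines are reported by number so an operator can fix the export rather than the importer growing more permissive.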
It's not UNSAFE it's uncompliant to CFR 14 regs (Score:5, Informative)
Like any other IT security audit - compliance doesn't mean security it means compliance. And in the cases where there are deviations from the standard, the system has to be able to speak to that deviation and address it or contest it.
Primer on AFDX and criticism for the 787 (Score:2, Informative)
Anyway, as I had been involved with some avionics work, it is incredibly difficult (not impossible) to compromise the control signals for basic surface control on an Avionics Full-Duplex Switched Ethernet (AFDX) ARINC-664 network, the type of standard used for Aircraft Data Networks. You can google it, but for a quick summary, it is a deterministic full duplex version of Ethernet with additional bits and bobs to safeguard redundancy and message integrity. The message integrity spec means that due to special protocols, when a cockpit console control (say the throttle) needs to transmit to the engine FADEC, the actual module on the engine not only expects to receive a relevant message from the right domain (there are different domains such as electrical flight control, communications, pneumatics), but also from a very specific component (that has a serial number). The point is that you cannot re-route messages easily and there is some sort of authentication of components talking to each other. It is incredibly difficult for someone to replay an engine switch off message that should be routed to the engine and make it appear that it comes from the console switch of the cockpit, when in fact it comes from an external hacker. This combined with the fact that the core OS is probably some real-time micro-kernel derivative with specially obscured commands (Wind River VxWorks, other?), makes things more difficult.
Having said that, security through obscurity and whatever authentication/authorization system is not a panacea for the lives of 200-300 people that travel at mach 0.8 at 35000 feet. Even if there is someone that succeeds in getting in, in the Airbus version of the system, the pilot has the option to shut off external comms by resetting the external link. None of the critical parts (main MCUs, core switching components) have erasable firmware, so...somebody could be cut off easily, if she is detected on time and provided that it does not create a situation to put the aircraft in a non-reversible situation (nose dive, spin). And this is where they fail. They *might* consider now IDS/IPS mechanisms, but so far they might have NOT done it. That is the first point.
The second point I don't like is the way Boeing deploys IMA, the Integrated Modular Avionics system. Both Boeing and Airbus have reduced the number of discrete avionics units to make the aircraft lighter and simplify maintenance (so both use 1 core network for everything). However, whilst the A380's IMA has 8 processing modules all tied together by an AFDX network, Boeing has 3 distinct units with a lesser degree of autonomy from the comms network. It does not mean that everyone can get in and start playing flight sim, but there are fewer obstructions to place out of the way.
I hope that they will include IDS/IPS on the core network. Whatever firewall or other solution they might have, it is good to know that someone is likely to be in, even after the effect and chop the connection at the right time under conditions. Integration cannot be avoided. It can only be managed.
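To make the receiver-side checks the poster describes concrete, here is an added example, not code from the thread and not Boeing's, Airbus's or the ARINC 664 implementation: a small model of an AFDX-style consuming end system (the engine controller) that only accepts a frame on a virtual link when it comes from the configured domain and component serial, respects the link's minimum inter-frame gap (the bandwidth allocation gap, BAG), and carries the next expected sequence number. A replayed throttle frame, a frame from the cabin domain, or a frame from an unknown component is dropped and logged, which is also the raw material an IDS on the core network would consume. The link id, serials, domain names and traffic are constructed assumptions; real ARINC 664 Part 7 has more machinery (redundant A/B networks, reset handling) than this model.

```python
"""
Added example (not from the thread, and not Boeing's, Airbus's or the
ARINC 664 code): a simplified model of the receiver-side checks on an
AFDX-style network. Each virtual link (VL) has one configured source
(domain plus component serial), a maximum payload, a minimum spacing
between frames (the BAG) and a per-link sequence number. Frames that
are replayed, come from the wrong place, or break the timing contract
are rejected and logged; state only advances on accepted frames.
Link ids, serials and domain names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VirtualLinkPolicy:
    domain: str           # e.g. "flight-control"
    source_serial: str    # the single component allowed to transmit on this VL
    bag_ms: int           # minimum gap between consecutive frames
    max_payload: int      # largest payload the link is sized for


@dataclass(frozen=True)
class Frame:
    vl_id: int
    domain: str
    source_serial: str
    seq: int              # 1..255, wrapping back to 1 (0 reserved for reset)
    payload: bytes


class EndSystemReceiver:
    """Receiver for one consuming end system (here: the engine controller)."""

    def __init__(self, policies: Dict[int, VirtualLinkPolicy]) -> None:
        self.policies = policies
        self.last_seq: Dict[int, int] = {}
        self.last_time_ms: Dict[int, int] = {}
        self.log: List[str] = []   # rejection records an IDS could consume

    def accept(self, frame: Frame, now_ms: int) -> Tuple[bool, str]:
        """Return (accepted, reason); per-link state advances only on acceptance."""
        policy = self.policies.get(frame.vl_id)
        if policy is None:
            return self._reject(frame, "unknown virtual link")
        if frame.domain != policy.domain:
            return self._reject(frame, f"domain {frame.domain!r} not allowed on VL")
        if frame.source_serial != policy.source_serial:
            return self._reject(frame, f"source {frame.source_serial!r} is not the configured sender")
        if len(frame.payload) > policy.max_payload:
            return self._reject(frame, "payload exceeds VL size")
        last_t = self.last_time_ms.get(frame.vl_id)
        if last_t is not None and now_ms - last_t < policy.bag_ms:
            return self._reject(frame, "frame arrived faster than the BAG allows")
        last_seq = self.last_seq.get(frame.vl_id)
        if last_seq is not None:
            expected = 1 if last_seq == 255 else last_seq + 1
            if frame.seq != expected:
                return self._reject(frame, f"sequence {frame.seq} != expected {expected} (replay or loss)")
        self.last_seq[frame.vl_id] = frame.seq
        self.last_time_ms[frame.vl_id] = now_ms
        return True, "ok"

    def _reject(self, frame: Frame, reason: str) -> Tuple[bool, str]:
        self.log.append(f"VL {frame.vl_id} from {frame.source_serial}: {reason}")
        return False, reason


def run_demo() -> List[Tuple[bool, str]]:
    """Constructed traffic on a hypothetical throttle-command link, VL 100."""
    fadec = EndSystemReceiver({
        100: VirtualLinkPolicy("flight-control", "TQ-0042", bag_ms=16, max_payload=64),
    })

    def throttle(seq: int) -> Frame:          # frame from the genuine throttle quadrant
        return Frame(100, "flight-control", "TQ-0042", seq, b"\x00\x55")

    traffic = [
        (throttle(1), 0),                                               # first frame
        (throttle(2), 20),                                              # in order, after BAG
        (throttle(3), 30),                                              # 10 ms after seq 2: too soon
        (throttle(2), 40),                                              # replay of seq 2
        (Frame(100, "cabin", "IFE-SW-07", 3, b"\x00\x55"), 60),         # wrong domain
        (Frame(100, "flight-control", "XX-9999", 3, b"\x00\x55"), 60),  # wrong component
        (throttle(3), 61),                                              # legitimate next frame
    ]
    return [fadec.accept(frame, t) for frame, t in traffic]


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("ACCEPT" if accepted else "DROP  ", reason)
```

Two things are worth noticing: the sequence and timing state is only updated when a frame is accepted, so a burst of bad frames cannot push the receiver's expectations forward, and every rejection is recorded with the link and claimed source, which is the signal the poster wants an IDS/IPS on the core network to act on.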
IFE security is not a priority (Score:2, Informative)
The connection between the IFE and avionics is NOT as tenuous as Gunter tries to say. There is a direct link (Ethernet over fibre or UTP) between the avionics and the IFE. Traffic is supposed to be passed through a managed switch, but the switch is embedded in the IFE.
Bit of background:
An IFE system is MORE complex than a small-medium business. There are hundreds of workstations, a multi-chassis (and multiple-CPU per chassis) server room, and a multitude of switches between them, with the possibility of wired and wireless connections for crew and passengers. This is all supposed to come up, without human intervention, from a simultaneous application of power to all components, within a few minutes. Even if some components have been swapped from spare and DO NOT have the appropriate software or configuration for the aircraft on which they are installed. Do NOT try this at home.
The problem is the management of the IFE companies, or, at least, the one I worked for. Senior management is totally, completely, utterly, (you get the picture) clueless regarding security, but know enough buzzwords to consider themselves expert. Security is the LAST consideration in system implementation, and will be sacrificed for any of several reasons: management has promised some blue-sky deadline for delivery; the "magic" autoconfiguration must work despite security holes; it's too much trouble to use SSH and manage the keys, so we'll just use telnet and ftp, with static, or no, passwords; someone decides to use a handheld crew device that can't do proper wireless security, so just skip it.
Back to embedded switch: the box in which it is embedded will have the best firewall a very bright, but overworked programmer, pressured to meet insanely unrealistic demands, can accomplish.
There is a fantasy that no one will try to crack the system, since the potential punishment is too severe, which may, although I don't believe it, deter attempting to get free drinks, or capture the movie streams, but it isn't going to stop someone trying to crash the plane.
Re:Wow, this is scary (Score:3, Informative)
Actually the reason why Airbus uses computers so extensively is that computers know better what the airplane can take and can't take in any given situation. The problem with airplanes, especially big jets and super jumbos, is that they are very delicate and very fragile machines, and if you do something with them that goes over their capacity, then you will with very high probability have a plane coming down. Like, for example, American Airlines Flight 587 [wikipedia.org] that came down because the pilot made too aggressive inputs which eventually broke the vertical stabilizer. Incidentally, the crashed plane was an Airbus A300 [wikipedia.org] which didn't have fly-by-wire controls.
To quote Wikipedia [wikipedia.org]: "Boeing and Airbus differ in their FBW philosophies. In Airbus aircraft, the computer always retains ultimate control and will not permit the pilot to fly outside the normal flight envelope. In a Boeing 777, the pilot can override the system, allowing the plane to be flown outside this envelope in emergencies. The pattern started by Airbus A320 has been continued with the Airbus family and the Boeing 777. The Boeing 787 makes some minor improvements in the control laws, adopting some protections that Airbus has had in place for decades."
Now, yes, computers can make mistakes and they certainly have bugs, but still again, I would put more trust in flying on a plane which has computerized control and a good safety record. So all in all, for me, having a system that says to the pilot "no, you can't do that. no that's too hard. let's do this instead." is a definite plus.
Re:Why Networks (Score:3, Informative)
The world's most popular short/medium range airliner, the Boeing 737, has control cables (and hydraulic boost). It's entirely possible to control a 737 with no electricity and no hydraulics (only the rudder won't function).
All those little regional jets like the CRJ and ERJ are all cable controlled. The DC9 series (DC9, MD80, Boeing 717) don't even have hydraulic boost, it's pure old fashioned steel cable. Every bizjet you might meet - steel cables (or hydraulics for the big ones). Anything with propellers (all the short haul stuff) - steel cables.
While some (but not all, by a long way) new designs are fly by wire, most planes are fly by cable, cable and hydraulic boost, or hydraulics.
Incidentally, Concorde was the first fly by wire passenger jet.