Boeing 787 May Be Vulnerable to Hacker Attack 332
palegray.net writes "An article posted yesterday on Wired.com notes that 'Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.' They're already working on solutions to the problem - including placing more physical separation between aircraft networks and implementing more robust software-based firewalls."
The only totally secure network (Score:5, Interesting)
Re:I don't get it... (Score:4, Interesting)
WHAT?!? (Score:2, Interesting)
And now this? What does that mean? I won't be able to board a plane with my laptop again, that's what that means. And who can I blame? The frightened Homeland Security officers who try to no end to sanitize flights with the Stupid Fear Of The Month, of the inept engineers who let that security flaw slip into production on a flying aircraft?
And where's my flying car?
Re:Two seperate networks (Score:5, Interesting)
Yeah, WTF!? (Score:5, Interesting)
I recall reading about MS stuffing their software into cars (that probably evolved into Ford's SYNC) and even there the MS crap and the engine management systems were completely separate.
Re:I don't get it... (Score:5, Interesting)
Reading the story, it seemed like they wanted the airplane's maintenance systems to communicate with ground crews over the Internet, as well the aircraft reporting status to the airline while in flight. Personally, I'm uncomfortable with any part of the aircraft's vital systems being on the Internet.
Re:Two seperate networks (Score:3, Interesting)
I'm not an avionics engineer - however, even in a small hotel I service, we keep the guest network and the hotel/admin network seperate. The only common hardware is the AC power and the modem that has a /28 assigned to it.
Yes, but you are competent.
Re:I don't get it... (Score:3, Interesting)
Doesn't this make Boeing sound stupid? (Score:2, Interesting)
The choice quotes to me were the article's quote that the solution involves some separation of networks, known as 'air gaps', and software firewalls. And the choice quote straight from the spokewoman from Boeing: "There are places where the networks are not touching, and there are places where they are".
OK, so what, having the networks only connected at some points should reassure me somehow? It only takes a single interconnection to have these logically be a single network as far as hacking into it is concerned. I'm also DEEPLY troubled by the statement about using a software firewall. (Any firewall is really some box running software; the term "software firewall" typically implies a windows box running software.. which would be deeply troubling.) It is also troubling to me that they are even willing to imply that adding air gaps at *SOME* points amounts to anything. Sorry, saying a network has an air gap means that it is NOT connected to insecure networks.. not that it's connected at fewer points. (Although, I suppose they cold be confusing things, adding air gaps in the electrical sense, so an etherkiller on the entertainment network doesn't blow out the control network.)
Re:I don't get it... (Score:3, Interesting)
Re:ARINC 653 (Score:3, Interesting)
Oh my God they did it... (Score:3, Interesting)
So there definitely was some notion already back then to tie the passenger networking into the same system as the fly-by-wire. Needless to say, the group (including yours truly, an undergraduate college student) responded with disbelief, and until today I thought they would have scrapped that idea ten times over before ever getting close to an aircraft. Apparently that optimistic view was totally wrong.
(Note: it is possible to have *one-way* airgap security, which would provide, say, navigation information to the passenger network while physically eliminating the possibility of interference in the other direction. All it takes is one-way communications hardware. Needless to say, it's pretty obvious from the vagueness that they're not doing that -- they would have stated so in no uncertain terms.)
Re:I don't get it... (Score:5, Interesting)
However, the system integrators are Boeing engineers at the manufacturing plant in Everett, WA. The decision to connect internal subnets to a live network would most likely be done at that level, by people who are not security minded, but have to make things as easy as possible for the people who buy these systems and have to use them, the airlines. The amount of users that have legitimate purposes for accessing these systems and communicating with them from the airline's network at the airport (another security risk) is very diverse. Many of which have to be assumed to be completely technologically illiterate.
This combined with the fact that everything is ALWAYS LATE, so its rushed rather than designed correct the first time, leaves a non-zero probability that the network can become compromised from an attack which exploits vulnerabilities in these machines segregating the plane's systems from the passenger systems. Odds are its either a common industrial partitioned operating system (fancy talk for sandboxes, which may or may not be escapable), or a common one like a licensed and modified embedded windows, or embedded linux or BSD, depending on the vendor.
I know for a fact though that some of those systems are embedded linux and advertised as such. What if one of those systems were designed on a 2.5 kernel? Impossible you say? There is a risk, dismissing it as FUD does not make it less of a risk.
Re:A little perspective (Score:2, Interesting)
Lest us not forget the USS Yorktown [wired.com]
Re:I don't get it... (Score:3, Interesting)
As for that earlier post that having more systems connected means fewer failure points that is a lie it mores more failure points not less in the system and it is harder to discover the actuall failure point and when one part of the system suffers a catastrophic failure often the whole system fails. Higher cost of maintenance, far higher replacement costs but far cheaper initial installation that is all that is provided by a fully interconnected system, and strangely enough it all adds together for greater profits for the aircraft manufacturer.
Air gap is the only real security in a hard wired network and there can be no guarantee of security in a wireless network (as dollars will always gain you access in a world of greed).
Re:I don't get it... (Score:2, Interesting)
Why should cabin systems be the pilot's responsibility at all? Let the flight attendants attend to seatbelts and lighting and climate control, and let the pilot keep his attention on flying the plane.
But what's the problem. (Score:1, Interesting)
Just thought I'd challenge the knee-jerk reaction of "WTF, who would do that!"
Hum... (Score:1, Interesting)
When I flew Delta from Atlanta to San Diego, the seat's TV showed me the route, current altitude and speed. How would it get that data if it were on a separate network?
I don't remember the model of the airplane, but it was big. If I recall correctly, it was 2 columns of 3 seats each.