Under, 'So What' and cross reference to 'Gratuitous Advertising'...
Researchers from infosec biz Pen Test Partners established a persistent shell on an in-flight entertainment (IFE) system from a Boeing 747 airliner after exploiting a vulnerability dating back to 1999. It's an attack that's more of a curiosity than anything else: it's too difficult to pull off during an actual flight, and it's …
Tom Cruise skulking round the galley, chatting up the steward waiting for an unattended moment so he can access the ethernet
Plugs iPhone into ethernet port (good guys always use Apples).
"It's running on NT4... this might take some time!"
10 seconds later...
Proceeds to by-pass pilot controls, fires up the aircraft sim interface on his phone, and safely lands the plane at LAX.
No more fanciful than Independence Day.
It's rarely that simple. Code written in scripting languages popular 20 years ago will rarely work as-is on modern implementations, even if modern implementations actually exist.
Even with compiled C/C++ code, you'll find anything more advanced than Hello World is probably making API calls that no longer exist in modern Windows, therefore even compiling the programs will often fail.
"...Using the exploits PTP found to pwn an in-flight 747 would be impossible in practice..."
"...Moreover, though PTP declined to reveal more details when we asked about the system and particular aircraft involved, we were told the IFE system is now no longer in use in any 747 still flying today..."
... This is interesting to note, given that there are virtually no 747s in passenger service anymore, and those in freight service tend to not have IFE systems, this is a fluff piece that's well... pointless.
Never mind the 'bait and switch' here... "How we got persistent shell access on a 747" - No, you got persistent shell access to the IFE, not the 747. At least on the 747, there were distinct physically separate networks. Boeing only switched to VLAN-based access on the 787 (or was it the 777?) so this is rubbish.
Oh, and for God's sake, please fact check not only your own work but also the work of the provider of the fluff piece, i.e. Pen Test Partners. Searching for "APU location 747" would show you instantly where it is, the tail end, not the nose end.
Call me grouchy, but when it comes to accuracy (and past rubbish fluff pieces about network security on planes), I'll be pretty pedantic. So, fix it please.
Yes, it's in the tail end and it's now fixed. The piece does also say that it's impossible to exploit in the wild, and it's more an interesting hack than anything else. If it was going to make planes fall out of the sky, we would say so.
We're not perfect. We make mistakes just like everyone else.
It's notable that having determined the server was running NT that no mention is made of firing up an NT image back at the lab and experimenting with that - I'm sure disks are available on fleabay or friends of friends with old Technet CD distributions.
This. It can't be that hard to keep old exploit methods around, can it? I'm pretty sure the TLA professionals would. Far from being positive PR, this just tells me that PTP prefers shiny-shiny to useful-functional, and you shouldn't use them to test your infrastructure.
To build on the "old = unhackable" idea, the absence of vulnerable services was important. In this instance, the services the attackers tried to exploit were missing because they weren't invented when the system was deployed, but the same principle applies when you remove unnecessary services from a server.
Another factor is that the longer software is in use, the more bugs are found and corrected. If the software starts with a finite number of bugs and errors are corrected at a higher rate than new ones are introduced, the program should get more secure with time.
And also, back in the early 90s, there were developers around who tried their damnedest to make sure their software was up to snuff, because they knew updates weren't a practically weekly occurrence as they are now...
The kind of rubbish nowadays flogged as 'stable' is more an 'MVP' style standard. Minimum viable product... does it work? Yes. Does it do all the things in the standard test catalog without crashing? Yes. Does it fix annoying bugs of previous versions? Mostly. Ok, shove it out the door! We'll fix the rest next week. Or next month...
> Surely... They would have used external Aux power pack rather than spool up the APU[s]? You know, that's sorta why airports are covered in the things
Watch the walkthrough. These idle 747s are so idle the engines are removed (and water ballast added to balance). So surely in LONG-term parking. Out in a desert somewhere. There "may" be an AUX pack in sight just-in-case. But to move it and start it would disrupt the field staff's poker game and probably need authorization from a manager who is already dubious about geeks in his junk/storage yard.
I read this very much as a pointless but for-the-hell-of-it-exercise, and found it kind of interesting nonetheless.
Okay, so it was not via the IFE but a virtually impossible to access Ethernet port. So the planes are pretty much out of service, the IFE is also redundant and it also needs clarification if it was in a lab or in the plane itself. And yes it had some technical inaccuracies (re: the location of the APU). So what?
I still think this was someone just fucking about having been gifted access to one and thought 'That'd be a challenge' which it was. Crikey these comments are full of folk doing stuff with antiquated hardware just because they can. If they get a bit of exposure good for them, it isn't like some of the puff we see under the banner 'of research' with marketing droids pushing services.
Nope, perfect Friday afternoon reading for me.
"it isn't like some of the puff we see under the banner 'of research' with marketing droids pushing services."
Isn't it? To me, and to others posting here before me, it seems pretty much exactly like some of the stuff posted under the banner of "research" to get some company or some research group some (futile?) column inches.
Modern operating systems tend to use UTF-8, which encodes characters in a single byte rather than UTF-16's two bytes, PTP said,
UTF-8 only encodes characters from U+0000 through U+007F as single bytes (viz preserving the seven-bit ASCII character range as is); other Unicode characters require between two and four bytes when UTF-8-encoded.
Not in the first two worlds, but I believe that some 3rd world countries may...
However, a quick google informs me that in late 2020:
there are 492 Boeing 747s in service, stored, or on order with airlines worldwide. 157 of these are passenger aircraft. 35 are in use, while 122 are in storage. Of these 35, 21 are passenger versions of the Boeing 747-400. Lufthansa is one of the only airlines operating a significant number of 747 aircraft for passenger flights.
I stand corrected!
Yes. Annoys the heck out of me "One of the most unique..."
No. No no no no. "Unique" means there's only one - literally. What you meant to say is "One of the most unusual" or something. But something is either unique, or it isn't. You can't have comparative levels of uniqueness.
Similarly. "I was only 2 minutes late and the boss literally tore my head off about it!". I think that's called "Capital punishment" and generally isn't permitted in the workplace. I think what you meant to say was he *figuratively* tore your head off. Which is the diametric opposite of what you just said.
I'm severely dyslexic. And I knew that.
>vaguely interesting but of no security value at all.
Are you sure the 737-Max doesn't use the same (or slightly modified) IFE? Also, there are other places of interest that still use NT...
It would not surprise me if Boeing used this 'proven' IFE on other aircraft...
OK. So you head back toward the lavatory. Then your assistant fakes a heart attack and lures the flight attendants out of the galley. Then -- working quickly and efficiently -- you grab control of the In Flight Entertainment system. Then you ... what? ... Drive everyone on the aircraft mad by playing the same Celine Dion song over and over at full volume? Might work. Sort of. But what about the ones who snatch their headsets off? And those who looked at the available "entertainment" options and decided to sleep instead?
"the minute you connect up your device, everyone with headsets on is turned into a Cyberman."
Wasn't there also one where they all downloaded the latest Cyber Windows Update, only for it to emerge that it was an Evilised Windows Update? And that was before Windows 10, if I remember rightly.
It's been over a decade since I flew long-haul, but I remember getting on board an Aer Lingus 747 at Dublin, and every seat-back screen was showing a Linux boot, with the Tux logo; and also a number of "file not found" errors. The latter probably not ideal for nervous passengers.
How long does it take to access the Ethernet jack? If you've already worked out the details of the exploit, the whole delivery system could be packaged up into something small that looks like an ordinary dirty old airplane Ethernet jack cover. If you can switch to the higher voltage 10BASE-T spec, you might even be able to extract a few milliwatts of power from the signal line to enable indefinite low duty cycle wireless control.
Then, once you've gained root access, you can finally execute your evil plan involving music from Rick Astley, Celine Dion, Spin Doctors, Nickelback, Rick Dees, William Shatner, whatever. Just make sure nobody sees that playlist on your phone screen or you won't live to the end of the flight.
It looks like they restricted exploits to passengers with no previous access and no prior remote access to any of the hardware. If you wanted to do it in the real world surely you would prep the system by initiating a patch, be it hands on mission impossible style, or by inserting your code in the hardware vendor's server prior to the event or even, as has been mooted before over China, by having the vendor install your code in their firmware at manufacture.
Plus all this having to access the wall jack seems lacking imagination, surely there are other attack vectors to the same network cable. Maybe through the toilet wall panels?
All this seems to show is a complete lack of prior planning, and we all know where that gets you.
"the necessary Ethernet port for gaining access is in the 747's galley: an area rarely left unattended for more than a few minutes during flight. Using the exploits PTP found to pwn an in-flight 747 would be impossible in practice."
Unless, of course, the hacker is one of the flight attendants. Or the hacker connects an unobtrusive RJ45-to-wireless connector to the galley RJ45 port when boarding and then hacks from the comfort of their seat.
Maybe I mis-read something. Given that this is just the in flight entertainment system which I'd hope is very airgapped from anything flight-related I don't think anyone needs to be too worried.
no longer used.
hack is difficult to carry out.
hack probably needs physical access to areas passengers generally don't have.
Breathless news-speak version "Airliner hacked!" real-talk version "unusually convoluted and difficult way to break obsolete computer system discovered by curious nerds".
About the worst of it is some disgruntled airline employee deciding to have a jape by substituting "Debbie Does Dallas" for "How the grinch stole Christmas" :-)