Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air? A cybersecurity professor has insisted he was not hunting for a vulnerability when he found a denial-of-service bug on an in-flight entertainment screen during a long-haul flight. His findings could affect a number of airliners running Thales-made equipment. But Hector Marco, an associate cybersecurity professor at the …
True, there's no evidence he was trying to hack the aircraft, but they've got him bang-to-rights on deliberately trying to find vulnerabilities in the in flight entertainment system (which he couldn't be sure wouldn't inconvenience others). He said so himself in his original blog post, and his video completely undermines the hastly concocted fib about wanting to send a message to another seat. I'm not convinced that a no-fly ruling against him would be proportionate, but he's clearly suffering from poor impulse-management and deserves some kind of reprimand.
It's not like he was pen testing the flight control systems, this is the equivalent of sticking a USB stick in a cheap car radio and worrying about it affecting the spark plugs.
Was it not up until recently that some major airlines were still using Windows 3.1 for their in flight entertainment systems? Would you think Windows 3.1 would be used to run the flight control systems?
Nearly every United transatlantic flight I've been on has had a defective in flight entertainment system, it has never affected the safety of the flight control systems. Just means I need to bring a long book.
AC because I'm expecting to be shot down by those in the industry who know what they're talking about.
is the aircraft in question operated by Ryanair?
ahhh, ryanair. The in-flight entertainment system would be a steward leading a sing song..
the flight control computer is a sinclair zx spectrum, with a dodgy rampack held in place with gaffer tape and snot...
ahhh, ryanair. The in-flight entertainment system would be a steward leading a sing song..
And, being Ryanair:
• Purchase earplugs to block the sound: €4.99 (£4.99)
• Use your own earplugs/headphones: €9.99 (£9.99)
• Join along in the sing-song: €4.99 (£4.99)
• The in-flight song for March will be: "The Macarena".
I rather suspect that the next generation of in flight entertainment systems on Ryanair flights will involve large screens, endlessly looping adverts and the Ludovico technique. Customers can simply pay a £50 upgrade fee to retain control over their eyelids.
"Car radios are linked to the engine management far more than you would think. The CAN bus is everywhere!"
Theres a hidden function (requiring a finger twisting keypress combination) on my radio that can bring up speed in Kmh on its crappy red dot-matrix LCD screen and my car is not all that far off being 20 years old now. I have absolutely no clue what its purpose is for as its not something mentioned in the cars manual and the car has both Mph and Kmh on the dials.
Let me guess, you drive an Audi?
The radio has a speed-dependant volume (marketed as gala effect), so it has a speed pulse input. Being German, they work natively in SI units.
The first generation of it used a dedicated pin that delivered a pulse, the frequency of which indicated the speed. Later iterations used the CAN bus which also negated the need to enter a PIN after changing battery etc as it keyed itself to the serial number of the dash ECU.
Why risk it? What if they are on the same network and this particular crash causes an infinite loop that floods the network with activity?
They probably aren't and it probably won't, but I'd rather not try to find out at 30k feet.
Or less urgently but he might find himself introduced to the emergency exit for it: what if he broke the entertainment system for everybody on this long haul flight?
"Why risk it? What if they are on the same network and this particular crash causes an infinite loop that floods the network with activity?"
You're right. Better just leave the thing off and not touch it at all, for fear of causing the plane to fall out of the sky.
Java???? The Java Licence used to say you can't use Java for real time systems or Nuke Power stations. Last thing you want is a garbage collection when you're on finals. Still mightn't be as a bad as windows:
Captain: "Flaps 40"
Co-Pilot: "Roger; Flaps 40"
Beep-beep-beep
Co-Pilot: "Master Caution.... Flight controls..... Flaps device driver has become unresponsive, please reinstall"
United transatlantic flight I've been on has had a defective in flight entertainment system
When UA had just got their first planes with individual screens on the seat backs I ended up with one that didn't work. At that time this was considered "unusual" so I was offered a freeby from the Duty Free. The bottle of JW Black Label was much appreciated, more so than the c**p programme offerings would have been.
so I was offered a freeby from the Duty Free.
I had a transatlantic flight from Chicago to Amsterdam last month; the IFE for my entire seat row was stuck on the SkyMap the entire time, and multiple attempts to reset it made no difference (didn't even cause the screen to go blank, which makes me wonder what kind of "reset" they were doing).
I complained to the cabin crew - I may be British, but living in the States for years has rubbed off on me - and was given 7500 loyalty miles as recompense. Which, as you said, is probably a better deal than having the IFE would have been.
This. More hyperbole around 'hacking planes'. You can't via the in flight entertainment system. The flight control system doesn't even use TCP/IP!!!!! Good presentation from Black Hat a few years back by actual pilots who were also security researchers gets lost in the noise of mainstream media. Physically separate systems - don't use TCP/IP - all pilot commands override automatic input = no plane hacking for some time.
If you start connecting the two together though,...
I work with a company that refurbishes old airliners for corporate and private users. I've taken apart some of the old IFE systems we have piled up in the scrap warehouse.
From what I can tell, a lot of the old ones (And some newer ones) are really just wimpy cores running an X Windows Display Server and link up to more powerful machines located in the cabin electronics bay along with the wiring for the intercom system and the wiring that operates the seat belt sign, overhead lighting, etc. The most common IFE server system I've seen are just rebranded Sun Blades and a StorageTek array that run off of 48 VDC.
Flight data appears to be received through an ARINC -> RS-422 controller that sits in the center pedestal, sitting next to the manual radio controls and plugs into an auxiliary port on the secondary / tertiary FMS (Same port that you'd connect an ELT / ADS-B Out transmitter on the Primary FMS).
On a side note, I've noticed that a lot of the IFE systems don't even run TCP/IP, and opt for other protocols like IPX/SPX and other light-weight protocol stacks since things like routing and mass numbers of usable ports aren't necessary. At the physical layer, the connection tends to a proprietary quasi-bus-like topology reminiscent of 10Base-2.
This post has been deleted by its author
If describing how a system works leads to the system being broken, then the system would have to be so broken that its reckless to allow it to exist.
But, if anything, the information I posted would sate the curiosity of a lot of people that would normally break into such systems for the purpose of exploration.
"Although I was very tired, and it was a night flight, I couldn't resist to do some basic security checks in the entertainment systems,"
While I do believe that identifying (and so remedying) security flaws is a good thing, why do security researchers and the like seem to think they have the right to just jump in to systems like this? And this certainly isn't the first time I've heard of someone probing around on live systems of an in-flight aircraft to see what might happen.
If I was a professional locksmith visiting a hotel, and started trying to pick the locks on other guests' room doors just to see how secure they are, I'm sure I'd very soon be having a conversation with the boys in blue.
Except there was potential* for his lock picking activities to cause all other locks to fail.
IANAPenTester, can't comment as to the probability of this outcome, although I would hazard a guess that there is zero chance of a crash in the IFE impacting flight control systems as they should be completely separate
Should is the operative word.
There is also the law of unintended consequences.
What if crashing the ife caused run away processes that blew a fuse ultimately required by a backup system that suddenly became relied upon?
Nothing is better ever a problem until it’s a problem.
https://youtu.be/RY5gBsjlRbU
https://en.m.wikipedia.org/wiki/Boeing_737_rudder_issues
After 2 fatal crashes and longest investigation in history they conclude it was a fault with a tiny component with a very low failure rate that left no evidence when it fails.
He was faced with a system requesting input. He simply tried some type of input. It is the responsibility of the system to handle that properly. The better analogy is repeatedly locking and unlocking your own hotel door, because that is what the door is meant to do. If it so happens that, after unlocking a hundred times in one day, everyone else's door stops working, that's clearly the fault of the door system. Similarly, he did not try to disassemble the device or access it in some unusual way (connecting strange USB devices to the port to see if they could inject code). He merely entered input into a field that expected input. The same thing could have happened if he wanted to write a relatively long message.
He was doing the equivalent of picking the lock on his own hotel door room, which was connected via the hotel network to the locks on every other door in the building, without the slightest idea of what the effect on either his own lock or those on any other door might have been...
Although hotel rooms tend to be at or around ground level, rather than several thousand feet above it and subject to the force of gravity.
Re:He was doing the equivalent of picking the lock on his own hotel door room, which was connected via the hotel network to the locks on every other door in the building
Hotel doors are dumb.
That swipe card they give you just has:
• Start
• End
• Accessible locks
The cards bring the intelligence, the locks take their orders from the card.
That's why if you extend your stay you need to get your cards refreshed by front desk.
Security have a programming card that can do other magic (such as block cards).
Sure there are more intelligent networked systems on the market. But you are unlikely to find them on hotel doors because "room door locks" is low down their budget priorities.
It was the equivalent of picking the lock on the safe in his hotel room cupboard, totally unrelated to the door mechanisms.
Not even that. It was the equivalent of pressing the buttons on the safe a whole bunch of times.
Pasting lots of data into the stupid IFE system wasn't a great idea. But clearly this IFE app is rubbish, and that's the real story here. A faulty touchscreen could accidentally achieve the same effect by sending a keypress event repeatedly until the app crashed.
It's the Thales developers who need their wrists slapped.
What he did was closer to fiddling with the television in his hotel room to see what happens when you mash all the buttons at the same time. Sure, there is the potential that he could bork the television itself, the hotel's satellite receiver or VoD server. But that is the extent, no matter what, they aren't going to be able to turn out the lights or stop the toilets from flushing.
He can make the chat app crash. Big whoopty friggin dooo.. It has NO relation to the actual flight systems of the aircraft and how I understand the article only affects the one system. Worst case scenario is a flight will have to do without the IFE chat app. Few people use that to begin with AFAIK.
I'd be worried if he found a port from the IFE to the flight systems. This is pretty much non consequential even if unfixed.
At worst, he would crash the whole IFE system and nobody would be able to use it. But, yes, as long as it isn't connected to anything else, I see it as annoying, but not a real (inflight) security issue*. The IFE should be patched.
* Well, it might be a personal security issue for him, if he deprived everybody onboard of their entertainment...
The potential 'safety implication' is that he's likely to have me 'accidentally' spill a cup of coffee over his delicate parts. Travelling economy class long haul, as I often do, is made marginally more tolerable by the ability to watch the trashy movies that would be vetoed as insufficiently culturally enriching by the management of Chateau AC. Crash the IFE at your peril.
Please, just grow up. If you are depending on someone else to supply your entertainment so you don't get grumpy, then you shouldn't be in a confined space with others. The chances of the system not working are really high. Bring your own kit and reduce your risk of me being affected by your shitty temper.
"There are potential safety implications here, so testing an IFE in an airplane with passengers on board is unwise."
Surely, it's much much much much much more unwise to allow random members of the public access to a system with potential safety implications for an aircraft?
Though I don't agree with his methodology - a child could have done the same. And we wouldn't know.
Because things like this should be caught in internal security testing, especially if there are "potential safety implications", and the results published, no? And they wouldn't miss something as simple as a buffer overflow in a user-controlled field, would they?
There's no way he endangered the aircraft (maybe inconvenienced some passengers) - not unless there was a catastrophic layer failure in the original specification of the system. Which - again - is something we should know about.
Rather than divert blame... thank him... patch it... ask him not to repeat the experiment except under controlled conditions... and then supply him with a copy of the device to see if he can find anything else. Because, for sure, in ten minutes he found something that all your expert programmers not only missed, but are trying to hush up and bring in "airline safety" against to silence him.
"potential safety implications" What safety implications? Some rent a quote researcher saying it could be a risk doesn't make it true. I'm fairly sure that there's a potential that sending the code 'thhd666&&&£$@" as an SMS to the navy might trigger the launch of a nuclear missile. But somehow I doubt that it's a very high potential.
A bored nerd is still a nerd, and nerds do these kind of things.
Once I wrote a script to send the same SMS to all th company using a serial gsm modem just because I was stuck recovering a shitty database from old backups at the middle of the night.
Let me tell you they didn't appreciate the 3 am recovery complete SMS.
Still the culprit is the airline/manufacturer as they didn't test a very basic thing in the first place.
I’m fairly sure they tested a bunch of other more critical stuff and this low hanging fruit was left as it wasn’t actually critical.
Don’t get me wrong, If I was on that flight I’d be pissed at the so called security guy tired on a night flight who couldn’t help himself but conduct a pen test on a live airborne flight even though he didn’t know of any vulnerabilities and didn’t know the impact of stuffing systems full of stuff they where not designed to accept well outside of their expected use case. The fact that that system crashed is actually a positive, hopefully it crashed in a way preventing further dicking around with it, so failed safe which is what most things on an airplane are meant to do.
If your a nerd and want to test that stuff hire a jet tell the owners and support vendor and do it in a controlled way, not randomly trying to get lucky at the potential expense of others lives.
I totally accept that the ife should not be able to have a derogatory impact on safety critical flight systems but you don’t test that theory with out explicit consent.
To put this in context, he typed in a bunch of characters. That's it. He did not break into the system's hardware or software, and he did not destroy it in any way. He typed into a field whose purpose is to receive input. The same thing would have happened if I was typing a message in but wanted to say more than its input limit. Unless it tells me this before I send (and if it has a buffer overflow it almost certainly doesn't), I wouldn't know when I've hit its limit. The only difference is that my characters would be a natural language message while his were not. If there is a situation where a user error from a user that is not acquainted and should not have any privileges can cause a safety risk, the system needs to be patched. If there is a situation where such error can cause a safety risk aboard an aircraft, then that system needs to be completely removed from aircraft and returned to its manufacturer, ideally by catapult into their security office.
Would you blame me for pressing every icon on one of these to see what they do? What if there is a certain pattern of icons that would cause the navigation system to reroute to Antarctica? What if the movie selector will zap the pilot with a massive surge of current if I watch two separate videos after clicking on the clock five times? What if the engines are disabled if I type in a 257-character message? If they shouldn't be able to do things, don't give the user-facing devices the ability to do those things.
Not knowing what you might trigger.
Calm down, this isn't the Daily Mail.
If his dicking around with his entertainment system affected any other part of the aircraft (from flight control to toilet flush), the entire airline should have their permission to fly revoked...
Don't really understand the downvotes here, unless it's Link Din folk having thin skins, here's why:
What's the worst thing that this security fail can allow to happen? That at some point, some bugger will knacker the IFE and stop folk from quietly watching a film.
So rather than doing something actually worthwhile, this bollix knackers the IFE.
Legitimate security work ASKS before doing ANYTHING with a reasonable chance of causing any sort of problem, and also sensibly restricts itself to things that there's a reasonable chance of them getting fixed.
FAIL.
"There are potential safety implications here, so testing an IFE in an airplane with passengers on board is unwise."
I thought these consumer systems were isolated from the planes avionics.
"The Register can reveal that the affected software is in fact made and maintained by Thales Group under the trade name Thales TopSeries i5000"
What would be interesting to know is what Operating System the Thales TopSeries i5000 runs on and why weren't such bugs picked up in the developenent and testing phase.
10 years ago I worked for a contract manufacturer that built the IFEs for Thales. The processors were IBM power PC, the OS was some variant of Linux and the user interface was the Opera web browser and a touch screen. Good ingredients, poorly executed. The IFEs ran almost hot enough to be fire hazards (no exaggeration considering that these things had no ventilation and were surrounded by nice, insulating foam rubber). No one at Thales even took the time to do the basic arithmetic necessary to see if the mechanical tolerances could add up in such a way that the things couldn't even be screwed together. There were many times we got enclosures that were within Thales' tolerances that wouldn't fit together or wouldn't allow components to fit. Absolute crap on Thales' part, I doubt they've got any smarter.
Causing a crash by typing in too much text does not mean you found a buffer overflow. Could just as easily be a validation mismatch between front and backend. You don't even know if the program is written in a memory-unsafe language like C.
And if I may play the man not the ball, this security researcher doesn't even have HTTPS on his blog.
InFlyt (which is what this likely is) is actually a custom Android spin Thales glued together, which means that we're probably looking at Java (or alternatively Xamarin/C#). It's possible that this was some kind of overflow, but I'd hazard a guess they're not arbitrarily passing user input to native code. I mean, I've been proven wrong many times.
More than likely, the backend didn't like it - probably some parser somewhere that wasn't expecting an enormous blob of json and just decided to nope out.
I'm actually a security person myself, but I do hate people who feel compelled to try, and I use the word try here, to hack random things they see lying around.
Indeed, particularly as no one's going to believe his change to "not probing for vulnerabilities" when reminded of things such as the Computer Misuse Act...
Any sort of reputable pentester/security researcher knows to get the systems owner's agreement before testing, rather than just rocking up and ****ing about trying to break a multi-user production system, let alone one where there's unlikely to be anyone with knowledge/access to recover any damage or loss of service caused.
"Indeed, particularly as no one's going to believe his change to "not probing for vulnerabilities" when reminded of things such as the Computer Misuse Act..."
However, surely he was authorized to put text into the text box? How many characters do you have to put in before it becomes unauthorized?
I do remember typing "Format C:" at college, because at that age I assumed everything had security... I quickly made escape, and pretended to be amazed one of the PCs was not working in that room. I doubt they ever even fixed it.
I now know DOS was not protected (and they never bothered with anything like Deepfreeze, but without even Admin restrictions, I was WAY too naive) there.
I have since only done messing around it on my own systems, or the self service tills at Tesco. XD
Its not a safety of flight issue, but he'd dropped the entertainment system at the beginning of that transatlantic flight people would be rightly upset about the selfishness of entertaining himself at the cost of everyone else's boredom.
It won't affect me as I've refused to fly with that excuse of an airline for 20 years after my last experience with them. I'd rather fly Ryanair (yes that bad) as at least their idea of an entertainment system* is a scratch card and I've yet to see a buffer overflow effect a piece of cardboard.
* they do have one more type of entertainment system but that's in the airport, it's a game called "will my plane turn up ?"
I don't know about you, but I find a book more entertaining. Other than the flight tracker showing how much longer the plane will be over the ocean it has little value. Low rez movies on bad screens and a terrible selection of music hardly qualifies as entertainment and the WiFi solution is oversubscribed with hundreds of devices inside a metal cylinder which causes frequent failures.
The very presence of an entertainment system causes people to close all the windows and create an atmosphere akin to a tomb or the Elevator to Hell. BYOE (Bring Your Own Entertainment) and you will be happier.
Had a book - finished it (there was a massive blurb on the next book at the end)
Had laptop - battery empty because I did some work at the airport
Empty battery on the mp3-player
And then the IFE did not work... got copious amounts of booze, but LH supplies that anyway, and some Air Miles, but still sucked big time.
I prefer having the IFEs, not because I find their features useful (I've never used one), but simply because they usually have the ability to charge USB devices. This can be quite useful after the laptop battery or book didn't last as long as you wanted and you're stuck with your phone for the rest of the flight. Otherwise, you always have to save enough power in the phone battery because you know you'll need it to get navigation or transportation when you land.
Any parts of the inboard entertainment system someone can access as a paying passenger should be totally separate from the important keep the plane in the air networks.
In flight entertainment is normally fairly fragile anyway* so hard to imagine how a bit of messing about can make it much worse than it already is.
* I'm old enough to remember no such thing as in flight entertainment systems & so still have the mindset of ensuring I have what I need onboard with me to keep me entertained (e.g. real books, not a "device" I may be asked to switch off due to paranoia)
I guess if the in flight entertainment system is susceptible to being owned, it could be used by bad actors to cause panic on the plane.
Imagine someone were able to put a message on all the screens that their was a bomb on the plane or that the pilot was a terrorist who was going to crash the the aircraft.
What is the most shocking, that someone tried to hack an infotainment system on a plane or that the company that sold said system had not done simple basic security pen testing or that the company that bought said system had not not done basic pen testing as implemented in their planes?
For me teh latter two far out weigh the former.
We only have BAs word that nothing critcal was a risk, but given they didn't test this how do we know? The car manufacturers don't seem to differentiate between infotainment and control systems why should we assume Airplane operators do?
There should be a GDPR for security of system access for all transport that covers system security rather than data loss, but I fear that would only come from teh EU as our own government would not have teh balls or clout to implement such a thing.
The in flight entertainment system is not on the same bus as the the flight control system. I cannot remember when I last flew on a plane where the in flight entertainment system actually worked correctly, but the plane was fine otherwise.
Anyhoo, no self respecting device should crash when you do the equivalent of putting your finger on a key and holding it down and that cannot be described as 'computer hacking' either.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
