WTF is Boeing on? Not just customer databases lying around on the web. 787 jetliner code, too, security bugs and all A Black Hat presentation on how to potentially hijack a 787 – by exploiting bugs found in internal code left lying around on a public-facing server – was last night slammed as "irresponsible and misleading" by Boeing. At the hacking conference in Las Vegas on Wednesday, Ruben Santamarta, principal security consultant at pen- …
Like telling the FAA the 737MAX was exactly the same as all the previous ones and didn't need re-certifying, despite parts of it's flight envelope being significantly different and warranting a completely new augmentation system to assist the pilots with it? You know, the one which doesn't work and which the flight crews weren't necessarily told was there?
Over 300 people are dead because of that.
And earlier in that quote...
'IOActive chose to ignore our verified results and limitations in its research'
Funny Boeing saying that. Seems they did, too, in order to self certify* their own systems.
*Which is what the FAA apparently was accused of letting them do.
I would like to think there is at most a uni-directional connection from the avionics to the other networks, so that e.g. the passenger information system can display the current altitude, implemented using something obviously uni-directional like an opto-coupler.
Can anyone think of a legitimate reason for anything to flow the other way?
What is a requirement and what is then implemented due to stupidity, ignorance or deliberately is another thing. This is where all the "Software Defined blah" falls down. Software defined is just that, code running on a hardware to emulate what a piece of real equipment used to do because:
It is cheaper to build (generic hardware with code on top)
It is easily upgraded (the endless quest to "improve stuff")
Bugs can be fixed more easily (there are usually more in the first place because it is software)
Bean counters and C-suite idiots had happy because it is cheaper and sound cool
All the leads to a gradual decrease in quality until you reach the point that a catastrophe happens. This is the same wherever you look with what is going on with self-driving cars being the next total clusterf*ck. The difference there is that so many people are already killed or seriously injured on the road due to what are classed as "accidents" (although very few are genuine accidents) and it is just accepted that currently they can get away with it. Big business had so much power now that the regulators are becoming impotent to there demands.
A modern smartphone[*] plugged into the entertainment system could provide all the flight data a passenger might be interested in without any connection at all into the rest of the planes networks. That could completely remove any need at all for secure one way connections, monitoring and logging analyses etc.
[*] Not really an actual smartphone, of course, but the sensors and processing required to produce the data the passengers simply can't do without. They don't need the accurate data the plane is producing for pilot/avionics use.
The link between the secure flight controls and navigation network (third network in the article) and the flight crew and maintenance network (second network) will be needed for things like engine management data too. Things like engine and FADEC system parameters are very important data for the maintenance crews working on the craft between flights. I agree the first network could be fully airgapped from the second and third layer, however that public facing network is probably still running things that the maintenance network wants to know about. (Things like the in-flight entertainment system might not seem important, but play a vital role for both airline image and keeping the cattle calm during the flight)
So just having one maintenance system to monitor & manage all 3 networks? That there is exactly the problem, one system plugged into everything - that would be the target. Would it be so expensive and inconvenient to have a separate maintenance system for the public network?
A legitimate reason for things to flow the other way?
No. But, you know some thought would be convenient to have status information from the entertainment system to the flight attendants system. And, once they rationalize that...
Still, even boundary defenses can have vulnerabilities. How often do they pen test and patch these things? Are they stymied by a long validation process with the FAA that prevents them from patching vulnerabilities?
And, I'm also very picky about in which direction connections can be initiated. If data should only flow in one direction, the initiation of connections should also be in that direction. That is, data should be pushed, not pulled.
If you just give the entertainment system a GPS receiver, it can probably give accurate enough altitude/speed/position data and then be entirely separate. It'd be (1). safer since there's no connection, and (2). probably cheaper since you don't have to define/create/test a secure one-way-link to critical systems.
I'd go as far as saying if they're not doing it this way, then why not?
This post has been deleted by its author
This post has been deleted by its author
"It's self-certification all the way down."
That may be more true than your obviously flippant comment implies.
No matter what the professional body, exam board or whatever, someone, somewhere down the line, had to be the first "authority", essentially self-certified, who then certified others who came after.
Because of faulty readings no siree...
Even if the flight control system like the auto pilot or auto landing didn't take its readings from the 2nd layer. If the pilot instruments are giving false readings because false readings are being injected what are they going to trust?
Yea but it's all completely fine because "hardware filters that only allow data to flow between networks rather than instructions or commands".
(Hopefully they publish the details of these mysterious hardware filters so the rest of the world can use them too).
And we all know you can't crash a plane with bad data...
"You could get that information from a simple GPS box attached to the entertainment system network. No need to tap into avionics networks for that data."
Oh sure: Add extra hardware at additional cost, or just tap into the avionics data with a couple of lines of code and a filter/firewall exception....
"You could get that information from a simple GPS box attached to the entertainment system network. No need to tap into avionics networks for that data."
But why? What possible use could you have for that data? Ok you could maybe make use of an updating estimated time of arrival (Thought that can be delivered via your ears directly to your brain meats by the pilot making an announcement).. Theres no real reason other than curiosity for that data to be made available to passengers, is there?
"The point is, that data is already made available to the passengers, via a link from the primary network. His solution would be to provide the same information without compromising the network."
Well my solution would be to remove it altogether instead giving the passengers information about the two main states that the plane can be in : Ground - Sky. As a passenger having no real need for constant altitude/direction/speed information this is more than sufficient, as an added bonus the requisite equipment is already present on all commercial planes - Windows and Eyes.
If we are that worried about security and the airlines are worried about costs (Any extra equipment will increase costs) then the obvious solution is to remove it altogether.
"The avionics is connected in some way or it wouldn't be able to accurately show you plane speed/height/location/wind speed/direction."
As a passenger, why would you care? All that really matters is the ETA at the destination. Until recently, you didn't even get that other than as an announcement from the pilot and then only if you were going to be late due to headwinds, detours around storm fronts or problems at the destination requiring diversion or circling in the stack.
The avionics is connected in some way or it wouldn't be able to accurately show you plane speed/height/location/wind speed/direction.
I'm not sure it does show those data accurately. Sometimes In Flight Entertainment and eyes-out-the-window don't agree on location or heading. Altitude and ground speed could be pulled from GPS. Airspeed and winds aloft are irrelevant and invisible to passengers.
Yeah ? Well we're disappointed in Boeing's irresponsible and unprofessional handling of its code. You leave part of the software platform on an Internet-facing repository and you didn't think of locking that down ? This after designing functionality that can change the attitude of plane based on only a single sensor ?
Something is seriously wrong with Boeing these days. It used to be a company whose engineers had the word "security" practically branded into their foreheads. Seems that, today, it is yet another company taken over by beancounters for whom all that security nonsense costs too much money. Well, this is the result of that mentality.
In a recent BBC article, a former Boeing engineer says they did precisely that:
"Adam Dickson worked at Boeing for 30 years and led a team of engineers who worked on the 737 Max. He said they were under constant pressure to keep costs down."
https://www.bbc.com/news/business-49142761
While I agree that the last 2 platform products of Boeing's engineering activities have fallen short of the ideal (to use the Church of England code), I can't think of any financially viable engineering team that isn't under constant pressure to keep costs down. It's a normal context for technology and product development, surely?
I guess they (Boeing et al) all believe what they are telling us; that is very dangerous and, at the same time, arrogant. Of all times for Boeing, now is the time to really come clean and be as transparent as possible about their inner workings and problems.
Most Register readers are going to be cynical about this situation because we have seen it before. I just hope that it doesn't cost yet more lives to get proof.
If Boeing is proven to be wrong then they are finished as a company as this really is a case of three strikes and you are out.
> “IOActive reviewed only one part of the 787 network using rudimentary tools,
What a disgracefully condescending statement from Boeing - I hope their engineers cringed when they read it, even if the PR people spouting it were in blissful ignorance.
Firstly, it assumes that tools are required to find bugs. With that attitude, no wonder the MCAS bugs got through. Secondly, it ignores the fact that brainpower and cunning finds bugs. Personally I've never heard of IOActive before, but the last thing I would do is accuse them of lacking grey matter.
Unfortunately that probably wouldn't be enough to kill them as a company. Do you think the murricans would let the only Airbus competitor go to the wall? Or stop the military work coming their way? Admittedly the military stuff could conceivably go to other producers. I'm sure, for example, that Lockheed would make a frank, honest and entirely above-board bid for the work...
If Boeing is proven to be wrong then they are finished as a company as this really is a case of three strikes and you are out.
Only the civilian airliners part of the company will be in danger. The rest is buried in military work, NASA, etc. The company structure and finance that control those structures are probably more resilient than the hardware/software.
"Once Boeing was aware of the nature of the programming blunders in the Honeywell software found by Santamarta, the manufacturer verified in the lab and then on an actual 787 that it was not possible to seize control of a $150-million-ish jetliner via the holes Santamarta discovered."
Was that verification that the exploits couldn't be used on an actual 787 carried out by the same Boeing engineers who failed to identify the same exploits when certifying the code to be installed on their aircraft...?
... IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments ...
That could have been and still can be easily remedied - for example, by setting up a facility where the software can be inspected, using the appropriate tools and in a working environment, by suitably-vetted, independent reviewers - who can then reveal their findings in, say, an annual report.
Perhaps that's something the UK can take a lead in - after all, there is already a precedent of HMG positively insisting on such procedure, for software far less safety-critical than a passenger airliner control system.
I am sure that should be satisfactory for all reasonable and open-minded parties.
GCHQ did that with Huawei and found some code that was not exactly best practice but as far as I am aware, no evidence of malfeasance. Still certain people stuck to their view the Huawei is reporting back to China. They also stated that there was a strong likelihood of other manufacturers being no different in terms of the quality of the code.
Third party quality assurance only works is those involved accept the findings and there is no interference.
That the network is unencrypted or that the packets are flagged as specific types in transit for the hardware to be non agnostic towards the types of transmissions. Or it might be that they use some sort of API to push data out but not to receive.
I am however as puzzled as you over how data fed back into a system does not constitute commands or instructions? Surely a request for data is an instruction? Surely a validation check is a command of sorts?
It's a good thing that there have nver been any exploits that allow data to be treated by a computer as if it is instructructions then. Like, oh I don't know, every buffer overflow exploit ever.
Now, of course I don't want to trivialise the hard work that I'm sure Boeing have put into trying to secure the hardware, however as any securty expert will tell you, security is extremely hard. If you think you've made something perfectly secure, you probably haven't understood it properly.
If the threee networks on the plane are physically connected in any way, then there is the potential for flaws that allow the isolation between them to be broken. This does raise the question of why you would have any connections between an avionics system, a business network, and an entertainment system. Surely the only cast-iron way of securing the avionics is to have that system completely isolated from the others. What are the use cases that require those networks to interact?
"If the threee networks on the plane are physically connected in any way, then there is the potential for flaws that allow the isolation between them to be broken. This does raise the question of why you would have any connections between an avionics system, a business network, and an entertainment system. Surely the only cast-iron way of securing the avionics is to have that system completely isolated from the others. What are the use cases that require those networks to interact?"
My reading of this marketing fluff was that it was quite likely to be one physical network with VLAN tagging. and QoS to ensure priority for the mission critical packets at the switch. Hopefully none of the seat area wiring are connected to trunk ports...
Those that think it's a security measure are sorely mistaken. Just Google vlan hopping. Lots of trivial exploits for jumping from one vlan to another. If they then add in some extra security, say mac address whitelists... That's still trivial to hack.
All in all it sounds very arrogant of the Boeing mouthpiece, but I suppose its aimed at people who aren't of a more technical level.
Do CASA and EASA join up, insist on impounding one of these aircraft and invite some of these code auditors to go over everything _without_ Boeing present to prevent them from finding "trade secrets" etc?
or even scarier for Boeing, let them be present, let them prevent the hackers from exploring certain areas, then start investigating WHY Boeing's crapping themselves about people poking into those areas.
(Incidentally it's not just Boeing that can be targetted here. Toyota's shown that their coding quality has gone to hell in a handbasket too, etc - it's just that Boeing have achieved regulatory capture and have been getting away with this shit for longer)
Careful you talk sense.
It is almost like the cars NCAP testing regime but for planes. Letting an independent body test things for safety. Not saying we throw planes into concrete barriers, but coding is much easier. Every plane type sits in a hangar somewhere and has code monkeys try and break it.
Winners get an air worthiness badge. Losers go home - without their plane (as it can't fly safely)
"it may be possible to exploit holes in, say, the in-flight entertainment system on the first network to access the adjoining second network where one could abuse the flaws he found in the crew information software to then reach into the adjoining third network."
That doesn't sound like three separate networks, it's a single network with some access controls. The whole point of having a separate network for critical things like avionics is to avoid any possibility of someone on a customer-facing network being able to mess with it. Questioning whether these particular vulnerabilities actually make it possible to hijack the important systems is rather missing the point - it shouldn't be physically possible for any vulnerability to ever do that.
Exactly. This sounds like security through obscurity. It's really simple - either (a) there are *physically* separate networks for the avionics and other systems, or (b) they share the same network.
If it's (a) then great - just tell us. If it's (b) then it's open to attack and it is impossible to guarantee that there will be no access to the avionics network portion from the entertainment/crew info network portions. Somewhere there will be a bug/issue with a protocol, API etc. etc. that can be exploited. Difficult to exploit is not the same as impossible to exploit.
And, yes, passenger info systems need access to flight info, but that doesn't have to come from the avionics network portion - just include additional sensors.
IIRC it's a common physical network for avionics and non-critical data with virtual switches.
There was some eyebrow raising on el'reg of the "wtf" variety at the time.
Of course even if somebody did hack the system it couldn't get through to the secure network says team A. While team B says that even if you could get across the networks nobody could hack the system.
This was my thinking as well. All Boeing has to say was: "the connection is a one way data stream, through opto-isolators", and they would have stopped the concern about this in its tracks. That they're not saying it means they're clearly doing nothing of the sort.
"And, yes, passenger info systems need access to flight info"
Do they really though? Being able to see your current location and altitude might be interesting for some, but it's hardly necessary; it's not like knowing your air speed is going to make you arrive any faster. If they can't provide that information to passengers without compromising the safety of the plane, I'd much prefer they just didn't provide it at all.
>Do they really though?
Yes because it would be expensive to run 2 or 3 separate sets of network cables around a 747. Especially when there are incredibly strict requirements on the type of cable, the conduit, the routing, proximity to other cables, the insulation etc. All of it is very tightly controlled - just not the data on it.
It is security through obscurity, no doubt about it.
They really need to physically separate the flight control network from the other 2 networks, as you don't want the possibility of the DOS style attack.
They don't really need separate sensors for each of the networks as the sensors should just be read only.
Was it not irresponsible for the code to be publicly accessible in the first place ?
Blaming the black hats is not the right route here, Boeing needs to realise that they live in 2019, we rely on things to be secure. You should not try to rely on security by obscurity.
If they need help in doing security reviews, there are plenty of suitably skilled consultants who can help them. There is no excuse for poor security or buggy code, particularly on safety critical platforms that affect people's life.
Was it not irresponsible for the code to be publicly accessible in the first place ?
Hey, they got a free code audit from it.
If they had of released it publicly, then everyone might have ignored it, like those SSL bugs (heartbleed) that existed for years in open source code, but no-one bothered to check it because everyone assumed that someone else had. By the code being 'discovered' as opposed to being released, security experts were more inclined to poke around in it.
Cheaper than doing their own code audits.
"If they need help in doing security reviews, there are plenty of suitably skilled consultants who can help them."
The same can be said about Huawei - Unfortunately the hardest part is not that help is available, but getting the to admit that they NEED to listen to externals in the first place.
I'm getting brushoffs about security even after waving the GCHQ report in people's faces - the people who really need to be listening are suffering a bad case of Dunning-Kruger (One Huawei Enterprise engineer told me today that TLS1.2 is totally secure therefore they don't need to do anything - neglecting all the factors that go into SSL connections such as key lengths and crypto types or that TLS1.2 is 11 years old, or that the piece of equipment in question - still being manufactured - CANNOT be SSHed to from RHEL7.6/Ubuntu 18.10 or connected to from current versions of Firefox/Chrome/Edge/IE due to use of obsolete cryptography - his stance (and hence Huawei's official stance) is "But it uses TLS1.2, so it's OK!")
Wholeheartedly agree with all comments about Boeing. However, I find myself rather underwhelmed by Santamarta's hyperbole. To me, his arguments come across as speculative exaggeration.
“We have confirmed the vulnerabilities, but not that they are exploitable, so we are presenting why we think they are” he said. “We have got very limited data, so it’s impossible to say if the mitigation factors Boeing say they have work. We offer them our assistance.”
In other words, you really don't have very much here at all. You found some code, have identified some alleged vulnerabilities (without knowing how that code interacts with other code/systems, and without even knowing if it's production code) and are simply speculating. You're just dialing the hyperbole up to 11.
I'm not defending Boeing here. That company should no longer be in business after having the blood of 300 passengers on its hands; however, I remain unconvinced by the case made by Santamarta. He would need to put a lot more meat on the table. However, this is Boeing, so that's not going to happen. Especially when they have carte-blanche to certify their own software/systems.
I read that as Boeing that said "We have confirmed the vulnerabilities, but not that they are exploitable," so Santamarta and friends said "so we are presenting why we think they are” - in other words, Boeing admitted the flaws were there but tried to downplay the seriousness of them. And we all know that Boeing are outstanding examples of truth and honour when it comes to admitting that there is a problem with their software or hardware...
Psst, wanna buy a bridge?
But is that even an accurate summary of what's been proved possible here? Unless I'm missing something in the summary as presented here, the only thing that's been proven possible so far is that vulnerabilities exist in the crew facing system - the "inject commands into that via the consumer facing system" idea appears to be just as much speculative hand-wavery as the "use the crew facing vulnerabilites to then inject stuff into the avionics system" part of the "this is how you could hack an airliner" premise.
It has to be speculation - as Boeing won't let them try an attack on a real aircraft (not even grounded in a hangar) and no responsible researcher would have a go on a live aircraft. The big flaw is that someone with evil intent (and the necessary skills) might try it, which would be a bad way to discover if the accusations were true.
I would not rely on Boeing.
I have been in situations where pen testers have found potentially exploitable (when "chained together") issues we had missed, not surprising as their day to day job is all about attacking systems and most companies do not have luxury of their own full time pen test system, so the pentesters have better attack skills and experience than inhouse staff.
I would assume similar would apply at Boeing, without some independent, top quality, security experts auditing it, Boeing cannot be relied upon (even if we generously assume they are being honest & well intentioned saying "it's fine")
I would not rely on Boeing.
In the light of present circumstances who in their right mind would?
I would like to think at whenever it comes to pass (assuming it does, of course) that the US is trying to trample all over UK interests whilst in pursuit of its own in a trade deal that someone on the UK team will suddenly go <cough> we have a major problem with the certification of Boeing aircraft which in our view is going to delay any agreement, and mean it.
The noises coming from the US at the moment point towards a very lopsided deal (which of course means that it isn't really a deal at all) and the Boeing situation provides the UK (and everyone else if they are minded to dig their heels in) with an ideal opportunity to redress the balance a bit.
"and no responsible researcher would have a go on a live aircraft."
State sponsored security services may well have already done this. There's no way to know, but plenty of countries have bought Boeing and other aircraft. State owned airlines in particular may well want to know if this sort of thing is possible and if so, how to do it. </tinfoil hat mode>
Doesn't anybody see the inherent contradiction in this?
If it is irresponbsible, there must be truth in it, in which case it can't be misleading.
If it is misleading, there is no danger so it can't be irresponsible.
Even the quality control of the end product of an adult, uncastrated male head of cattle spouted by PR is severely lacking nowadays.
This is Honeywell programmers we are talking about. Next they will blame the hardware manufacturers even though the hardware manufacturer has given them all of the information and hardware they need to write the program. (Speaking from current experience with Honeywell.)
It can be irresponsible to spread false statements with the intention to spread panic. If I were to say "I have planted a bomb set to go off at Waterloo station today at 4pm", would that be:
a) misleading (hint: I didn't do it)?
b) irresponsible?
c) both?
See also Trump's antagonizing statements in the light of the recent mass shootings.
"IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access"
Yea, right. Says a company which claims that 737 Max is the same plane as 737, no differences at all, no way. More like PR BS.
"'IOActive chose to ignore our verified results and limitations in its research'"
*Our* "verified" results. When you "verify" your "results" by yourself it doesn't mean anything at all. Every limitation they had, was imposed by Boeing so I call BS on that too: Boeing could have let them play a while with actual plane.
But of course Boeing doesn't work that way: Everything is secure because *we say so*. Security by obscurity at its finest.
"Once Boeing was aware of the nature of the programming blunders in the Honeywell software found by Santamarta, the manufacturer verified in the lab and then on an actual 787 that it was not possible to seize control of a $150-million-ish jetliner via the holes Santamarta discovered."
Erm, one has to be severely doubtful of this. Months after the 2 fatal crashes of the 737 Max, they still have not updated their software, assuming the issue is only software-related.
So, IT security in the plane would really be WAY below in terms of priority.
I doubt a single 787 has even been updated on this very issue.
A Black Hat presentation on how to potentially hijack a 787 – by exploiting bugs found in internal code left lying around on a public-facing server – was last night slammed as "irresponsible and misleading" by Boeing.
What irresponsible is leaving said code on a public facing server so every Tom, Dick and Harry can see it.
IOActive chose to ignore our verified results and limitations
Are those the same kind of verified results you used to test MCAS?
Boeing say “IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments"
I read "If he had reviewed more parts of the network, and had other tools, then he may have worked out how to jump between the network segments"
There seem to be a number of issues at Boeing that can be traced back to irresponsible cost-cutting and sloppy corporate culture.
KLM is currently celebrating its 100 year anniversary and had planned to have their new 787-10 play a central role in the celebrations. Due to too many issues with manufacturing quality they couldn't sign off on the plane until it was too late and it arrived a day after the celebrations.
"For example, KLM Royal Dutch Airlines called the factory’s quality control “way below acceptable standards” for a 787-10 delivered at North Charleston in June. The plane included a special livery to celebrate the carrier’s 100th anniversary.
KLM noted several issues, including a loose seat, missing or wrongly installed cotter pins, nuts not fully tightened, an unsecured fuel line clamp and several unspecified missing parts.
“Who looks at quality in this facility,” KLM asked, adding the airline “is worried for the next deliveries.”
The Post and Courier: Airline surveys point to ongoing production problems at Boeing’s SC plant
I saw a bunch once (although the code wasn't for use on a plane, or anything related to safety of humans). The test started by setting a value to true. It called a method that called a bunch of other stuff, and the third line simply checked the original value was still true.
Now this original value is never passed into the method and can never be set to false, so all this test did was check if the code didn't fall over. Which isn't really any help when you're trying to work out what's gone wrong in this massive chunk of code. It did however make the coverage report nice and green, which is all the higher-ups cared about.
Given how often senior management move about in that place, it's only a matter of time before the idiots looking after this code got put in charge of something that matters.
I see their quality isn't any better for airliners than it is for other transportation industries. But they are definitely good at pointing fingers and convincing upper management of how great they are. I didn't like their software from the beginning and even makes me more nervous knowing their crap "programmers" are programming for airliners as well.
"[..] the manufacturer verified in the lab and then on an actual 787 that it was not possible to seize control of a $150-million-ish jetliner via the holes Santamarta discovered."
Says the manufacturer who self-certified the MCAS with a single sensor on the 737 MAX that could not possibly lead to any problems whatsoever.
But what else can you expect from a manufacturer that claims fantasies like "hardware filters that only allow data to flow between networks rather than instructions or commands." I want to have those filters. Should be awesome. ;)
Boeing is better-equipped than any regulatory agency to determine the airworthiness of its products, so flights should resume as soon as Boeing says it's okay. For the first ten thousand or so hours of operation, though, it should be required that a Boeing board member be aboard each flight.
The 737 air max definitely brought Boeing into the spotlight, and under a microscope. Which is a good thing. But I, for one, know full well that other jetliners, from other manufacturers, very likely have their own vulnerabilities. It would be shame (understatement) if one of these vulnerabilities are only discovered after a tragic event.
This may well be the case, but AFAIK, only the USA has the grandfathering scheme on airworthiness certification and the 737 pre-dates actual external certification so that airframe has never been externally certified, it just assumed the airframe in place was fine when certification was introduced and every variant since has been grandfathered into that, hence the "no real change thanks to MCAS" for the max because that would have required expensive certification.
If any of the above is incorrect, I'm open to being educated on the matter.
But given the incredibly conservative nature of the aero industry, how did they end up with 3 separate systems that have ANY connections at all? I'd have assumed they were totally independent systems.
Or is the fact you can't get into the system (no WiFi or handy ethernet sockets) used as a claim of security - like how even an unpatched XP box is perfectly safe as long as it never goes on the internet and has all its USB ports ripped out?
Of course now WiFi IS starting to appear on planes, and they let you use your own devices to access in-flight entertainment, any such 'air-gapping' is threatened. Is that what's happening here?
Genuinely interested, if anyone can explain or point me at a good article.
But given the incredibly conservative nature of the aero industry, how did they end up with 3 separate systems that have ANY connections at all? I'd have assumed they were totally independent systems.
Or is the fact you can't get into the system (no WiFi or handy ethernet sockets) used as a claim of security - like how even an unpatched XP box is perfectly safe as long as it never goes on the internet and has all its USB ports ripped out?
Of course now WiFi IS starting to appear on planes, and they let you use your own devices to access in-flight entertainment, any such 'air-gapping' is threatened. Is that what's happening here?
Genuinely interested, if anyone can explain or point me at a good article.
Happy to oblige. Avionics systems are not built out of PCs running Linux and the flavour of Ethernet or WiFi that we're all used to in our PCs and servers..
Typical component parts include INTEGRITY, a rock-hard formally developed embedded RTOS ideal for this kind of application (you can't beat it for process separation): AFDX - Ethernet tweaked to give deterministic transfer rates / latencies: CPUs without things like speculative execution (certain types of PowerPC is really good for real time systems): data diodes / air gaps - literally physical data links that go only one way (e.g. a single strand of fibre optic), ideal for getting data out of, say, the avionics systems and into the in flight entertainment without exposing a physical return path for passenger-delivered nasties. Both Airbus and Boeing use a lot of the same technology for a very good reason; it's the most appropriate for the task.
The problem with the 737MAX is that they've tried to imbue it with more software sophistication without (AFAIK) using these things, and without appropriate architectural design either.
Radio links (e.g. WiFi) aren't used on critical systems - it's near impossible to prove that it'll work all the time, with complete dependency. A cable, properly assembled and properly installed and not interfered with, won't ever break. And of course you run several through different routes, just in case.
Some aspects of what Boeing have been doing of late are exceptionally poor (e.g. MCAS, the evident supremecy of their beancounters over engineers and test pilots, etc), but I don't see any particular reason to doubt the architecture or implementation of the discussed systems on 787. Though it is supremely unfortunate to have left a load of source code lying around for all to see...
What's particularly lame about the presentation reported in this article is that some extremely lazy speculations have been made, when even the most cursory of glances at the Wikipedia page for the Boeing 787 would indicate that Boeing have data dioded / air-gapped the 3 networks. It's trivial to correctly use an air gap to make it very impossible for a software nasty to be able to traverse the wrong way across that gap. Assuming Boeing have at least mastered that, I think that IOActive have rather made fools of themselves. I wonder if they're short of business at the moment?
(BTW I'm not associated with Boeing in anyway whatsoever).
You know that you can do bidirectional communication on a single strand of fiber optic (or copper cable). Simply use separate career frequency.
Yes, but software (e.g. a hacking attack) can't retro-fit the requisite electronics or optics to do that if Boeing didn't put it there in the first place. Which they haven't.
And there's no practiable way in which a passenger could do that whilst an aircraft is in flight.
They use AFDX, well documented in Wikipedia for those who can be bothered to go looking. Airbus use it too.
CAN is quite interesting - electronically very robust, but I'm not sure that it provides the same QoS guarantees that AFDX uses. Quite a lot of car manufacturers are moving away from CAN, it's just too slow for everything they want to do these days.
Oh gawd!!
Such cluelessness.......
Since the introduction of the 777 aircraft have used high-speed unidirectional point-to-point data-link interfaces.
Since the A380 the network type of choice is A664P7 (developed by Airbus) which is more commonly referred to as AFDX.
There are no critical systems in modern aircraft using CAN bus, and none of the data-buses flight critical systems are accessible by the general public, well, unless you want to try to force your way into the cockpot or one of the avionics bays - good luck that bruh!!
I thought the UK Government was a bit stupid when they allowed window fitters to self certify they had fitted the windows correctly with no issues. But the FCC allowing plane manufacture to self certify safety and then all the other governments to say that's ok the US authorities say its ok so it must be without a second thought is just bone idle lazy incompetence all round.
Wouldn't it be best to let IOActive onboard a 787 and tell them, "Have at it!"? If the plane is truly unhackable, as Boeing claims, then IOActive will not be able to do any harm, and Boeing will then be able to loudly and publicly proclaim that their own internal experts and an unpaid but motivated group of third-party pen testers were unable to find any exploits. Might even bump up Boeing's reputation, not to mention share price. Seems like a win-win to me.
They're not willing to do that? I wonder why.
"They're not willing to do that? I wonder why."
Commercials reasons.
All recent aircraft platforms have gone through numerous pen-tests, but the gag orders placed on the companies and individuals engaged to perform the tests are extremely stringent.
In some cases the engagement contracts are so stringent that personal liability is in the range of $20m if an individual just mentions they conducted a pen-test for a particular aircraft platform, talking about the pen-test, test procedures, test process, test time-frame, results, etc can carry a liability of up to $110m.
Every aircraft platform is unique and the OEMs go to great lengths to make sure their Intellectual Property are protected, since these programs have a decades long ROI.
Boeing must know that once they sell a 787 to a foreign state, say Indonesia, that the Indonesian state ferrets will have contacts with Chinese, Russian and North Korean ferrets(among others) and these ferrets will try to reverse engineer all aspects of the 787 code (regardless of any agreement to the contrary) and try to ceate exploits that they will guard and keep to themselves in the hope that they can then back up nto Boeing R&D and Corporate servers for more fun and frolic.
They should take this threat seriously and hire their own Black/White hats quietly from those they see at the conference.
This whole story smacks of management ossification at the highest levels. Driven by costs and ever higher wage rates forced out of them by the unions, they should close down their main factory and build a new one in a less union friendly place and only hire good creative workers for the new workplace,
After killing hundreds of people with amateurish engineering design and implementation, the proposed fixes have failed multiple times, then we learned they used a single computer with no redundancy and the planes were vulnerable to a single bit flip (which is common from alpha particle strike*), now we're supposed to believe them when researchers find their code laying around on the internet (poor security) plus they find vulnerabilities?
If they can't even secure their code and systems from the internet, what are the chances they've secured their software? It would be more curious to know whether the code base was writable from the internet.
This once proud company has truly become a basket case.
* Look into the E-Cache issues that Sun Microsystems suffered. IBM had also suffered from the issues as they knew all about it.
Of course we're still in "Boeing knocking time", but this is not specifically a Boeing problem.
When any organisation grows to a critical level of scale and complexity, control is unwittingly lost for several reasons. Chains of communication become over-extended, the growing disparity of power between the individual and the "organisation" encourages folks to keep their heads below the parapet, and identifying individuals with specific responsibilities gets increasingly difficult.
In any human endeavour normalised deviance (aka entropy) constantly causes processes and controls to weaken imperceptibly over time - imperceptibly because it's progressive and thus defines the current cultural norm against which performance is verified. Typically, only when an accident happens is attention drawn to the degree of departure from the original intent.
This largely explains most major incidents and the internal cultural responses to them. For example, both shuttle disasters were precipitated by the culture at NASA, and I can quite believe the former CIO of Equifax when he stated to the enquiry that he did "not think Equifax could have done anything differently". What they did was in each of these cases driven by their current cultural norms and therefore assumed to be adequate.
Boeing must have some very talented security people to have 'confirmed' that there's no way to use the holes in the 2nd network to get to the 3rd network. They seem very, very sure that it is 'not possible'. If they were so supremely sure, why don't they give the black hats a plane to play with for a while?
The discussion is wonderful of course...but...
Faced with one airline choice on a route.... which only flies the type of plane...
Do you...
i) Go
ii) Not go
Your choices are influenced by alternate modes of transport/time/cost, circuitous alternatives, or suck it up and be at that meeting on time (or vacations where you might be subject to additional hours of grumpy, mewling sproglets, and/or your significant other harping that we should have booked <obvious airline in question>).
Ignoring the very valid technical possibilities, postulating, and opinions....What will you really choose?
Well, since they have already open-sourced their code and made such good experience with that swarm intelligence kind of bug-fixing, why don't they simply leave their code open?
With the fatal Boeing 737 MAX groundings in mind, the software running on that planes should indeed be regarded as of public interest.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
