Here's how we got persistent shell access on a Boeing 747 – Pen Test Partners

Researchers from infosec biz Pen Test Partners established a persistent shell on an in-flight entertainment (IFE) system from a Boeing 747 airliner after exploiting a vulnerability dating back to 1999. It's an attack that's more of a curiosity than anything else: it's too difficult to pull off during an actual flight, and it's …

  1. Julz

    File

    Under, 'So What' and cross reference to 'Gratuitous Advertising'...

    1. You aint sin me, roit
      Black Helicopters

      Re: File under Mission Impossible script...

      Tom Cruise skulking round the galley, chatting up the steward waiting for an unattended moment so he can access the ethernet

      Plugs iPhone into ethernet port (good guys always use Apples).

      "It's running on NT4... this might take some time!"

      10 seconds later...

      "I'm in!"

      Proceeds to by-pass pilot controls, fires up the aircraft sim interface on his phone, and safely lands the plane at LAX.

      No more fanciful than Independence Day.

    2. Anonymous Coward
      WTF?

      Re: File

      BSOD screen capture or it never happened.

    3. -tim
      Facepalm

      Re: File

      How young is this company? Should this be filed under "Security companies that don't have a decent tool box"? It isn't that hard to grab the source from the 20 year old versions of the scanning tools and recompile it on modern systems.

      1. bean520

        Re: File

        @-tim

        It's rarely that simple. Code written in scripting languages popular 20 years ago will rarely work as-is on modern implementations, even if modern implementations actually exist.

        Even with compiled C/C++ code, you'll find anything more advanced than Hello World is probably making API calls that no longer exist in modern Windows, therefore even compiling the programs will often fail.

        1. Julz

          Re: File

          I was going to down vote you until I got to the bit where you mentioned windows. There's your problem right there.

    4. Clunking Fist

      Re: File

      Are you confident the world nuclear super powers' silos aren't running NT4? Or MSDOS?

      1. TechHeadToo

        Re: File

        Sounds as if NT4 is a whole lot safer than BillG's latest efforts

      2. Claptrap314 Silver badge

        Re: File

        Umm.... yes. Yes I am.

  2. Chloe Cresswell Silver badge

    Pretty sure the 747's APU is in the tail cone, not the nose cone.

    1. RegGuy1 Silver badge

      Yep. Otherwise there would be a horrible smell of kerosene in the cabin.

    2. Snake Silver badge

      All APU's are in the tailcone; the nosecone holds parts of the radar system (note, therefore, to silly scene from Superman Returns as the nosecone is fibreglass)

      1. Solviva

        747's nosecone also holds jackets.

      2. Annihilator

        Pretty sure the nosecone also contains the 1st class passengers too.

      3. jtaylor

        "All APU's are in the tailcone"

        Yup. In fact, it's so standard that the 727 was remarkable for doing otherwise. Of course, Engine #2 was already occupying the tailcone. https://www.airliners.net/forum/viewtopic.php?t=775445

    3. anothercynic Silver badge

      Bingo...

      Indeed. Even the RAT is in the tail.

    4. diodesign (Written by Reg staff) Silver badge

      Nose cone

      Yup -- we've fixed that, ta. Don't forget to email corrections@ if you spot anything wrong so we can address it immediately.

      C.

  3. Magani
    Black Helicopters

    How long...

    ... before some mindless media peon writes the "Boeing Jumbo hacked" article with the requisite insinuations that "WE'RE ALL GOING TO DIE!"

    1. Tomato Krill

      Re: How long...

      Well, we are all going to die…

      1. Sgt_Oddball

        Re: How long...

        On a long enough period of time everyone's survival rate drops to zero...

        - The Narrator

      2. William Towle
        Coat

        Re: How long...

        > Well, we are all going to die…

        Hundreds of capitalists soon to perish? They shouldn't have gone in the first place

        // see you at the wedding -->

        1. William Towle
          Facepalm

          ...downvotes already?

          Looks like I picked the wrong week to start quoting Airplane!...

          1. Aussie Doc
            Pint

            Re: ...downvotes already?

            It's okay.

            I got the reference and gave you an upvote anyway. On the house ----->

        2. Cynical Pie

          Re: How long...

          Shirley you can't be serious...

      3. waldo kitty
        Boffin

        Re: How long...

        Well, we are all going to die…

        yup! birth is a death sentence, after all...

  4. Nifty Silver badge

    "Established a persistent shell on an in-flight entertainment (IFE) system" made it sound as if the access was via the IFE itself. While in fact it was the Ethernet port in the galley. Not quite so exciting then.

    1. Anonymous Coward
      Anonymous Coward

      but they got an article published with their company name on it didn't they. The whole point of the exercise is as usual, a PR stunt. Next year... it will be 'we hacked a boat'... no wait.. they did that last year already...

      1. Anonymous Coward
        Anonymous Coward

        "Security research" vs "security theater": can you spot the difference?

        "The whole point of the exercise is as usual, a PR stunt."

        Yep.

    2. zuckzuckgo Silver badge

      >Established a persistent shell on an in-flight entertainment (IFE) system

      Now the attackers can play Battlefield Earth on continuous loop until the passengers force the aircraft down just to stop the suffering.

  5. trevorde Silver badge

    Upgrade to In-Flight Entertainment

    Now running on MS-DOS3.0

    I'd like to see them hack that!

    1. Blackjack Silver badge

      Re: Upgrade to In-Flight Entertainment

      Actually quite easy unless the thing lacks a floppy disk drive. Heck I hacked MS DOS 2.0 once.

  6. David Nash Silver badge
    Stop

    Non-story

    "...Using the exploits PTP found to pwn an in-flight 747 would be impossible in practice..."

    "...Moreover, though PTP declined to reveal more details when we asked about the system and particular aircraft involved, we were told the IFE system is now no longer in use in any 747 still flying today..."

  7. anothercynic Silver badge

    As much as...

    ... This is interesting to note, given that there are virtually no 747s in passenger service anymore, and those in freight service tend to not have IFE systems, this is a fluff piece that's well... pointless.

    Nevermind the 'bait and switch' here... "How we got persistent shell access on a 747" - No, you got persistent shell access to the IFE, not the 747. At least on the 747, there were distinct physically separate networks. Boeing only switched to VLAN-based access on the 787 (or was it the 777?) so this is rubbish.

    Oh, and for God's sake, please fact check not only your own work but also the work of the provider of the fluff piece, i.e. Pen Test Partners. Searching for "APU location 747" would show you instantly where it is, the tail end, not the nose end.

    Call me grouchy, but when it comes to accuracy (and past rubbish fluff pieces about network security on planes), I'll be pretty pedantic. So, fix it please.

    1. diodesign (Written by Reg staff) Silver badge

      Very grouchy

      Yes, it's in the tail end and it's now fixed. The piece does also say that it's impossible to exploit in the wild, and it's more an interesting hack than anything else. If it was going to make planes fall out of the sky, we would say so.

      We're not perfect. We make mistakes just like everyone else.

      C.

  8. Simple Simon

    Run old systems for better security

    The big takeaway for me was that the system was so difficult to hack because it was so old.

    So, to maintain systems that can't be hacked, rather than upgrading internet facing servers, we should all be *down*grading them.

    1. iron Silver badge

      Re: Run old systems for better security

      It is funny how they describe Windows components and features that I remember using as if they are relics of a bygone age. Perhaps their hack would have been easier if they'd hired a dev / ex-sys admin in their 40s to explain NT to them.

      1. Roland6 Silver badge

        Re: Run old systems for better security

        It's notable that having determined the server was running NT that no mention is made of firing up an NT image back at the lab and experimenting with that - I'm sure disks are available on fleabay or friends of friends with old Technet CD distributions.

    2. Natalie Gritpants Jr

      Re: Run old systems for better security

      This. It can't be that hard to keep old exploit methods around, can it? I'm pretty sure the TLA professionals would. Far from being positive PR, this just tells me that PTP prefers shiny-shiny to useful-functional, and you shouldn't use them to test your infrastructure.

    3. Anonymous Coward
      Anonymous Coward

      Re: Run old systems for better security

      To build on the "old = unhackable" idea, the absence of vulnerable services was important. In this instance, the services the attackers tried to exploit were missing because they weren't invented when the system was deployed, but the same principle applies when you remove unnecessary services from a server.

      Another factor is that the longer software is in use, the more bugs are found and corrected. If the software starts with a finite number of bugs and errors are corrected at a higher rate than new ones are introduced, the program should get more secure with time.

      1. anothercynic Silver badge

        Re: Run old systems for better security

        And also, back in the early 90s, there were developers around who tried their damnedest to make sure their software was up to snuff, because they knew updates weren't a practically weekly occurrence as they are now...

        The kind of rubbish nowadays flogged as 'stable' is more an 'MVP' style standard. Minimum viable product... does it work? Yes. Does it do all the things in the standard test catalog without crashing? Yes. Does it fix annoying bugs of previous versions? Mostly. Ok, shove it out the door! We'll fix the rest next week. Or next month...

    4. Valheru

      Re: Run old systems for better security

      I am sure lots of folks are like me and keep old images of backtrack and other useful legacy toolboxes.

      There are lots of old machines still out there and the admins are looong gone and past caring.

  9. PTW
    Flame

    Surely

    They would have used external Aux power pack rather than spool up the APU[s]? You know, that's sorta why airports are covered in the things

    1. PRR Bronze badge

      Aux power pack or APU?

      > Surely... They would have used external Aux power pack rather than spool up the APU[s]? You know, that's sorta why airports are covered in the things

      Watch the walkthrough. These idle 747s are so idle the engines are removed (and water ballast added to balance). So surely in LONG-term parking. Out in a desert somewhere. There "may" be an AUX pack in sight just-in-case. But to move it and start it would disrupt the field staff's poker game and probably need authorization from a manager who is already dubious about geeks in his junk/storage yard.

      1. Richard 12 Silver badge
        WTF?

        Re: Aux power pack or APU?

        A hired diesel genny would have paid for itself in roughly 10-15 minutes.

        So either they did that and want to pretend they didn't, or they're idiots you shouldn't trust to decide which end of a fork to use.

  10. Dabooka
    Go

    Well I appear to be alone in my thinking

    I read this very much as a pointless but for-the-hell-of-it-exercise, and found it kind of interesting nonetheless.

    Okay, so it was not via the IFE but a virtually impossible to access Ethernet port. So the planes are pretty much out of service, the IFE is also redundant and it also needs clarification if it was in a lab or in the plane itself. And yes it had some technical inaccuracies (re: the location of the APU). So what?

    I still think this was someone just fucking about having been gifted access to one and thought 'That'd be a challenge' which it was. Crikey these comments are full of folk doing stuff with antiquated hardware just because they can. If they get a bit of exposure good for them, it isn't like some of the puff we see under the banner 'of research' with marketing droids pushing services.

    Nope, perfect Friday afternoon reading for me.

    1. Anonymous Coward
      Anonymous Coward

      Re: Well I appear to be alone in my thinking

      "it isn't like some of the puff we see under the banner 'of research' with marketing droids pushing services."

      Isn't it? To me, and to others posting here before me, it seems pretty much exactly like some of the stuff posted under the banner of "research" to get some company or some research group some (futile?) column inches.

      1. Dabooka

        Re: Well I appear to be alone in my thinking

        Oh sure it's different to a lot of what we see.

        Some survey of a couple of hundred people sponsored by a company that just so happens to sell SaaS or whatnot to help / hinder whatever the findings are. You can't compare the two at all.

  11. Irony Deficient

    PTP said

    Modern operating systems tend to use UTF-8, which encodes characters in a single byte rather than UTF-16's two bytes, PTP said,

    UTF-8 only encodes characters from U+0000 through U+007F as single bytes (viz preserving the seven-bit ASCII character range as is); other Unicode characters require between two and four bytes when UTF-8-encoded.

    1. Ken Hagan Gold badge

      Re: PTP said

      Also, Windows still uses UTF-16 for everything internally. Maybe PTP don't regard it as a modern operating system?

  12. Yet Another Anonymous coward Silver badge

    Bioterrorism Shock Headline

    We were able to introduce a toxic biological agent into the aircraft vital coffee supply by being given access to the coffee pot and the toilet

    1. You aint sin me, roit
      Pint

      Re: Bioterrorism Shock Headline

      Or just pour some out of the whisky miniature the hostess gave you...

      1. Yet Another Anonymous coward Silver badge

        Re: Bioterrorism Shock Headline

        Somebody doesn't fly Spirit / Ryanair

    2. Chloe Cresswell Silver badge

      Re: Bioterrorism Shock Headline

      Sure that wasn't Jack Black trying to hide a packet of drugs?

  13. Michael B.

    Are there any passenger 747s still flying?

    At this point it's almost like finding a vulnerability in, say, a Ford Sierra's ecu, vaguely interesting but of no security value at all.

    1. Lon24

      Re: Are there any passenger 747s still flying?

      That's what struck me - until I remembered Air Force One. Now that would make an interesting hack ...

      1. tip pc Silver badge

        Re: Are there any passenger 747s still flying?

        Was that a burner account you used there?

      2. Cliffwilliams44 Silver badge

        Re: Are there any passenger 747s still flying?

        And Air Force 2. So that makes 2.

    2. chivo243 Silver badge

      Re: Are there any passenger 747s still flying?

      Not in the first two worlds, but I believe that some 3rd world countries may...

      However, a quick google informs me that in late 2020:

      there are 492 Boeing 747s in service, stored, or on order with airlines worldwide. 157 of these are passenger aircraft. 35 are in use, while 122 are in storage. Of these 35, 21 are passenger versions of the Boeing 747-400. Lufthansa is one of the only airlines operating a significant number of 747 aircraft for passenger flights.

      https://simpleflying.com/only-35-passenger-boeing-747s-remain-in-service/#:~:text=According%20to%20Cirium's%20analysis%2C%20there,of%20the%20Boeing%20747%2D400.

      I stand corrected!

      1. anothercynic Silver badge

        Re: Are there any passenger 747s still flying?

        Lufthansa however uses the 747-8, which is distinctly more modern and does not have an NT4 server somewhere in the avionics bay. :-)

      2. AJ MacLeod

        Re: Are there any passenger 747s still flying?

        I realise you're probably quoting, but I've never really understood how people can write "one of the only" without their heads exploding.

        1. Anonymous Coward
          Anonymous Coward

          @AJ MacLeod - Re: Are there any passenger 747s still flying?

          Like in ... one of the only few airplanes remaining ? Yeah, it sounds a little bit weird but it conveys the message quite nicely.

        2. 2Fat2Bald

          Re: Are there any passenger 747s still flying?

          Yes. Annoys the heck out of me "One of the most unique..."

          No. No no no no. "Unique" means there's only one - literally. What you meant to say is "One of the most unusual" or something. But something is either unique, or it isn't. You can't have comparative levels of uniqueness.

          Similarly. "I was only 2 minutes late and the boss literally tore my head off about it!". I think that's called "Capital punishment" and generally isn't permitted in the workplace. I think you meant to say was he *figuratively* tore your head off. Which is the diametric opposite of what you just said.

          I'm severely dyslexic. And I knew that.

    3. Roland6 Silver badge

      Re: Are there any passenger 747s still flying?

      >vaguely interesting but of no security value at all.

      Are you sure the 737-Max doesn't use the same (or slightly modified) IFE? Also, there are other places of interest that still use NT...

      It would not surprise me if Boeing used this 'proven' IFE on other aircraft...

  14. vtcodger Silver badge

    What Now?

    OK. So you head back toward the lavatory. Then your assistant fakes a heart attack and lures the flight attendants out of the galley. Then -- working quickly and efficiently -- you grab control of the In Flight Entertainment system. Then you ... what? ... Drive everyone on the aircraft mad by playing the same Celine Dion song over and over at full volume? Might work. Sort of. But what about the ones who snatch their headsets off? And those who looked at the available "entertainment" options and decided to sleep instead?

    1. John Brown (no body) Silver badge

      Re: What Now?

      "Then you ... what? ... Drive everyone on the aircraft mad by playing the same Celine Dion song over and over at full volume?"

      Oh FFS! RICK ASTLEY of course. Who wouldn't want to rick-barrel-roll a 747 full of "captives"?

    2. Albatross

      Re: What Now?

      No, complete Doctor Who? scenario - the minute you connect up your device, everyone with headsets on is turned into a Cyberman. Cyberperson? Okay, fine, a Dalek.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who Now?

        "the minute you connect up your device, everyone with headsets on is turned into a Cyberman."

        Wasn't there also one where they all downloaded the latest Cyber Windows Update, only for it to emerge that it was an Evilised Windows Update ? And that was before Windows 10, if I remember rightly.

  15. Steve Graham

    Penguins all the way down

    It's been over a decade since I flew long-haul, but I remember getting on board an Aer Lingus 747 at Dublin, and every seat-back screen was showing a Linux boot, with the Tux logo; and also a number of "file not found" errors. The latter probably not ideal for nervous passengers.

  16. Anonymous Coward
    Anonymous Coward

    Security thru obsolescence

  17. Kevin McMurtrie Silver badge

    Maybe not that hard

    How long does it take to access the Ethernet jack? If you've already worked out the details of the exploit, the whole delivery system could be packaged up into something small that looks like an ordinary dirty old airplane Ethernet jack cover. If you can switch to the higher voltage 10BASE-T spec, you might even be able to extract a few milliwatts of power from the signal line to enable indefinite low duty cycle wireless control.

    Then, once you've gained root access, you can finally execute your evil plan involving music from Rick Astley, Celine Dion, Spin Doctors, Nicketback, Rick Dees, William Shatner, whatever. Just make sure nobody sees that playlist on your phone screen or you won't live to the end of the flight.

  18. Anonymous Coward
    Anonymous Coward

    Ethernet dongles...

    There must be some tiny thing that you can plug into an ethernet port and route it to wifi?

    It'd be a great hacking tool, you often see terminals with an open ethernet port facing the customer...

    1. Richard 12 Silver badge

      Re: Ethernet dongles...

      There are a great many such hardware platforms. I've considered using one for a real product several times but the cost outweighed the coolness, sadly.

  19. arachnoid2

    They kinda made boundaries though

    It looks like they restricted exploits to passengers with no previous access and no prior remote access to any of the hardware. If you wanted to do it in the real world surely you would prep the system by initiating a patch, be it hands-on mission impossible style, or by inserting your code in the hardware vendor's server prior to the event or even, as has been mooted before over China, by having the vendor install your code in their firmware at manufacture.

    Plus all this having to access the wall jack seems lacking imagination, surely there are other attack vectors to the same network cable. Maybe through the toilet wall panels?

    All this seems to show is a complete lack of prior planning, and we all know where that gets you.

  20. ChrisBedford

    Esoteric at best

    ...and "the IFE system is now no longer in use in any 747 still flying today" - so a complete waste of time and effort then.

    1. arachnoid2

      Re: Esoteric at best

      Unless you use Stewie's time machine and go back to hack the plane

  21. billvo

    If PTP was trying to get C# code to run in cscript, that might have been the problem.

  22. Albatross
    FAIL

    Insider Threats

    "the necessary Ethernet port for gaining access is in the 747's galley: an area rarely left unattended for more than a few minutes during flight. Using the exploits PTP found to pwn an in-flight 747 would be impossible in practice."

    Unless, of course, the hacker is one of the flight attendants. Or the hacker connects an unobtrusive RJ45-to-wireless connector to the galley RJ45 port when boarding and then hacks from the comfort of their seat.

  23. 2Fat2Bald

    Maybe I mis-read something. Given that this is just the in flight entertainment system which I'd hope is very airgapped from anything flight-related I don't think anyone needs to be too worried.

    non-safety-related system.

    no longer used.

    hack is difficult to carry out.

    hack probably needs physical access to areas passengers generally don't have.

    Breathless news-speak version "Airliner hacked!" real-talk version "unusually convoluted and difficult way to break obsolete computer system discovered by curious nerds".

    About the worst of it is some disgruntled airline employee deciding to have a jape by substituting "Debbie Does Dallas" for "How the grinch stole Christmas" :-)
