A Boeing Code Leak Exposes Security Flaws Deep In a 787's Guts (wired.com) 177
An anonymous reader quotes a report from Wired: Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see. Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multistage attack that starts in the plane's in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.
At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible. Boeing said in a statement that it had investigated IOActive's claims and concluded that they don't represent any real threat of a cyberattack. "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads. "IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."
Boeing says the company put an actual Boeing 787 in "flight mode" to test and try to exploit the vulnerabilities. They found that they couldn't carry out a successful attack.
At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible. Boeing said in a statement that it had investigated IOActive's claims and concluded that they don't represent any real threat of a cyberattack. "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads. "IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."
Boeing says the company put an actual Boeing 787 in "flight mode" to test and try to exploit the vulnerabilities. They found that they couldn't carry out a successful attack.
Boeing is trustworthy (Score:5, Insightful)
Hardly any of their planes fall out of the sky do to design flaws or poor QC
Re: Boeing is trustworthy (Score:1)
Which is actually true. So being fearful of an attack on an airplane is ridiculous. You have far higher odds of dying at home or on the way to the airport. Or eating airplane food.
Re: (Score:1)
"So being fearful of an attack on an airplane is ridiculous." - Not really, it's as valid a fear as anything else. It's actually likely to happen, whatever low odds of 'you' being involved do not necessarily define the fear's scope or validity.
It will no doubt be something we see at some point if Boeing keeps leaving its important back-end network source code in public places for a world of very, very highly technical and angry people to pore over for a few years.
Those planes aren't going to be upgraded o
Re: Boeing is trustworthy (Score:5, Insightful)
Boeing says the company put an actual Boeing 787 in "flight mode" to test and try to exploit the vulnerabilities. They found that they couldn't carry out a successful attack.
In other words they self-certified that there were no problems.
Wait, haven't we been here before?
Re: (Score:1)
Usually, the timeline for exploits is something like this:
1. Researcher finds memory corruption issue, says it could be leveraged to take control of the system.
2. Company says the researcher's report is grossly misleading, since this is just a minor bug that could never be exploited to take control of the system.
3. Researcher takes control of the system.
The in-flight entertainment system is able to display position, speed and altitude which are coming from the airplane's flight data systems. There are also
Re: (Score:2, Flamebait)
That it's literally true is the joke. Kinda like a daycare that boasts it "rarely loses a child" or a restaurant that proudly proclaims no food poisoning deaths so far this month.
Re: Boeing is trustworthy (Score:4, Funny)
Re: (Score:2)
and oil
Self-flaming post (Score:2)
No need to flame this post
--
There is ZERO excuse for "hardly any" of their planes to not be qualify checked.
--
It flames itself.
Re: (Score:1)
At least no snakes have been found. Although, with Boeing's luck...
Re:Boeing is trustworthy (Score:4, Funny)
At least no snakes have been found. Although, with Boeing's luck...
Probably only because nobody looked in the permanently sealed compartments....
Little did the passengers know that every 787 had an anaconda lurking in its bowels, surviving on leftover food scraps that fell through the ventilation ducts by their feet. It lay in wait — hungry, angry, wanting only to devour.
Re:Boeing is trustworthy (Score:4, Insightful)
No snakes on the planes (except sometimes in first class) but in Boeing's boardroom, now that's a different story entirely. Boeing says, yeah but who gives a fuck, everyone knows now Boeing lies and they lie a lot and they will quite happily lie you nose first straight into the ground at hundreds of kilometres an hour, don't worry Boeing will claim it was all your fault.
Everyone ready for the massive Billion dollar Boeing bailout, you know it is coming, how is will they pay the executive bonuses.
Re:Boeing is trustworthy (Score:5, Funny)
Agreed. It appears that the greatest threat to aircraft are the powerful storms that appear over the Iberian peninsula. Or, in other words, the planes in Spain fall mainly in the rain.
Because of global warming, no doubt.
Re: (Score:2)
ouch
Re: (Score:2)
Re: (Score:1)
He is a security 'researcher,' didn't ya know?
Re: (Score:1)
There was a guy in my town just sentenced to 5 years for, "researching" the security of homes.
Re: (Score:3)
What does this tell us besides buy Airbus stock?
That land in the flight path near airports is perhaps not a great buy?
Re: (Score:2)
What does this tell us besides buy Airbus stock?
That land in the flight path near airports is perhaps not a great buy?
I laughing out loud over here, Well played sir.
Nothing to see here (Score:5, Insightful)
We have investigated ourselves and find the allegations to be baseless.
Re:Nothing to see here (Score:5, Interesting)
If Boeing were confident they'd park a 787 at McCarrran for Blackhat and would allow (supervised) participants to prove them wrong.
A press release probably sounds easier to them.
Re: (Score:1)
Perhaps only allow the 'security researchers' to prove them wrong with the plane in-flight.
Boing 787 is Open Source? (Score:3)
An Open Source airliner. Does that make you more, or less confident?
Try rubbing different crystals. (Score:1)
Boeing is having a really really bad year. They should boot the CEO to at least give investors a spot of hope.
Re: Try rubbing different crystals. (Score:4, Insightful)
Boeing is having a really really bad year.
Boeing stock is trading at $331. This time last year it was $339. Doesn't seem like a particularly bad year to me .... epecially given that a year earlier they were at $239, and at $129 the year before that.
Re:Sofware security stronger as the weakest link. (Score:5, Insightful)
Re: (Score:2)
The 737 MAX problem isn't a bug. It worked exactly as designed. It was a design flaw. What it was meant to do was not a good idea.
I agree, but i think there may have also been some bugs
Re:Sofware security stronger as the weakest link. (Score:5, Insightful)
What it's meant to do is perfectly fine. What it's designed to do was not a good idea. There is a difference. The fundamental functional description (what it's meant to do) is solid, computer aided trim to make an aircraft act like another.
The problem was in how it did it.
Something smells fishy (Score:3, Interesting)
Boeing is worthy of criticism, maybe even outright condemnation, but don't think for a minute that the likes of Airbus (and others) are beyond trumping up a bit of hysteria to gain a bit of an advantage in manipulating someone's orders and stock price - their own and/or Boeings.
IOActive (the security firm behind this article) has a strong European presence. Of the addresses listed on IOActive's contact page, one is US, two are European, and one is in Dubai. I suspect there's much more to this story than meets the eye.
and:
Boeing says the company put an actual Boeing 787 in "flight mode" to test and try to exploit the vulnerabilities. They found that they couldn't carry out a successful attack.
Carrying out a successful cyber attack on a 787 would likely require activities and physical connections that would be rather alarming to passengers and flight crew. Just because an 'attack' is possible doesn't mean it's realistic or credible. Sometimes the biggest damage and risk of a threat is simply pointing at it and yelling 'Fire!'
Re: Something smells fishy (Score:1)
You're far more likely to die in an unmaintained Lyft than you are any other way.
Re:Something smells fishy (Score:5, Insightful)
Boeing is worthy of criticism, maybe even outright condemnation, but don't think for a minute that the likes of Airbus (and others) are beyond trumping up a bit of hysteria to gain a bit of an advantage in manipulating someone's orders and stock price - their own and/or Boeings.
Do you have any evidence of this or are you just gracing us with unsubstantiated drivel?
IOActive (the security firm behind this article) has a strong European presence. Of the addresses listed on IOActive's contact page, one is US, two are European, and one is in Dubai.
This makes perfect sense to me. Every Seattle based company located in Boeings backyard /w offices in Europe is an Airbus stooge.
I suspect there's much more to this story than meets the eye.
I suspect you are a paid shill for Boeing.
Re: (Score:2)
Raising suspicions is always unsubstantiated. If you substantiate them, they become facts...
It is not unheard of for competitor companies to engage in espionage against each other, to direct media attention to unflattering information about their competitor, and so on. Don't take it on face value but don't just discount it because there's no proof.
When faced with a completely unsubstantiated assertion there are several things one could elect to do:
1. Agree as you're predisposed to agree
2. Disagree as you're predisposed to disagree
3. Ignore assertion as noise unworthy of anyone's consideration
4. Mock person(s) making and doubling down on unsubstantiated claims for wasting everyone's time.
I tend to agree both options 1 and 2 are problematic for the exact same reasons. Given lack of evidence drawing conclusions in either direction is unwarranted.
Howeve
Re: (Score:2)
Re: (Score:3)
If an in-flight entertainment system has a web browser
And if the inflight system has a command line interface with a poorly passworded sudo ...
These "hacks" require getting access to the system where the "electronic flight bag" is maintained. "There's a buffer overflow exploit" requires being able to put something into the buffer.
Don't know about systems other than on United, but their in-flight system has no text entry method. About the most complicated entry method is a credit card swipe. I doubt that this entry method has a buffer overflow that will get
Re: (Score:1)
"About the most complicated entry method is a credit card swipe."
So just bring a 3 feet long credit card.
Re: (Score:3)
Years ago, Boeing had indicated that the infotainment network, the CIS/MS, and the avionics network are physically independent. If the researcher found a way to jump from the infotainment network to the CIS/MS network, that is a significant development. Moreover, IIRC the CIS/MS network has radio links to the ground network.
But, even being able to impact the CIS/MS network is a pretty big potential impact from a security risk level.
Re: (Score:2)
If the researcher found a way to jump from the infotainment network to the CIS/MS network, that is a significant development.
It would be, especially if the CIS/MS system was somehow flight critical. What he actually said was "An attacker could potentially pivot, Santamarta says, ...", which means he hasn't found an actual way of doing this.
Moreover, IIRC the CIS/MS network has radio links to the ground network.
Do you know, I once saw on a TV program how the flight control system on a major airliner could be completely reprogrammed by someone riding on the top of a car while the airplane made a low, slow pass overhead? That's scary. The system had to be reprogrammed because, even though the pilot cou
Re: (Score:2)
Those networks clearly are not completely independent because they share data. Boeing even says as much.
That map you get on the infotainment system? At the very least it must be getting data on current position, speed, altitude and heading from the aircraft's other systems. Unless they fitted a duplicate set of sensors just for it (unlikely) then those will be the same systems feeding the avionics and CIS/MS network.
Of course it could still be completely safe. Consider a link that consists of a one-way opti
Re: (Score:2)
That map you get on the infotainment system? At the very least it must be getting data on current position, speed, altitude and heading from the aircraft's other systems.
I got it! I came up with the hack! If you READ TOO MUCH DATA from the navigation system you can overflow the navigation system output buffer and cause remote code execution!
There is a well-defined standard interface for transmission of navigation data called NMEA. It's a one-way serial interface, most often running at 4800 baud.
Of course it could still be completely safe. Consider a link that consists of a one-way optically isolated serial data stream
It doesn't even need to be optically isolated. Just please, can we stop getting hysterical predictions of how hackable this stuff is based on pure fantasy?
Worst case is that it allows polling, i.e. a polling command is send over which could potentially be exploited.
Pure fantasy.
it's possible they have found something like that in the CIS/MS code.
It's possible
Re: (Score:1)
I'd definitely optically isolate something like that. An electrical fault one one side should not affect the other.
Re: (Score:2)
Let's just stop making stuff up to spread fear and doubt, ok?
Re: (Score:2)
How can an optically isolated link with only one emitter and one receiver be hacked from the receiver side?
Re: (Score:2)
How can an optically isolated link with only one emitter and one receiver be hacked from the receiver side?
By using the emitter/rcvr on the other direction's optical path. "Optically isolated" does not imply "unidirectional" in any way, shape, or form. Optical isolation is not necessary to prevent hacking, and by conflating the two issues you look poorly informed, at best.
Re: (Score:2)
Read only data, typically serial, and is usually broadcast from the more secure system to the other.
Re: (Score:2)
Airbus doesn't have to hype anything. Air France gave them an order for 50-70 A220s last week. Airlines are taking a hit from lack of capacity because the Boeing jets are grounded and nobody can say for certain that more problems won't be found.
Re: Something smells fishy (Score:3)
Nobody can say for certain that more problems won't be found on airbus aircraft, either. That's a rather stupid bar to set.
Re: (Score:2)
Carrying out a successful cyber attack on a 787 would likely require activities and physical connections that would be rather alarming to passengers and flight crew. Just because an 'attack' is possible doesn't mean it's realistic or credible. Sometimes the biggest damage and risk of a threat is simply pointing at it and yelling 'Fire!'
I think you might be forgetting about the climbing onto the landing gear as the plane is taking off, getting into the secret guts of the plane where no one can see you, and hooking some alligator clips up to an important looking fuse box thing vector.
Often overlooked, always underestimated.
Re: (Score:2)
Carrying out a successful cyber attack on a 787 would likely require activities and physical connections that would be rather alarming to passengers and flight crew.
You're making a lot of assumptions about what looks alarming in a plane where every idiot has some wires attached from their personal electronics to some point of a plane. Much more so when you take into account that a 787 is often flown long distances, i.e. the kind of plane where the snoring of the passengers is louder than the engines.
Connected systems (Score:2)
Re: (Score:3)
Why on earth would you put the infotainment system on the same network as critical systems, particularly those responsible for making sure people don't end up dead?
To save money by not having to build out a separate network, or because they didn't understand VLANs or how to implement firewalls between networks?
Re: Connected systems (Score:2)
It also saves weight. 3 times the network cabling and fittings saves hundreds of pounds if you can just break it up via software.
Re: (Score:2)
Except the cabling to the entertainment system is all inside the cabin, while the cabling to the control systems are between the cockpit and the wings and tail. You maybe save on a 75% of a single cable run from the cockpit to the tail by letting it share bandwidth and latency with 500 video streams.
I'm inclined to believe Boeing here, the internet is full of people theorizing about hacks jumping from entertainment systems to control systems, but the only proven case is the Jeep that allowed its brakes to
Re: (Score:2)
You are dramatically underestimating the cable runs required for flight systems - multiple redundant paths to each control surface actuator from each avionics bay (fore and aft), multiple redundant paths to each avionics bay from the cockpit, plus the physical backup from the cockpit to each control surface from the cockpit, it all adds up.
Not saying Boeing did it for weight reasons, but your comment is extremely far off base.
VLANs aren't really separate (Score:2)
or because they didn't understand VLANs
I've worked in a corporate environment with VoIP phones on separate VLANs with reserved bandwidth. There were plenty of occasions over the years when extreme network traffic on the computer network side took out the phone network in some areas too, just by taking their switch CPUs to 100% utilisation. Isolation at layer 2 is not enough for safety-critical environments.
Re: (Score:2)
How much money could they possibly save by plugging two networks into each other?
Re: (Score:3)
Why on earth would you put the infotainment system on the same network as critical systems, particularly those responsible for making sure people don't end up dead?
Calm down. They didn't. Nobody said they did. This "researcher" is hypothesizing a lot of non-existent stuff. "It's on the same airplane" is leading to the assumption "it's on the same network".
Re: (Score:3)
Re: (Score:1)
If it were the case that the systems were not attached to the same physical network then Boeing would not have been compelled to "test" their system after the fact to be able to make a statement. They would have been able to simply respond with "they're air gapped, separate and distinct networks with no ability to communicate across and therefore not vulnerable." The very fact that they performed the test meant that at some level they believed there was a possibility of a vulnerability whether or not there in fact is one. It is this, not the researcher's claims that direct the conclusion that they exist on the system physical network hardware even if firewalled, VLAN'd, etc..
Given how complicated some systems can get it is worthwhile to check that the "air-gapped" system actually is.
Re: (Score:2)
The very fact that they performed the test meant that at some level they believed there was a possibility of a vulnerability whether or not there in fact is one.
You're making it up, putting words in their mouths and telling us what they think when you have no clue.
No, they could very well have done the testing knowing full well they'd find nothing, just to shut up the hysterical fiction being created about how hackable the system is. Can we just stop fantasizing all kinds of stuff? Please? If you have evidence of something, present it. If not, your made-up fear mongering is getting really tiring.
Classic mistake (Score:5, Insightful)
This is a classic security mistake: believing that your own inability to exploit a weakness means that weakness can't be exploited by anyone. Just because you can't figure out how to do it doesn't mean nobody else can.
Re: (Score:2)
Just because you can't figure out how to do it doesn't mean nobody else can.
^^^THIS.
They should print this out and hang it above the desk of every engineer and programmer.
Re: (Score:2)
Re: (Score:2)
Better to either just ask if anyone knows how to fly a plane, or announce that they are out of coffee.
Misdirection? (Score:5, Interesting)
I'm less worried about what this means for the 787, and more worried about what that unsecured server might allude to with respect to their defense work.
How much else has been leaked? What about bits of the F18? Or the F22? Are there various people out there wandering around with copies of all of their software?
Scary.
Re: (Score:3)
My guess is that it would be easier to just lay a missile into an F22 than for an enemy combatant to fly close enough to hack it out of the sky.
Re: (Score:2)
While that's probably true, such a leak would also mean that other (possibly hostile) nations can use it to develop their own competitive systems, and probably a few hundred other uses I can't think of. It's not just about the safety of an individual aircraft.
Re: (Score:2)
An enemy with access to the comms code may be able to jam the fuck out of it.
Re: (Score:1)
Re: (Score:2)
Looking at Russian and Chinese aircraft, it's pretty obvious that they have had access to some Boeing secrets for a while now. The opposite is true as well, US aircraft show occasional signs of having benefited from espionage.
As do British and French ones for that matter - much was made of the Russians stealing data on Concorde, but actually it was working both ways and French attempts to get details of the Tupolev SST resulted in a fatal crash.
Oh no (Score:3)
"Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible."
Oh shit, whenever you hear the word "impossible" when talking about exploits, bet on the exploit.
Re: (Score:2)
wh
Let the hackers loose on those grounded planes (Score:3)
attitude jets with a grain of salt (Score:3)
Nine times out of ten, this kind of access is not granted without some kind of pre-publication vetting contract or equivalent control over the investigator's short and curlies.
While it's not optimal to have these things published without access to the larger context, it's often even less desirable to have a partially muzzled investigation pretending to be something else.
Boeing has barely a leg to stand on right now, considering their lamentable disclosure in their relationship with the FCC throughout their 737 MAX design initiative. Good thing for their shareholder value that their attitude jets remain hard at it 24/7, diligently painting other parties as irresponsible.
I doubt this is exploitable (Score:2)
hyperbole much? (Score:2)
giant 737 and 787 passenger jets
BS right there.
If we were talking Boeing 747 or Airbus 380, fine. A 737, bread-and-butter is maybe not very small, but certainly no giant.
I'm sorely tempted to take TFA with a not-so-little grain of salt.
Wish that he would have reported it right away (Score:2)
The question is, how did it get on an open server? Was the server misconfigured
OR, was this code not supposed to be on this server, but was transferred there by somebody either through stupidity or with nefarious intentions?
Sadly, any of this is possible.
PuppetMedia Magic: On filtering out the truth (Score:2)
An article appeared later, last month in The Atlantic magazine, by so-called aviation expert, Richard Langewiesche, claiming there was nothing new or of value in the report. (In reading this article, it became obvious that Langewiesche has no knowledge of avionics, satellite technology or IT.)
FALSE ASSUMPTION: Nothing o
Time for 787 in PWN2OWN? (Score:2)
If Boeing is so confident, they should enter a brand new 787 in PWN2OWN. If it gets hacked, the hackers keep the plane. If not, Boeing can say they were willing to bet a quarter of a billion dollars that the plane is not hackable. That would be a lot more convincing tha. "We couldn't hack it, so it's unhackable".
Re: (Score:2)
Actually many Boeing engineers have gone on record they will not fly or allow their families to fly Boeing planes. They describe a culture inside Boeing that is focused on profits for shareholders and where safety has been sacrificed. Boeing has squandered decades of good will by outsourcing to third world countries and snubbing its own engineers .