Hacking the Boeing 787

The news articles are pretty sensational:

The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals.

And:

According to the U.S. Federal Aviation Administration, the new Boeing 787 Dreamliner aeroplane may have a serious security vulnerability in its on-board computer networks that could allow passengers to access the plane's control systems.

More press.

If this is true, this is a very serious security vulnerability. And the worry is not only a terrorist trying to take control of the airplane; it's the more common case of an ordinary software flaw that causes an unforeseen interaction with another system and cascades into a bigger problem. However, the FAA document in the Federal Register is not as clear as all that. It does say:

The proposed architecture of the 787 is different from that of existing production (and retrofitted) airplanes. It allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane. Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane. The existing regulations and guidance material did not anticipate this type of system architecture or electronic access to aircraft systems that provide flight critical functions. Furthermore, 14 CFR regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities that could be caused by unauthorized access to aircraft data buses and servers. Therefore, special conditions are imposed to ensure that security, integrity, and availability of the aircraft systems and data networks are not compromised by certain wired or wireless electronic connections between airplane data buses and networks.

But, honestly, this isn't nearly enough information to work with. Normally, the aviation industry is really good about this sort of thing, and it doesn't make sense that they'd do something as risky as this. I'd like more definitive information.

EDITED TO ADD (1/16): The FAA responds. Seems like there's more hype than story here. Still, it's worth paying attention to.

Posted on January 7, 2008 at 12:38 PM • 55 Comments

Comments

Timm Murray • January 7, 2008 12:59 PM

I don't get how this is such a problem. Avionics software has its system. Passenger Internet connections have their own system. Just don't put any data linkages between the two. There might be some interesting information you could display to passengers from avionics via an onboard web server (current altitude, speed, position, etc.), but I can't think of anything that would be worth the potential problems.

Tanuki • January 7, 2008 1:32 PM

Surely this sort of stuff could easily be handled by multicasting the "passenger information" data via an optocoupler or three... Passengers subscribe to the multicast stream to get their data but there's no reverse-path from passenger to plane.

gopi • January 7, 2008 1:39 PM

The last airplane I was on had per-seat displays that did video on demand, current flight info, as well as video games.

I'm now envisioning a future upgrade that lets you bring your saved PlayStation games on a standard memory card with you, to plug in.

I wonder if anybody would realize the buffer overflow risks inherent in doing that...

BMurray • January 7, 2008 1:41 PM

Judging by the FAA information this appears to be a problem I'm intimately familiar with: traditional safety engineering does not typically address security because its methodology revolves around component failure and not explicit subversion (malice). To my knowledge the safety world has yet to adopt (and is not interested in adopting) security as part of its problem and not irrationally: there's no real, provable methodology for security analysis like there is for safety. Conservative as safety engineers are (and must be), this is unlikely to change until a coherent security assurance methodology exists. It's not clear to me, however, that one is possible let alone on the horizon.

Worse, it can become commercially impossible to make the necessary safety decision when you are unable to adopt the security problem (that is, fail safely whenever the insecure component communicates), so in the face of commercially valuable (even necessary) new technology the correct and safe response is not viable. Customers are becoming less and less interested in safety cases because such cases must absolutely deny new convenience technology as long as we lack a security assessment methodology we can prove.

Look for more related issues as transportation technologies necessarily embrace network technologies that are increasingly open.

David Harper • January 7, 2008 1:47 PM

@gopi "The last airplane I was on had per-seat displays that did video on demand, current flight info, as well as video games."

British Airways offers this on some of its long-haul flights. I flew from London to Seattle last month on a 747. At the start of the flight, the senior purser told everyone about the video-on-demand system, and then explained that the system was a little flaky, especially under heavy load, so please would we refrain from hitting the buttons repeatedly if it didn't respond instantly. Happily, it worked just fine on my flight. I watched a couple of movies, and the plane did not fall out of the sky.

-ac- • January 7, 2008 1:49 PM

Are there any sensitive data/information telemetry feeds to/from the plane? That would be more interesting to the black hats, I should think. Sure hope the cockpit radio and black box feeds, etc., are air gapped. Would be bad if someone pranked a low fuel, engine fire, etc.

Riku • January 7, 2008 1:49 PM

Timm,

Current altitude, speed and position can all be pulled from a separate GPS receiver; there is no need to connect the avionics and navigation used by the pilot to in-flight entertainment.


David W • January 7, 2008 1:49 PM

Just to be clear, there doesn't appear to be any reference to a "physical connection" between these networks; packets containing movie data aren't getting sent on the same physical wire as, say, rudder control.

It would seem to me some component in the new design doesn't satisfy existing safety guidelines?

jbl • January 7, 2008 1:50 PM

I agree, the answer is an air-gap, or a gateway between two separate networks providing only one-way transport of information the airline would like the public to be able to see.

Till then, I'm looking forward to a new version of a Flight Simulator program that has real-time options!

Andreas • January 7, 2008 2:00 PM

Very frightening... I don't understand why such stupid decisions are made in times when everyone is afraid of terrorism (not always reasonably). This is IMO a stronger source of danger than a knife in the hand baggage. Only strict separation of networks brings security in such a life-critical environment. Imagine viruses spreading from passengers' laptops to flight computers...

Aaron • January 7, 2008 2:24 PM

I understand this has been the hot topic internally at Boeing for the last year. As the situation was explained to me, the engineers want to build a real fix (I assume that means an air gap), but the bean counters want to ship airplanes.

Boeing has basically bet the company on the 787. They can't afford any delays. That said, they probably can't afford little Tommy's PSP web browser crashing the avionics either.

The real question is why they didn't design it with an air gap in the first place.

Joseph • January 7, 2008 3:02 PM

So is there or is there not an air gap in the current design? Does anyone know?

Anonymous • January 7, 2008 3:31 PM

@ Joseph

The sentence from FAA document:

It allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane.

implies that there is no air gap.

Algirdas

anonymous • January 7, 2008 3:32 PM

I'm with Bruce. I want to see a lot more information.

I'm less worried about the 'real time flight simulator' than I am about unexpected interactions. I have some experience with transportation systems (not aircraft). Some have proprietary operating systems and IP stacks and can react in strange and unexpected ways when tested.

What happens when someone runs nmap on the network with oddball options? Hopefully the systems are more robust than some big name network gear a few years ago. What happens when some proprietary protocol gets interrogated to see if it can be identified? Even today a lot of software responds poorly to malformed packets. A surprising number of listeners just roll over and die if they don't receive a perfectly formed packet.

What happens if someone with some real skill figures out how to DoS some of the systems?

I for one will want to see how this resolves before I fly in a 787.
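The one-way "passenger information" feed Tanuki sketches above, combined with this comment's point that many listeners fall over on a malformed packet, as an added example that is not part of the original post or of any Boeing system: an avionics-side publisher that emits a fixed-size flight-info datagram, and a passenger-side subscriber that only reads, never replies, and drops anything that is the wrong length, fails its CRC, carries implausible values, or replays an old sequence number. The wire format, field bounds and sample packets are constructed assumptions for the example.

```python
"""One-way flight-info feed: publisher encoder and a subscriber parser that
rejects anything malformed instead of trusting the datagram.

Wire format, field ranges and the sample packets are constructed for this
example; they are not Boeing's or any real IFE protocol."""
import struct
import zlib

MAGIC = b"FI"          # constructed protocol tag
VERSION = 1
# magic(2) version(1) seq(4) altitude_ft(int32) groundspeed_kt(uint16)
# lat(int32, microdegrees) lon(int32, microdegrees), then crc32(4) over the body
BODY_FMT = "!2sBIiHii"
PACKET_FMT = BODY_FMT + "I"
PACKET_LEN = struct.calcsize(PACKET_FMT)   # 25 bytes


def encode(seq, alt_ft, gs_kt, lat_deg, lon_deg):
    """Avionics-side publisher: build one fixed-size datagram with a CRC trailer."""
    body = struct.pack(BODY_FMT, MAGIC, VERSION, seq, alt_ft, gs_kt,
                       round(lat_deg * 1e6), round(lon_deg * 1e6))
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


class FeedReceiver:
    """Passenger-side subscriber. It only ever reads; there is no reply path.

    parse() returns a dict for a valid datagram and None for anything that is
    the wrong length, wrong tag, fails the CRC, carries out-of-range values,
    or replays an old sequence number."""

    def __init__(self):
        self.last_seq = None
        self.rejected = 0

    def _reject(self):
        self.rejected += 1
        return None

    def parse(self, pkt):
        # Length first: struct.unpack would raise on a short packet; drop it instead.
        if len(pkt) != PACKET_LEN:
            return self._reject()
        magic, ver, seq, alt, gs, lat_u, lon_u, crc = struct.unpack(PACKET_FMT, pkt)
        if magic != MAGIC or ver != VERSION:
            return self._reject()
        if zlib.crc32(pkt[:-4]) & 0xFFFFFFFF != crc:
            return self._reject()
        # Plausibility bounds (constructed): refuse wild values rather than display them.
        if not (-2000 <= alt <= 60000) or not (0 <= gs <= 700):
            return self._reject()
        if not (-90_000_000 <= lat_u <= 90_000_000) or not (-180_000_000 <= lon_u <= 180_000_000):
            return self._reject()
        # Sequence must advance: stale or replayed datagrams are dropped.
        if self.last_seq is not None and seq <= self.last_seq:
            return self._reject()
        self.last_seq = seq
        return {"seq": seq, "alt_ft": alt, "gs_kt": gs,
                "lat": lat_u / 1e6, "lon": lon_u / 1e6}


def sample_stream():
    """Constructed datagrams: two good ones followed by four kinds of bad input."""
    good1 = encode(1, 35000, 480, 47.449, -122.309)
    good2 = encode(2, 34900, 478, 47.455, -122.290)
    truncated = good2[:-3]
    corrupted = bytearray(good2)
    corrupted[9] ^= 0x01                      # flip a bit inside the altitude field
    replay = good1                            # seq 1 arriving after seq 2
    out_of_range = encode(3, 35000, 9000, 47.0, -122.0)   # 9000 kt ground speed
    return [good1, good2, truncated, bytes(corrupted), replay, out_of_range]


def process_stream(rx, packets):
    """Run datagrams through the receiver; return (accepted records, rejected count)."""
    accepted = [rec for rec in (rx.parse(p) for p in packets) if rec is not None]
    return accepted, rx.rejected


if __name__ == "__main__":
    recs, bad = process_stream(FeedReceiver(), sample_stream())
    for r in recs:
        print(r)
    print("rejected:", bad)
```

On the constructed stream the receiver accepts the two well-formed datagrams and rejects the truncated, corrupted, replayed and out-of-range ones without ever raising.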

BMurray • January 7, 2008 3:36 PM

Regarding designed air gaps, let's keep in mind the process by which huge systems like this are designed: it's broken into subsystems with isolated responsibilities. Now let's say the high level architecture calls for a network for avionics communication and so forth. The network performance is specified, requirements drawn up, and that goes out to whoever (internal or ex-) builds the network. Now, at this stage in design, the performance requirements of the network are not really well known, so the specs have a high margin built in. Maybe incredibly high, based on an assumption of a known technology.

Now, later in the game someone notices the huge disparity between network capacity and network usage and sees a feature that could save a doomed project: maybe we can use the surplus capacity to provide customer content! Movies! Advertisements! Internet access!

A feature is born and probably *after* any initial safety assessment is done. Thankfully the FAA appears to be awake.

S. Arcasm • January 7, 2008 3:38 PM

@ "air gap" comments

Yeah, just like we protect "critical infrastructure" control systems.

ph0rman • January 7, 2008 4:10 PM

I'm working on the software/networking pieces of the 787 now & find this sort of FUD to be rather laughable. The systems to which a passenger would have any sort of access will in no way be able to affect anything approaching a critical system.

In my informed & somewhat humble opinion, this is just another movie plot threat, not something that is truly credible. Worrying about a "hacker" passenger affecting avionics is like worrying about your computer getting taken over because there is a telephone handset in the same room.

Marc M • January 7, 2008 4:20 PM

@Marc: You've got my name, and you've got my idea... Scary... I really had to think hard about whether or not it was I who posted that comment... I guess you just stole my identity :)

shoobe01 • January 7, 2008 4:46 PM

> current altitude, speed and position can all be pulled from a separate GPS receiver, it does not need to connect the avionics and navigation used by the pilot to In flight entertainment.

I think it's pretty obvious this is how at least most current systems work. The position info updates pretty infrequently, and is fairly jumpy and inaccurate. On landing at SFO, we touched down 30 ft below sea level before the runway levelled off 6 ft below. Sounds like a cheap, GPS-only system to me.

Tangerine Blue • January 7, 2008 5:09 PM

@ph0rman
> The systems to which a passenger
> would have any sort of access will
> in no way be able to affect anything
> approaching a critical system.

Bummer.

Could I hack the lights and buttons into a Tetris game?

Could I alter the in-flight movie selection?

jkc • January 7, 2008 5:52 PM

If what I've gleaned from Bruce's first link is correct, we're talking about ARINC 664. Essentially, it looks like UDP over IP over Ethernet. There appears to be some sort of virtual circuit routing going on, but nothing that looks like it was intended to be hackproof.

Tutorial here.
I am not reassured by the references to ALOHAnet, or by the detail in which it discusses the technology behind twisted-pair Ethernet.

Anonymous • January 7, 2008 6:54 PM

@ph0rman:

"I'm working on the software/networking pieces of the 787 now & find this sort of FUD to be rather laughable. The systems to which a passenger would have any sort of access will in no way be able to affect anything approaching a critical system."

I don't program 787s, but from some passing contact with people who do work in avionics, the mere idea that the people building the 787 are incompetent in the manner suggested by this thread is indeed quite funny.

SteveJ • January 8, 2008 5:17 AM

I read one report saying that Boeing had agreed to address the threat by adding physical separation between the systems and firewalls.

I've heard of defence in depth, so a belt-and-braces approach might be appropriate. But where exactly in the airgapped networks would you put the firewalls?

Now, I'm going to assume that it's not the Boeing software engineers who originated that snippet, so either it's the PR office panicking, or else someone has misunderstood some documents somewhere, and the firewalls are for a different purpose than the airgap. That being the case, there's not much point listening to anything else the press say about Boeing's response for the time being.

We won't get a sensible answer until some sanity has had a chance to filter through the wild speculation...

SteveJ • January 8, 2008 5:24 AM

@ph0rman: "Worrying about a "hacker" passenger affecting avionics is like worrying about your computer getting taken over because there is a telephone handset in the same room."

Fair comment. But we've been told for years, by supposedly-authoritative sources, that use of mobile phones on planes is "unsafe" because they might "interfere" with avionics (or, at the very least, with pilot-ground communications, which is still quite bad).

That being the case, it is natural to believe that it is indeed possible to interfere with avionics systems using a physically disconnected device.

Now, I'm prepared to believe that this is in fact not possible, and that we've been consistently lied to (or rather, that the risk has been exaggerated for the sake of a simple rule). But you can't entirely blame people for respecting the supposed authorities in the field. Even if the engineers involved in the technology know different, the average journalist has to treat the FAA as the authority, not the engineer.

Nathan T. Freeman • January 8, 2008 6:24 AM

@SteveJ

Actually, we've been told that everything from CD players to Gameboys to laptops to cell phones cause electrical interference with avionics. The supposed rationale is accidental electrical radio transmissions being emitted from activity over any internal wires. If the right electronic signals were to travel down the length of the wire to the headphones, while my head was at just the right angle, we would fly to Atlanta instead of Dallas.

So perhaps this is a resurgence of that obviously ridiculous premise. If a hacker learned how to send packets down the length of the wire to the router at just the right rate from just the right seat, it would turn the networking cable into some sort of emitting antenna that would reset sea level to minus 400 feet in the cockpit. No physical connection between the networks is required.

Personally, I think it sounds insane. But then, I think Van Eck phreaking sounds insane, and apparently some people are capable of doing it, so I'm clearly no expert.

solaraddict • January 8, 2008 6:43 AM

I sincerely hope for an airgap. Even if the networks were connected but unhackable (as if), can you say "etherkiller"?

bob • January 8, 2008 6:54 AM

This has to have been oversimplified to the point of changing the meaning. I can't imagine anyone at Boeing is dumb enough to provide a passenger network (good idea) with outside connectivity that also has any connection whatsoever with the fly-by-wire "bus" which controls basic functionality of the aircraft. Actually I can't imagine ANYONE ANYWHERE (ok, outside of TSA) being that dumb yet having survived to an age that could type.

The savings of having a shared backbone (which still requires the expensive part - unique host wiring to every seat) instead of running a unique isolated one would be trivial in both weight and expense yet the potential risk of sharing would be enormous. Actually, I wouldn't be very surprised to learn that Cisco makes a fiber optic switch specifically for passenger subnets in 2-engined airliners (with a different model for 3, 4-engined ones) that mounts in the standardized airline seats.

This would be a lot like going to inspect seams inside a half-loaded gasoline tanker in the dark with a blowtorch because you already had a lit one in your hand and you didn't want to invest the time that would be required to shut it off, put it down and get the (hazardous area rated) flashlight out of your pocket.

RSaunders • January 8, 2008 7:32 AM

The real problem is the Boeing response. From the first news piece, "Boeing spokeswoman Lori Gunter told wired.com the FAA document was misleading, and that the plane's networks don't completely connect. Gunter would not provide details about how Boeing is dealing with the issue beyond saying they are using a combination of physical and software solutions."

We need to stop sending Lori the PR person over to Wired. There are thousands of engineers at Boeing, send one of them instead. It's the weasel words like "don't completely connect" that cause the problem. What's the middle ground between "not pregnant" and "completely pregnant?" Can something be "partially connected" to an electric outlet? What does this mean, connected in a flimsy way? Awful.

The combination of physical and software solutions says they are connected. You couldn't use software if there wasn't a hardware link. That alone seems like a very bad choice. So bad, I have to agree with others in the forum who have suggested it just can't be the design.

This would all blow over if they had one of the real engineers write a statement for PR to put out.

FP • January 8, 2008 9:56 AM

It is worth a reminder that the FAA notice is not an indication of an existing issue, but merely a notice of "it's special because we haven't seen that before."

The FAA and its international counterparts are very conservative, as they should be. When they come across something that they haven't seen before, such as jet engines or fly by wire, they merely ask for proof that the new system is safe.

Maybe the connection is just to feed live navigation data from the cockpit to the passenger entertainment system, in which case there's probably a one-way router in between. So the FAA, never having seen a router, now asks for proof that the router does not affect the other systems in any circumstance.

I'm sure that Boeing can quickly supply the necessary documentation to satisfy the authorities.

D-Caf • January 8, 2008 10:34 AM

Here are a few articles about the system on the 787:

http://www.avtoday.com/av/categories/maintenance/932.html

http://www.avtoday.com/av/categories/commercial/832.html

Some key facts: core systems are separated from passenger data via a "firewall", i.e. no airgap. There is a common network shared by core systems (which includes radar, weather, avionics, etc.) and passenger systems like on-board entertainment. There are protected wireless LANs for the cockpit systems. A lot of cool new technology, but is it secure enough?

Conchubor • January 8, 2008 2:12 PM

It's simple why this occurs, and similar to why phone systems struggle with security. Those who control the budgets to buy planes don't take data security into consideration or think to include those who would. The requirements are never created and the features aren't built. There's no incentive if the aviation company still makes the sale and quarterly numbers are met. It is a shame.

Michael Richardson • January 8, 2008 6:27 PM

I've built some minor pieces of equipment for experimental aircraft. My experience is that not only is security a second thought, but that operational requirements make it almost undesirable. I.e. if the GPS/GIS can't load a map from the (solid state) NFS server because of a password error, it's a problem.

One of the major wins by going to digital controls on the bigger airplanes was a SIGNIFICANT reduction in weight due to copper wiring. I can believe that adding a second network to all (?-just business class?) the seats would be prohibitively expensive. I don't know anything about the 787, but I would not be surprised if the whole seat was network enabled --- i.e. the back of the seat screen is video-over-IP, etc.

As such, the video system is an "airplane system", and might well be disconnected from the control system. But the passenger desktops might well see it on the network.

abman • January 9, 2008 8:17 AM

What a shame; without the denials from probably well-informed people such as @ph0rman, I had a nice movie lined up in my head of the cabin-crew all unconscious and cabin-door locked with no override, and some spotty teen saving the day by hacking his flight simulator on his laptop to the plane's internal computer system by stealing their wireless WEP key, and landing the plane :)

Seems to me they'd be far more likely to do something like design the system with completely separate subnets, and then have some muppet forget to change the default password on the linking router to stop DoS on all network comms leading to a software hangup on control causing the plane to.... well, probably reboot after a few seconds of manual(?) control and monitoring by dual-redundant systems? All sounds very movie-plottish to me.

Anonymous • January 9, 2008 8:53 AM

It's obvious that this is a feature, not a security flaw. It's designed to make it easier for Jack Bauer to land the plane from his PDA before his flash memory explodes.

reswob • January 9, 2008 10:29 AM

Hey, I just thought of this: do you guys remember that Dilbert cartoon several years ago where the PHB controlled or crashed the plane by using his laptop?

Talk about life imitating art!

Kashmarek • January 9, 2008 5:45 PM

I believe that Ford now has cars equipped with Microsoft software. The only gain here is lower cost on the first failure. But it too is a target. Wanna bet on how that network is set up?

Nutjob • January 10, 2008 1:14 AM

If Boeing wanted to be able to use the plane's internet connection to upload data [weather, gate information, maintenance info] onto the glass cockpit displays, this would require a connection between the avionics and the same network in the passenger cabin.

Similarly, the TSA or airline might want avionics data and/or cabin/cockpit video downlinked over the same internet connection the paying customers would use.

Jari Arkko • January 11, 2008 4:25 AM

Bruce,

This article is more smoke than fact. If you look at the Shmoocon preso, it contains nothing new; a number of known issues in wireless LANs, link local IP addresses, and Windows systems using them. The last slide of the presentation goes on to make the conclusion that the 787 employs Windows and therefore all these bugs affect the 787. That is simply bogus. For instance, you would expect that control sensitive information inside the plane travels on wired networks. Even if wireless were to be applied, Boeing would have to be braindead to use an open, non-encrypted channel. The question is not just whether a particular OS has serious security vulnerabilities. We also have to know what configuration it runs in.

The FAA excerpt that got published also contains no data about specific problems. It is a discussion of what requirements to set for next-generation aircraft system networks. A discussion that needs to happen. The airline industry and the manufacturers are keen themselves to get the different domains within the plane separated. What counts as a safe form of separation?

Not So Funny • January 11, 2008 3:24 PM

With Microsoft Windows onboard, we soon will be talking about the Widows Operating System.

DrDweeb • January 14, 2008 6:08 PM

Slightly off-topic, but peripherally relevant.

Some spotty teenager in Lodz, Poland, using a TV remote control and a soldering iron, managed to take control of the trams (that's light rail for you septics) and inadvertently derailed/crashed a few of them with some personal injury to passengers as a result.

http://www.theregister.co.uk/2008/01/11/tram_hack/

The news is covered in several places.

Dweeb

hguhf • July 14, 2008 8:45 PM

With Microsoft Windows onboard, we soon will be talking about the Widows Operating System.

LOOOOOOOL

I'm laughing out Loud

Thanks for the post

BS • January 11, 2009 10:44 PM

What an awesome rumor. Come on, people. Take a vivid imagination, with a little FAA flavoring and conspiracy theory, and shake well... Absolute BS.

frank • February 9, 2009 10:46 PM

The Dec 2008 issue of the Proceedings of the IEEE is about Aviation Information Systems, and an article in particular titled "Secure operation, control, and maintenance of future e-enabled airplanes".

The thought of a passenger tripping into the critical avionics via his PDA is less troubling to me than that of a terrorist posing as technician who uploads software as part of "maintenance rounds". Would make physically breaking into the cockpit seem so 20th century.
