Hacker turns a/c

Old 16th May 2015, 23:23
  #1 (permalink)  
Thread Starter
 
Join Date: Sep 2003
Location: Banks of the Black Warrior River, USA
Posts: 8
Likes: 0
Received 0 Likes on 0 Posts
Feds Say Researcher Commandeered a UA IFE

Feds Say That Banned Researcher Commandeered a Plane | WIRED
The Big Bunny DC-9 is offline  
Old 16th May 2015, 23:37
  #2 (permalink)  
 
Join Date: Feb 2008
Location: Wasilla, Alaska
Age: 69
Posts: 38
Likes: 0
Received 0 Likes on 0 Posts
FBI: researcher admitted to hacking plane in-flight, causing it to “climb”

FBI: researcher admitted to hacking plane in-flight, causing it to “climb” | Ars Technica

Chris Roberts told the FBI that he:

"connected to other systems on the airplane network after he exploited/gained access to, or "hacked" the [in-flight entertainment] system. He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or "hacking" the airplane’s networks. He used the software to monitor traffic from the cockpit system."
CargoFlyer11 is offline  
Old 17th May 2015, 02:54
  #3 (permalink)  
 
Join Date: Jun 2009
Location: California
Age: 54
Posts: 203
Likes: 0
Received 0 Likes on 0 Posts
Hacker turns a/c

SAN FRANCISCO — A computer security expert hacked into a plane's in-flight entertainment system and made it briefly fly sideways by telling one of the engines to go into climb mode.

In an interview on Feb. 13, 2015, Roberts told agents he had hacked into in-flight entertainment centers on Boeing 737s, 757s and Airbus A-320 aircraft "15 to 20 times."
Someone tell me that these a/c have physically separate networks for flight systems vs entertainment. Did the bean counters save a few $$$'s by using only one network device instead of 2?

This guy is a white hat. Probably formally requested a fix before demonstrating vulnerabilities as a last resort.
xcitation is offline  
Old 17th May 2015, 03:36
  #4 (permalink)  
 
Join Date: Jan 2005
Location: Can't remember
Posts: 51
Likes: 0
Received 0 Likes on 0 Posts
I'm sure the military would be very interested in an aircraft that can fly "sideways"
777boeings is offline  
Old 17th May 2015, 03:37
  #5 (permalink)  
 
Join Date: Nov 2000
Location: I wish I knew
Posts: 624
Likes: 0
Received 0 Likes on 0 Posts
Complete nonsense there is no connection from the IFE system to the EEC utter rubbish
Avenger is offline  
Old 17th May 2015, 03:52
  #6 (permalink)  

PPRuNe Secret Agent!



Moderator
 
Join Date: Nov 1999
Location: West Sussex, UK
Posts: 1,546
Likes: 0
Received 0 Likes on 0 Posts

Utter tosh on the 737/757...

Amazed the IFE was working though...
JB007 is offline  
Old 17th May 2015, 04:17
  #7 (permalink)  
 
Join Date: Jan 2009
Location: Cab of a Freight Train
Posts: 1,216
Received 117 Likes on 61 Posts
Old news. This bloke made headlines last month after United blacklisted him following a (hopefully) tongue-in-cheek tweet about deploying the oxy masks in flight.


That being said, I have no doubt it would be possible for someone sufficiently talented to view data on board, and perhaps even modify it. External systems are even easier. How about a TCAS RA based on a series of non-existent ADS-B transmissions? A false "Beware, pax in 14D is a hijacker" ACARS message to the crew?


How long it'll be before someone uses these vulnerabilities remains to be seen.
KRviator is online now  
Old 17th May 2015, 04:55
  #8 (permalink)  
 
Join Date: Nov 2009
Location: flying by night
Posts: 500
Likes: 0
Received 0 Likes on 0 Posts
Afaik TCAS gets range/distance from radio interrogation roundtrip time and extrapolates from differences to determine whether an a/c is getting closer. Angle/bearing from directional antennas. Both pretty hard to spoof... (unlike ADS-B altitude, heading and position). Most of these reported "hackers" seem to be attention whores who peddle hot air to journalists.

Last edited by deptrai; 17th May 2015 at 05:24.
deptrai is offline  
Old 17th May 2015, 05:26
  #9 (permalink)  
 
Join Date: Apr 2014
Location: Washstate
Age: 79
Posts: 0
Likes: 0
Received 0 Likes on 0 Posts
FWIW- the FEDS seem to believe him

Feds Say That Banned Researcher Commandeered a Plane | WIRED

and the search warrant is at

http://aptn.ca/news/wp-content/uploa...lectronics.pdf

IF- big IF true- then there is a bit of splainin to do by the so called ex- spurts !

But be sure to read the whole article !!

Last edited by SAMPUBLIUS; 17th May 2015 at 05:38.
SAMPUBLIUS is offline  
Old 17th May 2015, 05:41
  #10 (permalink)  
swh

Eidolon
 
Join Date: May 2001
Location: Some hole
Posts: 2,175
Received 24 Likes on 13 Posts
Complete nonsense there is no connection from the IFE system to the EEC utter rubbish
How does IFE display the position, altitude, speed, OAT, wind ?

How does IFE display the outside camera ?

How does IFE have channel 9 (cockpit and ATC transmissions) ?

While I know it's not the EEC, I would think there is an ARINC data bus between the IFE and the aircraft. Given that many of these busses contain bridges and gateways, direct control over an engine may not be required. With FADEC aircraft that connect to an autothrottle, I would think providing false sensor information onto the bus (e.g. change in one TAT input by 20 degrees), and then letting the engine through the autothrottle adjust performance may be a way to get this result.

Certainly convective clouds can have similar asymmetrical effects on TAT readings.
swh is offline  
Old 17th May 2015, 06:20
  #11 (permalink)  
 
Join Date: Nov 2009
Location: flying by night
Posts: 500
Likes: 0
Received 0 Likes on 0 Posts
Every time I looked into such "hackers" claims as reported in the media it turned out to be yet another movie plot. For various reasons "providing false sensor information" on an AFDX network/ARINC bus would require physical access to something else than IFE. To give just one example of an obstacle I see to the "hacker commandeers a/c via IFE" scenario is that all devices connected to an AFDX network are known and addressing is based on a fixed table of MAC addresses, and switches do some form of traffic policing. The aim is to lower latency and ensure bandwidth but a side effect is that it hardens the network. While there may be a physical wire between IFE and other devices (this is what inspires the movie plots), from the perspective of an IFE terminal communication between avionics components pretty much happens on a secure channel. If I see a "hacker" with an AFDX analyzer in an avionics compartment I'd be a bit concerned, but a "hacker" with an Android phone or a laptop in his seat, not really.

Last edited by deptrai; 17th May 2015 at 06:46.
deptrai is offline  
Old 17th May 2015, 06:44
  #12 (permalink)  
swh

Eidolon
 
Join Date: May 2001
Location: Some hole
Posts: 2,175
Received 24 Likes on 13 Posts
AFDX is only on the A380, 787, and A350.

The FBI claim to have evidence that indicates physical tampering with the under seat box and the connection of a cable to those boxes.

As for a MAC address itself, it is very easy to change on most devices in software. Often devices like IFE boot from the server, and have their MAC address displayed on the seat back screen during boot.
swh is offline  
Old 17th May 2015, 06:59
  #13 (permalink)  
 
Join Date: Oct 2000
Location: Berkshire, UK
Age: 79
Posts: 8,268
Likes: 0
Received 0 Likes on 0 Posts
<<How does IFE have channel 9 (cockpit and ATC transmissions) ?>>

Well, they do - that's for sure!

I don't know about TCAS deriving information from directional antennas? Where did this come from?
HEATHROW DIRECTOR is offline  
Old 17th May 2015, 07:00
  #14 (permalink)  
 
Join Date: Nov 2009
Location: flying by night
Posts: 500
Likes: 0
Received 0 Likes on 0 Posts
swh - I'm thinking out loud. Let's assume you connected your device X to an under the seat box. Yes you can easily change your device's MAC address in software. Now you want to change the MAC address of your device X, to spoof the MAC address of sensor Y. But how do you sniff the MAC address of sensor Y if there is no packet from or to Y on the segment of the network you're listening to? It also doesn't introduce itself to you with ARP broadcasts. You also can't alter the hardcoded table of MAC addresses that every device except yours has. Assuming you figured out a way, now how do you insert your spoofed packets to go beyond a switch that discards your packets?

Last edited by deptrai; 17th May 2015 at 08:00.
deptrai is offline  
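
The switch behaviour described in posts #11 and #14 (a fixed table of known devices plus traffic policing) can be modelled as follows. This is an added example, not part of the original thread and not code from any avionics vendor. The destination-MAC layout (constant prefix followed by a 16-bit virtual link ID) follows ARINC 664 Part 7 addressing, while the table contents, port numbers, the source-MAC check and the simple minimum-gap policing are assumptions of the model.

```python
from dataclasses import dataclass

AFDX_DST_PREFIX = bytes.fromhex("03000000")  # constant field of an AFDX destination MAC

@dataclass(frozen=True)
class VirtualLink:
    ingress_port: int  # the only switch port allowed to source this VL
    src_mac: bytes     # expected end-system MAC (check is an assumption of this model)
    bag_ms: float      # bandwidth allocation gap: minimum spacing between frames
    max_len: int       # largest frame permitted on this VL, in bytes

# Constructed static configuration table: loaded at build time, never learned.
VL_TABLE = {
    0x0010: VirtualLink(1, bytes.fromhex("020000012120"), 2.0, 200),
    0x0020: VirtualLink(2, bytes.fromhex("020000012220"), 8.0, 500),
}

class PolicingSwitch:
    def __init__(self, table):
        self.table = table
        self.last_seen = {}  # VL id -> arrival time (ms) of last accepted frame

    def ingress(self, port, dst_mac, src_mac, length, now_ms):
        """Return 'forward' or a drop reason for one received frame."""
        if dst_mac[:4] != AFDX_DST_PREFIX:
            return "drop: not an AFDX destination"
        vl_id = int.from_bytes(dst_mac[4:6], "big")
        vl = self.table.get(vl_id)
        if vl is None:
            return "drop: unknown virtual link"
        if port != vl.ingress_port:  # a copied MAC does not help on the wrong port
            return "drop: wrong ingress port"
        if src_mac != vl.src_mac:
            return "drop: unexpected source MAC"
        if length > vl.max_len:
            return "drop: frame too long"
        last = self.last_seen.get(vl_id)
        if last is not None and now_ms - last < vl.bag_ms:
            return "drop: BAG violation"  # simplified: real policing tolerates jitter
        self.last_seen[vl_id] = now_ms
        return "forward"

def dst(vl_id):
    """Build the destination MAC for a virtual link ID."""
    return AFDX_DST_PREFIX + vl_id.to_bytes(2, "big")
```

Because nothing in the table is learned from traffic, a frame with a correct-looking address that arrives on an unconfigured port is discarded before any policing state is touched.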
Old 17th May 2015, 07:11
  #15 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 15,810
Received 199 Likes on 92 Posts
Originally Posted by SAMPUBLIUS
But be sure to read the whole article !!
I agree, it does repay reading.

"Based on the investigation described above [principally an interview with Roberts and his Twitter claims], probable cause exists to believe that inside the Devices(s) described in Attachment A [iPad, MacBook, various hard drives and thumb drives, etc] will be found evidence, fruits and instrumentalities of a violation of Title 18, United States Code sections 1030(a)(2), 1030(a)(5)."

The relevant USC sections:

"1030(a)(2) Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;

1030(a)(5) Whoever-
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

shall be punished as provided in subsection (c) of this section."
DaveReidUK is offline  
Old 17th May 2015, 07:12
  #16 (permalink)  
 
Join Date: Nov 2009
Location: flying by night
Posts: 500
Likes: 0
Received 0 Likes on 0 Posts
Heathrow Director: as I understand it, a directional antenna with four slightly overlapping 90+ degree segments, is used to reduce overlapping transmissions/garble, multipath interference and/or other interesting things I know little about. TCAS II (current) uses a directional antenna on top of the a/c and most installations also a directional option at the bottom. Very neat and well engineered. A side effect is that there is some directional information which can't be spoofed easily...

see Introduction to TCAS II V 7.1 from the FAA, p 11, 12, 18, 19, much more details

cue "a firm grasp of the non-essential" for checkers.

Edit: TCAS doesn't derive angle/bearing from directional antennas (this was intended in TCAS III, but precision isn't good enough), yet the directional antennas could be an obstacle to a "hacker"

Last edited by deptrai; 17th May 2015 at 13:21.
deptrai is offline  
Old 17th May 2015, 07:22
  #17 (permalink)  
 
Join Date: Jan 2008
Location: Geneva
Posts: 188
Likes: 0
Received 0 Likes on 0 Posts
Complete nonsense there is no connection from the IFE system to the EEC utter rubbish
And there we have it - the attitude responsible for every successful computer security breach ever.
Gibon2 is offline  
Old 17th May 2015, 07:50
  #18 (permalink)  
 
Join Date: Apr 2011
Location: Tennessee
Age: 59
Posts: 21
Likes: 0
Received 0 Likes on 0 Posts
The so-called evidence of someone tampering with the Ethernet port near the "hacker's" seat is a slightly damaged housing and some slightly backed-out screws. Coincidentally this is the same damage the housing would receive if bumped a few hundred/thousand times by passenger feet and/or luggage.

Remember the first rule of aviation journalism is it's nearly certain the story has something to do with an aircraft, all other details are highly questionable. The reporters and editors in general interest "journalism" wouldn't notice the difference between a C-152 and B-747 carrying the Space Shuttle. If the hacker claimed to have hacked the microwave ovens in the crew-rest area of a Piper Cub to communicate with Mars they wouldn't spot anything fishy.
Tscottme is offline  
Old 17th May 2015, 08:03
  #19 (permalink)  
swh

Eidolon
 
Join Date: May 2001
Location: Some hole
Posts: 2,175
Received 24 Likes on 13 Posts
Now you want to change the MAC address of your device X, to spoof the MAC address of sensor Y. But how do you sniff the MAC address of sensor Y if there is no packet from or to Y on the part of the network you're listening to?
The MAC comments were in relation to AFDX which was developed for the A380, and then adopted by industry. Earlier aircraft like the one this person targeted use a different ARINC bus. My understanding is that these are linear buses where any device on the bus can listen to the bus. The bus design itself can be centrally controlled, or as in ARINC 629, control over the bus is distributed. Those buses are normally segregated/partitioned according to their function, and gateways/bridges connect different partitions.
swh is offline  
Old 17th May 2015, 08:18
  #20 (permalink)  
 
Join Date: Jul 2001
Location: Australia
Posts: 4,955
Likes: 0
Received 1 Like on 1 Post
If the hacker claimed to have hacked the microwave ovens -----
Actually, you might be surprised at the aviation mayhem you could generate with a hacked microwave oven with the door open, but I will not be the one to provide the details.
LeadSled is offline  

