deptrai

Click Click?

his point is when the aircraft doesn't do what he wants he turns of the autopilot

yssy.ymel

Hi swh,

I'm certainly well aware the the IFE has a front end that is based on a listener on an IP port. I use one on a regular basis. :-)

However, the question of the possibility of using the IFE as a pivot to access FMS and avionics packs is the item under discussion. And on that point, the likelihood of a threat actor actually managing to do what the "ethical hacker" has claimed to be able to do is, as far as I am concerned, not possible. I'm calling BS on that. He can claim to have done whatever he thinks. Show me the proof.

I've got a handle on ADS-B, MLAT and the ATC feeds that power FlightRadar. I host a receiver for FR24. :-) I know you mention that the moving maps use on-board data to plot the map, but I'd be interested in the way that data is retrieved. Is it purely a GPS based system which extrapolates velocity and altitude? That wouldn't require any access to the avionics of the aircraft. There will still be a very big gap between something that has an IP stack running linux, and something that is embedded and talks a very different protocol.

yssy.ymel

Ah right, very good.

swh

IFE displays the outside air temperature and wind, that does not come from GPS information, it requires air data.

HappyPass

Pardon me, SLF but maybe this can be interesting (?).
I've watched multiple reboots of a 747 IFE on a flight and it used a Windows CE OS and an xmodem protocol (which should be half-duplex?) at 115K baud rate.
There also were mentions of memory addresses.
Is this what you are talking about?

Dagegen

IFE generally takes data from secondary, read-only busses (i.e. not integrated GPS / accelerometers, etc.). They don't provide data to any critical systems; if they did, the certification of any IFE system would be a whole lot more difficult than it currently is.

The number of aircraft flying around with anomalies in one or the other of the data types on the flight information / moving maps is an indication that deciphering the information, even once you've got a feed, is not completely trivial.

System analysis & risk assessments are performed to ensure that the likelihood of a catastrophic failure is extremely improbable.

yssy.ymel

Thanks swh - that is indeed true. The question remains - is the method that is used to retrieve that data from the FMS an exploit vector? I think Dagegen sums it up quite well. No.

deptrai

is the method that is used to retrieve that data from the FMS an exploit vector?

To answer your question, there is morbid fascination with movie plot scenarios in the media, not helped by self-declared "experts" (like the guy we are talking about). I think this is the reason why this issue is getting discussed now. And no, it's not an exploit vector.

Nialler

I agree that there is an appatite for dramas like this, and - to pursue the analogy - there are a ready supply of actors prepared to take on the role of hero or baddy in it.

If this guy Roberts is telling the truth and if he managed to gain control of as much as the reading light over his seat other than through the normal method then he should be able to recreate it.

If you look at hacking tools they almost all generate activity logs and screenshots. The latter make for a more entertaining slideshow at the next hackers convention.

The thing is that I stopped attending these years ago. The fact is that the most many hackers can manage is to *see* the systems. I heard too often the formulaic: "having got this far I stopped for fear of the feds". Those I have spoken to about mainframe penetration admitted that they know nothing about the underlying hardware and the control block structures of address ranges. They weren't equipped to cause meaningful damage even if given a logon to the system.The ones I would fear are those that somehow *do* know the systems. The quiet ones.

deptrai

if I look at his tweet that started all this hysteria: "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? "

https://twitter.com/sidragon1/status/588433855184375808

he's throwing around words like "Box-IFE-ICE-SATCOM". So let me speculate a bit here...If he uses a packet sniffer on the ethernet, TCP/IP IFE network he can see that word, probably the IFE server host name. "PASS OXYGEN ON": when oxygen masks deploy, then there will be a message to the IFE to trigger a shutdown of the IFE. It does not mean he can deploy oxygen masks, as some media misunderstood. No signs that he could "hack" anything, except that he is able to use an ethernet packet analyzer (edit: obviously he could be able to turn off the IFE if he spoofed that message). There is nothing dramatic here, what I see is someone who is more like a 12 year old kid who plays with computer networking for the first time and thinks he is a "hacker" now because he downloaded some analysis tools, and then goes on to create a big drama about his abilities, and loves the attention. The "PASS OXYGEN ON" is something he would not have seen in flight, so I also believe he just regurgitates innocent things he "simulated" in his ground based lab with parts scavenged from ebay.

There are other such "hackers" who claimed they found vulnerabilities in real avionics (not only IFE), like a Flight Management System, and it turned out they had experimented with a PC based simulation of a Flight Management System (which is used as a training tool for Pilots). But believing that they can find vulnerabilities by using a PC based simulation which simulates some functions, is more than naive, the certified, proprietary, embedded system, running on a particular RTOS is coded very differently from a PC based learning tool...

and as you said Nialler, no professional would ever try to create publicity in this way United Airlines, which understandably banned him after he made a lot of people worried for no reason, even has a formal program to reward researchers who find bugs/vulnerabilities, if he was smart, he would have just submitted his findings there, if there was anything at all.

for those who believe this "hacker" is a threat to aircraft, here some more reading:

http://www.forbes.com/sites/thomasbr...ms-fallacious/

http://www.runwaygirlnetwork.com/201...in-fbi-report/

mach2.6

This story seems a bit unlikely. From the standpoint that there would never be a reason to interface HAL with any IFE system.
Did hacker take control of U.S. flight from his seat?

TWT

Old news.Thread running here:

http://www.pprune.org/north-america/...r-turns-c.html

ohnutsiforgot

...that United started a big advert campaign offering to reward any successful hacker. If this is supposed to be spin control, its clumsy.

SysDude

First, if I saw this nimrod tampering with the wiring next to me I would probably club him to death with my cellphone or laptop, and probably have a dozen helpers. This guy needs to be placed on the no-fly list and go to jail for risking the lives of everyone on the planes he may have imperiled.

Second, even if he were an AFDX expert (which I doubt), his simulations were undoubtedly based upon COTS routers and not real hardware, since he would have to get through dedicated, single purpose point-to-point virtual links certified to DO-178 standards to move up the tiers. The same scrutiny applies to the older protocols.

The whole thing seems like a bunch of hype, and the Feds rightfully called his bluff. I'll bet he does time.

FlightCosting

Just waiting a bidding war between Boeing and Airbus for this guy. His ability to get a fixed wing aircraft to fly sideways is a massive breakthrough. Just image the scenario.
Tower: BA123 you are on short finals and 1 mile left of centre line.
BA123: non problem Tower, I'll just activate the Chris Roberts mode!

hikoushi

If you look carefully, the flight tracker in the IFE (talking A330) only shows great-circle track to destination from present position to destination. So it has no link to route or flight plan. It DOES however have a connection to the ETA at destination in the FMS. Sitting in the back on break one day watched our ETA on the flight-tracker jump 30 minutes early. Called up to see about adjusting break times. Apparently the winds aloft had dumped out somewhere in the climb, and the boys up front re-inserted them so the airplane went from assuming a 30 knot wind (projected based on the current position wind) to a 150 knot tailwind for most of the flight (correct). When the FMS recalculated the landing time, that got fed thru to the IFE. However, it still thought we would be flying the great circle directly over Pyongyang, which did not occur.

So some things are connected, and some are not.

edmundronald

History shows 14 year olds getting into a lot of "inaccessible" computer systems.

Edmund

Nialler

Some examples?

I love the idea of the teenage savant.

Nialler

Exactly. Every intrusion I've encountered has merely been some "hacker" detecting the presence of a system. The moment they start trying anything the IP address is blocked, so brute force password efforts are eliminated.

On the systems I work even unumeration efforts result in an IP block.

Some of these "hackers" may get a thrill from seeing that they have access to a minframe logon screen but their efforts end their. All that they have done i gain access to a port and an IP address which are publicly available but not publicised. That's not hacking, and systems are designed to flick these flies of our butts with a judicious swish of the tail.

That said, I have to fear those who create tools in private.

deptrai

Chris Roberts, the "hacker", also claimed he has changed the temperature in the International Space Station, and rambles about altering target coordinates in nuclear missiles, in a talk he gave in 2012. I'm not going to post a link the video, it's a waste of time to watch it. The sad thing is that media reported his aircraft story uncritically.