Hacker turns a/c
Join Date: Mar 2009
Location: YBBN
Posts: 48
Likes: 0
Received 0 Likes
on
0 Posts
Hi swh,
I'm certainly well aware the the IFE has a front end that is based on a listener on an IP port. I use one on a regular basis. :-)
However, the question of the possibility of using the IFE as a pivot to access FMS and avionics packs is the item under discussion. And on that point, the likelihood of a threat actor actually managing to do what the "ethical hacker" has claimed to be able to do is, as far as I am concerned, not possible. I'm calling BS on that. He can claim to have done whatever he thinks. Show me the proof.
I've got a handle on ADS-B, MLAT and the ATC feeds that power FlightRadar. I host a receiver for FR24. :-) I know you mention that the moving maps use on-board data to plot the map, but I'd be interested in the way that data is retrieved. Is it purely a GPS based system which extrapolates velocity and altitude? That wouldn't require any access to the avionics of the aircraft. There will still be a very big gap between something that has an IP stack running linux, and something that is embedded and talks a very different protocol.
IFE does, have a look at this video on youtube
However, the question of the possibility of using the IFE as a pivot to access FMS and avionics packs is the item under discussion. And on that point, the likelihood of a threat actor actually managing to do what the "ethical hacker" has claimed to be able to do is, as far as I am concerned, not possible. I'm calling BS on that. He can claim to have done whatever he thinks. Show me the proof.
What is seen on FlightRadar24....
Is it purely a GPS based system which extrapolates velocity and altitude?
Join Date: Feb 2011
Location: either CET or GMT
Posts: 1,174
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by swh
Yes it is 777/A330/A340. It is not Ethernet, it is not simplex, it is time division multiplex (multiple source, multiple sink), with a limit of 128 devices per bus. Inductive coupling is also used by design.
I've watched multiple reboots of a 747 IFE on a flight and it used a Windows CE OS and an xmodem protocol (which should be half-duplex?) at 115K baud rate.
There also were mentions of memory addresses.
Is this what you are talking about?
Join Date: Jun 2014
Location: London
Posts: 8
Likes: 0
Received 0 Likes
on
0 Posts
IFE generally takes data from secondary, read-only busses (i.e. not integrated GPS / accelerometers, etc.). They don't provide data to any critical systems; if they did, the certification of any IFE system would be a whole lot more difficult than it currently is.
The number of aircraft flying around with anomalies in one or the other of the data types on the flight information / moving maps is an indication that deciphering the information, even once you've got a feed, is not completely trivial.
System analysis & risk assessments are performed to ensure that the likelihood of a catastrophic failure is extremely improbable.
The number of aircraft flying around with anomalies in one or the other of the data types on the flight information / moving maps is an indication that deciphering the information, even once you've got a feed, is not completely trivial.
System analysis & risk assessments are performed to ensure that the likelihood of a catastrophic failure is extremely improbable.
Join Date: Mar 2009
Location: YBBN
Posts: 48
Likes: 0
Received 0 Likes
on
0 Posts
IFE displays the outside air temperature and wind, that does not come from GPS information, it requires air data.
Join Date: Nov 2009
Location: flying by night
Posts: 500
Likes: 0
Received 0 Likes
on
0 Posts
is the method that is used to retrieve that data from the FMS an exploit vector?
To answer your question, there is morbid fascination with movie plot scenarios in the media, not helped by self-declared "experts" (like the guy we are talking about). I think this is the reason why this issue is getting discussed now. And no, it's not an exploit vector.
To answer your question, there is morbid fascination with movie plot scenarios in the media, not helped by self-declared "experts" (like the guy we are talking about). I think this is the reason why this issue is getting discussed now. And no, it's not an exploit vector.
Last edited by deptrai; 18th May 2015 at 14:32.
Join Date: May 2008
Location: Paris
Age: 60
Posts: 101
Likes: 0
Received 0 Likes
on
0 Posts
I agree that there is an appatite for dramas like this, and - to pursue the analogy - there are a ready supply of actors prepared to take on the role of hero or baddy in it.
If this guy Roberts is telling the truth and if he managed to gain control of as much as the reading light over his seat other than through the normal method then he should be able to recreate it.
If you look at hacking tools they almost all generate activity logs and screenshots. The latter make for a more entertaining slideshow at the next hackers convention.
The thing is that I stopped attending these years ago. The fact is that the most many hackers can manage is to *see* the systems. I heard too often the formulaic: "having got this far I stopped for fear of the feds". Those I have spoken to about mainframe penetration admitted that they know nothing about the underlying hardware and the control block structures of address ranges. They weren't equipped to cause meaningful damage even if given a logon to the system.The ones I would fear are those that somehow *do* know the systems. The quiet ones.
If this guy Roberts is telling the truth and if he managed to gain control of as much as the reading light over his seat other than through the normal method then he should be able to recreate it.
If you look at hacking tools they almost all generate activity logs and screenshots. The latter make for a more entertaining slideshow at the next hackers convention.
The thing is that I stopped attending these years ago. The fact is that the most many hackers can manage is to *see* the systems. I heard too often the formulaic: "having got this far I stopped for fear of the feds". Those I have spoken to about mainframe penetration admitted that they know nothing about the underlying hardware and the control block structures of address ranges. They weren't equipped to cause meaningful damage even if given a logon to the system.The ones I would fear are those that somehow *do* know the systems. The quiet ones.
Join Date: Nov 2009
Location: flying by night
Posts: 500
Likes: 0
Received 0 Likes
on
0 Posts
If this guy Roberts is telling the truth
https://twitter.com/sidragon1/status/588433855184375808
he's throwing around words like "Box-IFE-ICE-SATCOM". So let me speculate a bit here...If he uses a packet sniffer on the ethernet, TCP/IP IFE network he can see that word, probably the IFE server host name. "PASS OXYGEN ON": when oxygen masks deploy, then there will be a message to the IFE to trigger a shutdown of the IFE. It does not mean he can deploy oxygen masks, as some media misunderstood. No signs that he could "hack" anything, except that he is able to use an ethernet packet analyzer (edit: obviously he could be able to turn off the IFE if he spoofed that message). There is nothing dramatic here, what I see is someone who is more like a 12 year old kid who plays with computer networking for the first time and thinks he is a "hacker" now because he downloaded some analysis tools, and then goes on to create a big drama about his abilities, and loves the attention. The "PASS OXYGEN ON" is something he would not have seen in flight, so I also believe he just regurgitates innocent things he "simulated" in his ground based lab with parts scavenged from ebay.
There are other such "hackers" who claimed they found vulnerabilities in real avionics (not only IFE), like a Flight Management System, and it turned out they had experimented with a PC based simulation of a Flight Management System (which is used as a training tool for Pilots). But believing that they can find vulnerabilities by using a PC based simulation which simulates some functions, is more than naive, the certified, proprietary, embedded system, running on a particular RTOS is coded very differently from a PC based learning tool...
and as you said Nialler, no professional would ever try to create publicity in this way United Airlines, which understandably banned him after he made a lot of people worried for no reason, even has a formal program to reward researchers who find bugs/vulnerabilities, if he was smart, he would have just submitted his findings there, if there was anything at all.
for those who believe this "hacker" is a threat to aircraft, here some more reading:
http://www.forbes.com/sites/thomasbr...ms-fallacious/
http://www.runwaygirlnetwork.com/201...in-fbi-report/
Last edited by deptrai; 18th May 2015 at 20:26.
Join Date: Feb 2009
Location: MIA
Posts: 35
Likes: 0
Received 0 Likes
on
0 Posts
Attention Hackers- shake the stick when you have control
This story seems a bit unlikely. From the standpoint that there would never be a reason to interface HAL with any IFE system.
Did hacker take control of U.S. flight from his seat?
Did hacker take control of U.S. flight from his seat?
Join Date: Jan 2015
Location: USA
Posts: 25
Likes: 0
Received 0 Likes
on
0 Posts
Nimrod tampering with wiring in cabin
First, if I saw this nimrod tampering with the wiring next to me I would probably club him to death with my cellphone or laptop, and probably have a dozen helpers. This guy needs to be placed on the no-fly list and go to jail for risking the lives of everyone on the planes he may have imperiled.
Second, even if he were an AFDX expert (which I doubt), his simulations were undoubtedly based upon COTS routers and not real hardware, since he would have to get through dedicated, single purpose point-to-point virtual links certified to DO-178 standards to move up the tiers. The same scrutiny applies to the older protocols.
The whole thing seems like a bunch of hype, and the Feds rightfully called his bluff. I'll bet he does time.
Second, even if he were an AFDX expert (which I doubt), his simulations were undoubtedly based upon COTS routers and not real hardware, since he would have to get through dedicated, single purpose point-to-point virtual links certified to DO-178 standards to move up the tiers. The same scrutiny applies to the older protocols.
The whole thing seems like a bunch of hype, and the Feds rightfully called his bluff. I'll bet he does time.
Join Date: Apr 2006
Location: ESSL
Age: 79
Posts: 61
Likes: 0
Received 0 Likes
on
0 Posts
Just waiting a bidding war between Boeing and Airbus for this guy. His ability to get a fixed wing aircraft to fly sideways is a massive breakthrough. Just image the scenario.
Tower: BA123 you are on short finals and 1 mile left of centre line.
BA123: non problem Tower, I'll just activate the Chris Roberts mode!
Tower: BA123 you are on short finals and 1 mile left of centre line.
BA123: non problem Tower, I'll just activate the Chris Roberts mode!
Join Date: Jun 2006
Location: B.F.E.
Posts: 228
Likes: 0
Received 0 Likes
on
0 Posts
Hi swh,
I'm certainly well aware the the IFE has a front end that is based on a listener on an IP port. I use one on a regular basis. :-)
However, the question of the possibility of using the IFE as a pivot to access FMS and avionics packs is the item under discussion. And on that point, the likelihood of a threat actor actually managing to do what the "ethical hacker" has claimed to be able to do is, as far as I am concerned, not possible. I'm calling BS on that. He can claim to have done whatever he thinks. Show me the proof.
I've got a handle on ADS-B, MLAT and the ATC feeds that power FlightRadar. I host a receiver for FR24. :-) I know you mention that the moving maps use on-board data to plot the map, but I'd be interested in the way that data is retrieved. Is it purely a GPS based system which extrapolates velocity and altitude? That wouldn't require any access to the avionics of the aircraft. There will still be a very big gap between something that has an IP stack running linux, and something that is embedded and talks a very different protocol.
I'm certainly well aware the the IFE has a front end that is based on a listener on an IP port. I use one on a regular basis. :-)
However, the question of the possibility of using the IFE as a pivot to access FMS and avionics packs is the item under discussion. And on that point, the likelihood of a threat actor actually managing to do what the "ethical hacker" has claimed to be able to do is, as far as I am concerned, not possible. I'm calling BS on that. He can claim to have done whatever he thinks. Show me the proof.
I've got a handle on ADS-B, MLAT and the ATC feeds that power FlightRadar. I host a receiver for FR24. :-) I know you mention that the moving maps use on-board data to plot the map, but I'd be interested in the way that data is retrieved. Is it purely a GPS based system which extrapolates velocity and altitude? That wouldn't require any access to the avionics of the aircraft. There will still be a very big gap between something that has an IP stack running linux, and something that is embedded and talks a very different protocol.
So some things are connected, and some are not.
Join Date: May 2008
Location: Paris
Age: 60
Posts: 101
Likes: 0
Received 0 Likes
on
0 Posts
Basement dwelling geek probably using freeware like Wireshark to sniff data packets is not hacking. This guy is a fantasist attention seeker, not some kind of James Bond super Villain.
That ridiculous beard will be a useful recognition aid for flight crew in future, the Commander will be able to deny boarding before he gets past check-in.
That ridiculous beard will be a useful recognition aid for flight crew in future, the Commander will be able to deny boarding before he gets past check-in.
On the systems I work even unumeration efforts result in an IP block.
Some of these "hackers" may get a thrill from seeing that they have access to a minframe logon screen but their efforts end their. All that they have done i gain access to a port and an IP address which are publicly available but not publicised. That's not hacking, and systems are designed to flick these flies of our butts with a judicious swish of the tail.
That said, I have to fear those who create tools in private.
Last edited by Nialler; 19th May 2015 at 15:30.
Join Date: Nov 2009
Location: flying by night
Posts: 500
Likes: 0
Received 0 Likes
on
0 Posts
Chris Roberts, the "hacker", also claimed he has changed the temperature in the International Space Station, and rambles about altering target coordinates in nuclear missiles, in a talk he gave in 2012. I'm not going to post a link the video, it's a waste of time to watch it. The sad thing is that media reported his aircraft story uncritically.