|
@Sampublius:
PUUUHHLESE read the FBI warrant request posted several times http://aptn.ca/news/wp-content/uploa...lectronics.pdf granted these are allegations- but he ( hacker ) was specific about the In flight entertainment systems ( IFE). The ongoing argument is that such could not impact flight/cockpit controls. Even so hacking the IFE is a federal crime. One could ask - then why- since he admitted it - isn't he in Jail now ? Don't treat me like a :mad: teenager. Just don't. I've been in the business which I occupy for more than thirty years. Now please show me where in the whole litany of Due Process a search warrant is proof of guilt. Then you say that he "admitted it". Admitted or claimed? While you're turning his boast into an admission please specify the precise degree of the hack. One good reason why he may not be in jail is because of the fact that he may be a BS artist who didn't manage in any way to do what he has claimed. The hacker community is full of BS artists. I've invited them to hack systems that they claim to have hacked. They couldn't. It's that simple. There are several protections against brute force attacks. On the mainframes I've worked, enumeration (random scrolling for valis IDs) doesn't work. Three failed attempts blocks the IP address and the Logical Unit Address. Even with a valid ID, three failures does the same thing, though in some cases also blocks the entire subnet. My clients have offered money to self-professed hackers to display their wares - they have never succeeded despite significant financial inducements. It's the quiet ones which should be of concern.If they can really hack a system they'll keep it quiet and turn their technique into gold very quickly for fear that the entry point has been spotted. |
Groooan
Then you say that he "admitted it". Admitted or claimed? While you're turning his boast into an admission please specify the precise degree of the hack. Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states. “He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in his warrant application (.pdf). “He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.” Roberts did not immediately respond to Ars’ request for comment, but he told Wired on Friday that this paragraph was taken out of context. Further Reading Researcher who joked about hacking a jet plane barred from United flight United's move comes three days after FBI detained white hat hacker for 4 hours. "It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others," he said, declining to elaborate further. Check my initial post on the subject and the links and the claims by both sides and the supposed quotes. Bottom line - there ARE concerns at least for older planes prior to 777 for example per the fed register post earlier. And read the concerns stated at http://www.gao.gov/products/GAO-15-370 |
See Page Number 18
|
and on page 18 we find
re
http://www.gao.gov/assets/670/669627.pdf page 18 According to FAA and experts we interviewed, modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems. Aircraft information systems consist of avionics systems used for flight and in-flight entertainment (see fig. 4 below). Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack. However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them—as shown in figure 4 (below). Firewalls protect avionics systems located in the cockpit from intrusion by cabinsystem users, such as passengers who use in-flight entertainment services onboard. Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin. An FAA official said that additional security controls implemented onboard could strengthen the system. Could the guy have done just what he said ?:eek: " ALL four ex-spurts " agree ?? |
Maybe he did and maybe he didn't; but obviously the FBI isn't the only agency which thinks it's possible.
If it's possible, then we have to assign probability and react accordingly. I'm no expurt, but in my opinion some of the posts here ring of complacency or even denial. :rolleyes: There seems to be an attitude of "no one with any brains would design a system with such vulnerabilities." Unfortunately the historical record indicates otherwise. A few well known examples: Apollo 1 Challenger Columbia Pinto Drive On - Drive Off ferry boats HMS Sheffield And many others.... "It appears that there are enormous differences of opinion as to the probability of a failure with loss of vehicle and of human life. The estimates range from roughly 1 in 100 to 1 in 100,000. The higher figures come from the working engineers, and the very low figures from management. What are the causes and consequences of this lack of agreement? Since 1 part in 100,000 would imply that one could put a Shuttle up each day for 300 years expecting to lose only one, we could properly ask "What is the cause of management's fantastic faith in the machinery? .. It would appear that, for whatever purpose, be it for internal or external consumption, the management of NASA exaggerates the reliability of its product, to the point of fantasy." - R. Feynman |
From my last post in this thread....
Hullo, here we are in JB....there's a surprise. |
"Maybe he did and maybe he didn't; but obviously the FBI isn't the only agency which thinks it's possible. If it's possible, then we have to assign probability and react accordingly. I'm no expurt, but in my opinion some of the posts here ring of complacency or even denial." It's possible that there are a few people actually working in this area involved in the discussion. It's unlikely that they are complacent. |
Probability
If you have any understanding of typical aircraft architecture, you will understand why claims to have "taken control" of an aircraft are extremely improbable. Not trying to offend or be aggressive, I'm just curious. |
It's a well defined number and concept in the aviation systems design world, no?
10^-9 or less. Edit: And with your edit, mine comment looks aggressive...! :-) |
10^-9
One in a billion? I hope you are right.
Then what accounts for the concerns in the GAO report? I know I'm oversimplipifying, but wouldn't you first need to find the very few guys who could do it, and from them find the tiny portion who would do it? Are the GAO, the FAA, and the FBI responding to a non-existent threat? If they are, it wouldn't be the first time... |
There is not a single incident or accident report yet which would indicate "hacking of aircraft" is a problem; that could help to estimate the probabilities even without knowledge of a/c system design. It's an imaginary problem so far. The scaremongering is a real problem though, some statistician with a better grasp of numbers than me estimated that around 1600 people died following 9/11 because they chose to travel by car, instead of flying. I wonder what the probability is that someone will get killed in a road accident because they read stories about "hacking of aircraft"...probably more than those who get killed by "hacked" aircraft?
|
Unforeseen Consequenses
Agreed, that's a very good point.
I wonder how many more have suffered stress related health problems resulting from the frustrations of waiting in screening lines? ;) |
Years ago he built a small "lab" with some IFE parts bought off ebay |
and on Page 18
@SAMPUBLIUS
Now about the claims that such a system can never be hacked ? However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them—as shown in figure 4 (below) The first is that the avionics and FMS are exposed via an IP port to the rest of the aircraft systems. I would find it extremely unlikely that there would be permissive access from any other system inbound to any critical system on an aircraft. That's security 101. Door is shut, reinforced, welded and concreted. Secondly, there is an assumption (that in this case), the avionics actually talk IP at all. As someone asked - "well how to the get the moving map?" How do I get it off FlightRadar24? I'm obviously not connected to an FMS to see where the plane is. Thirdly, that given I get get access to an unlikely exposed TCP port, how am I going to deploy a payload to an embedded system that I don't know, or have an exploit framework for. It'd be like trying to exploit a Mainframe switch major node with a Zeus attack. Pretty pointless, even though the major node talks IP. If the guy in this story "hacked" anything, he probably owned the IFE. And he didn't need plug in to do that if it was WiFi. In terms of the GAO report, it's the same security principles that any enterprise organisation would implement. It's nothing new, and really it's just a bunch of the usual security talking heads doing the rounds on the speech circuit. Security Professionals for Hire. Look, the paradigm may be different for the A350 and B787, but heck, if you expose a service, expect the door to be knocked on. Which is why you would have to say that door is closed and locked... |
Well yssy:
What's your definition of "Extremely Unlikely"? I'm not qualified to form my own opinion, I'm just taking a survey. Do you agree with 10^-9? |
Likelihood
What's your definition of "Extremely Unlikely"? I'm not qualified to form my own opinion, I'm just taking a survey. Do you agree with 10^-9? |
IDK about any of that cr@p, but a simple click click would solve everything.
|
IDK about any of that cr@p, but a simple click click would solve everything Click Click? |
Click click?
|
Secondly, there is an assumption (that in this case), the avionics actually talk IP at all i386 computer running Redhat Linux 2.4.10, starts IP services, including ICMP, UDP, TCPIP, IGMP, and connects with port 50071. It uses Iptables as well, so there is more than enough information to understand how they have set it up. As another poster pointed out, you can buy one of these computers off ebay for $35. No hacking or sniffing, no hardware, not even on the aircraft, just watching a youtube video. How do I get it off FlightRadar24? |
Click Click?
his point is when the aircraft doesn't do what he wants he turns of the autopilot |
Hi swh,
IFE does, have a look at this video on youtube However, the question of the possibility of using the IFE as a pivot to access FMS and avionics packs is the item under discussion. And on that point, the likelihood of a threat actor actually managing to do what the "ethical hacker" has claimed to be able to do is, as far as I am concerned, not possible. I'm calling BS on that. He can claim to have done whatever he thinks. Show me the proof. What is seen on FlightRadar24.... |
his point is when the aircraft doesn't do what he wants he turns of the autopilot :D |
Is it purely a GPS based system which extrapolates velocity and altitude? |
Originally Posted by swh
Yes it is 777/A330/A340. It is not Ethernet, it is not simplex, it is time division multiplex (multiple source, multiple sink), with a limit of 128 devices per bus. Inductive coupling is also used by design.
I've watched multiple reboots of a 747 IFE on a flight and it used a Windows CE OS and an xmodem protocol (which should be half-duplex?) at 115K baud rate. There also were mentions of memory addresses. Is this what you are talking about? |
IFE generally takes data from secondary, read-only busses (i.e. not integrated GPS / accelerometers, etc.). They don't provide data to any critical systems; if they did, the certification of any IFE system would be a whole lot more difficult than it currently is.
The number of aircraft flying around with anomalies in one or the other of the data types on the flight information / moving maps is an indication that deciphering the information, even once you've got a feed, is not completely trivial. System analysis & risk assessments are performed to ensure that the likelihood of a catastrophic failure is extremely improbable. |
IFE displays the outside air temperature and wind, that does not come from GPS information, it requires air data. |
is the method that is used to retrieve that data from the FMS an exploit vector?
To answer your question, there is morbid fascination with movie plot scenarios in the media, not helped by self-declared "experts" (like the guy we are talking about). I think this is the reason why this issue is getting discussed now. And no, it's not an exploit vector. |
I agree that there is an appatite for dramas like this, and - to pursue the analogy - there are a ready supply of actors prepared to take on the role of hero or baddy in it.
If this guy Roberts is telling the truth and if he managed to gain control of as much as the reading light over his seat other than through the normal method then he should be able to recreate it. If you look at hacking tools they almost all generate activity logs and screenshots. The latter make for a more entertaining slideshow at the next hackers convention. The thing is that I stopped attending these years ago. The fact is that the most many hackers can manage is to *see* the systems. I heard too often the formulaic: "having got this far I stopped for fear of the feds". Those I have spoken to about mainframe penetration admitted that they know nothing about the underlying hardware and the control block structures of address ranges. They weren't equipped to cause meaningful damage even if given a logon to the system.The ones I would fear are those that somehow *do* know the systems. The quiet ones. |
If this guy Roberts is telling the truth https://twitter.com/sidragon1/status/588433855184375808 he's throwing around words like "Box-IFE-ICE-SATCOM". So let me speculate a bit here...If he uses a packet sniffer on the ethernet, TCP/IP IFE network he can see that word, probably the IFE server host name. "PASS OXYGEN ON": when oxygen masks deploy, then there will be a message to the IFE to trigger a shutdown of the IFE. It does not mean he can deploy oxygen masks, as some media misunderstood. No signs that he could "hack" anything, except that he is able to use an ethernet packet analyzer (edit: obviously he could be able to turn off the IFE if he spoofed that message). There is nothing dramatic here, what I see is someone who is more like a 12 year old kid who plays with computer networking for the first time and thinks he is a "hacker" now because he downloaded some analysis tools, and then goes on to create a big drama about his abilities, and loves the attention. The "PASS OXYGEN ON" is something he would not have seen in flight, so I also believe he just regurgitates innocent things he "simulated" in his ground based lab with parts scavenged from ebay. There are other such "hackers" who claimed they found vulnerabilities in real avionics (not only IFE), like a Flight Management System, and it turned out they had experimented with a PC based simulation of a Flight Management System (which is used as a training tool for Pilots). But believing that they can find vulnerabilities by using a PC based simulation which simulates some functions, is more than naive, the certified, proprietary, embedded system, running on a particular RTOS is coded very differently from a PC based learning tool... and as you said Nialler, no professional would ever try to create publicity in this way :) United Airlines, which understandably banned him after he made a lot of people worried for no reason, even has a formal program to reward researchers who find bugs/vulnerabilities, if he was smart, he would have just submitted his findings there, if there was anything at all. for those who believe this "hacker" is a threat to aircraft, here some more reading: http://www.forbes.com/sites/thomasbr...ms-fallacious/ http://www.runwaygirlnetwork.com/201...in-fbi-report/ |
Attention Hackers- shake the stick when you have control
This story seems a bit unlikely. From the standpoint that there would never be a reason to interface HAL with any IFE system.
Did hacker take control of U.S. flight from his seat? |
|
Somewhat disturbing
...that United started a big advert campaign offering to reward any successful hacker. If this is supposed to be spin control, its clumsy.
|
Nimrod tampering with wiring in cabin
First, if I saw this nimrod tampering with the wiring next to me I would probably club him to death with my cellphone or laptop, and probably have a dozen helpers. This guy needs to be placed on the no-fly list and go to jail for risking the lives of everyone on the planes he may have imperiled.
Second, even if he were an AFDX expert (which I doubt), his simulations were undoubtedly based upon COTS routers and not real hardware, since he would have to get through dedicated, single purpose point-to-point virtual links certified to DO-178 standards to move up the tiers. The same scrutiny applies to the older protocols. The whole thing seems like a bunch of hype, and the Feds rightfully called his bluff. I'll bet he does time. |
Just waiting a bidding war between Boeing and Airbus for this guy. His ability to get a fixed wing aircraft to fly sideways is a massive breakthrough. Just image the scenario.
Tower: BA123 you are on short finals and 1 mile left of centre line. BA123: non problem Tower, I'll just activate the Chris Roberts mode! |
Originally Posted by yssy.ymel
(Post 8980419)
Hi swh,
I'm certainly well aware the the IFE has a front end that is based on a listener on an IP port. I use one on a regular basis. :-) However, the question of the possibility of using the IFE as a pivot to access FMS and avionics packs is the item under discussion. And on that point, the likelihood of a threat actor actually managing to do what the "ethical hacker" has claimed to be able to do is, as far as I am concerned, not possible. I'm calling BS on that. He can claim to have done whatever he thinks. Show me the proof. I've got a handle on ADS-B, MLAT and the ATC feeds that power FlightRadar. I host a receiver for FR24. :-) I know you mention that the moving maps use on-board data to plot the map, but I'd be interested in the way that data is retrieved. Is it purely a GPS based system which extrapolates velocity and altitude? That wouldn't require any access to the avionics of the aircraft. There will still be a very big gap between something that has an IP stack running linux, and something that is embedded and talks a very different protocol. So some things are connected, and some are not. |
History shows 14 year olds getting into a lot of "inaccessible" computer systems.
Edmund |
History shows 14 year olds getting into a lot of "inaccessible" computer systems. I love the idea of the teenage savant. |
Basement dwelling geek probably using freeware like Wireshark to sniff data packets is not hacking. This guy is a fantasist attention seeker, not some kind of James Bond super Villain. That ridiculous beard will be a useful recognition aid for flight crew in future, the Commander will be able to deny boarding before he gets past check-in. On the systems I work even unumeration efforts result in an IP block. Some of these "hackers" may get a thrill from seeing that they have access to a minframe logon screen but their efforts end their. All that they have done i gain access to a port and an IP address which are publicly available but not publicised. That's not hacking, and systems are designed to flick these flies of our butts with a judicious swish of the tail. That said, I have to fear those who create tools in private. |
Chris Roberts, the "hacker", also claimed he has changed the temperature in the International Space Station, and rambles about altering target coordinates in nuclear missiles, in a talk he gave in 2012. I'm not going to post a link the video, it's a waste of time to watch it. The sad thing is that media reported his aircraft story uncritically.
|
| All times are GMT. The time now is 14:59. |
Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.