A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
Thread Starter
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 788
Maybe not earth-shattering, but probably worth reading and considering:
A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see.
Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multi-stage attack that starts in the plane’s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.
Andy Greenberg writes about security for WIRED. He is the author of the forthcoming book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.
Boeing flatly denies that such an attack is possible, and it rejects his claim of having discovered a potential path to pull it off. Santamarta himself admits that he doesn't have a full enough picture of the aircraft—or access to a $250 million jet—to confirm his claims. But he and other avionics cybersecurity researchers who have reviewed his findings argue that while a full-on cyberattack on a plane's most sensitive systems remains far from a material threat, the flaws uncovered in the 787's code nonetheless represent a troubling lack of attention to cybersecurity from Boeing. They also say that the company's responses have not been altogether reassuring, given the critical importance of keeping commercial airplanes safe from hackers.
Thread Starter
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 788
I would suggest that a good place to start thinking about this, even before digging into details, is with this question: "What were the system architects thinking when they decided that it was OK to have an inflight entertainment system that is not physically separated from flight control systems?" Some air gaps are really very important.
Thread Starter
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 788
I don't think it much matters whether or not the timing is coincidental. At least, it shouldn't matter to the industry, the regulators and the flying public. The only real issue for all of us is whether and to what extent the information the hacker has published reveals potential cybersecurity vulnerabilities in the 787.
Join Date: Aug 2019
Location: UK
Posts: 1
I would suggest that a good place to start thinking about this, even before digging into details, is with this question: "What were the system architects thinking when they decided that it was OK to have an inflight entertainment system that is not physically separated from flight control systems?" Some air gaps are really very important.
The only exploits for which I've seen credible evidence are things like GNSS spoofing, which, while it has the potential to be an enormous pain in the **** and under some circumstances could be a contributing factor in an accident, is by itself not going to be enough to 'hack' a plane in the media sense of hijacking it and flying it into terrain/populated areas. Besides that one weirdo who claimed to have made the plane he was on 'fly sideways' a few years ago, I haven't seen anyone who's not a tabloid journalist suggest that flight controls could be taken over via the IFE.
This follows on from the 2016 demonstration of the vulnerabilities with the Boeing 757.
From Avionics International:
https://www.aviationtoday.com/2017/1...king-dhs-says/
A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.
JAS
Conclusions
We hope that a determined, highly capable third party can safely confirm that these vulnerabilities are not exploitable due to the mitigation controls not visible to us during this analysis. We are confident owners and operators of these aircraft would welcome such independent validation and verification.
We believe as strongly in safety as we do in security. We provide these detailed findings herein so that all stakeholders, security industry and affected entities can form their own judgment as to the exploitability and impact of these confirmed software vulnerabilities.
Join Date: Mar 2015
Location: uk
Posts: 16
"sprintf" is NOT an unexploitable function - it can (and has in the past) been used as an exploit for buffer overruns.
By contrast, "snprintf" (note the extra 'n') is MUCH safer, the 'n' being a buffer limit length set by the programmer.
Also it beggars belief that they allow "sprintf" in their coding standard, we use "snprintf" and similar exclusively, to cut down on the possibility of bugs and exploits, and it's usual practice these days for C programmers in industry.
Last edited by a_q; 8th Aug 2019 at 15:44. Reason: add more detail
Thread Starter
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 788
"Compiler level-mitigations can work even if they are not added to the resulting binary."
Santamarta has a rather sharp sense of humor. And he doesn't seem fazed by Boeing's response.
As pointed out just above, sprintf is definitely exploitable. For some basic insight, Google "format string attacks."
Join Date: Nov 2014
Location: Netherlands
Posts: 6
I do assume that Boeing's code standards require formal proof for each and every line of code. It would also be very possible that Boeing uses a compiler that performs extra memory management steps and explicitly forbids writing outside of allocated memory space for a specific pointer. That would also make it unexploitable but also break strict C language specifications.
But in the general case you're right, using snprintf is an easy way to prevent a buffer overflow if all those precautions had not been taken and/or an error was made in the proof or the implementation of those compiler level memory management precautions.
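The difference between the two calls discussed in the posts above, as an added C example that is not part of any post in this thread or of Boeing's code; the function names and the 16-byte buffer are constructed for illustration. It also covers the format-string point raised earlier in the thread: the length bound only helps when untrusted text is passed as an argument and never used as the format itself.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_SIZE 16   /* constructed buffer size for this example */

/* Unbounded: sprintf writes as many bytes as its arguments produce.
 * If name is too long for the caller's buffer, it writes past the end. */
void label_unbounded(char *out, const char *name, int id)
{
    sprintf(out, "%s-%d", name, id);
}

/* Bounded: snprintf writes at most size bytes, including the NUL.
 * Its return value is the length the full output would have had,
 * so ret >= size means the result was truncated.
 * Returns 0 on success, -1 on truncation or encoding error. */
int label_bounded(char *out, size_t size, const char *name, int id)
{
    int ret;
    if (out == NULL || size == 0)
        return -1;
    ret = snprintf(out, size, "%s-%d", name, id);
    if (ret < 0 || (size_t)ret >= size) {
        out[0] = '\0';   /* fail closed: never return a cut-off label */
        return -1;
    }
    return 0;
}

/* Untrusted text goes in as an argument to "%s", never as the format,
 * so conversion specifiers inside it are copied as plain characters. */
int copy_text(char *out, size_t size, const char *untrusted)
{
    int ret = snprintf(out, size, "%s", untrusted);
    return (ret < 0 || (size_t)ret >= size) ? -1 : 0;
}

int main(void)
{
    char buf[LABEL_SIZE];
    printf("%d '%s'\n", label_bounded(buf, sizeof buf, "sensor", 7), buf);
    printf("%d '%s'\n", label_bounded(buf, sizeof buf,
           "a-name-longer-than-the-buffer", 7), buf);
    printf("%d '%s'\n", copy_text(buf, sizeof buf, "%x%x"), buf);
    return 0;
}
```

Checking the return value matters as much as the bound: a silently truncated string is a correctness bug even when it is no longer a memory-safety one.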
Join Date: Aug 2012
Posts: 1
"sprintf" is NOT an unexploitable function - it can (and has in the past) been used as an exploit for buffer overruns.
By contrast, "snprintf" (note the extra 'n') is MUCH safer, the 'n' being a buffer limit length set by the programmer.
Also it beggars belief that they allow "sprintf" in their coding standard, we use "snprintf" and similar exclusively, to cut down on the possibility of bugs and exploits, and it's usual practice these days for C programmers in industry.
Join Date: Aug 2017
Location: London
Posts: 94
Comment on theregister website:
"Wouldn't it be best to let IOActive onboard a 787 and tell them, "Have at it!"? If the plane is truly unhackable, as Boeing claims, then IOActive will not be able to do any harm, and Boeing will then be able to loudly and publicly proclaim that their own internal experts and an unpaid but motivated group of third-party pen testers were unable to find any exploits. Might even bump up Boeing's reputation, not to mention share price. Seems like a win-win to me.
They're not willing to do that? I wonder why."