A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see.

Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multi*stage attack that starts in the plane’s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.
Andy Greenberg writes about security for wired. He is the author of the forthcoming book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.

Boeing flatly denies that such an attack is possible, and it rejects his claim of having discovered a potential path to pull it off. Santa*marta himself admits that he doesn't have a full enough picture of the aircraft—or access to a $250 million jet—to confirm his claims. But he and other avionics cybersecurity researchers who have reviewed his findings argue that while a full-on cyberattack on a plane's most sensitive systems remains far from a material threat, the flaws uncovered in the 787's code nonetheless represent a troubling lack of attention to cybersecurity from Boeing. They also say that the company's responses have not been altogether reassuring, given the critical importance of keeping commercial airplanes safe from hackers.

More

A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia.“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

Conclusions

We hope that a determined, highly capable third party can safely confirm that these vulnerabilities are not exploitable due to the mitigation controls not visible to us during this analysis. We are confident owners and operators of these aircraft would welcome such independent validation and verification.

We believe as strongly in safety as we do in security. We provide these detailed findings herein so that all stakeholders, security industry and affected entities can form their own judgment as to the exploitability and impact of these confirmed software vulnerabilities.