Go Back  PPRuNe Forums > Flight Deck Forums > Rumours & News
Reload this Page >

A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

Rumours & News Reporting Points that may affect our jobs or lives as professional pilots. Also, items that may be of interest to professional pilots.

A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

Old 7th Aug 2019, 23:05
  #1 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 707
Likes: 0
Received 0 Likes on 0 Posts
A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

Maybe not earth-shattering, but probably worth reading and considering:

A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see.

Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multi*stage attack that starts in the plane’s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.
Andy Greenberg writes about security for wired. He is the author of the forthcoming book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.

Boeing flatly denies that such an attack is possible, and it rejects his claim of having discovered a potential path to pull it off. Santa*marta himself admits that he doesn't have a full enough picture of the aircraft—or access to a $250 million jet—to confirm his claims. But he and other avionics cybersecurity researchers who have reviewed his findings argue that while a full-on cyberattack on a plane's most sensitive systems remains far from a material threat, the flaws uncovered in the 787's code nonetheless represent a troubling lack of attention to cybersecurity from Boeing. They also say that the company's responses have not been altogether reassuring, given the critical importance of keeping commercial airplanes safe from hackers.

More
OldnGrounded is offline  
Old 7th Aug 2019, 23:17
  #2 (permalink)  
 
Join Date: Jun 1999
Location: world
Posts: 3,424
Likes: 0
Received 0 Likes on 0 Posts
Good timing to try and plug one's book whilst Boeing is in the limelight. Coincidence?!!
Hotel Tango is offline  
Old 8th Aug 2019, 00:34
  #3 (permalink)  
 
Join Date: Nov 2000
Location: Canada
Posts: 576
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by Hotel Tango View Post
Good timing to try and plug one's book whilst Boeing is in the limelight. Coincidence?!!
But is it Accurate?
Longtimer is offline  
Old 8th Aug 2019, 01:08
  #4 (permalink)  
Paxing All Over The World
 
Join Date: May 2001
Location: Hertfordshire, UK.
Age: 66
Posts: 9,740
Received 1 Like on 1 Post
Havinng taken the download - did he then tell Boeing so that they could secure it?
PAXboy is online now  
Old 8th Aug 2019, 01:20
  #5 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 707
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by PAXboy View Post
Havinng taken the download - did he then tell Boeing so that they could secure it?
It appears that he did, which would be standard practice for people in his corner of the hacking world. Boeing said there is no problem, so nothing to secure. Not everyone agrees.

I would suggest that a good place to start thinking about this, even before digging into details, is with this question: "What were the system architects thinking when they decided that it was OK to have an inflight entertainment system that is not physically separated from flight control systems?" Some air gaps are really very important.
OldnGrounded is offline  
Old 8th Aug 2019, 01:26
  #6 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 707
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by Hotel Tango View Post
Good timing to try and plug one's book whilst Boeing is in the limelight. Coincidence?!!
I don't think it much matters whether or not the timing is coincidental. At least, it shouldn't matter to the industry, the regulators and the flying public. The only real issue for all of us is whether and to what extent the information the hacker has published reveals potential cybersecurity vulnerabilities in the 787.
OldnGrounded is offline  
Old 8th Aug 2019, 02:19
  #7 (permalink)  
 
Join Date: Aug 2019
Location: UK
Posts: 1
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by OldnGrounded View Post
I would suggest that a good place to start thinking about this, even before digging into details, is with this question: "What were the system architects thinking when they decided that it was OK to have an inflight entertainment system that is not physically separated from flight control systems?" Some air gaps are really very important.
I'm not in the aviation industry but I do know a moderate amount about netsec. Are you sure they're not physically separated? Not that it's something I've looked into in detail, but everything I've heard from people who are in a position to know about the actual network configuration in aircraft suggests that they are (obviously I don't know the details but that's my strong impression), and as you say it would be monumentally stupid to design the system any other way.

The only exploits for which I've seen credible evidence are things like GNSS spoofing, which, while it has the potential to be an enormous pain in the **** and under some circumstances could be a contributing factor in an accident, is by itself not going to be enough to 'hack' a plane in the media sense of hijacking it and flying it into terrain/populated areas. Besides that one weirdo who claimed to have made the plane he was on 'fly sideways' a few years ago, I haven't seen anyone who's not a tabloid journalist suggest that flight controls could be taken over via the IFE.
not jenny is offline  
Old 8th Aug 2019, 07:25
  #8 (permalink)  
 
Join Date: May 2006
Location: Dublin
Posts: 831
Likes: 0
Received 0 Likes on 0 Posts
This follows on from the 2016 demonstration of the vulnerabilities with the Boeing 757

From Avionics International
A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a U.S. Department of Homeland Security (DHS) official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia.“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.
https://www.aviationtoday.com/2017/1...king-dhs-says/

JAS
Just a spotter is offline  
Old 8th Aug 2019, 09:36
  #9 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 14,420
Likes: 0
Received 4 Likes on 2 Posts
DaveReidUK is offline  
Old 8th Aug 2019, 09:55
  #10 (permalink)  
 
Join Date: Jan 2008
Location: Weedon, UK
Age: 75
Posts: 125
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by DaveReidUK View Post
Surely only one footnote is necessary -

* - Verified by the designers of MCAS.
sooty655 is offline  
Old 8th Aug 2019, 10:09
  #11 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 14,420
Likes: 0
Received 4 Likes on 2 Posts
Conclusions

We hope that a determined, highly capable third party can safely confirm that these vulnerabilities are not exploitable due to the mitigation controls not visible to us during this analysis. We are confident owners and operators of these aircraft would welcome such independent validation and verification.

We believe as strongly in safety as we do in security. We provide these detailed findings herein so that all stakeholders, security industry and affected entities can form their own judgment as to the exploitability and impact of these confirmed software vulnerabilities.
Arm IDA and Cross Check: Reversing the 787’s Core Network
DaveReidUK is offline  
Old 8th Aug 2019, 16:41
  #12 (permalink)  
a_q
 
Join Date: Mar 2015
Location: uk
Posts: 16
Likes: 0
Received 0 Likes on 0 Posts
"sprintf" is NOT an unexploitable function - it can (and has in the past) been used as an exploit for buffer overruns.

By contrast, "snprintf" (note the extra 'n') is MUCH safer, the 'n' being a buffer limit length set by the programmer.

Also it beggars belief that they allow "sprintf" in their coding standard, we use "snprintf" and similar exclusively, to cut down on the possibility of bugs and exploits, and it's usual practice these days for C programmers in industry.

Last edited by a_q; 8th Aug 2019 at 16:44. Reason: add more detail
a_q is offline  
Old 8th Aug 2019, 21:53
  #13 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 707
Likes: 0
Received 0 Likes on 0 Posts
"Compiler level-mitigations can work even if they are not added to the resulting binary."

Santamarta has a rather sharp sense of humor. And he doesn't seem fazed by Boeing's response.

As pointed out just above, sprintf is definitely exploitable. For some basic insight, Google "format string attacks."
OldnGrounded is offline  
Old 9th Aug 2019, 12:31
  #14 (permalink)  
 
Join Date: Nov 2014
Location: Netherlands
Posts: 6
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by a_q View Post
"sprintf" is NOT an unexploitable function - it can (and has in the past) been used as an exploit for buffer overruns.
True in general, if this is the sprintf() function out of stdlib with a standard compiler. But if used correctly, it should be easy to prove, for each invocation of the function, what the maximum length of the resulting string is and if the provided buffer is long enough under any condition. If both conditions hold the call would not be exploitable.

I do assume that Boeings code standards require formal proof for each and every line of code. It would also be very possible that Boeing uses a compiler that performs extra memory management steps and explicitely forbids writing outside of allocated memory space for a specific pointer. That would also make it unexploitable but also break strict C language specifications.

But in the general case you're right, using snprintf is an easy way to prevent a buffer overflow if all those precautions had not been taken and/or an error was made in the proof or the implementation of those compiler level memory management precautions.
RoelB is offline  
Old 9th Aug 2019, 22:14
  #15 (permalink)  
 
Join Date: Aug 2012
Posts: 1
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by a_q View Post
"sprintf" is NOT an unexploitable function - it can (and has in the past) been used as an exploit for buffer overruns.

By contrast, "snprintf" (note the extra 'n') is MUCH safer, the 'n' being a buffer limit length set by the programmer.

Also it beggars belief that they allow "sprintf" in their coding standard, we use "snprintf" and similar exclusively, to cut down on the possibility of bugs and exploits, and it's usual practice these days for C programmers in industry.
You might be right, if they take care of the technical debt and have some kind of static analysis going that picks up unsafe practices.
Sunamer is offline  
Old 10th Aug 2019, 08:39
  #16 (permalink)  
 
Join Date: Aug 2017
Location: London
Posts: 94
Likes: 0
Received 0 Likes on 0 Posts
Comment on theregister website:
"Wouldn't it be best to let IOActive onboard a 787 and tell them, "Have at it!"? If the plane is truly unhackable, as Boeing claims, then IOActive will not be able to do any harm, and Boeing will then be able to loudly and publicly proclaim that their own internal experts and an unpaid but motivated group of third-party pen testers were unable to find any exploits. Might even bump up Boeing's reputation, not to mention share price. Seems like a win-win to me.

They're not willing to do that? I wonder why. "

PerPurumTonantes is offline  

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Thread Tools
Search this Thread

Contact Us - Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service - Do Not Sell My Personal Information

Copyright © 2022 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.