FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

How naïve of Bowing to think that there computer is not hackable:


http://www.wired.com/politics/securi...liner_security
Boeing's new 787 Dreamliner passenger jet may have a serious
security vulnerability in its onboard computer networks that could
allow passengers to access the plane's control systems, according
to the U.S. Federal Aviation Administration. The computer network
in the Dreamliner's passenger compartment, designed to give
passengers in-flight internet access, is connected to the plane's
control, navigation and communication systems, an FAA report
reveals...

According to the FAA document

http://frwebgate6.access.gpo.gov/cgi-bin/waisgate.cgi?WAISdocID=486816490816+0+0+0&WAISacti on=retrieve
published in the Federal Register (mirrored at Cryptome.org
http://cryptome.org/faa010208.htm), the vulnerability exists
because the plane's computer systems connect the passenger network
with the flight-safety, control and navigation network. It also
connects to the airline's business and administrative-support
network, which communicates maintenance issues to ground crews...

Out of the frying pan:


http://cs.schwab.com/clicker/cli?req...pkaaaaarcliw2r
10:00 AM 12/24/07

In-Flight Net Providers: Lessons Learned

Airlines and service providers seeking to deliver high-speed
Internet services to passengers say they've learned from Boeing
Co.'s 2006 decision to pull the plug on its ambitions to outfit
its planes with a similar service.

Analysts say Boeing's failed Connexion online service was costly
to install and operate, resulting in large expenditures before
getting a single paying customer. An industry wide downturn
triggered by the 2001 terrorist attacks made the system an even
tougher sell to struggling airlines.

Among other things, JetBlue Airways Corp., AMR Corp.'s American
Airlines and Virgin America are today turning to air-to-ground
connections to avoid Boeing's expensive satellite fees.

"We wanted to attack every one of the things that were inhibitors
in that first-generation system," said Jack Blumenstein, chief
executive of Aircell LLC, which is providing service for American
and Virgin.

JetBlue's LiveTV subsidiary paid the Federal Communications
Commission $7 million for wireless spectrum that one test JetBlue
aircraft has been using since Dec. 11 to communicate with about
100 cell towers spread across the continental United States.

The 1-megahertz frequency band allows that aircraft to offer free
e-mail and instant-messaging services on laptops and handheld
devices through Yahoo Inc. and BlackBerry maker Research In Motion
Ltd.

Aircell licensed a band three times the size of LiveTV's for $31
million and plans to offer broader Internet services, including
Web surfing, for about $10 a flight _ what Boeing had charged for
the first hour. Pending regulatory approval, Aircell's first
Internet-capable flight is expected on American in 2008, using 92
cell towers on the ground. ...

In article ,
Larry Dighera wrote:

How naïve of Bowing to think that there computer is not hackable:


http://www.wired.com/politics/securi...liner_security
Boeing's new 787 Dreamliner passenger jet may have a serious
security vulnerability in its onboard computer networks that could
allow passengers to access the plane's control systems, according
to the U.S. Federal Aviation Administration. The computer network
in the Dreamliner's passenger compartment, designed to give
passengers in-flight internet access, is connected to the plane's
control, navigation and communication systems, an FAA report
reveals...

According to the FAA document

http://frwebgate6.access.gpo.gov/cgi...=486816490816+
0+0+0&WAISaction=retrieve
published in the Federal Register (mirrored at Cryptome.org
http://cryptome.org/faa010208.htm), the vulnerability exists
because the plane's computer systems connect the passenger network
with the flight-safety, control and navigation network. It also
connects to the airline's business and administrative-support
network, which communicates maintenance issues to ground crews...

Notice that the Special Condition published in the 13 April 2007 Federal
Register (and later on 2 Jan 2008) adds the following requirement
for the 787 Type Certificate:

"The design shall prevent all inadvertent or malicious changes
to, and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain."

If complied with, why complain?


of course, several questions come to mind:

1) Exactly what is the extent of the connection (physical and logical) between
cabin systems and cockpit systems? Unfortunately, the specifics are likely
to be considered proprietary and not in the public domain.

2) Why have any connection at all? I don't know if Boeing has publically stated
why, but allow me to posit that perhaps Boeing engineers believed that airlines
needed a means to monitor non-criticals systems and send aircraft status
information to their airline operations centers. There are architectures and
boundary control devices that tightly control the flow and format of information
across network boundaries.

I can envision architectures that would provide adequate protection. They
exist today in the security/classified domains. I'm interested in knowing why
Boeing would want to go through the pain of implementing such architectures
and educating their engineers, DERs, and ATO folks.


btw - I don't think Boeing is dumb enough to think that computers are not
hackable, even Boeing management, and maybe even Boeing lawyers (ok,
maybe the lawyers are dumb enough).

--
Bob Noel
(goodness, please trim replies!!!)

Bob Noel writes:

Notice that the Special Condition published in the 13 April 2007 Federal
Register (and later on 2 Jan 2008) adds the following requirement
for the 787 Type Certificate:

"The design shall prevent all inadvertent or malicious changes
to, and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain."

If complied with, why complain?

How do you verify compliance with something that vague?

1) Exactly what is the extent of the connection (physical and logical) between
cabin systems and cockpit systems? Unfortunately, the specifics are likely
to be considered proprietary and not in the public domain.

If the wires touch, they need to be separated.

2) Why have any connection at all?

Because it's cheaper to do everything with one network than it is to do it
with two.

I don't know if Boeing has publically stated
why, but allow me to posit that perhaps Boeing engineers believed that airlines
needed a means to monitor non-criticals systems and send aircraft status
information to their airline operations centers. There are architectures and
boundary control devices that tightly control the flow and format of information
across network boundaries.

I don't give them that much credit. They just wanted to save money.

Keep in mind that the engineers in this case probably know very little about
computers, networks, and security, and a lot about building airplanes. They
will reinvent the wheel and make all the mistakes that the IT profession fixed
long ago, possibly with very unpleasant results. It happens regularly when
any industry abruptly starts to pile computers into their products.

I can envision architectures that would provide adequate protection.

Yes, but you can be sure that Boeing engineers know nothing about them.

They exist today in the security/classified domains. I'm interested
in knowing why Boeing would want to go through the pain of implementing
such architectures and educating their engineers, DERs, and ATO folks.

Who said they educated anyone? They may not even have designed that part of
the aircraft.

btw - I don't think Boeing is dumb enough to think that computers are not
hackable, even Boeing management, and maybe even Boeing lawyers (ok,
maybe the lawyers are dumb enough).

I think they might be.

Would you fly a plane designed by Microsoft?

Mxsmanic wrote in
:


I think they might be.

Would you fly a plane designed by Microsoft?

Nope, microsoft don't design airplanes, fjukkwit.

Bertie

Mxsmanic wrote:
Bob Noel writes:

Notice that the Special Condition published in the 13 April 2007 Federal
Register (and later on 2 Jan 2008) adds the following requirement
for the 787 Type Certificate:

"The design shall prevent all inadvertent or malicious changes
to, and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain."

If complied with, why complain?

How do you verify compliance with something that vague?

The requirement is not unique nor vague to those that do it for a
living; you know, a job, something you may have heard about but
never experienced.

You hire any number of companies who have been doing this for decades.

snip ignorant babble

--
Jim Pennino

Remove .spam.sux to reply.

schrieb:
Mxsmanic wrote:
(...)
snip ignorant babble

Wouldn't it be a good idea to save your time on answering him? It leads
to nothing than more stupid posts from MX.


#m

Martin Hotze wrote in news:flrakc$moj$3
@kirk.hotze.com:

schrieb:
Mxsmanic wrote:
(...)
snip ignorant babble

Wouldn't it be a good idea to save your time on answering him? It leads
to nothing than more stupid posts from MX.


Make up your mind.

Bertie

Martin Hotze wrote:
schrieb:
Mxsmanic wrote:
(...)
snip ignorant babble

Wouldn't it be a good idea to save your time on answering him? It leads
to nothing than more stupid posts from MX.

No matter what anyone does, he will continue to make stupid posts.

There are two major schools of thought as to what the rest of the rational
world can do:

1. Totally ignore him to reduce the wasted bandwidth, but there will
also allways be someone who will respond whether it is because they
are new or because he particularly ticks someone off.

2. Respond to the extent that it corrects his usually incorrect and
sometimes dangerous postings least someone who doesn't know the
source actually believes what he says.

As for the time it takes, I seldom open a USENET window unless I'm
waiting for something else, e.g. a long compile or a data gathering
session to complete, so it is either that or play pocket pool.

--
Jim Pennino

Remove .spam.sux to reply.

"Mxsmanic" wrote in message
...

Would you fly a plane designed by Microsoft?

The R.A.P. Irony-O-Meter just pegged over to the stop.

John Mazor writes:

The R.A.P. Irony-O-Meter just pegged over to the stop.

Why?