FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

Bob Noel writes:

Notice that the Special Condition published in the 13 April 2007 Federal
Register (and later on 2 Jan 2008) adds the following requirement
for the 787 Type Certificate:

"The design shall prevent all inadvertent or malicious changes
to, and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain."

If complied with, why complain?

How do you verify compliance with something that vague?

1) Exactly what is the extent of the connection (physical and logical) between
cabin systems and cockpit systems? Unfortunately, the specifics are likely
to be considered proprietary and not in the public domain.

If the wires touch, they need to be separated.

2) Why have any connection at all?

Because it's cheaper to do everything with one network than it is to do it
with two.

I don't know if Boeing has publically stated
why, but allow me to posit that perhaps Boeing engineers believed that airlines
needed a means to monitor non-criticals systems and send aircraft status
information to their airline operations centers. There are architectures and
boundary control devices that tightly control the flow and format of information
across network boundaries.

I don't give them that much credit. They just wanted to save money.

Keep in mind that the engineers in this case probably know very little about
computers, networks, and security, and a lot about building airplanes. They
will reinvent the wheel and make all the mistakes that the IT profession fixed
long ago, possibly with very unpleasant results. It happens regularly when
any industry abruptly starts to pile computers into their products.

I can envision architectures that would provide adequate protection.

Yes, but you can be sure that Boeing engineers know nothing about them.

They exist today in the security/classified domains. I'm interested
in knowing why Boeing would want to go through the pain of implementing
such architectures and educating their engineers, DERs, and ATO folks.

Who said they educated anyone? They may not even have designed that part of
the aircraft.

btw - I don't think Boeing is dumb enough to think that computers are not
hackable, even Boeing management, and maybe even Boeing lawyers (ok,
maybe the lawyers are dumb enough).

I think they might be.

Would you fly a plane designed by Microsoft?