FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

Larry Dighera wrote in
:

On Sat, 5 Jan 2008 14:39:45 -0500, "John T"
wrote in
:

The fact that computers are on the plane in and of itself is a "security
vulnerability" by your definition.

No. I said:

Connecting the cabin entertainment computer system to the
flight control computer is just plane ignorant.

But your decision not to respond to that belies the insincerity of
your followup response.



This from the peson who is the embodiment of disingenuous.



Bertie

In article ,
Larry Dighera wrote:

How naïve of Bowing to think that there computer is not hackable:


http://www.wired.com/politics/securi...liner_security
Boeing's new 787 Dreamliner passenger jet may have a serious
security vulnerability in its onboard computer networks that could
allow passengers to access the plane's control systems, according
to the U.S. Federal Aviation Administration. The computer network
in the Dreamliner's passenger compartment, designed to give
passengers in-flight internet access, is connected to the plane's
control, navigation and communication systems, an FAA report
reveals...

According to the FAA document

http://frwebgate6.access.gpo.gov/cgi...=486816490816+
0+0+0&WAISaction=retrieve
published in the Federal Register (mirrored at Cryptome.org
http://cryptome.org/faa010208.htm), the vulnerability exists
because the plane's computer systems connect the passenger network
with the flight-safety, control and navigation network. It also
connects to the airline's business and administrative-support
network, which communicates maintenance issues to ground crews...

Notice that the Special Condition published in the 13 April 2007 Federal
Register (and later on 2 Jan 2008) adds the following requirement
for the 787 Type Certificate:

"The design shall prevent all inadvertent or malicious changes
to, and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain."

If complied with, why complain?


of course, several questions come to mind:

1) Exactly what is the extent of the connection (physical and logical) between
cabin systems and cockpit systems? Unfortunately, the specifics are likely
to be considered proprietary and not in the public domain.

2) Why have any connection at all? I don't know if Boeing has publically stated
why, but allow me to posit that perhaps Boeing engineers believed that airlines
needed a means to monitor non-criticals systems and send aircraft status
information to their airline operations centers. There are architectures and
boundary control devices that tightly control the flow and format of information
across network boundaries.

I can envision architectures that would provide adequate protection. They
exist today in the security/classified domains. I'm interested in knowing why
Boeing would want to go through the pain of implementing such architectures
and educating their engineers, DERs, and ATO folks.


btw - I don't think Boeing is dumb enough to think that computers are not
hackable, even Boeing management, and maybe even Boeing lawyers (ok,
maybe the lawyers are dumb enough).

--
Bob Noel
(goodness, please trim replies!!!)

george writes:

Surprise for you.
Aircraft have had computer systems for quite q while now.

But they haven't been accessible to passengers up to now. With everything on
the same network, anyone could hack into the control network from the
passenger network. That's what is alarming in this case. It would have been
much easier and safer to just install two physically independent networks.

Larry Dighera writes:

What could be the possible motivation be for Boeing to mingle the
cabin computer system accessible by the passengers with the aircraft
control system computer?

Lower cost. One cable instead of two, etc. It also makes it possible to
install more bells and whistles on the software side, although this also makes
the system vastly more vulnerable.

I fail to understand why their connection is
such an issue, that Boeing would consider doing it, let alone fight
the FAA over it. How could it possibly be justified?

It's cheaper. And the FAA really knows nothing about the risks of such
systems, so it's likely to eventually get by.

Our country would be far better off if its consumers all felt the way
you do, but because they don't, it's becoming more and more difficult
to even find American made products in the marketplace. And the US
need for foreign petroleum in particular should never have been
permitted to occur. As it is, the US transfer of wealth to the
mid-east is financing those who plot against us. What were our
leaders thinking?

"How can I stay in power?"

The same thing that all leaders think.

Because it's likely the cabin entertainment computer is physically
access able from the cabin, it's even more vulnerable to attack.

Messing up the program of movies is no big deal, but when someone hacks into
the flight control computers, there's a problem.

Bob Noel writes:

Notice that the Special Condition published in the 13 April 2007 Federal
Register (and later on 2 Jan 2008) adds the following requirement
for the 787 Type Certificate:

"The design shall prevent all inadvertent or malicious changes
to, and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain."

If complied with, why complain?

How do you verify compliance with something that vague?

1) Exactly what is the extent of the connection (physical and logical) between
cabin systems and cockpit systems? Unfortunately, the specifics are likely
to be considered proprietary and not in the public domain.

If the wires touch, they need to be separated.

2) Why have any connection at all?

Because it's cheaper to do everything with one network than it is to do it
with two.

I don't know if Boeing has publically stated
why, but allow me to posit that perhaps Boeing engineers believed that airlines
needed a means to monitor non-criticals systems and send aircraft status
information to their airline operations centers. There are architectures and
boundary control devices that tightly control the flow and format of information
across network boundaries.

I don't give them that much credit. They just wanted to save money.

Keep in mind that the engineers in this case probably know very little about
computers, networks, and security, and a lot about building airplanes. They
will reinvent the wheel and make all the mistakes that the IT profession fixed
long ago, possibly with very unpleasant results. It happens regularly when
any industry abruptly starts to pile computers into their products.

I can envision architectures that would provide adequate protection.

Yes, but you can be sure that Boeing engineers know nothing about them.

They exist today in the security/classified domains. I'm interested
in knowing why Boeing would want to go through the pain of implementing
such architectures and educating their engineers, DERs, and ATO folks.

Who said they educated anyone? They may not even have designed that part of
the aircraft.

btw - I don't think Boeing is dumb enough to think that computers are not
hackable, even Boeing management, and maybe even Boeing lawyers (ok,
maybe the lawyers are dumb enough).

I think they might be.

Would you fly a plane designed by Microsoft?

Mxsmanic wrote in
:


I think they might be.

Would you fly a plane designed by Microsoft?

Nope, microsoft don't design airplanes, fjukkwit.

Bertie

"Larry Dighera" wrote in message

No. I said:

Connecting the cabin entertainment computer system to the
flight control computer is just plane ignorant.

But your decision not to respond to that belies the insincerity of
your followup response.

I did. You just didn't like it.

--
John T
http://sage1solutions.com/blogs/TknoFlyer
http://sage1solutions.com/products
NEW! FlyteBalance v2.0 (W&B); FlyteLog v2.0 (Logbook)
____________________

Mxsmanic wrote in
news
george writes:

Surprise for you.
Aircraft have had computer systems for quite q while now.

But they haven't been accessible to passengers up to now.

Wrong again


Bertie

Mxsmanic wrote in
:

Larry Dighera writes:

What could be the possible motivation be for Boeing to mingle the
cabin computer system accessible by the passengers with the aircraft
control system computer?

Lower cost. One cable instead of two, etc. It also makes it possible
to install more bells and whistles on the software side, although this
also makes the system vastly more vulnerable.

I fail to understand why their connection is
such an issue, that Boeing would consider doing it, let alone fight
the FAA over it. How could it possibly be justified?

It's cheaper. And the FAA really knows nothing about the risks of
such systems, so it's likely to eventually get by.

Our country would be far better off if its consumers all felt the way
you do, but because they don't, it's becoming more and more difficult
to even find American made products in the marketplace. And the US
need for foreign petroleum in particular should never have been
permitted to occur. As it is, the US transfer of wealth to the
mid-east is financing those who plot against us. What were our
leaders thinking?

"How can I stay in power?"

The same thing that all leaders think.

Because it's likely the cabin entertainment computer is physically
access able from the cabin, it's even more vulnerable to attack.

Messing up the program of movies is no big deal, but when someone
hacks into the flight control computers, there's a problem.


Nope

Bertie

On Sun, 06 Jan 2008 07:54:34 -0500, Bob Noel
wrote in
:


Notice that the Special Condition published in the 13 April 2007 Federal
Register (and later on 2 Jan 2008) adds the following requirement
for the 787 Type Certificate:

"The design shall prevent all inadvertent or malicious changes
to, and all adverse impacts upon, all systems, networks, hardware,
software, and data in the Aircraft Control Domain and in the Airline
Information Domain from all points within the Passenger Information
and Entertainment Domain."

If complied with, why complain?

Apparently Boeing is not currently in compliance, hence the conflict
with FAA over certification of the Dreamliner.