FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

On Jan 7, 2:28 pm, Mxsmanic wrote:
george writes:
To 'hack' into a system you have to have an input device like a
keyboard.

The passengers will have laptops.


Like hell they will look up the regs.

no plug or radio link no contact.

On Jan 7, 1:53 pm, Some Other Guy wrote:

So you have hundreds of passenger devices on the network. Due to a bug, one
or many may malfunction and cause a packet storm, either bringing down the
network or causing unacceptable latency. High latency can cause autopilot
oscillation and loss of control. Oops.

We are talking about the flight systems of an aircraft with, as I
suspect you're aware, two pilots who are there and are trained for
such an eventuality.
Autopilots falling over or going awry for a time are not unknown.
As a bye most ISPs handle hundreds, thousands and sometimes hundreds
of thousands of contacts per minute without falling over.
500 passengers wanting to watch the same movie isn't going to crash
the system

On Sun, 06 Jan 2008 21:06:38 -0500, Bob Noel
wrote in
:

In article ,
Larry Dighera wrote:

http://www.wired.com/politics/securi...liner_security
Boeing's new 787 Dreamliner passenger jet may have a serious
security vulnerability in its onboard computer networks that could
allow passengers to access the plane's control systems, according
to the U.S. Federal Aviation Administration.

Larry, I don't see a conflict there between the FAA and Boeing.

If the FAA is pointing out a potential vulnerability in Boeing's
design, what would you call it?

Where is the FAA pointing out a potential vulnerability?

Wired.com quotes the FAA as saying that. See above.

The special condition is intended to address an area where
the FAA certification requirements don't quite cover.

And it appears that Airbus is doing their best to point out the
potential shortcomings of the Dreamliner design in meeting the special
conditions to the FAA.

Larry Dighera wrote in
:

On Sun, 06 Jan 2008 21:06:38 -0500, Bob Noel
wrote in
:

In article ,
Larry Dighera wrote:

http://www.wired.com/politics/securi...dreamliner_sec
urity
Boeing's new 787 Dreamliner passenger jet may have a serious
security vulnerability in its onboard computer networks that
could allow passengers to access the plane's control systems,
according to the U.S. Federal Aviation Administration.

Larry, I don't see a conflict there between the FAA and Boeing.

If the FAA is pointing out a potential vulnerability in Boeing's
design, what would you call it?

Where is the FAA pointing out a potential vulnerability?

Wired.com quotes the FAA as saying that. See above.

The special condition is intended to address an area where
the FAA certification requirements don't quite cover.

And it appears that Airbus is doing their best to point out the
potential shortcomings of the Dreamliner design in meeting the special
conditions to the FAA.


You're talking out your ass Larry.

Bertie

John T wrote:
wrote in message


My bank's ATMS have touch screens.

One day recently I walked up to them and one clearly had a Microsoft
BSOD.

I didn't try to hack in, but someone might.

I recently saw a similar error displayed on a parking garage ticket
dispenser.

What input device would the would-be hacker use? Was there a touch-screen
keyboard available? Some other input device accessible?

There is also a keypad on those ATMS.

Who knows what it's functionality is; one would hope none and neither
the touch screen nor the keypad do anything until the system is reset
from the inside, but as I didn't design the system, I can't say if that's
how it works.

"Someone might" try hacking *any* system. A computer's mere existence is
enough of a challenge for some folks. Are you suggesting that the ATM should
not be "connected" to another system because it represents a security
vulnerability (which was the premise that started this thread)?

Ummm, no.

While physical separation of systems is one of the better deterents to
hacking, it isn't the only method to prevent it.

Systems that are interconnected can be designed to be secure.

--
Jim Pennino

Remove .spam.sux to reply.

In article ,
Larry Dighera wrote:

Larry, I don't see a conflict there between the FAA and Boeing.

If the FAA is pointing out a potential vulnerability in Boeing's
design, what would you call it?

Where is the FAA pointing out a potential vulnerability?

Wired.com quotes the FAA as saying that. See above.

Larry: Please quote the portion of that wired.com that you think
constitutes a conflict between the FAA and Boeing. Frankly, I don't
see a conflict. I see Boeing and the FAA ACO working on certifying
something new. I don't see where that document claims the FAA
and Boeing disagree on what needs to be done, whether anything
needs to be done, or any disagreement. The only conflict apparent
in that wired.com article comes from the Loveless.




The special condition is intended to address an area where
the FAA certification requirements don't quite cover.

And it appears that Airbus is doing their best to point out the
potential shortcomings of the Dreamliner design in meeting the special
conditions to the FAA.

I would expect Boeing and Airbus are always doing that.

--
Bob Noel
(goodness, please trim replies!!!)

Larry Dighera wrote:
How naïve of Bowing to think that there computer is not hackable:


How naïve of Larry to look to Wired for news on any subject. The entire
article is based on an FAA document that is calling for certification
requirements that assure that in the 787 and the aircraft like that will
come in the future are secure from being hacked.

On Mon, 07 Jan 2008 10:37:21 -0600, Gig601XLBuilder
wrote in
:

Larry Dighera wrote:
How naïve of Bowing to think that their computer is not hackable:

The entire article is based on an FAA document that is calling for certification
requirements that assure that in the 787 and the aircraft like that will
come in the future are secure from being hacked.

The Wired story is based on more than the FAA document:

"This is serious," said Mark Loveless, a network security analyst
with Autonomic Networks, a company in stealth mode, who presented
a conference talk last year on Hacking the Friendly Skies
(PowerPoint). "This isn’t a desktop computer. It's controlling the
systems that are keeping people from plunging to their deaths. So
I hope they are really thinking about how to get this right."

...

Boeing spokeswoman Lori Gunter said the wording of the FAA
document is misleading, and that the plane's networks don't
completely connect.

Gunter wouldn't go into detail about how Boeing is tackling the
issue but says it is employing a combination of solutions that
involves some physical separation of the networks, known as "air
gaps," and software firewalls. Gunter also mentioned other
technical solutions, which she said are proprietary and didn't
want to discuss in public.

"There are places where the networks are not touching, and there
are places where they are," she said.

Gunter added that although data can pass between the networks,
"there are protections in place" to ensure that the passenger
internet service doesn't access the maintenance data or the
navigation system "under any circumstance."

She said the safeguards protect the critical networks from
unauthorized access, but the company still needs to conduct lab
and in-flight testing to ensure that they work. This will occur in
March when the first Dreamliner is ready for a test flight.

Are you familiar with the term buffer-overrun?

Larry Dighera wrote in
:

On Mon, 07 Jan 2008 10:37:21 -0600, Gig601XLBuilder
wrote in
:

Larry Dighera wrote:
How naïve of Bowing to think that their computer is not hackable:

The entire article is based on an FAA document that is calling for
certification
requirements that assure that in the 787 and the aircraft like that
will come in the future are secure from being hacked.

The Wired story is based on more than the FAA document:

"This is serious," said Mark Loveless, a network security analyst
with Autonomic Networks, a company in stealth mode, who presented
a conference talk last year on Hacking the Friendly Skies
(PowerPoint). "This isn’t a desktop computer. It's controlling the
systems that are keeping people from plunging to their deaths. So
I hope they are really thinking about how to get this right."

...

Boeing spokeswoman Lori Gunter said the wording of the FAA
document is misleading, and that the plane's networks don't
completely connect.

Gunter wouldn't go into detail about how Boeing is tackling the
issue but says it is employing a combination of solutions that
involves some physical separation of the networks, known as "air
gaps," and software firewalls. Gunter also mentioned other
technical solutions, which she said are proprietary and didn't
want to discuss in public.

"There are places where the networks are not touching, and there
are places where they are," she said.

Gunter added that although data can pass between the networks,
"there are protections in place" to ensure that the passenger
internet service doesn't access the maintenance data or the
navigation system "under any circumstance."

She said the safeguards protect the critical networks from
unauthorized access, but the company still needs to conduct lab
and in-flight testing to ensure that they work. This will occur in
March when the first Dreamliner is ready for a test flight.

Are you familiar with the term buffer-overrun?


Are you familiar with the term "Give up"?



Bertie

george writes:

We are talking about the flight systems of an aircraft with, as I
suspect you're aware, two pilots who are there and are trained for
such an eventuality.

They have not been trained for this, and in any case, in a fly-by-wire system,
there's not much that they can do if the computer is hacked.