Hacking The Friendly Skies In Boeing's New 787
from the someone-deserves-to-be-fired dept
Wired is running an article about FAA concerns about the computer networks on Boeing's new 787. Apparently, the airplanes have been designed with a computer network in the passenger area that can give fliers internet access. That seems reasonable enough. However, somewhere along the way, someone at Boeing decided to connect that network to the plane's control, navigation and communication systems. It's hard to fathom how anyone would ever consider connecting a general passenger network on an airplane to critical systems that actually deal with issues related to keeping the airplane in the sky. Boeing's response is less than satisfactory as well. While it claims it's fixing some of the issues raised, it also says the report is overblown, noting: "There are places where the networks are not touching, and there are places where they are." That really doesn't matter. If the network is touching anywhere it should be seen as a fairly serious problem. There's simply no good reason to connect the two in any way, no matter how "secure." Glenn Fleishman is saying that this report is Wired making a mountain out of a molehill, and insists that the story is probably not a big deal at all. Yet, I'm still wondering why the two systems would ever touch each other.
Filed Under: airplanes, faa, internet, security, wireless
Companies: boeing
Reader Comments
Boeing should look up firewall.
You lock your doors, you put barriers around things you want safe, you fence off your precious.
Good fences make good neighbors.
Don't give the temptation of trying to realtime monitor the avionics.
[ link to this | view in chronology ]
Re: Boeing should look up firewall.
The only way to ensure security is to keep them physically and logically separated. And let's face it, when you're paying hundreds of millions of dollars for an airplane, it only makes sense to spend an extra few thousand for a physically separated guest network for passengers.
[ link to this | view in chronology ]
We gotta know
To give passengers flight info of course! It's our right as passengers to know exactly where the plane is at all times! Gosh!
[ link to this | view in chronology ]
Re: We gotta know
You would be surprised at how much you can see from 5 miles up, horizon is 200 miles away, oo! that is about 1/2 million square miles :) less if it is meters :)
Window seat, the only way to fly!
[ link to this | view in chronology ]
Re: Re: We gotta know
"Less if it is metres" Really?
How many metres in a mile? Say 1600m.
So how many km in a mile? Say 1.6km
How many sq. km in a sq. mile? (1.6)(1.6)? Say 2.5.
So a million sq miles is roughly 2.5 m sq. km.
And a 1/2m sq miles is about 1.25m sq. km.
Whatever happened to the most basic arithmetic?
And if you can see a circle of 200 mile radius from 5 miles up, it would only be 1/8 of a million sq. miles! Since you're on one side of the plane, it's about half that again. Remind me never to go on an expedition with you as navigator, LOL.
Hey can I exchange some currencies with you please, if you'll get it wrong way round?
[ link to this | view in chronology ]
Re: We gotta know
[ link to this | view in chronology ]
I can think of one big reason to keep the networks
Network overload.
100s of airline passengers downloading FoxNEWS video feed of an airline jet in peril because the captain of the 787 passenger jet cannot get reliable network connection to the flight controls, avionics and control tower.
Even an ambulance/fire/police have trouble using the same network backbone if too many cars are on the streets. Just because you have rules, hardware and protocol to move traffic aside for high priority emergency transmission does not mean that the channel will materialize.
Moses parted the sea once but don't expect it to happen for you.
[ link to this | view in chronology ]
Why have security searches at all?
Gosh! Who would have thought that someone on a plane would connect with a cellphone modem and give control of the plane to a third party on the ground? Is Boeing as naive about this as Jamie Lynn Spears is about sex and pregnancy?
Anyone who isn't terrified by Boeing's lack of technical sophistication in this case doesn't know enough about how computer networks operate.
Hey, Boeing: listen to your paranoid network guys. They are right on this one. The networks should not touch ANYWHERE.
[ link to this | view in chronology ]
Give it some time...
That's like new intersections on roads: DOT (or whatever agency it is) doesn't install traffic lights until there have been some FATAL accidents.
Maybe Boeing should play a little game called "Try to hack me if you can" with a 787 that's on the ground. That should be safe enough... Uhum! Then they can change their name to Boing!
[ link to this | view in chronology ]
Who in their right mind would design this?
Bet this one came from a focus group.
[ link to this | view in chronology ]
Typical human stupidity
[ link to this | view in chronology ]
VLANs, perhaps?
[ link to this | view in chronology ]
Re: VLANs, perhaps?
[ link to this | view in chronology ]
Reserve Judgement.. Boeing engineers aren't idiots.
First - Mark Loveless' powerpoint on hacking the friendly skies details how to hack (or how to protect) other laptops on an airplane via peer to peer networks. It does not discuss the design architecture of the 787.
The (linked) FAA document does not specify the exact overlap; rather, it states that this is the first time this situation has presented itself and that there may be an issue, and that the current requirement did not foresee this functionality when originally authored.
What if the interconnectivity of the aircraft control domain, airline domain, and passenger domain, is simply those portions needed to download performance and maintenance metrics from the aircraft into the maintenance system? A very likely scenario...
There have been a few comments about bandwidth contention between user downloads and the pilot's ability to fly the airplane. You can be pretty sure that the "fly by wire" system responsible for sending inputs to the control actuators is separate.
[ link to this | view in chronology ]
Re: Reserve Judgement.. Boeing engineers arent idi
Oh, brother. Our local junior college offers those degrees too in their vocational education programs. In the US, unless your degree is an appropriate ABET accredited engineering one, then it doesn't count in my mind. And those don't exist in "Aviation Management and Flight Technology". Sorry to burst your bubble. (And no, a Microsoft "Engineer" certification doesn't count either).
[ link to this | view in chronology ]
Re: Re: Reserve Judgement.. Boeing engineers arent
And further... I wish I knew that my degree was offered at a Junior College. It would have saved me a TON on tuition...
[ link to this | view in chronology ]
Re: Re: Re: Reserve Judgement.. Boeing engineers a
You made it part of validating your argument, not me. Live with it.
And further... I wish I knew that my degree was offered at a Junior College. It would have saved me a TON on tuition...
Sucks, huh? Many people who have blown tons of cash on unaccredited courses (e.g. various M$ "engineering" courses) who could have gotten better educations for less money at a local Junior College.
[ link to this | view in chronology ]
What CH said: We don't really know the details
It's likely the systems, like all aircraft systems, will be hardened and separate in a variety of ways, and we only know the barest sliver of information.
Using one analyst's opinion and a typical FAA document as the basis of worries about onboard systems security is simply over the top.
[ link to this | view in chronology ]
Re: What CH said: We don't really know the details
First, whatever the whistle blower's motivations are, if what they report is true, then it is true. No political litmus test should be applied to the truth, especially in a case like this.
Second, unless you have something to back up your allegations it seems to me that you may be the one with some hidden interests.
[ link to this | view in chronology ]
OMG!!!
The only reason I can see for Boeing doing this is to share the Internet connection so the pilots can get on the Internet as well, possibly as a cost saving measure. But then they are putting saving money above the safety of the planes and its passengers. Plus, I can just imagine the headlines now: "Airline pilots caught surfing pr0n while in flight".........
[ link to this | view in chronology ]
Re: OMG!!!
I always wondered why they chose suggestive terms like "cockpit" and "joystick".
[ link to this | view in chronology ]
Two Terrifying Words
[ link to this | view in chronology ]
Boeing needs to stop the PR
[ link to this | view in chronology ]
Re: Boeing needs to stop the PR
[ link to this | view in chronology ]
Not Enough Information!
[ link to this | view in chronology ]
Not Enough Data
Example 1: Perhaps it's just capable of reading the flight info. If that's the case, even hacking it would give nothing but perhaps a few more pieces of flight information, like fuel status.
Correction, a hacker could send false data to pilots too, probably. However, since the Plane CNC systems are redundant, I don't think it would do much.
Example 2: Perhaps the network connected to the CNC system is part of control redundancy, so a pilot can use it to dump the fuel in case of emergency landing. In that case, a hacker can dump the fuel. And Boeing 787 gets grounded. Literally and figuratively.
Imho, I don't think that we know just how much of a "network connection" is there to CNC in the first place, so any opinions we make would be based on presumptions. I certainly don't believe the networks should intersect anywhere, however I can see cases in which such practice is, in fact, safe. The reason I don't believe it should intersect is the old practice to upgrade systems, so what was once a safe "read only" network system gets upgraded to "read/write" with little or no regard on the possible security issues it might bring. Better design it safe from start with the most-paranoid view possible.
[ link to this | view in chronology ]
connecting a general passenger network on an airpl
Did Diebold design the network on these planes??
[ link to this | view in chronology ]
Sensationalism
Boeing didn't spend hundreds of millions of dollars designing and testing redundant systems, from wings to controls to comms and to the onboard passenger network to simply "connect that network to the plane's control, navigation and communication systems." They didn't spend tens of millions stress testing wings to loads orders of magnitude greater than flight load and simply not thoroughly consider the security ramifications of their networking decisions. Contrary to what TechDirt readers may believe, they are not smarter on this matter than the Boeing engineers who worked on this system.
There are plenty of practical and safe reasons why networks may touch at different layers, most of which in this case probably has to do with reducing complexity (and thus weight, electrical signaling & static, etc) that may very well make the plane safer overall. There are plenty of examples of security isolation on shared physical layers - government classified networks, banks, satcom, etc.
[ link to this | view in chronology ]
Re: Sensationalism
[ link to this | view in chronology ]
Re: Sensationalism
Again, how do you know? Some of the readers may very well be qualified engineers in the field themselves. Just because they criticize Boeing does not make them somehow dumber than Boeing's engineers (even if they work for the FAA). You sound like you've maybe got some Boeing stock or other interest you're trying to protect.
Also, there are managers that sometimes override engineers on technical matters. Maybe to lower costs or maybe the manager just wants to leave "his mark" on the project (call it "engineer envy"). It happens all the time. To anyone who thinks otherwise I say that history is full of such examples with disastrous results. (Remember NASA's Challenger shuttle?)
The only reasons I can think of relate to cost. And that's being penny-wise and pound-foolish, not safe. Or maybe Boeing management was planning to slip this past the FAA and then get paid big bucks again by the airlines to fix it after delivery. That sounds like some software companies I know of.
In my experience, the most highly classified government networks are never connected to the internet, even with firewalls. If you can provide an example to the contrary, please do.
[ link to this | view in chronology ]
WHAT?
If there is even a grain of truth to this then someone at Boeing needs a serious bitch-slap.
[ link to this | view in chronology ]
Re: Des Moines
[ link to this | view in chronology ]
Stupidity
Honestly, this smells like one of those (all too common) situations where the pointy-haired-management boss overrode the engineers and insisted it be done this way because he read in some magazine that "unified networking" was the latest trend. Of course, when it breaks he'll then blame the engineers.
[ link to this | view in chronology ]
Cockpit Porn
[ link to this | view in chronology ]
CH, nice try, but there is no calming the ass-clowns with logic, (or expertise, or knowledge, or facts, or well; anything really...)
[ link to this | view in chronology ]
Re:
I tried... I see there are couple more threads of sanity that spoke up.
Sensationalism and Not enough data...
[ link to this | view in chronology ]
No big deal.
I'm sure Boeing didn't just plug it all up on the same switch and call it a day. Although, I am left wondering why they couldn't have used 2 distinct networks just to feel warm and fuzzy...
[ link to this | view in chronology ]
Re: No big deal.
The single, most secure way to keep the avionics equipment secure from passenger interaction is to physically separate the two networks, which is the way it should have been to begin with. As it has already been pointed out, any sort of connection between the two whatsoever could potentially result in the plane's equipment being compromised, be it intentional or not.
There is no logical reason whatsoever for those two being connected. If they want to provide passengers with up-to-date flight information, they could wire up monitors to the private network that display said information on a continuous basis. No reason to need computers to access it. For that matter, I think screens like that are unnecessary too. A friendly update from the captain over the PA system every so often works quite well for me. Come on people, put on your thinking caps and pull the plug, or you'll just be asking for trouble.
[ link to this | view in chronology ]
Did anybody bother to read the whole article?
[ link to this | view in chronology ]
Re: Did anybody bother to read the whole article?
Gunter wouldn't go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn't want to discuss in public.
"There are places where the networks are not touching, and there are places where they are," she said.
Gunter added that although data can pass between the networks, "there are protections in place" to ensure that the passenger internet service doesn't access the maintenance data or the navigation system "under any circumstance."
[ link to this | view in chronology ]
Agreed that critical vs non-critical systems should not be sharing bandwidth, and should have their own connections. Some kid in the 5th row going crazy with bittorrent should not affect the flight.
[ link to this | view in chronology ]
Re:
Read the linked article.
For all we know, two routers happen to plug into the same power strip...
Um, no. In the article that you clearly didn't read Boeing admits that the networks exchange data. I seriously doubt that they're doing that over a "power strip".
[ link to this | view in chronology ]
Airbus
Sure, the average hacker isn't going to know jack about these systems. We are not dealing with average hackers, however. Also, the spokesperson did not just say "Air gaps" but submitted that vulnerabilities were being addressed by "air gaps and software firewalls". Somehow the software part is not reassuring to me.
Well, if it's all the same to me, I'll just wait until the Dreamliner version 2.0 comes out. Leave that 1.0 stuff for the early adopters.
[ link to this | view in chronology ]
Think about...
Airplanes are bound by strict specifications (weight and space concerns). They may have had to use the same switch and create a VLAN in order to meet those specifications.
Possibly, how they attempt to 'fix' it is by finding a way to physically separate those networks and still meet those specifications.
[ link to this | view in chronology ]
Re: Think about...
Specifications can be driven by different concerns. What you are referring to are cost concerns. And the issue is whether Boeing is unreasonably sacrificing safety in the name of cost. (Like when Ford shaved $11 off the cost of the Pinto but turned it into a fire trap. Was that reasonable? Some people think so.)
[ link to this | view in chronology ]
Re: Re: Think about...
[ link to this | view in chronology ]
Smells like rotten meat or real good cheese...
[ link to this | view in chronology ]
Re: Smells like rotten meat or real good cheese...
[ link to this | view in chronology ]
Re: Re: Smells like rotten meat or real good chees
[ link to this | view in chronology ]
Re: Re: Smells like rotten meat or real good chees
[ link to this | view in chronology ]
http://www.newairplane.com
[ link to this | view in chronology ]
Hacking the skies of Boeing
[ link to this | view in chronology ]
boeings sabotage of the "friendly skies"
[ link to this | view in chronology ]
Off of my 3rd tour...
I always book my flights on Boeing Aircraft. "If It Ain't a Boeing, I ain't Going".
Kudos Boeing. Keep up the good work. Make us proud.
[ link to this | view in chronology ]
Re: Off of my 3rd tour...
Sure sounds like a marketing troll. And not even a very good one.
[ link to this | view in chronology ]
Re: Re: Off of my 3rd tour...
Many of those who have commented in this blog have zero knowledge of the expertise resident in Boeing ... try attending a few trade shows and finding some of them.
It is highly unlikely that Boeing will tell anyone exactly how they design or respond to vague generalities because that could give an advantage to competitors, which is not a good thing to do. If you want to know how Boeing thinks perhaps you should send in an application and see if they hire you ... if you're really that impressive I believe they will.
If PR is all that counted it would add time to production by having to take time to respond to a few folks who have little knowledge of the situation. This is counterproductive to delivering products. Which means revenue could be affected and therefore only someone on their own time would even bother to respond.
Cisco got its start from Boeing Engineers ... and is still very appreciative of that fact.
otoh - I think something might be said directly from Boeing - but if not I guess we'll just have to see on Day 1
[ link to this | view in chronology ]
Re: Re: Re: Off of my 3rd tour...
Not true. US Air Force.
those who have been know the spelling that is commonly used is not what the trenches guys use.
And I find your implication that US enlisted men and women are somehow too ignorant to even spell to be highly insulting.
"Sargent Miller" is an obvious company troll. Same for you.
[ link to this | view in chronology ]
They have a long list ahead of them-
Getting to the Moon
GPS Systems
A composite Airplane
A Mission of getting an aircraft to Mars.
Maybe they could send something out to the outer reaches of the Solar System (Read: Voyager or Voyager II)
Maybe they could bid on the newly announced upgrade of Hubble...
I don't know. They are really lacking somehow. Throw me a bone here... What can they do?
There are many more, should I even attempt to continue..?
[ link to this | view in chronology ]
Re:
"Investigators concluded that a critical piece of the jet's airframe broke during the flight because of a manufacturing defect. A defective longeron -- a metal strut that runs lengthwise down the fuselage -- was cut improperly by the manufacturer, Boeing, and led to a series of cracks over the plane's lifespan, Corley said."
[ link to this | view in chronology ]
Re:
Fly detainees to 'black sites' to be tortured.
Get some top executives into prison. (and here)
Make duckbill pliers (Boeing price: $2,548)
Make plastic caps that go over the end of stool legs (Boeing price: $1,118)
Develop a stealth pollution method (Stealth polluter: Boeing's dirty little secrets. Washington Free Press)
Steal documents and information from rivals Lockheed Martin and Raytheon.
Traffic in classified Pentagon documents (criminal)
Produce a super sonic passenger airplane (oh wait, that wasn't Boeing)
[ link to this | view in chronology ]
Re: by Anonymous Coward
I certainly should have specifically said "Sarge" rather than reverted to Comp 101 ... my mistake Anon ... point to you.
Don't ever believe your misconception that I doubt the intelligence and integrity of US service men and women ... I not only am an honorably discharged veteran, but support ... actively ... their efforts.
The replacement for the F-15 is the F-18 ... and F-22 and sometime soon the F-35 ... errs in the F-15 have been resolved as shown by the return to flight status just recently announced.
When you talk about the ... what the links show as exorbitant prices for products ... remember that the articles are talking about "first articles" ... so when you first have to develop a tool .... there is a lot more that goes into the equation than what you'd pay to buy a set of pliers at Ace hardware ...
Answer me this ... if we're trolls ... what are you? Airbus ... or someone laid off during the merger acquisition?
[ link to this | view in chronology ]
Re: Re: by Anonymous Coward
What are you doing, playing games and tracking points?
errs in the F-15 have been resolved as shown by the return to flight status just recently announced.
Are we to believe that this was some kind of "secret" announcement (you didn't cite any sources) and they are going to keep flying known defective aircraft? I have a hard time believing that. The last announcement I read said the defective F-15s were still grounded and Boeing wasn't taking responsibility.
When you talk about the ... what the links show as exorbitant prices for products ... remember that the articles are talking about "first articles"...
OK, now you're just plain lying. That certainly doesn't make your company look very good (of course Boeing is known for dishonesty: see here, here, and here)
And the irony is that I wasn't even aware of this stuff until you obvious shills came along spouting off which prompted me to go do a little research on Boeing. Nice job there, I wonder if your handler is going to be pleased? Go look up the term "Streisand effect".
None of this gives me any confidence in the wisdom of Boeing's decision to connect the 787's control, navigation and communication systems to the passenger internet network. Especially if the only excuse is along the lines of "Trust us, we're Boeing". You guys don't seem very trustworthy to me.
Answer me this ... if we're trolls ... what are you?
Just someone who dislikes shills and liars. I guess you could call me a "troll hunter".
[ link to this | view in chronology ]
Boeing Link to Deutsche Bank and other Multi Na
[ link to this | view in chronology ]
boeing
[ link to this | view in chronology ]