Boeing 757 Testing Shows Airplanes Vulnerable To Hacking, DHS Says (aviationtoday.com)
schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team is doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching avionics subsystems on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.
why should Southwest Airlines pay? and not boeing? (Score:5, Interesting)
why should Southwest Airlines pay? and not boeing?
Re: (Score:2)
And what's the price of a crash caused by hackers? Oh, right, that's not the same thing, the cost of a security fix is something you have to pay right now, while the price of a crash is only a potential cost in the future. Who cares about the latter even if it's orders of magnitude higher, right?
Re:why should Southwest Airlines pay? and not boei (Score:5, Interesting)
What if a hacker takes down an airplane, people find out in the media, and nobody wants to fly on that aircraft type anymore? Or with that company because it didn't apply a fix that existed? Does the insurance cover that? Now that's something that could bankrupt an airline.
Legacy aircraft (Score:2)
You did read at least the summary, right? 90% of the commercial fleet is the Boeing 737.
Evidently you did not read the summary. It says "legacy aircraft, which make up more than 90% of the commercial planes in the sky". It does not say the Boeing 737 is 90% of the fleet, which is obviously verified with a single trip to any airport. Boeing 737s are legacy aircraft and are common, but there are a lot of other types of legacy aircraft as well.
Re:Legacy aircraft (Score:5, Informative)
Actually the 737 is just as modern as any aircraft being produced. The current airplane with the designation 737 shares virtually nothing with the first plane to carry that designation. The fuselage is different, the wings are different, the engines are different, the avionics are different, and the interior packages are different. The currently produced aircraft with the designation (The Max series) is actually the 4th generation of 737. Basically saying it's a 737 is like saying it's a Ford Mustang, other than size and maybe some styling cues it's fairly meaningless as it tells you nothing about what's in the car/airplane.
Old 737s (Score:2)
> Actually the 737 is just as modern as any aircraft being produced.
That depends on which 737 you are talking about. Some 737s have been in service for 30+ years so calling them modern is a bit of a stretch at this point. The 737 has been produced since the 1960s. Yes current versions are considerably updated and quite modern but there are still a lot of older models still in service that aren't nearly so up to date. There are plenty of 737s in service today that could fairly be described at this point as legacy aircraft. Boeing produces 300-400 new aircraft per year an
Re: (Score:2)
Except the avionics have not undergone that much change in quite a while. The MAX uses the same Smiths (now GE) FMC that 737s have used for well over a decade (the 2907C1). They use either the Rockwell-Collins CMU-900 or Honeywell MKIII to manage external RF-sourced messages. They all use the same TWLU for Gatelink. Yes there are differences between the software releases (e.g., U13 for the FMS on the MAX) but most of the code in these LRUs is the same from release to release.
Re: (Score:2)
Most of the control surfaces are still mechanical but the spoilers are now fly-by-wire.
Re: (Score:2)
My understanding is that the modern Airbus autopilot/collision avoidance system is capable of overriding the pilot's control if it "thinks" they're going to cause a collision - is that wrong? Because that would seem to pretty clearly indicate fly-by-wire. And could certainly be a major problem if that system were hacked.
Re: (Score:2)
>Decades of senseless crashes and people being instantly turned into charred person-burgers have not changed humanity's desire for air travel.
Why should it? Statistically, the drive to the airport is still the most dangerous part of the trip.
Re: (Score:2)
The airline can't fix the issue aside from replacing the aircraft. And there is no reason to assume Airbus or MD or anyone else is any better than Boeing.
This is a fundamental problem across the entire industry. It also affects the car and trucking industries----no security designed into those vehicles either, for the most part.
I'd assume they're only reporting about Boeing because the hackers were given a Boeing to play with.
Re: (Score:2)
Insurance companies are (in)famous for taking money for policies and then wiggling out of things they don't have to pay for. Consider the likelihood an insurance company would pay for a crash caused by a publicly known exploit that their customer (the airline) and the manufacturer (Boeing) refused to fix.
Re: (Score:2)
risk = cost * probability
Let's say you have a $100 asset. There is a possibility a hacker could completely destroy it. You'd be out $100. I offer an indemnity policy to you. Your estimation of the risk says there is a 10 percent chance a hacker will destroy your asset. You would likely be willing to pay up to $10 for some protection. Much more than that and you would probably prefer to take your chances. That is the simplest situation.
Now imagine instead of an indemnity, I am offering to do work to sec
Re: (Score:2)
Risk management is a big thing. However, for most companies, because the individual execs are so well shielded, even if a company causes loss in the thousands to tens of thousands of lives, it is pretty much impossible for the C-levels or even VPs to see any consequences. The banking industry in 2008 showed that with the megabuck bonuses after the recession.
In reality, if a company has a $100 asset, the CxOs will say that paying $10 has no ROI to them. The $100 asset gets destroyed, and the business is t
Re: (Score:1)
I was reading on another site someone that was arguing that corporations are ultimately still the people behind them. This example here is the clearest example against that notion that I've read in ages. Thank you for a nice insightful comment.
Re: (Score:3)
Especially considering that the cost would be high enough to make the airline fail, and being too big to fail as usual we get to foot the bill anyway, so why should the airline be concerned at all?
Re: (Score:2)
> And what's the price of a crash caused by hackers? Oh, right, that's not the same thing, the cost of a security fix is something you have to pay right now, while the price of a crash is only a potential cost in the future. Who cares about the latter even if it's orders of magnitude higher, right?
It's one thing when the first plane is hacked, and it results in a crash. It's another thing entirely when the 5th plane goes down within a week. Who needs a box cutter when you can terrorize using "typical stuff that could get through security".
Not to mention the financial impact when no one in their right mind would fly on 90% of airline inventory. It would probably take less than a month to bankrupt most airlines in a scenario like that, along with a rather massive ripple effect crippling US Capitali
Re: (Score:3)
Easy answer. No computing or radio devices permitted as carry on luggage. No laptops, cell phones, media players, medical equipment documented ahead of time and itemized.
and free checked bags + full liability with that r (Score:2)
and 2 free checked bags + full liability with that rule.
Re: (Score:2)
Good luck. You will take what the airline offers and you know you will.
Re:why should Southwest Airlines pay? and not boei (Score:4, Informative)
Re: (Score:2)
And even if that weren't a serious safety risk, that would still be the dumbest, most invasive possible approach to fixing the problem. The smartest, least invasive approach would be to permanently shut down the in-flight Wi-Fi on planes that can't be secured. No access to the network = no ability to crack into the systems.
Besides, anything you can do with a device on your person, you can also do with a device in the hold, using a timer or the built-in barometric pressure sensor. Banning devices from ca
Re: (Score:2)
I'm not necessarily assuming Wi-Fi, but if they're talking ab
Re: (Score:2)
> Easy answer. No computing or radio devices permitted as carry on luggage. No laptops, cell phones, media players, medical equipment documented ahead of time and itemized.
We can't even get social media addicts to put their phone down to prevent killing people on the road, and you call this an "easy" answer?
Good fucking luck with that.
Re: (Score:2)
If faced with being tossed to the local airport police and dragged off for a stint in the local pokey for a bit, most people will give up their devices.
Re: (Score:2)
The first time TSA makes someone either trash an $800 iPhone or miss a $600 flight, and it hits the news, people will very quickly learn to pack that stuff before heading to the airport.
Re: (Score:1)
You'd think that, but thousands of people still forget to unload their handguns from their carry-on baggage every year[1]. Those cost on the same order as a cellphone and failure to remove them can result in jail time, not just missing a flight.
[1] Washington Post, August 2017 [washingtonpost.com]
Re: (Score:2)
> If faced with being tossed to the local airport police and dragged off for a stint in the local pokey for a bit, most people will give up their devices.
Ah, so threat of becoming a criminal with a record is now the only thing that would actually separate a human from their can't-live-without-it smartphone.
Nope, no addiction to see here...everyone is fine...move along...
the max headroom guy maybe to pull that off if (Score:2)
the max headroom guy maybe to pull that off if he is still alive.
lone gunmen episode 1 (Score:2)
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:1)
They share a lot of subsystems, so probably yes.
Re: (Score:2)
> why should Southwest Airlines pay? and not boeing?
Easy... They hope that Southwest will go back to Boeing and get the money back if Southwest is charged. They don't want to go directly to Boeing because (maybe) they don't want to ruin their relationship with Boeing. However, I doubt that Southwest would do what they hope -- getting all money back from Boeing. I believe Southwest will get the money back from both Boeing and passengers because they now have a reason to charge more (or CEO would get less bonus due to the loss).
Re: (Score:2)
I believe that when there is a problem with a plane, the customer has to pay for the fix, just like with regular maintenance. Otherwise, if safety cannot be guaranteed, the plane is grounded.
The idea is that by not requiring manufacturers to pay, it limits the incentives to hide defects.
Now, that's for general aviation, I suppose the situation is not that simple with airlines buying dozens of multi-million dollar planes.
Re: (Score:2)
And yet, when an automobile has a design flaw that causes a safety problem, NHTSA requires them to fix it at no cost to the customers. Some cars have seen many, many safety recalls. So at least anecdotally, it doesn't seem like forcing the manufacturers to pay for their own screw-ups results in more cover-ups.
Also, because it is cheaper to fix things before they are deployed than to incur the cost of fixing them later, a manufacturer-pays policy has the added advantage of making the manufacturer be more
Re: (Score:2)
As part of the maintenance contract with Boeing they would agree to cover costs like this. Business supply contracts are not like consumer law, they typically don't have warranties and the like.
The airline could sue Boeing to make them pay for the fix, but after years in court and millions in legal fees they probably wouldn't win. After all, when other defects are found the airline usually pays the maintenance costs. At best the manufacturer might supply some free placements, but they aren't going to fit th
Sensationalism on costs (Score:2, Insightful)
This article claims that one line of code costs a million dollars to fix and would "bankrupt" Southwest.
News flash: Southwest wouldn't be the ones fixing the fucking code! It would be the manufacturer who would then absorb that cost, not the airline. Besides, if this problem is valid the FAA and other regulators will be involved to force the manufacturer to address the issue.
This article is a perfect example of why journalism is headed for self-destruction.
Re: (Score:2)
> Besides, if this problem is valid the FAA and other regulators will be involved to force the manufacturer to address the issue.
You'd think that's how it would work, right? Especially, with this now being made public, though the chances are, the FAA has their hands full with the twin perils of autonomous aerial vehicles and laser lights being shined into the cockpit.
Look for their interest to be piqued after the first passenger plane lands outside of an airport because of this vulnerability.
Re: (Score:3)
> This article claims that one line of code costs a million dollars to fix and would "bankrupt" Southwest.
> News flash: Southwest wouldn't be the ones fixing the fucking code! It would be the manufacturer who would then absorb that cost, not the airline. Besides, if this problem is valid the FAA and other regulators will be involved to force the manufacturer to address the issue.
> This article is a perfect example of why journalism is headed for self-destruction.
Not to mention a lot of that is fixed costs. Changing 1 more line of code wouldn't cost $1 more but it also wouldn't cost $1M more.
Re: (Score:2)
> This article claims that one line of code costs a million dollars to fix and would "bankrupt" Southwest.
> News flash: Southwest wouldn't be the ones fixing the fucking code! It would be the manufacturer who would then absorb that cost, not the airline. Besides, if this problem is valid the FAA and other regulators will be involved to force the manufacturer to address the issue.
> This article is a perfect example of why journalism is headed for self-destruction.
OK, let's make the manufacturer fix this then.
Effective immediately, 90% of US airline fleets are hereby grounded as they are unsafe. They are now part of a manufacturer recall.
Hope that clarifies the impact.
Oh, and speaking of self-destruction, airlines would most likely be bankrupt as a result of that course of action.
Re: (Score:2)
> Effective immediately, 90% of US airline fleets are hereby grounded as they are unsafe.
We've leapt from an opaque claim that some hacker has "establish[ed] a presence" to an "unsafe" fleet that requires immediate grounding? Add in the fact that in TFA it tells us that the experts said they knew about this for years and it isn't a big deal. I think "unsafe" would be a bit of a deal.
This is like someone suddenly realizing that you can open an elevator access door from outside the elevator. Anyone who knows elevators knows this; it's only the ignorant who freak out when they learn this amazing
Re: who pays (Score:2)
If you were running an unsupported (see very old) version of Windows and didn't have a (probably very expensive) support contract to cover it, you would be paying MS to fix that exploit. I'm not sure if Apple has support contracts to support very old iOSs but probably not. Seems unlike them.
Useless metric spotted (Score:1)
>The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement.
Useless metric spotted. The cost is very very very lousily correlated to the number of lines of code. The number of checks/tests to re-run is by far a better metric to estimate the cost. Most of the time one line of code or thousands just cost the same price.
Re:Useless metric spotted (Score:5, Insightful)
With something like avionics software, it probably doesn't matter if one line or a thousand lines change... the entire application would need a full regression test for safety/certification purposes. That's where the million dollar estimate probably comes from.
Re: (Score:2)
> the entire application would need a full regression test for safety/certification purposes.
It is a reasonable metric, but ridiculous application. Yes, recertifying the specific piece of avionics that is involved may cost $1 million when you consider the time and manpower involved. That may cover 1 or 1000 lines of code. It won't be Southwest that pays this, and maybe not even Boeing. It will be the manufacturer of the system that needs fixin'.
But this is a ridiculous application of the metric when there is the claim that it would bankrupt Southwest to implement it. Implementing the change would
million dollars per line (Score:5, Informative)
1. The airlines operate under a huge amount of regulatory oversight, and structure the development of avionics or engine control software accordingly. The terms ARP4754 and DO-178C are to aviation as ISO9002 is to business models. They provide guidelines on creating a rigorous development process, and regulators are keen to track how well companies develop logic and physical designs in line with best practices described by those guidelines.
2. If you summarize DO-178C in one sentence, it might be "document the rationale for every change, and the means you employed to ensure it is the right change." Most companies follow a V-shaped change model where you trace from high level requirements to lower level requirements to implementation details, and then verify the code does what is expected and then validate that the requirements are being met (and the requirements are even proper in the first place). Once you have that framework in place, you have to document every step of the chain of review.
3. For every change to a high level requirement, a low level requirement, an implementation, and sometimes even a change in a verification method, there typically has to be an independent review: you cannot trust the implementors to check that the change was appropriate and done correctly as it's easy to be blinded by your own thought process during development.
So in a case like this, the customer needs to inject several new top-level requirements (which shockingly may not have been there in the first place), "the system shall be hardened against unauthorized changes in configuration/operation/state" and that has to flow down to subsystems "the component XYZ shall be hardened..." and that has to flow down a few more tiers before you even identify the protocols or chips or attack vectors to be changed. Then you have to verify the code change works in each component. Then a system-level review. Then a regulatory review to have the updated design certified as safe for test flight and finally safe for revenue service.
Does this sound like a desktop software change control process? Sure, maybe you're really disciplined, but it's a matter of degree. It really can take fifty people or more, from regulators to systems engineers to coders to integration testers to work the process. And that all adds up in terms of time, opportunity costs, tools and tooling, lab test, systems test, hours and hours of live aircraft flight test, and so on.
Re:million dollars per line (Score:5, Insightful)
The summary said $1M for a one-line change. I took it to mean making a change, even one line, costs a minimum of $1M. Changing two consecutive lines might cost $1,001,000.
Re:million dollars per line (Score:4, Informative)
> I expect quite a few folks here are going to question the figure, "a million dollars per line changed."
As well they should, because that isn't what he said. What he said was, "The cost to change one line of code on a piece of avionics equipment is $1 million". But everything else you said in your post is spot on. Most software developers have no idea what is involved in creating DAL-A safety critical software for commercial aviation, and would run screaming to the safety of their iOS development environment if they were tasked with doing it.
Re:million dollars per line (Score:4, Interesting)
> Apparently, the developers that did it were lacking as well.
Well, since the threat didn't exist when the systems were developed, it's understandable that mitigations weren't put into place. Also, humans are prone to errors. There aren't any processes that can guarantee perfection, but that doesn't mean you might as well have no process.
> I've never been convinced that these forms of making stuff good by massive oversite actually works.
I don't know what "massive oversite" is, but a disciplined process and independent verification and validation combined with reasonable regulatory oversight usually results in good quality
> How does JPL do this? They seem to be able to make stuff that works in a wide variety of extreme use cases.
Having worked with JPL, I can assure you that they have their own set of development rules that would make the average Slashdotter blanch. But they aren't involved in commercial passenger aviation, where catastrophic failure rates are measured in failures per billion operating hours.
Re:million dollars per line (Score:4, Insightful)
> I've never been convinced that these forms of making stuff good by massive oversite actually works.
Pretty much every major engineering project has massive oversight. If you're likely to affect the safety of the general public, it comes with the territory.
Do you know why you can crash your car into a solid wall at 60 MPH and probably live to tell about it? Because there are so many rules and tests. Just because you can't fathom the immense effort that goes into a project... don't assume it isn't happening.
Most of these "software engineers" working on mobile apps have no idea what it is like to work on safety-critical systems. Until recently, security was not considered as part of the system's safety. That was a serious omission, but it is being rectified.
I feel some serious sympathy for anyone who is left holding the bag. When it comes to securing a legacy system to a comparable same level as its existing mechanical safety certifications, it is either impossible or will require a Herculean effort.
We've seen the fruits of safety regulations, however, and they will need to expand now that everyone can carry a capable computer in their pocket.
Re: (Score:2)
There is a solution to this problem. For every product you make, create a new shell company. That shell company produces and sells the product and pays "royalties" for some patents or licenses or whatever bullshit your beancounters can come up to the parent company, essentially becoming a pass-through for any revenue.
If the shit hits the fan, the shell goes poof.
And again! (Score:5, Interesting)
Why in the HELL are critical avionics control systems networked in such a way that they can be accessed remotely by radio? FFS, what were they thinking? They design systems that are hardened against direct lightning strikes, but leave them vulnerable to a remote hack using a device that's probably not much more than a small computer and a glorified walkie talkie connected together. WTF?
On an unrelated note, why is the page I'm typing this on a standalone text entry box without TFS available on it for reference? Is Slashdot Beta rearing its drooling imbecilic ugly head again?
Re: (Score:1)
I suspect they were designed that way because the 757 was designed in the mid 1980's - when such exploits would have been impossible to carry out. (Had they even thought of that, which I doubt).
So I would like you to come up with a completely new design for something extremely complex. Then wait 30 or 40 years and have a bunch of engineers with access to tools and methods that simply don't exist today start chipping away at your design.
Why the hell indeed.
Re: (Score:1)
They are not. Whole story is BS. Or at least overhyped. I can tell you for a fact that the critical flight control, navigation, and instrumentation on a 757 are not networked with anything. They may have been able to send the aircraft an ACARS message or break into the entertainment system, but they did not do anything nearly as dramatic as they are claiming.
Re: (Score:2)
> What about TCAS, GPS, ADS-B?
What about them? Neither TCAS nor ADS-B have direct input into aircraft controls. ADS-B provides information to the pilot about nearby aircraft. TCAS provides the same kind of information. TCAS has the added provision that pilots are expected to obey conflict resolution commands generated by TCAS, but not when the safety of flight is involved. Explicit exemption for that. If you are 100' AGL and someone tricks your TCAS into commanding "descend", then it will be ignored. The aircraft doesn't do it automatic
Re: (Score:2)
It was designed in the 1980s and the last one was made in 2004.
If I were to hazard a guess, it wasn't designed for remote radio configuration but became so due to some kinds of electronics add-ons or upgrades that created an unexpected vulnerability.
I'd also guess that this problem, if it's validated and well-understood from a capability and risk perspective, will just contribute to accelerating the plane's economic end of life. I'd imagine some percentage of early 757s have already been retired or moved to fre
Re: (Score:1)
If the airplane isn't *fly by wire* there's not a lot to worry about. The autopilot can be turned off if it acts up for any reason.
> why is the page I'm typing this on a standalone text entry box without TFS available on it for reference?
Maybe you opened the "reply" button in a new tab?
Article has no clue what it is talking about. (Score:2, Interesting)
> For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them.
Do you realize that Boeing-737, even in its latest -800/-900 incarnations, is NOT a fly-by-wire airplane? The flight control surfaces are mechanically connected to the yokes in the pilots' hands and the pedals under their feet, using push-rods and hydraulic cylinders. The basic design of B-737 originates from circa 1963 and hasn't been radically changed since due to economic pressure from airlines, to whom new "type r
Danger is not terrorists, but state actors (Score:5, Interesting)
But state actors and spy agencies, can. It is their bread and butter business. The danger is them giving these tools to the terrorists for political purposes and proliferation and mutation of the leaked hacking tools.
Re: (Score:2)
The idiots yelling "aloha snackbar" before blowing themselves up sure aren't Nobel prize material. But neither are the front line spies. And neither of them have to be.
The mastermind can well be someone behind the lines, training the one executing the attack to use the tool they build. Push this button, push that one and 72 virgins (along with their mom's basement) are yours.
Re: (Score:2)
> The mastermind can well be someone behind the lines ...
Could be. But rarely the mastermind is a genius. The dynamics of terrorist organization, the membership it attracts, its reward system etc do not allow really smart clever genius level thinkers to rise up in the ranks. They routinely lose top leadership and a headless terrorist organization is ripe to be taken over by an evil genius level thinker. It is possible, but pretty soon some hot head assistant with delusions of grandeur will kill him and take it back to dumb angry emotional leadership path.
The bo
Re: (Score:2)
> Terrorists are dumb.
That's what they want you to think.
> They will never hack at this level.
Of course not, they don't need to either. Just pay someone or threaten to kill their family.
The (missing) details are critical to this story (Score:4, Insightful)
The convenient excuse that the results of this hack are classified allows the author to make what would likely be a boring and unimportant story sensational. Exactly what systems did they access? A 757 is a pretty old aircraft. NONE of the flight critical systems are networked off the aircraft. I suspect the hackers got access to a non-critical system like ACARS or IFE. The $1M per SLOC is also very misleading. While the FIRST line of code might cost that much on a flight critical system, each successive line of code is pretty much in line with a traditional software project. You can also spread that cost across the entire fleet of operating aircraft. And since the 757 and 767 systems are almost identical, that's a lot of airplanes that could be upgraded for a single price tag.
Re: (Score:3)
I was disappointed I had to go so far down the page to see someone comment on this. I followed the link specifically to see *what* was hacked and nothing was mentioned. There's a huge difference between being able to turn off the "Fasten Seatbelts" lights, encouraging people to walk around during turbulence and dumping cabin pressure or altering flight controls.
Even something vague like the area they accessed: communications, cabin systems, avionics would make it look less like something sensationalized to
Re: (Score:2)
> There's a huge difference between being able to turn off the "Fasten Seatbelts" lights, encouraging people to walk around during turbulence
You don't need to encourage people to do that by turning off the seatbelt light, they'll do it whether the light is on or not. On a flight a few days ago, one idiot got up not once but twice to use the lavatory while we were on final descent. Both times the attendant walked by to lock the lav but didn't need to because the idiot was in it and the sign said "occupied". She thought it was empty and locked by another attendant. After she strapped in, the idiot returned to his seat, leaving the lav door ajar.
A
Re: (Score:2)
> The convenient excuse that the results of this hack are classified allows the author to make what would likely be a boring and unimportant story sensational. Exactly what systems did they access? A 757 is a pretty old aircraft. NONE of the flight critical systems are networked off the aircraft. I suspect the hackers got access to a non-critical system like ACARS or IFE. The $1M per SLOC is also very misleading. While the FIRST line of code might cost that much on a flight critical system, each successive line of code is pretty much in line with a traditional software project. You can also spread that cost across the entire fleet of operating aircraft. And since the 757 and 767 systems are almost identical, that's a lot of airplanes that could be upgraded for a single price tag.
They do mention maintenance crews and I do wonder about an impostor hooking up a hacking device to a maintenance interface. If this is left while the airplane is flying, it could try to put the aircraft into maintenance mode in flight. Though I think they already have software in place to try to prevent such a thing from being done by accident, and I would hope maintenance crews are fairly well monitored as they could do far worse with an explosive device attached somewhere you can't see it.
Easy Peasy (Score:2)
Settings
Bluetooth
select Boing 737
Connect
http://www.vicclap.hu/static/p... [vicclap.hu]
Re: (Score:2)
The article also presumes the *fix* is to change the software. It could be possible to just pop a circuit breaker. There are a number of non-critical systems that can fail and the aircraft is still operational. One thing that comes to mind is the Inmarsat communications that was still active in MH370 when all other comms were lost. If that comms link was not required for normal passenger service but turned out to be a vector for hacking there's no need to re-write the code, just open the circuit breaker for
Lucky for us (Score:2)
Legacy aircraft have mechanical backup on the controls. The airplane is still flyable if the computer malfunctions. Hackers can still mess with the autopilot and navigation though.
ACARS (Score:4, Informative)
woot (Score:2)
I picked a bad day to quit... (Score:2)
In unrelated news ... (Score:1)
> I was successful in accomplishing a remote, non-cooperative, penetration.
So it looks like Judge Roy Moore [nytimes.com] can find a back-up career if his run for Alabama Senator falls through - once these planes get to be 14 years old, of course.
(More seriously, wouldn't a "cooperative" penetration be just like logging in and not an exploit/hack?)
Why would anyone believe any of this. (Score:1)
The B757 never had WiFi or any other common networking on it. The closest thing might be ACARS, or one of the databuses that aircraft use.
The 737 classics that Southwest has had WiFi added, but nothing connected in the cockpit. Even the 737-NGs had WiFi added, but again, nothing to the cockpit.
The newer 737-MAXs are Boeing's responsibility. So far Southwest doesn't have enough of them to threaten the company should they need to be retrofitted.
A fix to one line of code, would apply to several thousand aircraf