Boeing 757 Testing Shows Airplanes Vulnerable To Hacking, DHS Says (aviationtoday.com)
Date: 2017-11-15
schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching avionics subsystems on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.
why should Southwest Airlines pay? and not Boeing? (Score:2)
why should Southwest Airlines pay? and not Boeing?
And what's the price of a crash caused by hackers? Oh, right, that's not the same thing, the cost of a security fix is something you have to pay right now, while the price of a crash is only a potential cost in the future. Who cares about the latter even if it's orders of magnitude higher, right?
What if a hacker takes down an airplane, people find out in the media, and nobody wants to fly on that aircraft type anymore? Or with that company because it didn't apply a fix that existed? Does the insurance cover that? Now that's something that could bankrupt an airline.
They share a lot of subsystems, so probably yes.
Besides, if this problem is valid the FAA and other regulators will be involved to force the manufacturer to address the issue.
You'd think that's how it would work, right? Especially, with this now being made public, though the chances are, the FAA has their hands full with the twin perils of autonomous aerial vehicles and laser lights being shined into the cockpit.
Look for their interest to be piqued after the first passenger plane lands outside of an airport because of this vulnerability.
million dollars per line (Score:2)
1. The airlines operate under a huge amount of regulatory oversight, and structure the development of avionics or engine control software accordingly. The terms ARP4754 and DO-178C are to aviation as ISO9002 is to business models. They provide guidelines on creating a rigorous development process, and regulators are keen to track how well companies develop logic and physical designs in line with best
The summary said $1M for a one-line change. I took it to mean making a change, even one line, costs a minimum of $1M. Changing two consecutive lines might cost $1,001,000.
And again! (Score:2)
Why in the HELL are critical avionics control systems networked in such a way that they can be accessed remotely by radio? FFS, what were they thinking? They design systems that are hardened against direct lightning strikes, but leave them vulnerable to a remote hack using a device that's probably not much more than a small computer and a glorified walkie talkie connected together. WTF?
Danger is not terrorists, but state actors (Score:2)
But state actors and spy agencies can. It is their bread and butter business. The danger is them giving these tools to the terrorists for political purposes and proliferation and mutation of the leaked hacking tools.