Pen Test Partners: Boeing 747s Receive Critical Software Updates Over 3.5" Floppy Disks

Boeing 747-400s still use floppy disks for loading critical navigation databases, Pen Test Partners has revealed to the infosec community after poking about one of the recently abandoned aircraft. From a report: The eye-catching factoid emerged during a DEF CON video interview of PTP's Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck. Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline's decision to scrap its B744 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task.

"Aircraft themselves are really expensive beasts, you know," said Lomas as he filmed inside the big Boeing. "Even if you had all the will in the world, airlines and manufacturers won't just let you pentest an aircraft because [they] don't know what state you're going to leave it in." While giving a tour of the aircraft on video, Lomas pointed out the navigation database loader.

Good!

[cunniff]

A lot more secure than a network connection or a USB key. The only issue is finding new stock of floppy disks.

Re:Good!

[DogDude]

Exactly what I was going to say. I'd much prefer flying on an aircraft that was NOT updated via the Internet. Heck, I won't even drive a car that can be messed with over the Internet.

Re:

[arglebargle_xiv]

Not just that, these systems are built to last forever and keep going no matter what. Look up the triple-triple-redundant design of the 777's primary flight computers (PFCs) for example, each PFC has three processors from different vendors (80486, 68040, and 290x0) running Ada control software built with three different compilers with three PFCs voting over triple-redundant ARINC-629 buses, etc etc. Would you fly on that, or on a system run from an x86 VM with a live Internet connection?

local USB key is the same as floppy

[Joe_Dragon]

local USB key is the same as floppy

Re:

[nagora]

local USB key is the same as floppy

Well these days if you leave a floppy on a train the chance that the person that finds it can read it is a lot lower.

Re:

[WeatherServo9]

local USB key is the same as floppy

Well these days if you leave a floppy on a train the chance that the person that finds it can read it is a lot lower.

Perhaps, but that's not a huge hurdle; a $25 USB drive from Amazon can fix that if they really are truly interested in the disk contents...

Re:

[HiThere]

Most computer stores don't carry them any more. I've even had trouble finding a keyboard that isn't wireless to a USB dongle.

Re:

[nagora]

local USB key is the same as floppy

Well these days if you leave a floppy on a train the chance that the person that finds it can read it is a lot lower.

Perhaps, but that's not a huge hurdle; a $25 USB drive from Amazon

For most computer users that's not a huge hurdle, it's an impassible barrier.

Re:

[Aristos Mazer]

> the person that finds it can read it

I was never very good at reading floppy disks. I always had to get a computer to do it for me. :-) True story: I spent a couple afternoons as a kid with a magnifying glass because I thought if I zoomed in close enough, I'd see the zeros and ones written down. A neighbor who was an engineer explained things to me.

Re:

[HiThere]

Well, once upon a time that would have worked. Paper tapes were a thing. And actually there was a way to "develop" 200 bpi mag tapes that would make the bits visible. I'm not clear quite what it was because I never wanted to do it, but I did see some developed images.

Re:

[wwphx]

At one time I could read 80 column punch cards, those were pretty easy. Never developed the knack for the 96 column cards, though. And we did have paper tape at one place that I worked in the early '80s. It could be nasty if the tape had a crease, fortunately that was pretty rare. It was actually some sort of mylar, can't remember exactly what it was.

Re:local USB key is the same as floppy

[PCM2]

local USB key is the same as floppy

That's if you assume what is being plugged into the USB port is actually a storage device, and not something that just pretends to be a storage device. It would be pretty hard for a 3.5" floppy to change its own contents on the fly, for example.

Re:local USB key is the same as floppy

[Calydor]

Reminds me of a pretty interesting version of the classic 'abandoned USB stick' scheme: The USB stick told Windows it wasn't a storage device but a basic keyboard, honest! And when Windows said okay, you have a new keyboard now, the program on the stick started 'typing' commands really really fast.

Re:

[CaptQuark]

It's called a Rubber Ducky from Hak5. https://shop.hak5.org/blogs/us... [hak5.org] https://shop.hak5.org/products... [hak5.org]

Hak5 has many pen testing tools but the Rubber Ducky was one of the first. The Pineapple was one of their next tools. Some of their new items like the Bash Bunny are downright scary!

---

Comment removed

[account_deleted]

Comment removed based on user account deletion

What about SD cards?

[caveat]

Quite a few COTS avionics systems (e.e. Garmin) get their map updates via SD card. Of course it could be loaded with malicious *data*, but so could a floppy - can an SD card also actually *execute* a package like a USB device?

Re:

[CaptQuark]

can an SD card also actually *execute* a package like a USB device?

It depends on the OS. If the SD card is mounted like a normal mass storage device, then yes.

For other devices like your Garmin that are running a custom control system (not *nix, Windows) then the controller can only do what the programmers tell it to. Can the data on the SD corrupt the data in the Garmin? Yes. Can it reprogram the device to change features on the device? Maybe.

I know the Mio GPS units had alternate controls programs that you could install that did things like play .mp3 files and

Re:

[Darinbob]

How can a USB key do this when the operating system is not linux, or Windows, or OSX, or other consumer oriented operating system? Especially on a system that does not even have a keyboard driver, and a port that only has a single mass storage driver loaded for it? Remember, if Windows is a component in your embedded critical system, then unrecoverable damage has already been done. The problem with too many of these systems is that they go cheap and decide to use cheap operating systems so that they can u

Re:

[thereddaikon]

Support for the different types of USB devices in a generic sense is handled in part by the USB specification. Mass storage, Human Interface, Hubs etc are all separately defined in their behavior. So a USB compliant keyboard is in large part compatible with any OS that supports USB.

Re:

[Darinbob]

Except in many embedded systems. If the system is not designed to use a keyboard, then the USB HID drivers may not exist. Other times if they exist they aren't necessarily going to get connected to lower level systems; ie, I worked on a system that had a keyboard with lots of custom controls (a medical) device, but you never got a console that way, could never type in commands, and every keystroke went to the highest level application. Even if you have Linux, you are not required to have your keyboard co

Re:

[thereddaikon]

So I did a quick search and it seems Boeing prefers VxWorks in their aircraft. For usb keyboards you have to specifically build in the support per this kb: https://docs.windriver.com/bun... [windriver.com]

Another interesting thing I found was last year some major CVEs were posted in regards to VxWorks and essentially its entire IP stack, or that parts that matter at least. https://www.windriver.com/secu... [windriver.com]

Unpatched systems are very vulnerable and I do remember reading not long ago that on many new aircraft various systems

Re:

[CaptQuark]

The Boeing 787 uses AFDX (ARINC664), an improved version of the standard OSI reference model. It supports both twisted pair and fiber optic connections between the devices. https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Darinbob]

And to be honest, it's kind of scary. It's good that you can use Linux and then that solves a whole lot of issues, such as not worrying about the weird and badly supported third party network stack or USB framework. But it also adds a host of other issues, as it's usually too large to support in house and many companies just go with a third party to provide a linux platform and build services and support. Technically, a Linux platform could be very small and done in house, but in practice they usually en

Re:

[OrangeTide]

Unless someone disguises a USB killer [hackaday.com] as an official looking key.

Kinda

[JBMcB]

A USB key works similarly to a floppy drive. The problem is it's not a USB key port, it's a USB port, which means you can plug all kinds of stuff into it. Also, you can spoof devices by hacking the microcontroller in a USB key.

There are some remediations you can take (custom USB stack that only allows devices to use the storage protocols) but giving users access to a general purpose interface bus is going to be a lot less secure than only allowing them to stick a floppy in a drive.

Re:

[TuballoyThunder]

There is probably multiple lifetime supply of AOL disks that can be recycled for this purpose. Much better for the environment than making new USB sticks and much more secure than the unknown malware that can be hidden inside a USB stick controller.

Re:

[Joe_Dragon]

but what about the system / code the splits the data on to X number of disks? or maybe add track errors that load code? Like the copy protection systems?

Re:

[Luckyo]

In my experience, consumer grade floppies last only about a decade to decade and a half at most unless to store them really well. Median is closer to 5-7 years.

Then they're basically dead.

Re:

[Hodr]

I have Commodore 64 5.25" floppies that still work (played Cave-man Ugh-lympics a couple weeks ago). Also plenty of Amiga 500 3.5" disks as well. Stored in the basement and checked every 2-3 years as the urge hits.

Re:Good!

[Luckyo]

Are those the low capacity ones? I recall those were way more stable than later high capacity floppies.

Re: Good!

[SuperDre]

Hmmm, still have a box of floppies from 1990, and the data on them is still readable.

Re:

[freeze128]

Me too, and some of those contain viruses. I would like to know if the 747s have boot sector protection....

Re:Good!

[iggymanz]

Not really a problem since military still uses 3.5" too, you can order by the pallet. They only got rid of 8" for nuclear missile launch systems in 2019.

Re:

[hcs_$reboot]

As long as the updates are not iOS like (2 GB)...

Re:

[Darinbob]

And nothing is really wrong with floppy disks here. If the data has good checksums, the software system has good security hashes, then the possibility of corrupted data is negligable. If the floppy doesn't work, you get another one and ground the plane until it arrives.

USB keys are only unsecure if you're doing something like allowing off-the-shelf moronic software like Windows on the navigation systems. Any system stupid enough to execute random files from a USB key found in a parking lot should be bann

Re: Good!

[NagrothAgain]

Any security flaw in a network or USB storage would also be present in a floppy disk.

False. USB devices contain a microcontroller, floppy disks do not. This allows for a variety of potential issues and while they can be secured against, it's another layer of complexity. Network is an even larger attack surface.

Re:

[K. S. Kyosuke]

Clearly you've never had a VIC-1541.

Re:

[DesertNomad]

False. USB devices contain a microcontroller, floppy disks do not..

and we have a winner!

Re:

[bird]

There is no supply issue for 3.5" floppies.

What's wrong with USB?

[rsilvergun]

to be fair I haven't used a well made floppy drive in ages (the cheapo $15 dollar OEM ones I used to buy just before they stopped being needed to boot & install an OS were crazy bad, but my god it was insane buying a disk drive for that money when my 1541 cost $150 in 1989). But USB is pretty reliable and there's plenty of checks you can do on top of it.

Re:

[Baby Yoda's Daddy]

The 1989s called and want their sneaker net back.

Re:

[Dr. Tom]

"Pre-digital tape? Old-school.

Practically pre-school and thus unhackable."

-- Altered Carbon

Re:

[tokul]

> The only issue is finding new stock of floppy disks.

You also have to find aircraft that accepts 3.5 disks and does not require 5.25s or tapes. 747 is from times when 3.5 disks did not exist.

Re:Good!

[RobinH]

Yes, this is the same story we get every few years when the new crop graduates with the "if it's old it's terrible" mantra. Airplanes last a long time, much longer than your car. That tech was state-of-the-art when the plane was built. Once newer tech (like thumb drives) becomes available and widely used, there's going to be a conversation like, "Hey boss, we should upgrade all the NAV system updaters so they can support USB thumb drives." "That's going to cost a ton of money, both for us and our customers, and expose us to some big risks. Engineering a USB controller for that outdated architecture is a big undertaking. Why? What benefit do we get by doing it?" Of course the answer is "almost none." It's a tune I like to call: adults setting appropriate priorities.

Re:

[DesertNomad]

What benefit do we get by doing it?" Of course the answer is "almost none."

Another winner!

Re:Good!

[quetwo]

You also have to realize that this equipment was developed and tested in the early 90's and put into service/production in the mid to late 90's. USB sticks weren't really a thing until the early 2000's. Manufactures like Boeing won't change something like that after the initial manufacture -- they would have to re-certify all the components that change (software, hardware, computer, etc) which can take years. It also means that they would now have to keep two vintages of stuff around -- because the old floppy stuff will live on for 30+ years in service of those airliners.

Re:

[antdude]

Who else is still using ancient hardwares? I remember US' military were still using 8" floppy disks: https://duckduckgo.com/q=gover... [duckduckgo.com].

Avionics

[JBMcB]

Getting avionics type-approved through every required governmental regulation agency (US, Europe, Japan, Russia, China, etc...) costs a TON of money. Once something is proven to work, you use it until there is a *very* good reason to stop. Usually this means the cost of maintenance for obsolete parts is greater than the cost of getting new hardware type approved.

In-flight movies were distributed on DVHS tapes until roughly 2017, when they were replaced with solid state drives. This, even though as a consumer format, DVHS had been dead for over 10 years.

how much pull does Hollywood have over DRM on that

[Joe_Dragon]

how much pull does Hollywood have over DRM on that?
Say people start copying movies will they take the long governmental regulation wait for an fix?

Relevant Older Story

[Kunedog]

https://tech.slashdot.org/stor... [slashdot.org]

Re:

[thereddaikon]

I see this as a good thing as long as it can be kept running. The system is so old and foreign to modern computing that no asshole a world away will be able to hack it. Access requires physically being there, getting past men with rifles. And even if you do manage that you still have a very unique and specialized system that will be hard to break in to merely due to the fact few are around who understand it. How easy is it to write malware for something that only takes 8inch floppies and uses an OS nobody h

Re:

[Darinbob]

Even without the regulations and such, just the practicality of replacing technology is extremely complex. The 2o or 30 somethings may just decide to toss out their television and buy a new one to have it delivered overnight to their front step, and then they think this is oh so easy. But if you've got a tube TV built into a wall console furniture, then you've got to call out some carpenters to help out, someone to get up on the roof and remove the old antenna, and hire someone to help carry that heavy tu

Re:Avionics

[AlanObject]

Came to say this.

Back in the '90s I was touring a PCB assembly shop and one of the products they did there was a control component for the 747. It was a huge PCB, like 50cm on a side. I asked how much they charged for it and it was something like $20K.

Looking closer I saw that the whole thing was using parts that were available in the early 70s. SSI and DIP packages with 100mil pin spacing and a bunch of T05 transistors and piles of high-wattage passives. I figured the entire function could be replaced by a floppy-disk-sized PCB with a single FPGA and some power parts for about $60 in material, maybe $100 assembled. Much less today of course.

Would never happen. You would think that a business would be insane not to pursue that kind of cost savings but you wouldn't be considering the cost of testing and certification. To qualify the part you would have to fly it something like 600 hours in addition to the static lab tests that would be at least as expensive. A 747 costs something like $20,000/hour to operate and add up all the lab fees and documentation and training and you can see that $20K/unit for a few dozens of more planes to build make a lot of sense.

So a floppy-based update system is not hard to believe.

Re:

[Bert64]

The cost of replacing and recertifying individual components is large, but something like a 747 consists of thousands of individual components many of which could easily be modernised and replaced with something newer and lighter. But if you're going to go through the trouble of modernising the entire plane and getting it entirely recertified you may as well just design a whole new aircraft, hence you have the 777 and 787 etc.

Re:

[burningcpu]

This happens in the quality control side of manufacturing as well, as the Procedure on Record (POR) is generated during process development and subsequent validation. Changing the POR can lead to unexpected / uncontrolled downstream changes, so proper change control procedures include side-by-side analysis, bias and precision evaluations, and customer involvement / approval. Quality control laboratories tend to operate long outdated tech and there can be heroic attempts to maintain the obsolete equipment an

Re:

[wallsg]

There is a big problem with parts obsolescence. If you have to substitute one part with another part, even a superior, there is a LOT of regulatory red tape.

I worked on the 747-400 Flight Management System. I haven't worked on that in about 30 years so I'm sure all of this was obsoleted and replaced so none of this should be sensitive. Some of my activities:

I updated the firmware on the 747-400 8086-based IO controller card to handle the "high speed" disk-based data loader on the transition from the tape

Not too suprising.

[jellomizer]

A lot of technology doesn't follow Moore's law, applying new technology to an existing design, will require a fair amount or regression testing. So a Aircraft to replace a Floppy with say a SD card hooked up to an ISA Cable, May seem like a simple fix. It will change the thermals, power usage, Speed and timing of data collection, vibration and torque. Granted I expect No major consequences for doing this, but it will need to be tested for such a change. Also you will need the fleet to be upgraded, so you will have people opening up the electronics and do the upgrade.

Or just save the data onto a floppy and continue on.

usb stick to floppy emulator??

[Joe_Dragon]

usb stick to floppy emulator??

So what if 3.5" Floppies are used for Nav updates?

[mykepredko]

I guess the article leads off with that point because saying that:

"You can't just clip into a pair of wires into the back of the aircraft and gain access to all of these [systems]."

Just isn't a sexy headline.

I would think that 3.5" floppies are really in the realm of a proprietary data loading system as the public really doesn't have access to them. I believe that pre-Block 50 F-16s are still using tape cartridges for mission data that are basically commercial 3/4" tape cartridges that used to be used in broadcast TV.

It was nice to see that the basic message was that airliners are safe from hackers.

Old tech in old planes

[WoodstockJeff]

The 747-400 was certified in 1989, before USB was a "thing" and things these pen testers take for granted had appeared.

What is certified almost always stays as certified, unless there is a major overhaul to upgrade the tech and re-certify.

Part of the reason these 747s are being scrapped is because they are "old tech".

Re:

[clovis]

This.
The cost-benefit analysis of re-certifying a 747 to use any new device for updates is going to fail.
Heck, I bet just writing the cost-benefit analysis is more expensive than any possible saving for swapping out the floppies.

Re:

[dunkelfalke]

The saving is wastinlg much less time of lhe line maintenance guy who has to perform the updates.
Airbus did that,

Re:

[ceoyoyo]

Certified in 1989 and designed in the mid eighties. My 386 DX uses floppies too. It's got those sexy new 3.5" ones in the hard plastic case.

Re:

[ebvwfbw]

Certified in 1989 and designed in the mid eighties. My 386 DX uses floppies too. It's got those sexy new 3.5" ones in the hard plastic case.

LOL. I used to walk around a college campus with a 3.5 in my shirt pocket. I remember downloading free BSD onto I think it was 45-50 of those.

Then there was going home, downloading X11, etc and creating a workstation from source.

Who cares?

[MBGMorden]

I don't see how this is an issue. If the systems are in place and working, then there's no reason to replace it for novelties sake. Computers from the era of the floppy disk are perfectly capable of performing the tasks they were designed for.

Re:

[Nidi62]

I don't see how this is an issue. If the systems are in place and working, then there's no reason to replace it for novelties sake. Computers from the era of the floppy disk are perfectly capable of performing the tasks they were designed for.

Yep. If you try to move fast and break things around aircraft you'll end up breaking both aircraft and people. Change for the sake of change is a bad idea in aviation.

Re:

[Joe_Dragon]

and when the maps are to big for the systems?
We can't fly to ORD as the new runway layout does not work on our 1989 system?

mh370 and it's bay? is that where the fire started

[Joe_Dragon]

mh370 and it's bay? is that where the fire started

With good reason.

[fish_in_the_c]

The average time from creation to market with avionics software and hardware is well over 5 years because ( TEST TEST TEST TEST TEST TEST TEST)
SO, it may not be perfect but every fault is well known by the time it is deployed and every danger vetted. The systems are not changed and updated without really good reason ,because testing requirements are so high to mitigate the risk of death and disaster.

What am I missing?

[robi5]

Why does it require physical access to know that the beast uses a 3.5" drive? They could've just asked a pilot or maintenance person. I'm sure there are trainings and documentation too which are probably not terribly hard for infosec folks to find and download, even if not public. Or are infosec people so isolated in society that such info doesn't propagate?

Re:

[ceoyoyo]

Guess they don't know how to use Google. There's even a YouTube video.

https://lmgtfy.com/?q=airliner... [lmgtfy.com]

Y no USB conversion and what those are good for.

[couchslug]

Retaining the floppy instead of replacing the drive with a USB flash drive adapter (as done on everything from sewing machines to CNC machine tools) was convenient and most importantly didn't require a software and hardware change and certification. Since Slashdot used to be a techie site, here's an example adapter. I used these on two Bridgeport EZ Trak CNC knee mills. Software included with many adapters partitions USB flash drives into many virtual floppy images. Example Gotek:

https://www.amazon.com/Got [amazon.com]

Re:

[Zak3056]

Answer to "why" is "everything on an airplane is certified, and changing anything is a horribly expensive process."

It is technology that meets the requirements

[WatchMaster]

There is no shame in using robust technology that meets all requirements of the specification.
Advantages:

Floppy technology/versions is now static. No need to worry about the "new version" breaking the system.
Software can assume the storage capacity of the device, because it is fixed.
System is fully tested with this technology over the past 20 years, all behaviours and failure points are known by now

There is no point in changing unless the requirements change. For example if the data size cannot fit on the

Scrapped planes

[flyingfsck]

Why anyone would update anything on a scrapped plane is beyond me, but if someone would want to update a scrapped plane, then using a scrapped AOL floppy disk is probably OK.

Re:

[dunkelfalke]

Scrapped aircraft are usually parted out,

So does the Airbus A320

[dunkelfalke]

Although newer ones have PCMCIA slots
Many of them still use CRT displays. Avionics are expensive and most time they are replaced by refurbished parts in case of a defect.

So what?

[Bert64]

The 747 was first introduced in 1970, so is it any wonder that it would be using old technology? The whole thing is old tech at this point, but it's also tried, tested, and certified for aviation use.

Not Again

[hoofie]

A regular as clockwork one of these articles pops up : "OMG, a uses to do Function X. LOL"

And as always people who know what they are doing appear to wearily point out YET AGAIN that for reasons of certification, safety etc. you don't just rip out and replace that technology because it's "old".

Have an address, will travel !

[Seshadri Kothandaraman]

Any device having any sort of address (MAC/IP/Bluetooth/whatever), by design, opens up communication with its environment. That is where things start getting a little interesting :)

Re:

[Cid Highwind]

This one's address is "#60 the aircraft boneyard, Mojave desert, California". Have fun!

Solaris

[ebvwfbw]

Last I knew they were all controlled by a Solaris server. Wonder if they still are.