Computers Aboard Airliners Vulnerable to Hacking, Watchdog Says (bloomberg.com)
Airliners carry a variety of computer systems that could become vulnerable to hackers and U.S. regulators haven't imposed adequate counter measures, a government watchdog report concluded. From a report: The Federal Aviation Administration hasn't prioritized cyber risks, developed a cybersecurity training program or conducted testing of potentially vulnerable systems, the Government Accountability Office said in a report issued Friday. "Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplane," the GAO report said. Commercial aircraft carry increasingly sophisticated computer systems, including wireless networks, seat-back entertainment, position broadcasts and devices that automatically transmit data to the ground.
New Bluetooth device detected (Score:4, Funny)
'Boeing 737 MAX'
CONNECT? YES/NO
But seriously, very old joke, we've had that discussion many, many times since wireless connections were invented.
The Airlines didn't listen the last 20 years, they won't listen now.
Re:New Bluetooth device detected (Score:4, Interesting)
TFA is mixing very different issues.
It is discussing "seatback entertainment systems" and flight control avionics in the same sentence.
If these are actually physically or electronically connected in any way whatsoever, then everyone involved needs to go to prison.
Re: (Score:3)
VLAN tagging can be a valid form of segmentation as long as the end nodes aren't the ones that get to add the tags and the switches that can add the tags have no interface available to the low security side.
Re: (Score:2)
No *admin* interface, that is.
Re: (Score:2)
Given the test, I'd say they screwed up and assigned the switch ports to the entertainment system as all-access trunks. Without the test, I would have suspected that anyway given the track record.
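The two conditions from the comments above (low-security ports must not be able to add VLAN tags, and the switch's admin interface must not be reachable from the low-security side) can be checked mechanically. This is an added example, not part of the thread and not any real aircraft configuration; the port table, VLAN IDs and field names are constructed assumptions.

```python
# Added example: audit a constructed switch port table against the two
# conditions stated in the comments above. All names and VLAN IDs are assumed.
from dataclasses import dataclass, field

HIGH_SECURITY_VLANS = {10}      # assumed: avionics-side VLAN
MGMT_VLAN = 99                  # assumed: VLAN carrying the switch admin interface

@dataclass
class Port:
    name: str
    side: str                   # "low" (passenger/IFE side) or "high"
    mode: str                   # "access" or "trunk"
    vlans: set = field(default_factory=set)  # access VLAN or trunk allow-list

def carried_vlans(port):
    """VLANs reachable from this port; None means every VLAN (all-access trunk)."""
    if port.mode == "trunk" and not port.vlans:
        return None
    return port.vlans

def audit(ports):
    """Return (port, issue) pairs for low-side ports that break segmentation."""
    findings = []
    for p in ports:
        if p.side != "low":
            continue
        vl = carried_vlans(p)
        if p.mode == "trunk":
            findings.append((p.name, "end node can add tags (trunk on low side)"))
        if vl is None or vl & HIGH_SECURITY_VLANS:
            findings.append((p.name, "low side reaches high-security VLAN"))
        if vl is None or MGMT_VLAN in vl:
            findings.append((p.name, "switch admin interface reachable from low side"))
    return findings

# Constructed sample: one all-access trunk on the low side, one correct access port.
SAMPLE = [
    Port("ge0/1", "low", "trunk"),
    Port("ge0/2", "low", "access", {20}),
    Port("ge0/3", "high", "access", {10}),
    Port("ge0/4", "high", "trunk", {10, 99}),
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```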
Re: (Score:2)
Absolutely. And holy fuck at the sibling comment above me.
Hard prison time is in order for mixing those two. These are *lives*, this is a *fucking flying machine thousands of feet in the air*--not some freemium crack app.
Re: (Score:2)
> TFA is mixing very different issues.
> It is discussing "seatback entertainment systems" and flight control avionics in the same sentence.
> If these are actually physically or electronically connected in any way whatsoever, then everyone involved needs to go to prison.
As they were on this Swissair flight. There were no survivors: https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Where does flight information for entertainment systems come from?
A $10 GPS device?
Re: (Score:2)
Windows Update for "737-MAX-JET43" is automatically being installed. Estimated completion time: 25 minutes. Please Do Not Shut Off Computer.
It's the SYSTEM dummy! (Score:2)
If you think Covid Crisis is bad... (Score:1)
If there is ever a WW3, a lot of infrastructure will go Kaflooey. I'm sure the US also keeps some strategic hacks on file for the Big One.
the lone gunmen season 1 episode 1 (Score:2)
the lone gunmen season 1 episode 1
I would be surprised (Score:1)
That check should be neither necessary nor possibl (Score:2)
> Any connection coming from the pax deck is checked and rejected if it wants to attain another part of the network linked to airplane navigation
That's the problem, and suggests the solution. That check can be fooled. It checks the source and the destination. What if there are two destinations, rather than one as required by the protocol? Create two packets of 24 bytes each. In the first packet at one point mark the length as 48 and the destination as an allowed destination. The "single" 48-byte packe
Re: (Score:2)
There should be two physically separate networks
That was the good old days. Modern passenger and avionics systems will incorporate protocols that haven't even been thought of yet. Which will require two-way communications between the two parts of the network. As a result, Boeing sought and received [justia.com] changes to the existing CFRs which will allow them to interconnect. Subject to analysis, testing and various other protections.
Yeah, right.
One of the other issues affecting this was a lawsuit (the status of which I forget) filed by a third party app develope
it actually can't be fooled (Score:2)
Also overrated mod ? (Score:2)
"Overrated Sometimes comments are disproportionately up-moderated--this probably means several moderators saw it at nearly the same time, and their cumulative scores exaggerated its merit. (Example: A knock-knock joke at +5, Funny.) Such a comment is Overrated."
Learn to moderate. Mod me down to oblivion but you are not doing a good job.
Re: (Score:2)
Underrated and overrated mods should not exist at all, period.
If a post is under- or overrated, TELL US WHY.
Help Me Understand the Vocabulary (Score:3)
I wear many hats. Risk management. Sustainability. Education. Transportation. Every industry uses words differently. When it comes to computer security, how are the following words/terms interpreted?
Adequate ("U.S. regulators haven't imposed adequate counter measures").
Usually "adequate" means "good enough" or "sufficient". When someone writes about "adequate counter measures" in computer security are they saying the same thing or is it a higher standard? Is it in response to actual standards that some organization puts forth? Because from the outside, a person will think "Planes aren't getting hacked? Seems like security is adequate."
Prioritized ("hasn't prioritized cyber risks")
The statement suggests that cyber risks are not considered a priority at all. But I find that hard to believe. Is it supposed to be assumed to mean that they haven't made cyber risk the highest priority?
The formula for how much to spend on security (Score:2)
Here's my reading of it, as a cybersecurity professional.
Note I've only read an article, not the official paperwork.
From my reading they are using "adequate" and "prioritized" in a subjective way, as opposed to "not compliant with standard number 847484". In fact, they point out that FAA does HAVE a standard to which airlines are supposed to comply. Not HAVING a standard is clearly inadequate by any definition of the term.
What *is* an adequate and appropriate level of security?
Most security people don't
no upstream from IFE to Flight (Score:2)
Back when I worked on IFE, the scenario simply wasn't possible. All information flowing from the flight system to the IFE (heading, gate assignments, ...) was UDP transmitted. The filter rule on the flight system connecting port was "drop all".
Could have changed, I suppose, since the managers at that company were morons. We were actually asked if we implemented proper handling of the "evil bit": https://ietf.org/rfc/rfc3514.t... [ietf.org]
What? (Score:2)
Is the premise of the article that essential flight management systems are somehow connected to in-plane wireless networks? Do any commercial airliners rely on wireless "Internet of Things" elements to control operation of the plane? Are there RJ45 ethernet drops in the passenger area of a plane?
The premise of this article is that airplane designers are morons, and it lacks any evidence to support that conclusion.