
Boeing 787 In Flight Entertainment System Security fun - rbanffy
https://www.btr.pm/rambles/2017/5/12/787-inflight-entertainment-fun
======
jgrahamc
I wish people wouldn't do shit like this on live systems like this one. Even
the port scan could have had bad consequences (especially since this person
did -A). By all means explore the interesting JSON object that was downloaded
and yeah I'd worry about installing random stuff on my machine.

I'm not talking about crashing the plane; I'm talking about crashing the IFE
and me then having to sit through 10 hours of people who didn't bring a book.

~~~
S_A_P
Thank you for this comment. I for one would be pretty pissed if a "hacker"
decided to crash my or my kids' entertainment on a long flight. There is
definitely a need for this type of work, but doing so in a 50,000 lb brick
floating a few miles above the ground isn't an atmosphere I am comfortable
with, especially if I am present...

~~~
bonzini
If anything were to happen, it definitely shouldn't affect the avionics, not
even remotely, or the plane would not have had a chance of certification. Data
to the less secure IFE had better flow through a unidirectional network ("data
diode"), and/or use a separate set of sensors.

Even if it brought down the server, it's still nothing that the flight
attendants can't solve by "turning it off and back on". This kind of fault
happens all the time.

More interesting to me is the level of isolation of the network. Could someone
exploit my phone through the in-flight WiFi, for example?

~~~
S_A_P
I agree that, in theory, at least the avionics shouldn't be accessible from
the IFE. I am sure there is a rigorous protocol for making sure this is
properly secured and certification for airworthiness. I think the parent
comment was more making the point that we don't need a flight full of people
scanning ports for fun and profit, and the consequences of doing so are
unknown and could lead to things like no wifi or IFE on the flight you're on
and hopefully not worse.

~~~
qubex
This is obscurantism. Port-scanning a networked system, even aggressively,
must be considered a typical environmental hazard that any network-attached
system must be able to weather (preferably with no degradation in service).

~~~
mulmen
The point is not that the system is fine, the point is that the method used to
identify the flaw is dangerous. This needs to be fixed but the ends do not
justify the means.

------
the_mitsuhiko
It's really quite useful. I changed my zsh prompt a while back to show me the
status of the internet connection on board, remaining time, flight number and
from where to where the plane is going.

[https://twitter.com/mitsuhiko/status/867043286128656384](https://twitter.com/mitsuhiko/status/867043286128656384)

~~~
FabHK
Very cool. I saw that you handle Lufthansa as well, now.

Tiny nitpick:

In my understanding, ETA denotes a point in time, e.g. 22:50h, that is the
estimated time _at_ which you arrive. (Absolute)

If you want to specify a duration in this context, i.e. how much _longer_
until arrival, e.g. 0:53h for another 53 minutes until arrival, you'd speak of
the ETE (estimated time enroute). (Relative)

See (in German) e.g.
[https://de.wikipedia.org/wiki/Estimated_time_of_arrival](https://de.wikipedia.org/wiki/Estimated_time_of_arrival)

tl;dr: use "ete" instead of "eta"

------
zero_one_one
There are a lot of posts mentioning that a scan shouldn't cause any trouble,
however there's no way of knowing how the services are configured on the other
end, or how they are set up to respond to certain packet types, or how the
server will respond to certain data within those packets if said data does not
conform to expected lengths etc. A lot of assumptions are made that non-
conforming data will be ignored in a closed proprietary system, and that the
system will handle all packets across all protocols gracefully. Anyone who
says sending packets to a port running an unknown service (or implementation
of said service) can't cause any issues with the service is throwing quite a
wide net. Running a port scan or trying to interface with any of the systems
on an aircraft while it's in flight without knowing how the systems operate or
interact with each other is incredibly irresponsible, if not downright stupid.

~~~
mseebach
I remember about 20 years ago, you could crash any Windows computer you had
the IP address of by sending a particularly crafted package to a certain port.
Oh, those were the days.

~~~
porsupah
Port 139, maybe?

[http://insecure.org/sploits/windows.OOB.DOS.html](http://insecure.org/sploits/windows.OOB.DOS.html)

~~~
tcdent
Also, ping of death:

[http://insecure.org/sploits/ping-o-death.html](http://insecure.org/sploits/ping-o-death.html)

------
yread
> I did a port scan on the System Control Unit

Is that still white hat? Did they also check to see if the cockpit door is
locked?

~~~
Cthulhu_
Scanning should be fine; trying to access them becomes dubious; bruteforcing
the login could lead to arrest.

~~~
davrosthedalek
I had a projector firmware freeze up hard on me during a port scan. There is
some risk there.

~~~
theWatcher37
So what does that say about the wisdom of port scanning a machine your life is
currently depending on?

~~~
throwawayjava
If that plane ever plans to enter US or EU airspace, there is a literal air-
gap between the IFE and the flight systems.

~~~
WhitneyLand
Then how is it showing the flight metrics?

I wouldn’t guess they would add double sensors for all that information.

Or did you mean well protected, instead of literal air gap?

~~~
fragmede
Optoisolators are a prolific and extremely cheap electrical component that
performs the "air-gap" functionality.

~~~
SAI_Peregrinus
Electrical safety airgapping and information security airgapping are
different, and entirely unrelated. If data can pass from one side to the other
it's not airgapped (from an infosec perspective).

~~~
bonzini
Fiber needs transmitter and receiver transducers. If each side has only one of
those, data can literally flow only in one direction. So it's still infosec-
airgapped in the other.

~~~
SAI_Peregrinus
No, data diodes are a different (but related) concept. An airgap implies no
information transfer, either in or out. Use an airgap when information leakage
must be stopped (as well as remote attacks), use a data diode when information
can be released but you need to stop remote attacks.

Fiber optic connections aren't required, anything with separate transmit and
receive lines can be turned into a data diode (as long as the protocols used
permit it). RS232 null modem cables with the RX lines disconnected are a
classic.

------
netsharc
The decompression flag is interesting, I would've poked around the Javascript
to see if that flag is ever read. If they were thorough, the web frontend
would show a red screen with words like "Decompression! Put on your oxygen
mask!"

Otherwise, passengers could be so distracted with the electronic entertainment
that they might not notice that it got very breezy all of a sudden...

~~~
dx034
This is actually a good idea. Or at least activate the PA system and stop
videos. Not sure how easy it is to notice masks falling down if you wear noise
cancelling headphones and look down on your tablet.

~~~
jrimbault
I imagine it would tangle onto your hair or you'd notice the confusion around
you?

------
kevin_b_er
Were the in flight entertainment touchscreens really capacitive? I've found
that such designs have almost exclusively been resistive. The resistive
designs are cheaper, but also tend to be designed with a high threshold. The
two put together make a lot of resistive touchscreens feel sluggish. You feel
like you have to mash the heck out of them to get them to act sometimes. On
the upside they don't require human capacitance to work, just screen pressure.

~~~
richrichardsson
I've often thought the genius who thought it was a good idea to put a crappy
low sensitivity touchscreen directly behind my head needs to be kicked
squarely in the nuts, repeatedly.

------
PeachPlum
All fun and games until someone remembers that there is no air gap on Boeing's
in-flight network

> There are places where the networks are not touching, and there are places
> where they are

Boeing's Lori Gunter

[https://www.wired.com/2015/04/hackers-commandeer-new-planes-...](https://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/)

------
innocenat
Not a pilot, but regarding flight phase, an airplane can actually detect FLARE
easily (Airbus even has a FLARE flight law governing the aircraft during
flare).

Typically FLARE would be RA (Radio Altimeter) < 50ft, flaps/slats extended,
speedbrake armed, and weight on wheel = 0 or something along these lines.

------
samfisher83
Reading through the post it didn't seem like he found any security issues.
Their map has JavaScript variables, which isn't a security issue. It doesn't
seem like SCU had many open ports. It was running a relatively new version of
Linux.

~~~
wepple
Didn't find anything of interest at all + did a foolish, possibly illegal
thing.

Why is this blog post being upvoted?

------
chinathrow
> I did a port scan on the System Control Unit

Scanning during flight is not really responsible at all.

------
mdekkers
Awesomely entertaining (hah!) read. Very interesting, thanks. Also, welcome to
every no-fly list on the planet. If you are going to find that you are
increasingly seeing more scrutiny, this is why.

------
Test2123
Besides whether a scan is good or bad, how would they go about finding the
source? There won't be an IT officer at landing collecting logs/MAC addresses
from any wireless card. I've scanned those systems many times and nothing ever
happened - I am just pointing out the issue that catching a real attacker is
hard, not just technically but in practice.

~~~
ZanyProgrammer
Also, don't use a typical *nix terminal that looks all hackerish (black
background, green font, something like that). Someone non technical is bound
to notice that, even if out of the corner of their eye.

~~~
bonzini
Actually my experience is that fellow passengers were often intrigued by all
the colors on the screen (from your usual syntax highlighting) rather than
worried by the dark background!

Unfortunately nowadays "Arabic" is what worries people, even if that turns out
to be mathematical notation. [1]

[1] [https://www.theguardian.com/us-news/2016/may/07/professor-fl...](https://www.theguardian.com/us-news/2016/may/07/professor-flight-delay-terrorism-equation-american-airlines)

------
emodendroket
I'm not too keen on the idea that I'm now supposed to watch on a laptop. If I
wanted to go to that kind of trouble I wouldn't be confining myself to
whatever crap was on the in-flight entertainment system in the first place.

~~~
0xffff2
I'm not too keen on having a screen I don't control (and never use anyway) in
front of me for an entire flight. I _hate_ being shown ads, and the only places
I still regularly encounter them are airplane IFE systems I can't turn off
during certain phases of the flight, and poorly chosen gas stations.
Interestingly neither of those used to be significant sources of advertising.

~~~
emodendroket
I've never seen one that couldn't be turned off.

------
esaym
>td_id_decompression:"0"

Well that's just...awesome..

------
_pmf_
Welcome to the no fly list, sir!

------
flyer651
Some domestic Chinese airlines I have flown sidestep most IFE problems
completely. As you enter the plane, you are issued a sturdy, fully charged
Android tablet computer that is fully loaded with entertainment content. You
return the tablet as you exit the aircraft. If something is going wrong with
your tablet they give you a fresh one.

So many good things with this approach: cost, easy upgrades, no complicated
certification or hardening needed.

I have no idea why no other airlines use this method, it seems so much easier
to me.

