
Man’s Claims of Hacking Plane Discredited by Law Enforcement - RockyMcNuts
http://www.bloomberg.com/news/articles/2015-05-18/hacker-claims-of-plane-takeover-aren-t-credible-official-says
======
philipn
"Hacking into a plane’s critical flight controls is at least theoretically
possible on some new models, computer security experts told the GAO."

Can someone explain this? I've been asking knowledgeable people all day and
haven't heard a good explanation of how this could be possible. Is the IFE
system really on the same physical network as the flight control system on
newer planes?

Edit: the best commentary on this appears to be the comments section on this
Schneier blog post from a few weeks back -
[https://www.schneier.com/blog/archives/2015/04/hacking_airpl...](https://www.schneier.com/blog/archives/2015/04/hacking_airplan.html)

And here's an interesting puzzle: if these planes are sharing a SATCOM link
between their IFE and control systems, is it even possible for it to be non-
software-hackable?

~~~
cperciva
_Is the IFE system really on the same physical network as the flight control
system on newer planes?_

I have no direct knowledge here, but I've heard from multiple sources that
whereas past aircraft had air gaps between aeronautic and IFE systems, newer
aircraft rely on a firewall to block traffic from the IFE side to the
aeronautic side.

~~~
damian2000
I've heard there's a one way (readonly) link from the aeronautic side to the
IFE, which is used for sending the IFE a small amount of information, used to
display the moving map and sensor values (altitude, temp, etc) on the seat
back displays. I'm speculating, but this link could be for example some sort
of legacy serial data link with only one TX->RX pin being used.

~~~
sokoloff
I'm also speculating, but in the case of it being a serial link (very common),
it's probably ARINC-429 as that's the predominant standard in aviation low and
medium (read: very low and low) speed data exchange. (
[http://en.wikipedia.org/wiki/ARINC_429](http://en.wikipedia.org/wiki/ARINC_429)
)

I find ARINC-429 to be quite elegant/pleasing as an engineer and impressive
for the time of its creation.

------
bornabox
Don't know if this is even more worrisome. FBI and Boeing denying any threat.

Either the guy is/was delusional and his 15 min of fame (like mentioned below)
blew up in his face, or the systems are vulnerable and it's being downplayed
(while hopefully it's being fixed).

At this point though, it's difficult to trust FBI and a corporation that has a
lot to loose...

I think Boeing needs to bring in independent researchers and let them loose on
some planes on the ground, either proving or disproving this whole debacle...

~~~
userbinator
"Both Boeing Co. and Airbus Group NV, the world’s largest makers of commercial
airplanes, have issued statements _questioning_ Roberts’s claims."

Note that they didn't actually _deny_ it completely. To me, this says they
either don't want to say "it's impossible" for fear of liability, or that they
know there are some holes and don't want to talk about it.

Also, comparing what the two companies said is interesting: I prefer Boeing's
rather direct "they are isolated" response and find it far more reassuring in
comparison to Airbus' wordy and vague statement.

------
Animats
This guy's claims seem bogus. But there are interconnections between the
networks of the flight control systems and the entertainment network in some
aircraft. Here's such an interconnect unit, the Teledyne Network Extension
Device (NED)[1]: "Teledyne Controls' Network Extension Device (NED) is a high-
performance and compact networking solution that facilitates data transfer
between avionics systems and IP-based equipment, providing greater
accessibility to a wide range of applications. This high-reliability device,
built to OEM standards, combines the multiple functions of an ARINC 429 to
Ethernet converter, multicast router, firewall, data loader and communication
gateway, in one single and lightweight unit." See this block diagram [2]
showing the NED gateway plugged into the in-flight entertainment system on one
side, and the flight management system on the other.

The block diagram shows the flight management system as an output only. The
NED gateway seems to be treated as an untrusted device. The flight management
system (which can be thought of as turn-by-turn navigation for airplanes) does
not directly fly the airplane, but the autopilot, and the human pilot, usually
go where it sends them.

The NED does have the ability to update the "electronic flight bag", which
contains navigational charts, aircraft manuals, and FAA and company paperwork.
Those are updated frequently, so there's now a data distribution system to
update them. (They used to be loose-leaf binders with frequent update
packages.) But those have no connection to the flight controls.

A bigger concern is that software updates to the aircraft systems pass through
the NED. Those can now be transmitted by radio to some aircraft.[3] The new
files are stored on a server for updating when the aircraft is parked and the
equipment is in a maintenance mode.

So, while taking over the flight controls in flight seems unlikely, some
variant on a Stuxnet-type attack might be possible.

[1]
[http://www.teledynecontrols.com/productsolution/ned/overview...](http://www.teledynecontrols.com/productsolution/ned/overview.asp)
[2]
[http://www.teledynecontrols.com/productsolution/ned/blockdia...](http://www.teledynecontrols.com/productsolution/ned/blockdiagram.asp)
[3]
[https://web.archive.org/web/20140923154447/http://www.teledy...](https://web.archive.org/web/20140923154447/http://www.teledyne-
controls.com/productsolution/wlds/overview.asp)

------
jgrahamc
_Later that day, an FBI agent examined the initial aircraft he had flown on
and found evidence that boxes containing entertainment electronics on his seat
and the seat in front of him had been tampered with, according to the FBI._

Well, that sucks. Messing around with the equipment on a plane like that is
really a very bad idea. I don't care how 1337 you are.

~~~
JupiterMoon
He claims that he didn't and pointed out that these boxes are under seats
where people ram their luggage every day and that they are usually in this
kind of state.

Not sure I believe him (or them) (or anyone yet). But it is worth bearing in
mind.

------
ck2
This is not exactly hard to prove one way or another.

Have the media present and have Boeing and Airbus make a plane available and
let him do his thing (while it is on the ground and empty).

FBI of course has to agree to give him immunity.

All parties should have nothing to fear if they are truly interested in
protecting the public.

~~~
sokoloff
The IFE system has ties to the weight on wheels sensors at a minimum, meaning
a ground test isn't a faithful reproduction of an air test. (That's how the
IFE shuts down at touchdown, and I suspect it's how they know to push you
their takeoff ads.)

~~~
tw04
Since when? Every flight I've been on, the flight attendants turn it off and
on manually.

~~~
sokoloff
Delta's system plays the Delta ad while the aircraft is still over the runway
on takeoff and the entertainment shuts off in the first few seconds of
rollout, as I recall.

I'd be surprised if there's a flight attendant whose duty it is to hit a
button at a critical time in flight to make that happen.

------
ExpiredLink
I guess someone had his 15 minutes of fame.

------
jackgavigan
Has Chris Roberts ever actually claimed that he hacked into the controls of a
plane in flight?

Or are they anything more than second-hand hearsay cited by the FBI in a
warrant application?

~~~
maxerickson
18:55 here:

[https://www.youtube.com/watch?v=H0F2J_Xh6MA](https://www.youtube.com/watch?v=H0F2J_Xh6MA)

He doesn't come out and say that he tampered with the controls, but he clearly
states that he broke through firewalls and such (Is the unpatched Tomcat
instance part of the controls or not?).

This article has a transcript of the stuff he says about the plane:

[http://arstechnica.com/security/2015/05/alleged-plane-
hacker...](http://arstechnica.com/security/2015/05/alleged-plane-hacker-said-
he-pierced-boeing-jets-firewall-in-2012/)

------
paulhauggis
I'm wondering if the FBI is basing investigations on media spin now.

When this whole story first came out, he never said he 'hacked the plane'. He
created a simulated network based on public plane documents.

The only thing he did was gain access to the infotainment network through a
default username/password.

------
tsotha
Heh heh. Would anyone fly if it wasn't?

------
beedogs
Well, now that the FBI is weighing in, I have no choice but to believe the
man's claims, because the FBI is a three-ring circus filled with nothing but
clowns.

~~~
rjaco31
Even a broken clock is right twice a day..

~~~
chayesfss
Not if it's just broken, slow

