
A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts - samuell
https://www.wired.com/story/boeing-787-code-leak-security-flaws/
======
msbarnett
> But Boeing counters that it has both "additional protection mechanisms" in
> the CIS/MS that would prevent its bugs from being exploited from the ODN,
> and another hardware device between the semi-sensitive IDN—where the CIS/MS
> is located—and the highly sensitive CDN. That second barrier, the company
> argues, allows only data to pass from one part of the network to the other,
> rather than the executable commands that would be necessary to affect the
> plane's critical systems.

Well geez, it's a good thing that there's no class of bugs in which a certain
amount of data, maybe more than the receiver was expecting, or terminated in
an odd way, overwhelms the receiver in such a way as to cause the data to then
be interpreted as commands which are run in place of the receiver's code...

~~~
AmericanChopper
Every exploit payload is comprised entirely of data, so I think you’re even
giving them too much credit there...

The thing that triggered me the most was that they got the engineers who wrote
the code to test it, and report back that their own code was fine. From the
sound of it they didn’t even test the vulnerability, they just did an external
test, without specifically testing the segmentation controls or the components
in question.

~~~
mark-r
They probably rely on network segmentation to keep the various components
separated. If they consider the segmentation to be 100% effective, there'd be
no need to do the kind of in-depth testing you advocate. I don't think it's
justifiable to assume that segmentation doesn't have its own bugs that could
be exploited.

~~~
AmericanChopper
Yeah, that seems to be what their attitude is. I have a couple of major issues
with that though.

1. Relying on segmentation to protect vulnerable components is not a
reasonable standard operating procedure. Segmentation is supposed to be an
additional layer of protection, you’re also supposed to secure individual
components.

2. It seems as though the researcher believed there may have been a way to
bypass some of the segmentation (the segmentation between the medium-sensitive
network and the highly-sensitive network). The article kinda implies that they
didn’t test that layer of segmentation, that they only tested the most
external layer (the segmentation between the non-sensitive network and the
medium-sensitive network).

The whole response comes across as dismissive spin, that they hope will be
consumed by people who don’t have a particularly sophisticated understanding
of network/application security.

------
jiggawatts
My $0.02: I came across Boeing's documentation for their "Boeing Update"
solution. (think Windows Update, but for 787s).

It described in detail how the planes are updated with new firmware for the
avionics, entertainment system, and the engines. I was shocked to learn that
the 787 uses a lot of COTS kit internally, such as standard WiFi and Ethernet
connections. There's an RJ-45 jack at the front landing gear accessible from
the outside of the plane at any time!

It was by far the best technical document I have ever read, of any type, ever
by at least a factor of ten. It was so good I read it like a novel. Twice. The
security design was amazing. The PKI was amazing. The patch management was
amazing. The network design was amazing. The documentation was amazing. My
estimate was that the document _alone_ would have cost multiple millions of
dollars to write, not including any of the engineering work that went into the
solution itself.

Boeing's engineers thought of _everything_. EVERYTHING. This scenario was
catered for:

  - The plane is rented, not owned.
  - The IT department is outsourced.
  - Aircraft maintenance is outsourced.
  - The plane is currently on the ground in a country that is hostile.
  - A critical update has been released, without which the plane is unsafe to fly.

This is one of the scenarios that is literally spelled out, in plain English,
and you're left completely certain that the update will be safe and secure
despite all of that.

The security is just nuts. Everything uses explicit, hardcoded whitelists. TLS
is bidirectional (clients are verified by the servers too). Patches must be
_quadruple_ signed by Boeing, the parts manufacturer, the FAA, and the airline
at a _minimum_ to be acceptable. There are physical connection breakers and
PIN codes on top of that. There are two _nested_ VPNs on top of the already
encrypted WiFi. It just goes on and on.

No part of it left me thinking they could have done better. I've used that
document as a template for my own work, and it's the better for it.

Since then, I've insisted on flying 787s whenever possible, because I'm
certain that the engineering effort that has gone into those things is about
as good as humanly possible.
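The quadruple-signing requirement described above (manufacturer, parts manufacturer, regulator and airline all required) is the one part of that design a practitioner can reproduce cheaply. The Go program below is an added example written for this thread, not Boeing's code and not taken from the document the comment describes: it accepts an update image only when every required role has a valid Ed25519 signature over the same digest under the key held for that role in a provisioned trust store. The role names, the generated keys and the image bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical role names; the post only says manufacturer, parts maker,
// regulator and airline must all sign.
var requiredRoles = []string{"manufacturer", "parts-maker", "regulator", "operator"}

// Signature is one party's detached Ed25519 signature over the image digest.
type Signature struct {
	Role string
	Sig  []byte
}

// TrustStore holds the single public key each role may sign with,
// provisioned on the aircraft out of band.
type TrustStore map[string]ed25519.PublicKey

// digest is what every party signs: SHA-256 over the whole update image.
func digest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// Sign produces a role-labelled signature with the caller's private key.
func Sign(role string, priv ed25519.PrivateKey, image []byte) Signature {
	return Signature{Role: role, Sig: ed25519.Sign(priv, digest(image))}
}

// VerifyUpdate accepts the image only if every required role contributed a
// valid signature over the same digest. It fails closed: an unknown role or
// any invalid signature rejects the whole bundle, and a second signature from
// one role never stands in for a missing one.
func VerifyUpdate(ts TrustStore, image []byte, sigs []Signature) error {
	d := digest(image)
	seen := make(map[string]bool)
	for _, s := range sigs {
		pub, ok := ts[s.Role]
		if !ok {
			return fmt.Errorf("signature from unknown role %q", s.Role)
		}
		if !ed25519.Verify(pub, d, s.Sig) {
			return fmt.Errorf("invalid signature from role %q", s.Role)
		}
		seen[s.Role] = true
	}
	for _, r := range requiredRoles {
		if !seen[r] {
			return errors.New("missing required signature from role " + r)
		}
	}
	return nil
}

// NewKeys generates a fresh key pair per role. Constructed for the demo; in
// practice each organisation keeps its own key and publishes only the public half.
func NewKeys() (TrustStore, map[string]ed25519.PrivateKey) {
	ts := TrustStore{}
	privs := map[string]ed25519.PrivateKey{}
	for _, r := range requiredRoles {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		ts[r] = pub
		privs[r] = priv
	}
	return ts, privs
}

// SignAll collects signatures from the listed roles (constructed sample input).
func SignAll(privs map[string]ed25519.PrivateKey, image []byte, roles []string) []Signature {
	var sigs []Signature
	for _, r := range roles {
		sigs = append(sigs, Sign(r, privs[r], image))
	}
	return sigs
}

func main() {
	ts, privs := NewKeys()
	image := []byte("constructed update image, not a real firmware blob")
	full := SignAll(privs, image, requiredRoles)
	fmt.Println("all four roles:  ", VerifyUpdate(ts, image, full))
	fmt.Println("three roles only:", VerifyUpdate(ts, image, full[:3]))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image:  ", VerifyUpdate(ts, tampered, full))
}
```

The check is all-of, not k-of-n, and it rejects on any invalid signature rather than skipping it, since a bad signature inside a bundle is itself evidence that something was tampered with or signed by the wrong key.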

~~~
brokenmachine
Reading that just makes me think about how "wild west" self-driving cars seem
to be, and most people seem to think that's acceptable.

We have Teslas that don't have anywhere near this kind of security or
redundancy "autopiloting" themselves right now on highways.

People seem to be ok with that because it's a car and not a plane. But the way
I see it, there's thousands of those cars on the roads, and a software bug
across the fleet could cause just as much damage as a plane crash.

~~~
nexuist
>We have Teslas that don't have anywhere near this kind of security or
redundancy "autopiloting" themselves right now on highways.

Not just Teslas, modern vehicles in general. I would say that in terms of
security Tesla is probably doing a more bang-up job than the other automakers;
it was only a few years ago that Charlie Miller and Chris Valasek remotely
killed a Grand Cherokee on the highway.

~~~
skgoa
As an automotive security engineer, I have to interject. Miller and Valasek
hacked into a car that was very far removed from what we consider modern
automotive electronics. Any truly modern car will have decoupled networks with
firewalls in-between. It will have intrusion detection systems, secure boot,
signed code, encrypted memory, will communicate critical information via TLS
etc.

The Jeep hack (as well as their Toyota and Ford hacks) was extremely
important, because it put public pressure on the less technologically capable
OEMs to get with the times and implement a (somewhat) secure electronics
architecture. As someone who shares the road with those shitty cars I'm
thankful for that. But even at the time of the hack, there were many OEMs
whose cars were not anywhere close to that vulnerable and the industry hasn't
stood still since then.

And since you mention Tesla, I also have to point out that they are one of the
worst at security. E.g. they have an RJ45 port behind the dash that you can
just plug into. It used to be that this gave you complete access to
everything, but people abused it. So Tesla made it a little bit harder, though
not impossible, to get into their system. Tesla also has a lot of bugs in
their smartphone integration that allow "fun" exploits like remote unlocking.

------
MegaButts
I feel like this is the kind of thing that would've been completely ignored by
everybody except for a handful of concerned hackers had it not been for the
recent media outrage against Boeing (and in my opinion absolutely deserved).

I guess the question is how bad is it (from the article it's hard to tell
exactly, but it sure doesn't sound great)? And another question is how many of
our systems that we rely on, from bridges to airplanes to traffic lights, are
just actually very insecure but either nobody notices or nobody exploits them?

That said, Boeing's abysmal PR and completely blanket "it's not our fault"
statements make me assume the worst here. I have no idea how that company will
ever earn back my trust. But maybe they have enough regulatory capture, much
like Equifax, that they just don't care.

~~~
jdavis703
I can tell you traffic lights are extremely insecure. Last month there was a
traffic light that was turned the wrong way, such that it was impossible to
tell if the light was green. So I climbed the pole and turned it to the right
direction. Another fellow pedestrian thanked me.

A bad actor could do anything from a DOS (positioning it the wrong direction)
to tampering with the bulbs (for example swapping out all the greens with
reds).

The reason most society doesn't collapse is because we assume most people are
good actors. Unfortunately once your device is hooked up to the internet you
vastly increase the odds of dealing with bad actors and have to spend more
time and money securing against bad actors.

~~~
akira2501
> I can tell you traffic lights are extremely insecure.

All municipal infrastructure tends to be. It's usually implemented to a cost
and security considerations are completely absent.

You can bet that in any given city, all those street light control cabinets
are keyed alike and the city has no true idea who has keys and who doesn't.

This exact problem applies to so many domains it's literally for lack of
effort that they haven't been exploited yet.

~~~
distant_hat
In India I found that in Bangalore (a city with far better infrastructure than
most others), for a lot of intersections the traffic lights are toggle switches
that some cop flicks on and off every so often. There is no lock on the switch
cabinet.

------
sushisource
It seems insane that all this code isn't just open source by default. No one's
going to be able to rip off airlines by stealing it, you still need to have a
company that, you know, sells planes.

Keeping it closed seems like a full admission that "there are probably a bunch
of bugs in here and we don't want people to see them".

~~~
avgDev
Because by keeping it closed, it is safer. /s

Most executives care about profits, security is simply not important. Even if
an engineer explains that he needs more time to properly secure something, he
will be asked to cut corners. Then, when shit hits the fan the executive will
make a "pikachu face" and the engineer will get fired for not properly
implementing security.

~~~
b_tterc_p
Having met a fair number of top executives I don’t feel this is true. People
at the top do care quite a bit, and put personal pride into their company
being good. But all low level decisions are made downstream, and middle
managers are far less personally invested. Reactions to bad press are
reactions. Hard to say whether it reflects anyone’s reality.

~~~
bsg75
Leadership starts at the top. If middle management is making bad decisions,
the fault rests with their superiors.

~~~
b_tterc_p
Hmm sounds reasonable but I think not. Management is hard and information is
imperfect to all actors. With a god like view you would probably conclude that
there’s a variety of people who should be removed from an org for its health
and performance. The top may be accountable for things, but I wouldn’t think
it’s correct to blame them personally.

------
kps
Who thought that having _any_ communication path from the passenger
entertainment system to flight control was a good idea?

~~~
tjr
Connecting entertainment systems to _flight control_ sounds very wrong.
Connecting entertainment systems to _flight management_ would be common; it
should be one-way communication (entertainment can only read FMS data, not
send any), for the purpose of driving the moving map displays for passengers.

~~~
toomuchtodo
> it should be one-way communication (entertainment can only read FMS data,
> not send any), for the purpose of driving the moving map displays for
> passengers.

Would you agree that this logical boundary should be physically enforced? Such
as an opto-isolator?

~~~
henryfjordan
> Boeing maintains that other security barriers in the 787's network
> architecture would make that progression impossible.

They probably do something to that effect.

~~~
toomuchtodo
The longer I'm alive the more firmly I commit to never assume anything.

I have seen things. Terrible things.

~~~
p_l
Connectivity between zones is something FAA actually caught in 787 when it was
still being built and forced a redesign.

------
draugadrotten
From the article: "He was surprised to discover a fully unprotected server on
Boeing's network, seemingly full of code designed to run on the company's
giant 737 and 787 passenger jets, left publicly accessible and open to anyone
who found it. So he downloaded everything he could see."

Is that even legal? Will he ever be allowed to cross the US border after
admitting this?

~~~
SkyBelow
>Is that even legal?

Generally no. There is a difference between being unprotected and being open
to the public. While in some cases a person can claim to not have known and
proving mens rea for such a crime is much harder than if it was protected and
the protection had to be bypassed, it isn't impossible.

Such laws are selectively enforced, but being this is Boeing, you can expect
it will be enforced on their behalf if they have any desire for it to be
(given the current PR issues and the impact this might have, they might let
this one go, at least for the time being).

------
throw7
...an FAA spokesperson wrote in a statement to WIRED that it's "satisfied with
the manufacturer’s assessment of the issue."

Can't help but read this as: "We don't have a clue and depend on the
manufacturer to tell us everything is 5 by 5."

~~~
magduf
The FAA was satisfied with Boeing's design for the 737MAX. Sorry, but I now
have zero trust in the FAA.

~~~
blunte
Given in the US that corporations are allowed to contribute to political
campaigns, and that one party has a very strong sense of "regulation is bad",
there is intense pressure to deregulate as much as possible. And with the
current administration and its choice to not staff many positions while
cutting budgets (and while enacting executive orders to eliminate some
regulations), the FAA is really unable to do anything.

https://www.forbes.com/sites/marisagarcia/2019/03/18/did-trump-executive-orders-further-weaken-faa-oversight/

~~~
magduf
That's not true, because they just did something: they said they were
satisfied with Boeing here. They could have been honest and said "we're not
competent to properly evaluate Boeing's design decisions".

~~~
blunte
But the mandate is that because of budget cuts, the FAA must depend on the
manufacturers themselves to be the SMEs. Thus, they are asking Boeing to judge
Boeing's own systems.

If B says, "It's all good", and B is the SME, then FAA must agree and pass.

------
sagebird
If I owned a 787, would I be likely to have the rights to lend it to security
researchers to test the exploits, or would it be prohibited through a contract
that Boeing requires customers to agree to?

Is there a reason that an individual would own a 787 for personal use, e.g. is
it a plane that people change the interior layout for use as a private jet, or
are these planes all tied up in commercial use?

If I owned one, I would lend it to the researcher as I would want to know the
flaws and risks more clearly.

~~~
ken
Drake owns a 767 [1], and the founders of Google own one [2]. A couple members
of the Saudi Arabian royal family are reported to own 777s [3]. It's not
inconceivable that an individual could own a 787, though I can't find any
reference to one yet.

I think, though, that the sort of person who owns one doesn't tend to want to
tinker with it. You just hire someone to fly it, and know that it's always
available. The difference between owning and renting, at that level, is mostly
financials. Besides, even if you own the aircraft, it's likely you don't own
the engines [4], and they're kind of an important component of the overall
system.

Likewise, I don't know anyone who owns a car who has loaned it to a researcher
to analyze it for design flaws. A couple people have done it [5], but for the
vast majority of owners, you just use it normally, and if something breaks,
you deal with the problem then. Airplanes are loaded with redundancies for
critical systems so a lot of things have to go wrong for it to crash.

[1]: https://www.cbsnews.com/news/inside-air-drake-rapper-unveils-new-massive-767-plane-which-could-cost-more-than-187-million/
[2]: https://searchengineland.com/your-guide-to-the-google-jet-12161
[3]: https://www.private-jet-fan.com/private-jet-owners-register.html
[4]: https://www.quora.com/Do-some-airlines-not-own-the-engines-on-their-aircraft
[5]: https://www.washingtonpost.com/news/morning-mix/wp/2015/07/22/car-hacking-just-got-real-hackers-disable-suv-on-busy-highway/

~~~
FDSGSG
>Likewise, I don't know anyone who owns a car who has loaned it to a
researcher to analyze it for design flaws

Oh, tons of people! There's a whole industry around hacking cars, most of
those people aren't the kind of researchers that do con talks though.

~~~
userbinator
To be precise, in the culture itself it's usually called "modding" or
"tuning"; but the newer parts of it, especially around modifying ECUs, does
involve work closer to traditional computer hacking.

(I'm an automotive enthusiast myself, although I'm more into the "old school"
non-computer-controlled stuff. Mostly because it's simpler and inherently
resistant to remote hackers.)

------
rwmj
I'm slightly astonished that the 3 networks mentioned aren't airgapped. I
suppose the entertainment system needs to know where the plane is in order to
display the flight map, but that should be provided by a dumb serial link with
the RX wire cut.
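Both the "RX wire cut" point here and msbarnett's objection at the top of the thread (that an unexpected amount or shape of data can end up interpreted as code) come down to what the receiving side does with the bytes it gets. The Go program below is an added example, not from the article, Boeing, or any commenter: a receiver for a one-way position feed that accepts exactly one fixed-size frame type, checks every field against a fixed expectation before interpreting anything, and never uses the inline length field to size a buffer. The frame layout, field names and sample values are constructed for the example and are not the 787's real format.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Constructed wire layout (not a real avionics format):
//   0..1   magic "FM"
//   2      frame type; only typePosition is accepted on the receiving side
//   3      payload length; must be exactly posPayloadLen
//   4..15  int32 latitude (1e-6 deg), int32 longitude (1e-6 deg), int32 altitude (ft)
//   16..19 CRC-32 (IEEE) over bytes 0..15
const (
	frameLen      = 20
	typePosition  = 0x01
	posPayloadLen = 12
)

// Position is the only thing the low-trust side is allowed to learn.
type Position struct {
	LatMicroDeg int32
	LonMicroDeg int32
	AltFeet     int32
}

var ErrReject = errors.New("frame rejected")

// SealFrame writes the trailing CRC over the first 16 bytes.
func SealFrame(buf []byte) []byte {
	binary.BigEndian.PutUint32(buf[16:20], crc32.ChecksumIEEE(buf[:16]))
	return buf
}

// EncodeFrame is the sending-side encoder, used here to build sample input.
func EncodeFrame(p Position) []byte {
	buf := make([]byte, frameLen)
	buf[0], buf[1] = 'F', 'M'
	buf[2] = typePosition
	buf[3] = posPayloadLen
	binary.BigEndian.PutUint32(buf[4:8], uint32(p.LatMicroDeg))
	binary.BigEndian.PutUint32(buf[8:12], uint32(p.LonMicroDeg))
	binary.BigEndian.PutUint32(buf[12:16], uint32(p.AltFeet))
	return SealFrame(buf)
}

// ParseFrame is the receiving-side parser. A frame is exactly 20 bytes with
// the expected magic, type, length and CRC, or it is dropped; the length byte
// is compared against a constant, never trusted to size anything.
func ParseFrame(buf []byte) (Position, error) {
	if len(buf) != frameLen {
		return Position{}, fmt.Errorf("%w: length %d, want %d", ErrReject, len(buf), frameLen)
	}
	if buf[0] != 'F' || buf[1] != 'M' {
		return Position{}, fmt.Errorf("%w: bad magic", ErrReject)
	}
	if buf[2] != typePosition {
		return Position{}, fmt.Errorf("%w: unexpected frame type 0x%02x", ErrReject, buf[2])
	}
	if buf[3] != posPayloadLen {
		return Position{}, fmt.Errorf("%w: payload length %d", ErrReject, buf[3])
	}
	if crc32.ChecksumIEEE(buf[:16]) != binary.BigEndian.Uint32(buf[16:20]) {
		return Position{}, fmt.Errorf("%w: CRC mismatch", ErrReject)
	}
	p := Position{
		LatMicroDeg: int32(binary.BigEndian.Uint32(buf[4:8])),
		LonMicroDeg: int32(binary.BigEndian.Uint32(buf[8:12])),
		AltFeet:     int32(binary.BigEndian.Uint32(buf[12:16])),
	}
	// Semantic range checks: values outside the physical domain are dropped too.
	if p.LatMicroDeg < -90_000_000 || p.LatMicroDeg > 90_000_000 ||
		p.LonMicroDeg < -180_000_000 || p.LonMicroDeg > 180_000_000 ||
		p.AltFeet < -2_000 || p.AltFeet > 60_000 {
		return Position{}, fmt.Errorf("%w: value out of range", ErrReject)
	}
	return p, nil
}

// FilterStream runs ParseFrame over each received frame and returns the
// accepted positions plus a count of frames dropped on the floor.
func FilterStream(frames [][]byte) ([]Position, int) {
	var ok []Position
	dropped := 0
	for _, f := range frames {
		p, err := ParseFrame(f)
		if err != nil {
			dropped++
			continue
		}
		ok = append(ok, p)
	}
	return ok, dropped
}

func main() {
	good := EncodeFrame(Position{LatMicroDeg: 47_450_000, LonMicroDeg: -122_310_000, AltFeet: 35_000})
	oversized := EncodeFrame(Position{})
	oversized[3] = 0xFF // claims a 255-byte payload; the claim is never believed
	SealFrame(oversized)
	other := EncodeFrame(Position{})
	other[2] = 0x02 // some other frame type, not on the allow-list
	SealFrame(other)
	accepted, dropped := FilterStream([][]byte{good, oversized, other, good[:10]})
	fmt.Printf("accepted=%v dropped=%d\n", accepted, dropped)
}
```

The design choice worth noting is that there is no resynchronisation or "skip ahead and try again" logic: on a one-way link from a trusted sender a malformed frame is simply discarded, and the parser has no code path in which attacker-shaped input decides how much to read or where to write.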

~~~
Rediscover
Receive only to my box on the 787. (Not the IFE, but rather a data gathering
LRU for maint. and owners)

------
jpgrace
Is nobody going to mention the irony that the source code was discovered because
of a misconfiguration and Boeing is claiming that these vulnerabilities aren’t
important because of their secure configuration?

------
PedroBatista
The level of not giving a shit from Boeing and the FAA is astonishing.

~~~
netsharc
But... it's a researcher making claims and assumptions but no working code...
just because the target is Boeing doesn't mean the researcher might not be
full of shit.

------
camgunz
I would assume in-flight entertainment is Level E and wasn't ever subjected to
verification. And yeah that requires physical separation from higher-level
systems. So... surprisingly I think I'm on Boeing's side here?

~~~
tjr
The subsystem that connects in-flight entertainment to anything on the flight
deck (assuming an intended one-way, read-only connection) would probably be
Level D. I would guess that that subsystem is in error here.

------
drummyfish
Nice to read an article that's covered in 20 billion ads, great experience.

~~~
jmkni
uBlock Origin blocks 35 (26% of) requests on that page

------
starpilot
> To be clear, neither Savage nor Koscher believe that, based on Santamarta's
> findings alone, a hacker could cause any immediate danger to an aircraft or
> its passengers. "This is a long way from an imminent safety threat. Based on
> what they have now, I think you could let the IOActive guys run amok on a
> 787 and I'd still be comfortable flying on it," Savage says. "But Boeing has
> work to do."

------
bsaul
Don't people here think that if Boeing ever gets over the current set of
investigations without collapsing they're going to create the safest plane ever
designed? With the amount of scrutiny they're encountering at the moment I
have the feeling every single dark corner is going to be under the spotlight...

Or is the reason too deep, the whole corporate structure too rotten at the
core, that there's no hope?

~~~
brokenmachine
The larger problem is that the FAA doesn't have the capability to actually check
Boeing's safety claims, so are forced to take their word for it.

Funding hasn't dramatically changed for the FAA, so won't it just be more of
the same? "We've fixed the AOA sensor problems (again). Trust us, our
engineers have deemed it safe!"

------
chovy
Honestly, if the airline industry partakes in agile development I will not be
flying anymore.

~~~
taloft
Too late.

------
neffy
Legacy code...

https://www.tripwire.com/state-of-security/featured/boeing-757-hacked/

------
hacker_9
So people hack planes now. Well this is just great.

------
snowwindwaves
The article says the 787 runs VxWorks which has just had a number of
vulnerabilities identified in the TCP/IP stack.

------
cryptozeus
I wondered how much part some kind of hack played into downing these planes.

------
danek
Boeing: “We investigated ourselves and determined there is no issue”

------
neop1x
I would be interested to know how today's internet-connected cars are
prevented from remote exploitation. I wish they at least separated steering
wheel servo controls from infotainment and remote access but I have no way to
verify it...

------
BubRoss
Almost seems like this source should be open.

------
solotronics
Would planes be more or less safe if all the code was required to be put in
the public domain? I would think more.

~~~
qekbg
I think the obvious answer is "less safe at first, safer in the long term".
Only that a plane is not something you want to ever be less safe, so it's a
risk that might not be worth taking.

