
Software Vulnerabilities in the Boeing 787 - hsnewman
https://www.schneier.com/blog/archives/2019/08/software_vulner.html
======
amluto
There is IMO exactly one valid way to get data from the flight systems to the
entertainment network: use a literal one-way connection. Not “the only
supported requests are data retrieval.” Not “the software folks only
transmit.” A bona fide physical connection where one side has a transmitter,
one side has a receiver, and there is no physical mechanism to send any
information whatsoever the other way.

These devices are often called “data diodes”. They are cheap. They cannot be
hacked from the output side — at best a severely malfunctioning destination
could send so much power the wrong way on the fiber or so much voltage the
wrong way on the wire that the data diode fails. This would be surprising to
say the least.

~~~
rootusrootus
Aren't data diodes already a regulatory requirement for any connection between
avionics and the IFE?

~~~
Hunisgung
I guess they are a regulatory requirement because all of the modern aircraft
have to request special conditions from the FAA and EASA to justify why they do
not comply with these requirements.

For example, for the Airbus A350:

> The applicable airworthiness regulations do not contain adequate or
> appropriate safety standards for this design feature. These proposed special
> conditions contain the additional safety standards that the Administrator
> considers necessary to establish a level of safety equivalent to that
> established by the existing airworthiness standards.

[1] https://www.federalregister.gov/documents/2013/12/17/2013-29985/special-conditions-airbus-model-a350-900-series-airplane-electronic-system-security-protection-from

------
service_bus
Unlike the security researcher, I do have access to multiple 787s as I am one
of many people responsible for maintaining them.

I'm obviously not going to attempt to exploit the firmware on an aircraft for
obvious reasons, but the security researcher's notion that you can "pivot"
from the in flight entertainment to anything to do with aircraft operation is
pure fantasy.

These systems are entirely separate, including the electricity that controls
the systems.

This guy is preying on individuals' lack of knowledge about aircraft mechanics
in order to promote himself.

~~~
xemdetia
Would you say, as someone who deals with these larger planes, that at least the
current-gen 787 is closer to an older-style chassis-and-body design for cars? I
have always imagined/assumed that 787s are not unique, in that they would be the
same 'chassis' for a cargo plane or a passenger plane, and it really would have
to do with how they fitted the plane for purpose?

This is part of the reason why I agree with you, because I don't see why the
787 would be unique by mixing avionics/mechatronics with the passenger systems
but I don't know enough to say it with confidence. They would have designed
the passenger systems to be independent and replaceable (especially with the
knowledge gained from the legacies and upgrades of other planes like the 737).

Are there any public guides for 787 chassis and maintenance that you could
point to as reasonable things to read about this new style of plane?

~~~
WalterBright
Not sure what you mean, but aircraft stopped being "chassis and body" some
time in the 1930s. That was the switch to a monocoque design with stressed
skin.

~~~
xemdetia
I couldn't find the right words to describe it, the other person who commented
was a bit closer. At a certain point I would assume the Boeing 787 design
would have interchangeable configurations that would not be dependent on the
airframe and avionics. I wasn't sure if cabin, interior, model, or something
else would best describe what I meant and chassis and body for a car was the
best I could come up with that could describe these two changeable parts
unlike the unibody chassis. It looks like configurations is the most
appropriate word.

I was hoping that the person I commented to could point us at some fun manuals
to describe how these configurations worked at a technical level.

~~~
WalterBright
I don't know about the 787, but in my day (757) every airplane that rolled off
the assembly line was different. For one thing, there was a lot of
customization for each airline, and the airplanes underwent constant technical
improvement from field experience.

Doing things, however, that increased the weight or changed the aerodynamics of
the airplane was a very big deal, causing a ripple effect that would be very
expensive.

Freighter versions were commonplace, with the obvious omission of windows
(weight savings) and interior fluff.

Doing a stretch, or a re-wing or re-engine is an enormous thing.

------
sleavey
It seems to me, as someone with no experience of designing aircraft control
software, avionics or anything to do with planes, that the entertainment
system should be on a physically separate network from anything safety critical.
Like, different everything: power supplies, switches, cables, control panels,
the works. There should be no entryway into the flight control network except
from the cockpit.

~~~
p_l
There are three separate networks, with data diodes used for cases where
information flows between them.

HW separation was enforced by FAA back when 787 was in prototype stage.

~~~
jakeogh
Where can one read about the 787 data diodes?

~~~
Hunisgung
You can read about the fact that there are NO data diodes on the FAA website

> The proposed architecture of the 787 allows connection to and access from
> external sources (the public Internet) and airline operator networks to the
> previously isolated Aircraft Control Domain and Airline Information Services
> Domain.

> Capability is proposed for providing electronic transmission of field-
> loadable software applications and databases to the aircraft. These would
> subsequently be loaded into systems within the Aircraft Control Domain and
> Airline Information Services Domain.

[1] http://rgl.faa.gov/Regulatory_and_Guidance_Library%5CrgSC.nsf/0/2FF392BE50BE5821862572C0004AEB68?OpenDocument

~~~
p_l
That's a request for comments from before 787 got its type certificate - I'd
like to see the result, as I do recall there being a request to redesign the
networks due to "not enough separation". Even HN talked about it.

I can't find the "work-in-progress" reports for type certification regarding
the network, but the special conditions involve:

> The applicant shall ensure system security protection for the Aircraft
> Control Domain and Airline Information Domain from access by unauthorized
> sources external to the airplane, including those possibly caused by
> maintenance activity. The applicant shall ensure that security threats are
> identified and assessed, and that risk mitigation strategies are
> implemented to protect the airplane from all adverse impacts on safety,
> functionality, and continued airworthiness.

------
jdsully
Their "rebuttal" almost seems like a taunt to other security researchers to
prove them wrong. Calling the researchers irresponsible and their tools
rudimentary was a dick move.

------
sebazzz
> That second barrier, the company argues, allows only data to pass from one
> part of the network to the other, rather than the executable commands that
> would be necessary to affect the plane's critical systems.

Assuming planes don't use something like CAN bus but a regular TCP protocol,
this can't really be true, right? Perhaps they are talking about which services
are allowed to connect (listen for incoming connections).

~~~
p_l
AFDX protocol stack is unidirectional with no ACKs or anything like that,
which makes use of physical data diodes trivial.

~~~
Hunisgung
That is false. Apart from the hard-coded and restrictive network
configuration, AFDX is basically UDP/IP. There are many uses of bidirectional
application protocols (like TFTP).

~~~
p_l
The unidirectional nature of the communication protocols means that an AFDX-
compatible application can be easily firewalled for cases such as reporting
data to the maintenance network, as I understood from Boeing's response.

Electronic Flight Bag being part of maintenance network is not something good,
though.
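
The two positions in this sub-thread (amluto's physical one-way link upthread, and Hunisgung's point that AFDX is UDP/IP with bidirectional application protocols such as TFTP on top) can be made concrete in a small simulation. This is an added example, not code from the thread, from Boeing, or from any avionics standard: the `Link` class, the telemetry frame layout, the field names and the sample values are all constructed for the demo. It models the diode as a datagram channel with no reverse path, then runs a push-style telemetry feed over it (works, with the receiver doing strict parsing and gap logging) and a TFTP-style read using the RFC 1350 opcodes (stalls, because the RRQ and every ACK need the reverse direction the diode does not have).

```python
"""Simulated data diode with two application protocols on top.

Added example, not code from the thread, Boeing or any avionics vendor. Frame
layout, field names and sample values are constructed for the demo and are not
a real ARINC 664/AFDX or aircraft format.
"""
import struct
import zlib
from collections import deque


class Link:
    """Datagram channel, forward = flight-systems side -> cabin side.
    With reverse_path=False it behaves like a data diode: nothing goes back."""
    def __init__(self, reverse_path: bool):
        self.reverse_path = reverse_path
        self.forward, self.reverse = deque(), deque()
        self.dropped_reverse = 0
    def send_forward(self, d: bytes): self.forward.append(d)
    def recv_forward(self): return self.forward.popleft() if self.forward else None
    def send_reverse(self, d: bytes):
        if self.reverse_path:
            self.reverse.append(d)
        else:
            self.dropped_reverse += 1  # no physical path back; just count it
    def recv_reverse(self): return self.reverse.popleft() if self.reverse else None


# Constructed telemetry frame: magic(2) | seq(u16) | altitude_ft(i32) | airspeed_kt(u16) | crc32
FRAME = struct.Struct("!2sHiHI")
MAGIC = b"TM"

def encode_frame(seq: int, altitude_ft: int, airspeed_kt: int) -> bytes:
    body = struct.pack("!2sHiH", MAGIC, seq & 0xFFFF, altitude_ft, airspeed_kt)
    return body + struct.pack("!I", zlib.crc32(body))

def decode_frame(d: bytes):
    """Strict receive-side parser: exact length, exact magic, matching CRC, or reject."""
    if len(d) != FRAME.size:
        return None
    magic, seq, alt, spd, crc = FRAME.unpack(d)
    if magic != MAGIC or zlib.crc32(d[:-4]) != crc:
        return None
    return seq, alt, spd

def run_telemetry(link: Link, frames, expected_seq: int = 0):
    """Push frames one way; return (accepted, rejected, gaps). Gaps are only logged:
    with no reverse path the receiver cannot request a retransmission."""
    for f in frames:
        link.send_forward(f)
    accepted, rejected, gaps = [], 0, 0
    while (d := link.recv_forward()) is not None:
        parsed = decode_frame(d)
        if parsed is None:
            rejected += 1
            continue
        seq, alt, spd = parsed
        gaps += seq != expected_seq  # bool adds as 0/1
        expected_seq = (seq + 1) & 0xFFFF
        accepted.append((seq, alt, spd))
    return accepted, rejected, gaps


RRQ, DATA, ACK = 1, 3, 4  # TFTP opcodes (RFC 1350)

def tftp_server_step(link: Link, blocks):
    """Server on the data-owning side: RRQ -> DATA block 1, ACK n -> DATA block n+1."""
    pkt = link.recv_reverse()
    if pkt is None or len(pkt) < 2:
        return
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode == RRQ:
        n = 1
    elif opcode == ACK and len(pkt) >= 4:
        n = struct.unpack("!H", pkt[2:4])[0] + 1
    else:
        return
    if 1 <= n <= len(blocks):
        link.send_forward(struct.pack("!HH", DATA, n) + blocks[n - 1])

def tftp_read(link: Link, filename: bytes, blocks, max_rounds: int = 20) -> bytes:
    """Client on the receiving side: RRQ, then ACK every DATA block; return the bytes."""
    link.send_reverse(struct.pack("!H", RRQ) + filename + b"\0octet\0")
    received = b""
    for _ in range(max_rounds):
        tftp_server_step(link, blocks)
        pkt = link.recv_forward()
        if pkt is None:
            break  # over a diode the RRQ never arrived, so the server stays silent
        opcode, blk = struct.unpack("!HH", pkt[:4])
        if opcode != DATA:
            break
        received += pkt[4:]
        link.send_reverse(struct.pack("!HH", ACK, blk))
        if len(pkt) - 4 < 512:
            break  # a short block ends a TFTP transfer
    return received


if __name__ == "__main__":
    frames = [encode_frame(0, 35000, 470), encode_frame(1, 35010, 471),
              b"not a frame", encode_frame(3, 35030, 473)]
    print("telemetry over diode:", run_telemetry(Link(reverse_path=False), frames))
    blocks = [b"A" * 512, b"B" * 100]
    print("tftp, two-way link:", len(tftp_read(Link(True), b"cfg", blocks)), "bytes")
    print("tftp, diode:", len(tftp_read(Link(False), b"cfg", blocks)), "bytes")
```

The point the simulation makes is the one both posters circle: UDP itself has no ACKs, but that says nothing about the application protocol on top, and a pull-style protocol like TFTP is bidirectional by construction. A physical diode enforces the direction regardless of what software does; a software rule of "only data, not commands" is only as good as the receiver's parser, which is why `decode_frame` rejects anything that is not exactly the expected length, magic and CRC instead of trying to make sense of it.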

------
solotronics
I was flying about a year ago and was messing with the in-flight entertainment
in a 787. It was pretty easy to figure out how to get to a boot menu in the in-
flight entertainment. I was thinking "huh, this seems like maybe a way in".
Seeing how the in-flight display shows navigational data, it must be on the same
network as the flight systems. I'm sure there is some kind of segregation, but
it's probably not ultimately secure.

------
0xDEFC0DE
How exactly do you get a hold of firmware and set up a lab to test everything
with stuff like this?

------
british_india
https://www.youtube.com/watch?v=hC-JCvFyjlo

The 787 Dreamliner is a nightmare. Bad code produced by offshore teams.
International teams totally violating safety procedures.

