There is IMO exactly one valid way to get data from the flight systems to the entertainment network: use a literal one-way connection. Not “the only supported requests are data retrieval.” Not “the software folks only transmit.” A bona fide physical connection where one side has a transmitter, one side has a receiver, and there is no physical mechanism to send any information whatsoever the other way.
These devices are often called “data diodes”. They are cheap. They cannot be hacked from the output side — at best a severely malfunctioning destination could send so much power the wrong way on the fiber or so much voltage the wrong way on the wire that the data diode fails. This would be surprising to say the least.
I guess they are a regulatory requirement because all of the modern aircraft have to request special conditions from FAA and EASA to justify why they do not comply with these requirements.
For example, for the Airbus A350:
> The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. These proposed special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.
Not just that. They have to be designed securely so they work in face of both logical and physical attacks. Security-focused diodes are supposed to include things such as emanation attacks. They're not cheap. Even the cheaper setups would be better than software-based security, though.
Does any of that actually matter in a realistic threat model in an airplane? The integrity of the critical systems matters, but there shouldn’t be any secrecy concerns. An attacker learning the full state of the avionics computer would be of little value. Similarly, a side channel from the entertainment system to a critical system shouldn’t matter unless the critical system is already compromised, since the critical system won’t be listening to the side channel.
Unlike the security researcher, I do have access to multiple 787s as I am one of many people responsible for maintaining them.
I'm obviously not going to attempt to exploit the firmware on an aircraft for obvious reasons, but the security researcher's notion that you can "pivot" from the in flight entertainment to anything to do with aircraft operation is pure fantasy.
These systems are entirely separate, including the electricity that controls the systems.
This guy is preying on individuals' lack of knowledge about aircraft mechanics in order to promote himself.
If that is true, I am surprised that Boeing did not use that as a response to the researcher. Instead they responded that they have compiler mitigations in place and could not exploit the vulnerabilities themselves. That response makes me feel like the networks are not entirely separate.
There are _always_ bugs in software. Your assertion that it's pure fantasy to pivot from the flight entertainment system goes against the near-infinite space of side-channel attacks and demonstrated attacks on even air-gapped systems; it's almost a law of physics that you are wrong.
> These systems are entirely separate, including the electricity that controls the systems.
This is not what Boeing said to the FAA 12 years ago when they asked to certify their network architecture:
> The proposed architecture of the 787 is different from that of existing production (and retrofitted) airplanes. It allows connection to and access from external sources (the public Internet) and airline operator networks to the previously isolated Aircraft Control Domain and Airline Information Services Domain. The Aircraft Control Domain and the Airline Information Services Domain perform functions required for the safe operation of the airplane.
> It allows connection to and access from external sources (the public Internet) and airline operator networks to the previously isolated Aircraft Control Domain and Airline Information Services Domain.
I believe this contradicts the "systems are entirely separate" statement from the parent comment.
Would you say, as someone who deals with these larger planes, that at least the 787 current gen is closer to an older style chassis and body for cars? I have always imagined/assumed that 787s are not unique, that they would be the same 'chassis' for a cargo plane or a passenger plane, and it really would have to do with how they fitted the plane for purpose?
This is part of the reason why I agree with you, because I don't see why the 787 would be unique by mixing avionics/mechatronics with the passenger systems but I don't know enough to say it with confidence. They would have designed the passenger systems to be independent and replaceable (especially with the knowledge gained from the legacies and upgrades of other planes like the 737).
Are there any public guides for 787 chassis and maintenance that you could point to as being reasonable things to read about this new style plane?
Not sure what you mean, but aircraft stopped being "chassis and body" some time in the 1930s. That was the switch to a monocoque design with stressed skin.
I couldn't find the right words to describe it, the other person who commented was a bit closer. At a certain point I would assume the Boeing 787 design would have interchangeable configurations that would not be dependent on the airframe and avionics. I wasn't sure if cabin, interior, model, or something else would best describe what I meant and chassis and body for a car was the best I could come up with that could describe these two changeable parts unlike the unibody chassis. It looks like configurations is the most appropriate word.
I was hoping that the person I commented to could point us at some fun manuals to describe how these configurations worked at a technical level.
I don't know about the 787, but in my day (757) every airplane that rolled off the assembly line was different. For one thing, there was a lot of customization for each airline, and the airplanes underwent constant technical improvement from field experience.
Doing things, however, that increased the weight or changed aerodynamics of the airplane were a very big deal, causing a ripple effect that would be very expensive.
Freighter versions were commonplace, with the obvious omission of windows (weight savings) and interior fluff.
Doing a stretch, or a re-wing or re-engine is an enormous thing.
They're more like the same airframe (fuselage, wings, undercarriage) with different fit and finish. Like different interior and possibly engines. The entertainment system is basically an add-on; it's separated both because it's not there in every configuration of the plane and also because it's supposed to be separated in order to be 100% sure that any failure there will not impact critical systems (like a short circuit, or an exploit). How exactly Boeing ensures this separation is another topic.
That's valuable to know -- thanks -- but nevertheless, demonstrating that if you can get onto the avionics network you can trivially compromise it is still valuable, no? There may be discovered other ways to access the avionics network (besides the IFE) that no one realized, or thought to protect.
When studying separation kernels, I remember that they were trying to safely/securely consolidate multiple systems (software and hardware) into fewer ones to save cost, size, energy, etc. Two things they were doing were separation kernels allowing lower-criticality stuff to be hosted with high-criticality and a special version of Ethernet (AFDX) that did something similar with provisions like reserving bandwidth.
So, you're saying there's no shared components at all... boards, data lines/switches, power lines/switches... between entertainment and critical systems? They run separate, highly-filtered power wires with separate boards with separate data lines for the two? No shared components at all?
It seems to me as someone with no experience of designing aircraft control software, avionics or anything to do with planes, that the entertainment system should be on a physically separate network to anything safety critical. Like, different everything: power supplies, switches, cables, control panels, the works. There should be no entryway into the flight control network except from the cockpit.
You can read about the fact that there are NO data diodes on the FAA website:
> The proposed architecture of the 787 allows connection to and access from external sources (the public Internet) and airline operator networks to the previously isolated Aircraft Control Domain and Airline Information Services Domain.
> Capability is proposed for providing electronic transmission of field-loadable software applications and databases to the aircraft. These would subsequently be loaded into systems within the Aircraft Control Domain and Airline Information Services Domain.
That's a request for comments from before 787 got its type certificate - I'd like to see the result, as I do recall there being a request to redesign the networks due to "not enough separation". Even HN talked about it.
I can't find the "work-in-progress" reports for type certification regarding the network, but the special conditions involve:
> The applicant shall ensure system security protection for the Aircraft Control Domain and Airline Information Domain from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity. The applicant shall ensure that security threats are identified and assessed, and that risk mitigation strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.
If Boeing decides to cut costs by using a single network for their entertainment, communications and flight control, who is there gonna be to tell them no? You would assume there is some oversight by independent security researchers who review these planes' security, but this assumption seems unsubstantiated.
In reality, what does this separation of critical networks look like exactly? MAC address filters? Are they air-gapped? I would venture to guess, nobody that isn't bound by an NDA knows.
As a network engineer it is terrifying that they would try this. Also, even if you have no MAC learning it's trivial to sniff the MAC on an endpoint and then spoof it. You would really need pubkey-based encryption where the key is stored in secure chips on every endpoint to know for sure what each device is connected to.
Companies do these things all the time and in other industries they get away with it. It would be nice if other industries would have similar strict audits and requirements.
The difference is that AFDX is a "closed" network. If you attached anything to it directly, you're already past the security boundary, as timing and reliability are more important than verifying identities in it.
The issue is that every kilogram you need to get into the air is another kilogram of fuel that you need to carry onboard. Airlines, and by association Boeing, are very conscious of weight over something like airgapping.
Their "rebuttal" almost seems like a taunt to other security researchers to prove them wrong. Calling the researchers irresponsible and their tools rudimentary was a dick move.
> That second barrier, the company argues, allows only data to pass from one part of the network to the other, rather than the executable commands that would be necessary to affect the plane's critical systems.
Assuming planes don't use something like CAN-bus but regular TCP protocol, this can't really be true, right? Perhaps they talk about which services are allowed to connect (listen for incoming connections).
That is false. Apart from the hard-coded and restrictive network configuration, AFDX is basically UDP/IP. There are many uses of bidirectional application protocols (like TFTP).
The unidirectional nature of the communication protocols means that AFDX-compatible applications can be easily firewalled for cases such as reporting data to the maintenance network, as I understood from Boeing's response.
Electronic Flight Bag being part of maintenance network is not something good, though.
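An added example (not from this thread, Boeing, or any AFDX vendor) modelling, in simplified form, the per-Virtual-Link ingress policing that an AFDX switch applies and that the two comments above allude to: a frame is forwarded only if its VL exists in the static configuration, its source end system is the one allowed on that VL, it fits the VL's Lmax, and it respects the BAG spacing. All VL numbers, end-system names and the traffic log are constructed.

```python
from dataclasses import dataclass

# Constructed virtual-link (VL) table; IDs, end-system names and limits are
# hypothetical and not taken from any real aircraft configuration.
@dataclass
class VirtualLink:
    vl_id: int
    source: str           # only end system permitted to transmit on this VL
    bag_ms: float         # Bandwidth Allocation Gap: minimum spacing between frames
    lmax: int             # maximum frame length in bytes
    credit: float = 1.0   # token bucket measured in frames; starts full
    last_t: float = 0.0   # arrival time of the last frame seen on this VL

class AfdxSwitchPort:
    """Simplified ingress policing for one AFDX switch port."""
    def __init__(self, vls, jitter_ms=0.5):
        self.vls = {v.vl_id: v for v in vls}
        self.jitter_ms = jitter_ms   # tolerated early arrival per frame
        self.dropped = []            # (t_ms, vl_id, source, reason)

    def accept(self, t_ms, vl_id, source, length):
        vl = self.vls.get(vl_id)
        # Static checks: unknown VL, wrong sender, or oversize frame
        if vl is None or vl.source != source or length > vl.lmax:
            self.dropped.append((t_ms, vl_id, source, "config"))
            return False
        # Credit accrues at one frame per BAG and is capped at one frame
        vl.credit = min(1.0, vl.credit + (t_ms - vl.last_t) / vl.bag_ms)
        vl.last_t = t_ms
        if vl.credit + self.jitter_ms / vl.bag_ms < 1.0:
            self.dropped.append((t_ms, vl_id, source, "rate"))
            return False
        vl.credit -= 1.0
        return True

def build_vls():
    return [VirtualLink(0x101, "ES-FCS", 8, 200),     # flight-control data, 8 ms BAG
            VirtualLink(0x202, "ES-IFE", 32, 1518)]   # cabin reporting, 32 ms BAG

# Constructed frame log: (arrival ms, VL id, source end system, length)
SAMPLE_FRAMES = [
    (0, 0x101, "ES-FCS", 120), (8, 0x101, "ES-FCS", 120),
    (12, 0x101, "ES-FCS", 120),    # 4 ms after previous: violates 8 ms BAG
    (16, 0x101, "ES-FCS", 120),
    (20, 0x101, "ES-IFE", 120),    # cabin end system sending on the FCS VL
    (24, 0x202, "ES-IFE", 1400),
    (26, 0x202, "ES-IFE", 1600),   # exceeds Lmax for this VL
    (40, 0x303, "ES-IFE", 100),    # VL not configured at all
]

def run_policy(port, frames):
    """Return the frames the port forwards; drops are recorded on the port."""
    return [f for f in frames if port.accept(*f)]
```

Running `run_policy(AfdxSwitchPort(build_vls()), SAMPLE_FRAMES)` forwards four frames and records one rate drop and three configuration drops; the point is that every filtering decision comes from the static table, so nothing attached to the port can negotiate itself a VL it was not configured for.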
I was flying about a year ago and was messing with the in-flight entertainment in a 787. It was pretty easy to figure out how to get to a boot menu in the in-flight entertainment. I was thinking "huh, this seems like maybe a way in". Seeing how the in-flight displays navigational data, it must be on the network as the flight systems. I'm sure there is some kind of segregation but it's probably not ultimately secure.