Monday, May 18, 2015

Hacking Airplanes

Kim Zetter (via Bill Bumgarner):

Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.

[…]

He obtained physical access to the networks through the Seat Electronic Box, or SEB. These are installed two to a row, on each side of the aisle under passenger seats, on certain planes. After removing the cover to the SEB by “wiggling and Squeezing the box,” Roberts told agents he attached a Cat6 ethernet cable, with a modified connector, to the box and to his laptop and then used default IDs and passwords to gain access to the inflight entertainment system. Once on that network, he was able to gain access to other systems on the planes.

Bruce Schneier (via Bill Bumgarner):

The problem the GAO identifies is one computer security experts have talked about for years. Newer planes such as the Boeing 787 Dreamliner and the Airbus A350 and A380 have a single network that is used both by pilots to fly the plane and passengers for their Wi-Fi connections. The risk is that a hacker sitting in the back of the plane, or even one on the ground, could use the Wi-Fi connection to hack into the avionics and then remotely fly the plane. […] Previous planes had separate networks, which is much more secure.

[…]

What this all means is that we have to start thinking about the security of the Internet of Things--whether the issue in question is today’s airplanes or tomorrow’s smart clothing. We can’t repeat the mistakes of the early days of the PC and then the Internet, where we initially ignored security and then spent years playing catch-up. We have to build security into everything that is going to be connected to the Internet.

2 Comments

Utterly tangential to the incredibly disturbing security concerns here, but let's not forget that an in-flight entertainment system actually brought down a commercial airliner, resulting in the loss of 229 souls.

Not quite what Neil Postman was getting at with his excellent Amusing Ourselves to Death, but it does rhyme...

RTCA DO-178B, Software Considerations in Airborne Systems and Equipment Certification, is what the FAA points to. A large fedgov contractor specifies their approach in ARINC 653, Avionics Application Software Standard Interface. FWIW, I have a lot of trouble believing this guy.
