Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air?

A cybersecurity professor has insisted he was not hunting for a vulnerability when he found a denial-of-service bug on an in-flight entertainment screen during a long-haul flight. His findings could affect a number of airliners running Thales-made equipment. But Hector Marco, an associate cybersecurity professor at the …

  1. disgustedoftunbridgewells Silver badge

    'Marco told El Reg that he "immediately contacted the affected stakeholders" once he had found the bug'

    So he complained at an air hostess.

    1. stiine Bronze badge

      And informed everyone else on the flight? If that was true, I'm sure he would have been jettisoned.

    2. Colin Ritman

      No fly list

      I hope he gets what's coming to him, as he was clearly deliberately trying to hack the aircraft.

      1. Intractable Potsherd Silver badge

        Re: No fly list

        There is no evidence of that. You are talking rubbish.

        1. Anonymous Coward

          Re: No fly list

          True, there's no evidence he was trying to hack the aircraft, but they've got him bang-to-rights on deliberately trying to find vulnerabilities in the in flight entertainment system (which he couldn't be sure wouldn't inconvenience others). He said so himself in his original blog post, and his video completely undermines the hastily concocted fib about wanting to send a message to another seat. I'm not convinced that a no-fly ruling against him would be proportionate, but he's clearly suffering from poor impulse-management and deserves some kind of reprimand.

  2. Anonymous Coward

    Entertainment system pen testing

    It's not like he was pen testing the flight control systems, this is the equivalent of sticking a USB stick in a cheap car radio and worrying about it affecting the spark plugs.

    Was it not up until recently that some major airlines were still using Windows 3.1 for their in flight entertainment systems? Would you think Windows 3.1 would be used to run the flight control systems?

    Nearly every United transatlantic flight I've been on has had a defective in flight entertainment system, it has never affected the safety of the flight control systems. Just means I need to bring a long book.

    AC because I'm expecting to be shot down by those in the industry who know what they're talking about.

    1. Hans Neeson-Bumpsadese Silver badge

      Re: Entertainment system pen testing

      Would you think Windows 3.1 would be used to run the flight control systems?

      I can't answer that question without additional data - is the aircraft in question operated by Ryanair?

      1. pɹɐʍoɔ snoɯʎuouɐ

        Re: Entertainment system pen testing

        is the aircraft in question operated by Ryanair?

        ahhh, ryanair. The in-flight entertainment system would be a steward leading a sing song..

        the flight control computer is a sinclair zx spectrum, with a dodgy rampack held in place with gaffer tape and snot...

        1. gazthejourno (Written by Reg staff)

          Re: Re: Entertainment system pen testing

          Believe it or not, Ryanair's fleet of Boeing 737s are almost all brand new.

          1. Bob.

            Re: I was just musing the other day that M$ might do this and low and behold!

            Soon to be grounded no doubt, since Boeing can't write bug free, tested code either.

        2. David 132 Silver badge
          Happy

          Re: Entertainment system pen testing

          ahhh, ryanair. The in-flight entertainment system would be a steward leading a sing song..

          And, being Ryanair:

          • Purchase earplugs to block the sound: €4.99 (£4.99)

          • Use your own earplugs/headphones: €9.99 (£9.99)

          • Join along in the sing-song: €4.99 (£4.99)

          • The in-flight song for March will be: "The Macarena".

        3. katrinab Silver badge

          Re: Entertainment system pen testing

          Ryanair wouldn’t have an inflight entertainment system unless they could sell access to it at a profit. For the short routes they mostly do, I think most people wouldn’t bother paying.

        4. bish

          Re: Entertainment system pen testing

          I rather suspect that the next generation of in flight entertainment systems on Ryanair flights will involve large screens, endlessly looping adverts and the Ludovico technique. Customers can simply pay a £50 upgrade fee to retain control over their eyelids.

      2. Anonymous Coward

        Re: Entertainment system pen testing

        That was the last shipment of ME licences...

    2. Anonymous Coward Silver badge
      Boffin

      Re: Entertainment system pen testing

      Car radios are linked to the engine management far more than you would think. The CAN bus is everywhere!

      This is more akin to sticking a USB stick in a car radio and expecting it to open your garage door.

      1. Evil Scot
        WTF?

        Re: Entertainment system pen testing

        And then use a public APN as an IP backhaul.

        JEEPers!!!

      2. Anonymous Coward

        Re: Entertainment system pen testing

        This is true that's why I said about a cheap car radio, as we all fitted in the 80s and 90s. My touchscreen radio shows all sorts of engine stats.

        You can even still buy a Dacia without a radio, so I'm told...

      3. Mr Benny

        Re: Entertainment system pen testing

        The only can in my car contains drink and the car radio has speaker out, antenna in and that's it.

        Yes, it's old.

      4. Shades

        Re: Entertainment system pen testing

        "Car radios are linked to the engine management far more than you would think. The CAN bus is everywhere!"

        There's a hidden function (requiring a finger twisting keypress combination) on my radio that can bring up speed in Kmh on its crappy red dot-matrix LCD screen and my car is not all that far off being 20 years old now. I have absolutely no clue what its purpose is for as it's not something mentioned in the car's manual and the car has both Mph and Kmh on the dials.

        1. Anonymous Coward Silver badge
          Boffin

          Re: Entertainment system pen testing

          Let me guess, you drive an Audi?

          The radio has a speed-dependent volume (marketed as gala effect), so it has a speed pulse input. Being German, they work natively in SI units.

          The first generation of it used a dedicated pin that delivered a pulse, the frequency of which indicated the speed. Later iterations used the CAN bus which also negated the need to enter a PIN after changing battery etc as it keyed itself to the serial number of the dash ECU.

    3. disgustedoftunbridgewells Silver badge

      Re: Entertainment system pen testing

      Why risk it? What if they are on the same network and this particular crash causes an infinite loop that floods the network with activity?

      They probably aren't and it probably won't, but I'd rather not try to find out at 30k feet.

      Or less urgently but he might find himself introduced to the emergency exit for it: what if he broke the entertainment system for everybody on this long haul flight?

      1. Anonymous Coward

        Re: Entertainment system pen testing

        IFEs are not on the same network as the aircraft controls (except for the _physically_ one-way link that provides nav data and such). They are not on the network of the US electrical grid either.

      2. commonsense

        Re: Entertainment system pen testing

        "Why risk it? What if they are on the same network and this particular crash causes an infinite loop that floods the network with activity?"

        You're right. Better just leave the thing off and not touch it at all, for fear of causing the plane to fall out of the sky.

    4. dvvdvv

      Re: Entertainment system pen testing

      Windows? Please... Pretty much all of them IFEs run Linux/Java now, and crash spectacularly all the same.

      1. Field Marshal Von Krakenfart

        Re: Entertainment system pen testing

        Java???? The Java Licence used to say you can't use Java for real time systems or Nuke Power stations. Last thing you want is a garbage collection when you're on finals. Still mightn't be as bad as Windows:

        Captain: "Flaps 40"

        Co-Pilot: "Roger; Flaps 40"

        Beep-beep-beep

        Co-Pilot: "Master Caution.... Flight controls..... Flaps device driver has become unresponsive, please reinstall"

    5. GlenP Silver badge

      Re: Entertainment system pen testing

      United transatlantic flight I've been on has had a defective in flight entertainment system

      When UA had just got their first planes with individual screens on the seat backs I ended up with one that didn't work. At that time this was considered "unusual" so I was offered a freeby from the Duty Free. The bottle of JW Black Label was much appreciated, more so than the c**p programme offerings would have been.

      1. David 132 Silver badge
        Thumb Up

        Re: Entertainment system pen testing

        so I was offered a freeby from the Duty Free.

        I had a transatlantic flight from Chicago to Amsterdam last month; the IFE for my entire seat row was stuck on the SkyMap the entire time, and multiple attempts to reset it made no difference (didn't even cause the screen to go blank, which makes me wonder what kind of "reset" they were doing).

        I complained to the cabin crew - I may be British, but living in the States for years has rubbed off on me - and was given 7500 loyalty miles as recompense. Which, as you said, is probably a better deal than having the IFE would have been.

        1. Bob.

          Re: Entertainment system pen testing

          If you fancy disembarking over the Atlantic on the return leg.

          Or maybe you can make Goose Bay and hire a car for the rest.

    6. Anonymous Coward

      Re: Entertainment system pen testing

      This. More hyperbole around 'hacking planes'. You can't via the in flight entertainment system. The flight control system doesn't even use TCP/IP!!!!! Good presentation from Black Hat a few years back by actual pilots who were also security researchers gets lost in the noise of mainstream media. Physically separate systems - don't use TCP/IP - all pilot commands override automatic input = no plane hacking for some time.

      If you start connecting the two together though,...

      1. Ben Tasker Silver badge
        Joke

        Re: Entertainment system pen testing

        If he breaks the IFE for the whole plane, and an angry passenger throws him out of the front door, he could damage a wing (or maybe an engine) on the way out.

        Network separation's not so helpful there, is it?

    7. Anonymous Coward

      Re: Entertainment system pen testing

      I work with a company that refurbishes old airliners for corporate and private users. I've taken apart some of the old IFE systems we have piled up in the scrap warehouse.

      From what I can tell, a lot of the old ones (And some newer ones) are really just wimpy cores running an X Windows Display Server and link up to more powerful machines located in the cabin electronics bay along with the wiring for the intercom system and the wiring that operates the seat belt sign, overhead lighting, etc. The most common IFE server system I've seen are just rebranded Sun Blades and a StorageTek array that run off of 48 VDC.

      Flight data appears to be received through an ARINC -> RS-422 controller that sits in the center pedestal, sitting next to the manual radio controls and plugs into an auxiliary port on the secondary / tertiary FMS (Same port that you'd connect an ELT / ADS-B Out transmitter on the Primary FMS).

      On a side note, I've noticed that a lot of the IFE systems don't even run TCP/IP, and opt for other protocols like IPX/SPX and other light-weight protocol stacks since things like routing and mass numbers of usable ports aren't necessary. At the physical layer, the connection tends to be a proprietary quasi-bus-like topology reminiscent of 10Base-2.

      1. This post has been deleted by its author

        1. Intractable Potsherd Silver badge

          Re: Entertainment system pen testing

          So no one should ever tell anyone about vulns, huh? You are part of the problem - maybe working for Thales??

        2. Crazy Operations Guy

          Re: Entertainment system pen testing

          If describing how a system works leads to the system being broken, then the system would have to be so broken that it's reckless to allow it to exist.

          But, if anything, the information I posted would sate the curiosity of a lot of people that would normally break into such systems for the purpose of exploration.

    8. Anonymous Coward

      Re: Entertainment system pen testing

      IIRC - wasn't it French Air Traffic Control that was using Windows 3.1?? Dunno about the aircraft though

  3. Hans Neeson-Bumpsadese Silver badge

    "Although I was very tired, and it was a night flight, I couldn't resist to do some basic security checks in the entertainment systems,"

    While I do believe that identifying (and so remedying) security flaws is a good thing, why do security researchers and the like seem to think they have the right to just jump in to systems like this? And this certainly isn't the first time I've heard of someone probing around on live systems of an in-flight aircraft to see what might happen.

    If I was a professional locksmith visiting a hotel, and started trying to pick the locks on other guests' room doors just to see how secure they are, I'm sure I'd very soon be having a conversation with the boys in blue.

    1. big_D Silver badge

      He was doing the equivalent of picking the lock on his own hotel room door, not his neighbours.

      1. JetSetJim Silver badge

        Except there was potential* for his lock picking activities to cause all other locks to fail.

        IANAPenTester, can't comment as to the probability of this outcome, although I would hazard a guess that there is zero chance of a crash in the IFE impacting flight control systems as they should be completely separate.

        1. tip pc Bronze badge
          Facepalm

          Should is the operative word.

          There is also the law of unintended consequences.

          What if crashing the ife caused run away processes that blew a fuse ultimately required by a backup system that suddenly became relied upon?

          Nothing is ever a problem until it’s a problem.

          https://youtu.be/RY5gBsjlRbU

          https://en.m.wikipedia.org/wiki/Boeing_737_rudder_issues

          After 2 fatal crashes and longest investigation in history they conclude it was a fault with a tiny component with a very low failure rate that left no evidence when it fails.

        2. doublelayer Silver badge

          He was faced with a system requesting input. He simply tried some type of input. It is the responsibility of the system to handle that properly. The better analogy is repeatedly locking and unlocking your own hotel door, because that is what the door is meant to do. If it so happens that, after unlocking a hundred times in one day, everyone else's door stops working, that's clearly the fault of the door system. Similarly, he did not try to disassemble the device or access it in some unusual way (connecting strange USB devices to the port to see if they could inject code). He merely entered input into a field that expected input. The same thing could have happened if he wanted to write a relatively long message.

      2. ChrisC

        He was doing the equivalent of picking the lock on his own hotel door room, which was connected via the hotel network to the locks on every other door in the building, without the slightest idea of what the effect on either his own lock or those on any other door might have been...

        1. Anonymous Coward

          He was doing the equivalent of picking the lock on his own hotel door room, which was connected via the hotel network to the locks on every other door in the building, without the slightest idea of what the effect on either his own lock or those on any other door might have been...

          Although hotel rooms tend to be at or around ground level, rather than several thousand feet above it and subject to the force of gravity.

        2. Anonymous Coward

          Hotel doors are not connected to the rest

          Re: He was doing the equivalent of picking the lock on his own hotel door room, which was connected via the hotel network to the locks on every other door in the building

          Hotel doors are dumb.

          That swipe card they give you just has:

          • Start

          • End

          • Accessible locks

          The cards bring the intelligence, the locks take their orders from the card.

          That's why if you extend your stay you need to get your cards refreshed by front desk.

          Security have a programming card that can do other magic (such as block cards).

          Sure there are more intelligent networked systems on the market. But you are unlikely to find them on hotel doors because "room door locks" is low down their budget priorities.

      3. Anonymous Coward

        It was the equivalent of picking the lock on the safe in his hotel room cupboard, totally unrelated to the door mechanisms.

        1. Michael Wojcik Silver badge

          It was the equivalent of picking the lock on the safe in his hotel room cupboard, totally unrelated to the door mechanisms.

          Not even that. It was the equivalent of pressing the buttons on the safe a whole bunch of times.

          Pasting lots of data into the stupid IFE system wasn't a great idea. But clearly this IFE app is rubbish, and that's the real story here. A faulty touchscreen could accidentally achieve the same effect by sending a keypress event repeatedly until the app crashed.

          It's the Thales developers who need their wrists slapped.

      4. agurney

        It's not his lock to pick.

    2. ATeal

      Let's not forget:

      He copy and pasted stuff. He put some random crap into the window, selected that, copied, pasted a few times, then selected that copied and pasted a few times <--- that's it.

      He plugged in a mouse right? If it was that USB device that bricks stuff you connect it to (the one that charges slowly then shoves a lot back into the port) then yeah you'd have a point.

      Imagine that "try copying and pasting loads of text" becomes some standard benchmark that "average people" try for "fun", seeing if "software is up to par" - then there's no "security researcher" here.

      C'mon guys get some perspective. If he attached a debugger then yeah maybe, but f'cking copying and pasting a few times?

      1. Anonymous Coward

        Re: Let's not forget:

        Yeah. This is not like trying to pick a lock. This is copy/paste. It's like going "wait, can I put the lid back on the bottle of wine" and finding out it crashes the automatic barcode system in the automated minibar...

        Yes, this kind of thing is being cheeky, but what if it was a kid pressing the button repeatedly? I'd rather a trained professional checks if button pressing breaks the system, than get surprised when a kid trying to get "Cars" to load on the flight entertainment crashes *my* film.

        But then again, I'd not expect it to do any damage to the plane, as I would trust the pilots.

        1. Intractable Potsherd Silver badge

          Re: Let's not forget:

          "... what if it was a kid pressing the button[?]"

          I was going to post the same thing. Thankfully, I haven't flown with my pair of under-5s on a plane with an entertainment system - it would be too much stress keeping their fingers off everything. They are the best pen-testers I know, since they can find that special technique for bringing a device to its knees regularly.

      2. Down not across Silver badge

        Re: Let's not forget:

        He plugged in a mouse right? If it was that USB device that bricks stuff you connect it to (the one that charges slowly then shoves a lot back into the port) then yeah you'd have a point.

        I'm surprised the IFE allowed to plug in any HIDs at all. Would be understandable if they were only charging ports.

    3. Black Betty

      Re: Hotel security

      You might be surprised. Check out a Deviant Olam vid or 3.

    4. Crazy Operations Guy

      Not like locks at all

      What he did was closer to fiddling with the television in his hotel room to see what happens when you mash all the buttons at the same time. Sure, there is the potential that he could bork the television itself, the hotel's satellite receiver or VoD server. But that is the extent, no matter what, they aren't going to be able to turn out the lights or stop the toilets from flushing.

  4. imanidiot Silver badge

    So, uhhhmm, why should I care?

    He can make the chat app crash. Big whoopty friggin dooo.. It has NO relation to the actual flight systems of the aircraft and how I understand the article only affects the one system. Worst case scenario is a flight will have to do without the IFE chat app. Few people use that to begin with AFAIK.

    I'd be worried if he found a port from the IFE to the flight systems. This is pretty much non consequential even if unfixed.

    1. Anonymous Coward Silver badge

      Re: So, uhhhmm, why should I care?

      Worst case scenario, the cabin crew would have to go and press the 'reboot' button on the master console.

      1. Steve K Silver badge

        Re: So, uhhhmm, why should I care?

        You'll probably find that the reboot switch is in an alcove just behind the turbofan on the right-hand engine (like that bit in "The Core" when they are stuck in the geode and have to reset something).

      2. Bob.

        Re: So, uhhhmm, why should I care?

        Is it the one next to the Flight Control reboot button?

    2. big_D Silver badge

      Re: So, uhhhmm, why should I care?

      At worst, he would crash the whole IFE system and nobody would be able to use it. But, yes, as long as it isn't connected to anything else, I see it as annoying, but not a real (inflight) security issue*. The IFE should be patched.

      * Well, it might be a personal security issue for him, if he deprived everybody onboard of their entertainment...

  5. Anonymous Coward

    Safety

    The potential 'safety implication' is that he's likely to have me 'accidentally' spill a cup of coffee over his delicate parts. Travelling economy class long haul, as I often do, is made marginally more tolerable by the ability to watch the trashy movies that would be vetoed as insufficiently culturally enriching by the management of Chateau AC. Crash the IFE at your peril.

    1. Intractable Potsherd Silver badge

      Re: Safety

      Please, just grow up. If you are depending on someone else to supply your entertainment so you don't get grumpy, then you shouldn't be in a confined space with others. The chances of the system not working are really high. Bring your own kit and reduce your risk of me being affected by your shitty temper.

  6. Anonymous Coward

    Unwise

    Perhaps installing an untested system in a commercial aircraft is also unwise?

    1. Phil O'Sophical Silver badge

      Re: Unwise

      Given the screenfuls of Linux missing symbol messages that I've seen pour past when these systems are rebooted (and the frequency that reboots seem to be needed) I'd be surprised if any of them get tested beyond "did it compile?".

    2. Anonymous Coward

      Re: Unwise

      Who says it was un-tested. Could equally well be correctly programmed and fully tested.

      If( data entry to field > 256 characters and characters are typical of bored nerd) then (

      lock IFES

      tag passenger as 'prat'

      )

      1. heyrick Silver badge

        Re: Unwise

        lock IFES

        tag passenger as 'prat'

        invoke ejector seat mechanism...

        1. David 132 Silver badge
          Happy

          Re: Unwise

          invoke ejector seat mechanism...

          But there's no hatch above his seat, he'd just splat at high velocity into the overhead locker... ohhhhhh wait, I see what you did there, never mind

      2. Ozumo

        Re: Unwise

        Mark for "Enhanced Security Checks" in perpetuity.

  7. Lee D Silver badge

    "There are potential safety implications here, so testing an IFE in an airplane with passengers on board is unwise."

    Surely, it's much much much much much more unwise to allow random members of the public access to a system with potential safety implications for an aircraft?

    Though I don't agree with his methodology - a child could have done the same. And we wouldn't know.

    Because things like this should be caught in internal security testing, especially if there are "potential safety implications", and the results published, no? And they wouldn't miss something as simple as a buffer overflow in a user-controlled field, would they?

    There's no way he endangered the aircraft (maybe inconvenienced some passengers) - not unless there was a catastrophic layer failure in the original specification of the system. Which - again - is something we should know about.

    Rather than divert blame... thank him... patch it... ask him not to repeat the experiment except under controlled conditions... and then supply him with a copy of the device to see if he can find anything else. Because, for sure, in ten minutes he found something that all your expert programmers not only missed, but are trying to hush up and bring in "airline safety" against to silence him.

    1. Anonymous Coward

      Think of the children

      "potential safety implications" What safety implications? Some rent a quote researcher saying it could be a risk doesn't make it true. I'm fairly sure that there's a potential that sending the code 'thhd666&&&£$@" as an SMS to the navy might trigger the launch of a nuclear missile. But somehow I doubt that it's a very high potential.

  8. ortunk
    Devil

    A bored nerd is still a nerd, and nerds do these kind of things.

    Once I wrote a script to send the same SMS to all the company using a serial GSM modem just because I was stuck recovering a shitty database from old backups at the middle of the night.

    Let me tell you they didn't appreciate the 3 am recovery complete SMS.

    Still the culprit is the airline/manufacturer as they didn't test a very basic thing in the first place.

    1. tip pc Bronze badge

      I’m fairly sure they tested a bunch of other more critical stuff and this low hanging fruit was left as it wasn’t actually critical.

      Don’t get me wrong, If I was on that flight I’d be pissed at the so called security guy tired on a night flight who couldn’t help himself but conduct a pen test on a live airborne flight even though he didn’t know of any vulnerabilities and didn’t know the impact of stuffing systems full of stuff they were not designed to accept well outside of their expected use case. The fact that that system crashed is actually a positive, hopefully it crashed in a way preventing further dicking around with it, so failed safe which is what most things on an airplane are meant to do.

      If you're a nerd and want to test that stuff hire a jet tell the owners and support vendor and do it in a controlled way, not randomly trying to get lucky at the potential expense of others' lives.

      I totally accept that the ife should not be able to have a derogatory impact on safety critical flight systems but you don’t test that theory without explicit consent.

      1. doublelayer Silver badge

        To put this in context, he typed in a bunch of characters. That's it. He did not break into the system's hardware or software, and he did not destroy it in any way. He typed into a field whose purpose is to receive input. The same thing would have happened if I was typing a message in but wanted to say more than its input limit. Unless it tells me this before I send (and if it has a buffer overflow it almost certainly doesn't), I wouldn't know when I've hit its limit. The only difference is that my characters would be a natural language message while his were not. If there is a situation where a user error from a user that is not acquainted and should not have any privileges can cause a safety risk, the system needs to be patched. If there is a situation where such error can cause a safety risk aboard an aircraft, then that system needs to be completely removed from aircraft and returned to its manufacturer, ideally by catapult into their security office.

        Would you blame me for pressing every icon on one of these to see what they do? What if there is a certain pattern of icons that would cause the navigation system to reroute to Antarctica? What if the movie selector will zap the pilot with a massive surge of current if I watch two separate videos after clicking on the clock five times? What if the engines are disabled if I type in a 257-character message? If they shouldn't be able to do things, don't give the user-facing devices the ability to do those things.

        1. Cavehomme_ Bronze badge

          Didn’t you learn that curiosity killed the cat?

          1. jbuk1

            If curiosity killed the cat we would not have invented airplanes.

  9. Anonymous Coward

    Big deal

    Half the flights I've ever been on had their entertainment systems crash just in normal use.

    1. Simon Harris Silver badge

      Re: Big deal

      On one flight I had a seat with a defective frozen entertainment system.

      I got them to bump me up to a better seat when I told them it was a health and safety risk to leave me where I was as I was unable to watch their 'what to do in an emergency' video.

    2. jaywin

      Re: Big deal

      I suppose the first question is was it his playing with the system that caused the crash or was it just part of its normal operation?

  10. Fat_Tony
    Facepalm

    They just can't help themselves

    "Although I was very tired, and it was a night flight, I couldn't resist to do some basic security checks in the entertainment systems"

    this is exactly why so many people think they're knobs

  11. knarf

    I didn't know the existence of any vulnerability at that time.

    No shit Sherlock it not if it's printed on the safety card.

  12. Pascal Monett Silver badge
    Thumb Down

    "I was not probing [..] because I didn't know the existence of any vulnerability at that time."

    No, you weren't probing, you were just dicking around.

    In a plane full of passengers.

    Not knowing what you might trigger.

    You might have missed a Darwin award there, bud.

    1. heyrick Silver badge

      Re: "I was not probing [..] because I didn't know the existence of any vulnerability at that time."

      Not knowing what you might trigger.

      Calm down, this isn't the Daily Mail.

      If his dicking around with his entertainment system affected any other part of the aircraft (from flight control to toilet flush), the entire airline should have their permission to fly revoked...

    2. Intractable Potsherd Silver badge

      Re: "I was not probing [..] because I didn't know the existence of any vulnerability at that time."

      Pascal, you are wrong. Lots of other responses here to explain why. Don't buy into the panic - I've read your comments for a long time, and know you are better than that.

  13. Simon B-52

    The real crime here

    Despite being, in his own words, 'very tired', he still couldn't resist trying to break things to impress fellow dweebs on Link Din, the snottier version of Fugbook.

    Pillock.

    1. Simon B-52

      Re: The real crime here

      Don't really understand the downvotes here, unless it's Link Din folk having thin skins, here's why:

      What's the worst thing that this security fail can allow to happen? That at some point, some bugger will knacker the IFE and stop folk from quietly watching a film.

      So rather than doing something actually worthwhile, this bollix knackers the IFE.

      Legitimate security work ASKS before doing ANYTHING with a reasonable chance of causing any sort of problem, and also sensibly restricts itself to things that there's a reasonable chance of them getting fixed.

      FAIL.

  14. datawise

    "There are potential safety implications here, so testing an IFE in an airplane with passengers on board is unwise." - gives BSoD some bite...

  15. crapula

    I think the IFE system is classed as level E in DO-178B or C but I could be wrong.

  16. Walter Bishop Silver badge
    Linux

    Thales TopSeries i5000 potential safety implications

    "There are potential safety implications here, so testing an IFE in an airplane with passengers on board is unwise."

    I thought these consumer systems were isolated from the plane's avionics.

    "The Register can reveal that the affected software is in fact made and maintained by Thales Group under the trade name Thales TopSeries i5000"

    What would be interesting to know is what Operating System the Thales TopSeries i5000 runs on and why weren't such bugs picked up in the development and testing phase.

    1. Anonymous Coward
      Anonymous Coward

      Re: Thales TopSeries i5000 potential safety implications

      > I thought these consumer systems were isolated from the plane's avionics.

      You'd think.

      However, amazingly, they're not always completely isolated.

      Significantly isolated, yes, but not always air-gapped.

    2. Anonymous Coward
      Anonymous Coward

      Re: Thales TopSeries i5000 potential safety implications

      10 years ago I worked for a contract manufacturer that built the IFEs for Thales. The processors were IBM power PC, the OS was some variant of Linux and the user interface was the Opera web browser and a touch screen. Good ingredients, poorly executed. The IFEs ran almost hot enough to be fire hazards (no exaggeration considering that these things had no ventilation and were surrounded by nice, insulating foam rubber). No one at Thales even took the time to do the basic arithmetic necessary to see if the mechanical tolerances could add up in such a way that the things couldn't even be screwed together. There were many times we got enclosures that were within Thales' tolerances that wouldn't fit together or wouldn't allow components to fit. Absolute crap on Thales' part, I doubt they've got any smarter.

  17. artbristol
    FAIL

    "Buffer overflow" has a specific meaning

    Causing a crash by typing in too much text does not mean you found a buffer overflow. Could just as easily be a validation mismatch between front and backend. You don't even know if the program is written in a memory-unsafe language like C.

    And if I may play the man not the ball, this security researcher doesn't even have HTTPS on his blog.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Buffer overflow" has a specific meaning

      InFlyt (which is what this likely is) is actually a custom Android spin Thales glued together, which means that we're probably looking at Java (or alternatively Xamarin/C#). It's possible that this was some kind of overflow, but I'd hazard a guess they're not arbitrarily passing user input to native code. I mean, I've been proven wrong many times.

      More than likely, the backend didn't like it - probably some parser somewhere that wasn't expecting an enormous blob of json and just decided to nope out.

      I'm actually a security person myself, but I do hate people who feel compelled to try, and I use the word try here, to hack random things they see lying around.

      1. Gwyn Evans
        FAIL

        Re: "Buffer overflow" has a specific meaning

        Indeed, particularly as no one's going to believe his change to "not probing for vulnerabilities" when reminded of things such as the Computer Misuse Act...

        Any sort of reputable pentester/security researcher knows to get the system owner's agreement before testing, rather than just rocking up and ****ing about trying to break a multi-user production system, let alone one where there's unlikely to be anyone with knowledge/access to recover any damage or loss of service caused.

        1. DavCrav Silver badge

          Re: "Buffer overflow" has a specific meaning

          "Indeed, particularly as no one's going to believe his change to "not probing for vulnerabilities" when reminded of things such as the Computer Misuse Act..."

          However, surely he was authorized to put text into the text box? How many characters do you have to put in before it becomes unauthorized?

      2. Anonymous Coward
        Anonymous Coward

        Re: One and only time.

        I do remember typing "Format C:" at college, because at that age I assumed everything had security... I quickly made escape, and pretended to be amazed one of the PCs was not working in that room. I doubt they ever even fixed it.

        I now know DOS was not protected (and they never bothered with anything like Deepfreeze, but without even Admin restrictions, I was WAY too naive) there.

        I have since only done messing around it on my own systems, or the self service tills at Tesco. XD

  18. Glen Turner 666

    Not the flight systems, the entertainment system, but still...

    It's not a safety of flight issue, but if he'd dropped the entertainment system at the beginning of that transatlantic flight people would be rightly upset about the selfishness of entertaining himself at the cost of everyone else's boredom.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not the flight systems, the entertainment system, but still...

      I'd be more concerned there is no "reboot" button/procedure for the IFE system, than 1 person typing garbage in a field crashing it... who is to blame? IMO the makers of a broken system.

  19. Anonymous Coward
    Anonymous Coward

    It won't affect me as I've refused to fly with that excuse of an airline for 20 years after my last experience with them. I'd rather fly Ryanair (yes that bad) as at least their idea of an entertainment system* is a scratch card and I've yet to see a buffer overflow affect a piece of cardboard.

    * they do have one more type of entertainment system but that's in the airport, it's a game called "will my plane turn up ?"

  20. redpawn Silver badge

    BYOE

    I don't know about you, but I find a book more entertaining. Other than the flight tracker showing how much longer the plane will be over the ocean it has little value. Low rez movies on bad screens and a terrible selection of music hardly qualifies as entertainment and the WiFi solution is oversubscribed with hundreds of devices inside a metal cylinder which causes frequent failures.

    The very presence of an entertainment system causes people to close all the windows and create an atmosphere akin to a tomb or the Elevator to Hell. BYOE (Bring Your Own Entertainment) and you will be happier.

    1. vir

      Re: BYOE

      I believe you are forgetting how loud toddlers can be when they do not have something to distract them, especially on a plane.

      1. Simon B-52

        Noise Abatement?

        Duct tape works best, though it's best to get the parent's permission first. Sadly, these days, they're often so mercenary that a £50 sweetener is necessary.

    2. Joe W

      Re: BYOE

      Had a book - finished it (there was a massive blurb on the next book at the end)

      Had laptop - battery empty because I did some work at the airport

      Empty battery on the mp3-player

      And then the IFE did not work... got copious amounts of booze, but LH supplies that anyway, and some Air Miles, but still sucked big time.

      1. doublelayer Silver badge

        Re: BYOE

        I prefer having the IFEs, not because I find their features useful (I've never used one), but simply because they usually have the ability to charge USB devices. This can be quite useful after the laptop battery or book didn't last as long as you wanted and you're stuck with your phone for the rest of the flight. Otherwise, you always have to save enough power in the phone battery because you know you'll need it to get navigation or transportation when you land.

  21. Doctor Syntax Silver badge

    "We are already aware of this issue"

    Translation: Yes, we've read that too.

  22. tiggity Silver badge

    Some major over reaction here

    Any parts of the inboard entertainment system someone can access as a paying passenger should be totally separate from the important keep the plane in the air networks.

    In flight entertainment is normally fairly fragile anyway* so hard to imagine how a bit of messing about can make it much worse than it already is.

    * I'm old enough to remember no such thing as in flight entertainment systems & so still have the mindset of ensuring I have what I need onboard with me to keep me entertained (e.g. real books, not a "device" I may be asked to switch off due to paranoia)

  23. TRT Silver badge

    I must be old fashioned...

    But what kind of in-flight "Entertainment" is being able to chat to/troll the passenger in the oversized Hawaiian print muumuu sitting 4 rows back?

  24. mark l 2 Silver badge

    I guess if the in flight entertainment system is susceptible to being owned, it could be used by bad actors to cause panic on the plane.

    Imagine someone were able to put a message on all the screens that there was a bomb on the plane or that the pilot was a terrorist who was going to crash the aircraft.

    1. Aqua Marina Silver badge

      You mean something like this?

      https://youtu.be/X_V9jhBcCDU

  25. John Miles
  26. Anonymous Coward
    Anonymous Coward

    G-STBD

    It is with much disappointment that I announce the non-existence of a G-PORT in the UK register. What a wasted opportunity.

  27. StuntMisanthrope Bronze badge

    No key, no cash...

    Even the big stack in the safe, when the power or disks fail. #opensesame

  28. GrapeBunch Bronze badge
    Coat

    Ghee whiz

    Sadly, no scampi were harmed in the making of this butter overflow. Mine's the one with the grease marks, but smells so goood.

  29. Lorribot

    What is the most shocking, that someone tried to hack an infotainment system on a plane or that the company that sold said system had not done simple basic security pen testing or that the company that bought said system had not done basic pen testing as implemented in their planes?

    For me the latter two far outweigh the former.

    We only have BA's word that nothing critical was a risk, but given they didn't test this how do we know? The car manufacturers don't seem to differentiate between infotainment and control systems why should we assume Airplane operators do?

    There should be a GDPR for security of system access for all transport that covers system security rather than data loss, but I fear that would only come from the EU as our own government would not have the balls or clout to implement such a thing.

  30. ATeal

    No flame war on the "Right Thing" to do?

    I imagine *A LOT* of things with text-boxes are ill-equipped to deal with this (editors should be alright, they have like nice trees, can work with a file rather than all in ram, blah blah, I'm talking something that is ultimately a null-terminated string) I am surprised that there has been no real talk of what the program *ought* to have done.

    In this case an absolute limit should be fine, but generally these are not good (some old editors have 4kib or even 16kib hard limits - not very future proof and often exceeded for generated files, Bison has options to generate small code even today because of this)

    Anyway what *should* you do guys? C'mon, absolute limit in *this* case but those old editors.... should they try to find out how much ram is free and use that (I bet that's fired some of you lot up)

    DISCUSS!
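
One possible answer to the question in the comment above, for the absolute-limit case, as an added example that is not part of the original thread and is not Thales code: a null-terminated text field that refuses input past a fixed cap, plus a back end that re-checks the length itself, which also covers the front-end/back-end validation mismatch raised in comment 17. `CHAT_MAX` and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define CHAT_MAX 256  /* assumed absolute limit for one seat-to-seat message */

typedef enum { CHAT_OK, CHAT_TOO_LONG, CHAT_BAD_ARG } chat_status;

typedef struct {
    char   text[CHAT_MAX + 1];  /* +1 for the terminating NUL */
    size_t len;
} chat_field;

void chat_field_init(chat_field *f) { f->len = 0; f->text[0] = '\0'; }

/* Front end: called per key press or auto-repeat tick. A full field
   refuses the key and stays intact; nothing is written past text[]. */
chat_status chat_field_append(chat_field *f, char c)
{
    if (f == NULL || c == '\0') return CHAT_BAD_ARG;
    if (f->len >= CHAT_MAX) return CHAT_TOO_LONG;
    f->text[f->len++] = c;
    f->text[f->len] = '\0';
    return CHAT_OK;
}

/* Back end: checks the received byte count itself instead of trusting the
   front end, so a limit mismatch between layers ends in a clean rejection.
   src need not be NUL-terminated; src_len is the number of bytes received. */
chat_status chat_backend_accept(char *dst, size_t dst_size,
                                const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0) return CHAT_BAD_ARG;
    if (src_len > CHAT_MAX || src_len >= dst_size) return CHAT_TOO_LONG;
    if (memchr(src, '\0', src_len) != NULL) return CHAT_BAD_ARG; /* embedded NUL */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return CHAT_OK;
}

/* Simulates holding a key down for n repeats; returns how many were accepted. */
size_t chat_hold_key(chat_field *f, char c, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (chat_field_append(f, c) == CHAT_OK) accepted++;
    return accepted;
}
```

Rejecting with a status code, rather than silently truncating, lets the user interface tell the passenger the message is too long instead of sending something different from what was typed.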

  31. herman Silver badge

    Auto repeat

    The in flight entertainment system is not on the same bus as the flight control system. I cannot remember when I last flew on a plane where the in flight entertainment system actually worked correctly, but the plane was fine otherwise.

    Anyhoo, no self respecting device should crash when you do the equivalent of putting your finger on a key and holding it down and that cannot be described as 'computer hacking' either.

  32. Bucky 2

    "Goodness, no, officer, I was just testing the convenience store's booze and pop-tart security. My poor, misunderstood heart is as pure as the driven snow."

  33. Andy Denton

    Thales....

    ...with the exception of a couple of decent employees, the biggest bunch of inept fools I've ever had the misfortune to work with in my 30 year career.

  34. This post has been deleted by a moderator

  35. Mike_G

    Quote:

    ' [Marco] knew the potential consequence of his actions and also is hopefully aware of the UK Computer Misuse Act.'

    Does this apply if he is in International Airspace?
