back to article WTF is Boeing on? Not just customer databases lying around on the web. 787 jetliner code, too, security bugs and all

A Black Hat presentation on how to potentially hijack a 787 – by exploiting bugs found in internal code left lying around on a public-facing server – was last night slammed as "irresponsible and misleading" by Boeing. At the hacking conference in Las Vegas on Wednesday, Ruben Santamarta, principal security consultant at pen- …

  1. simonlb
    FAIL

    "irresponsible and misleading"

    Like telling the FAA the 737MAX was exactly the same as all the previous ones and didn't need re-certifying, despite parts of it's flight envelope being significantly different and warranting a completely new augmentation system to assist the pilots with it? You know, the one which doesn't work and which the flight crews weren't necessarily told was there?

    Over 300 people are dead because of that.

    1. m0rt Silver badge

      Re: "irresponsible and misleading"

      And earlier in that quote...

      'IOActive chose to ignore our verified results and limitations in its research'

      Funny Boeing saying that. Seems they did, too, in order to self certify* their own systems.

      *Which is what the FAA apparently was accused of letting them do.

      1. TRT Silver badge

        Re: "irresponsible and misleading"

        Made them sit up and take notice, though, which is exactly what the intention was*

        *probably.

    2. Mark 85 Silver badge

      Re: "irresponsible and misleading"

      Boeing does have a credibility problem, don't they? This whole "he said" back and forth shows it's still a problem.

  2. TJ1
    Alert

    One Network to Rule Them All

    And we can believe Boeing are 100% correct both in hope and via proofs and evidence because...?

    ... of how bug-free the Maneuvering Characteristics Augmentation System (MCAS) has been proved to be?

    1. GnuTzu Silver badge

      Re: One Network to Rule Them All

      Yet: "...hardware filters that only allow data to flow between networks..."

      So, they're not air-gapped. The thing is, how monitored and managed are those "filters", as anyone working boundary defenses know is a necessary?

      1. Phil Endecott Silver badge

        Re: One Network to Rule Them All

        I would like to think there is at most a uni-directional connection from the avionics to the other networks, so that e.g. the passenger information system can display the current altitude, implemented using something obviously uni-directional like an opto-coupler.

        Can anyone think of a legitimate reason for anything to flow the other way?

        1. Doctor Syntax Silver badge

          Re: One Network to Rule Them All

          Since when did vendors need a legitimate reason if it might affect convenience and costs?

          1. hoola Bronze badge

            Re: One Network to Rule Them All

            What is a requirement and what is then implemented due to stupidity, ignorance or deliberately is another thing. This is where all the "Software Defined blah" falls down. Software defined is just that, code running on a hardware to emulate what a piece of real equipment used to do because:

            It is cheaper to build (generic hardware with code on top)

            It is easily upgraded (the endless quest to "improve stuff")

            Bugs can be fixed more easily (there are usually more in the first place because it is software)

            Bean counters and C-suite idiots had happy because it is cheaper and sound cool

            All the leads to a gradual decrease in quality until you reach the point that a catastrophe happens. This is the same wherever you look with what is going on with self-driving cars being the next total clusterf*ck. The difference there is that so many people are already killed or seriously injured on the road due to what are classed as "accidents" (although very few are genuine accidents) and it is just accepted that currently they can get away with it. Big business had so much power now that the regulators are becoming impotent to there demands.

        2. John Brown (no body) Silver badge

          Re: One Network to Rule Them All

          A modern smartphone[*] plugged into the entertainment system could provide all the flight data a passenger might be interested in without any connection at all into the rest of the planes networks. That could completely remove any need at all for secure one way connections, monitoring and logging analyses etc.

          [*] Not really an actual smartphone, of course, but the sensors and processing required to produce the data the passengers simply can't do without. They don't need the accurate data the plane is producing for pilot/avionics use.

          1. imanidiot Silver badge

            Re: One Network to Rule Them All

            The link between the secure flight controls and navigation network (third network in the article) and the flight crew and maintenance network (second network) will be needed for things like engine management data too. Things like engine and FADEC system parameters are very important data for the maintenance crews working on the craft between flights. I agree the first network could be fully airgapped from the second and third layer, however that public facing network is probably still running things that the maintenance network wants to know about. (Things like the in-flight entertainment system might not seem important, but play a vital role for both airline image and keeping the cattle calm during the flight)

            1. greenwood-IT

              Re: One Network to Rule Them All

              So just having one maintenance system to monitor & manage all 3 networks? That there is exactly the problem, one system plugged into everything - that would be the target. Would it be so expensive and inconvenient to have a separate maintenance system for the public network?

        3. GnuTzu Silver badge

          Re: One Network to Rule Them All

          A legitimate reason for things to flow the other way?

          No. But, you know some thought would be convenient to have status information from the entertainment system to the flight attendants system. And, once they rationalize that...

          Still, even boundary defenses can have vulnerabilities. How often do they pen test and patch these things? Are they stymied by a long validation process with the FAA that prevents them from patching vulnerabilities?

          And, I'm also very picky about in which direction connections can be initiated. If data should only flow in one direction, the initiation of connections should also be in that direction. That is, data should be pushed, not pulled.

        4. Peter X

          Re: One Network to Rule Them All

          If you just give the entertainment system a GPS receiver, it can probably give accurate enough altitude/speed/position data and then be entirely separate. It'd be (1). safer since there's no connection, and (2). probably cheaper since you don't have to define/create/test a secure one-way-link to critical systems.

          I'd go as far as saying if they're not doing it this way, then why not?

          1. TimMaher Bronze badge

            Re: One Network to Rule Them All

            Probably the roaming charges.

        5. Fungus Bob Silver badge

          Re: One Network to Rule Them All

          I can't think of a legitimate reason for giving the passengers information from the avionics systems.

        6. Anonymous Coward
          Anonymous Coward

          Re: One Network to Rule Them All

          "Can anyone think of a legitimate reason for anything to flow the other way?"

          being described as network, i'd expect "ack"s to go the other way.

          1. Jamie Jones Silver badge

            Re: One Network to Rule Them All

            No need. They can just spray out UDP packets - guaranteed 100% accuracy would not be required.

        7. This post has been deleted by its author

      2. captain veg

        Re: hardware filters that only allow data to flow between networks

        As opposed to allowing, I dunno, magic and thought waves to flow between networks? Some powerful hardware there.

        -A.

    2. This post has been deleted by its author

  3. 's water music Silver badge

    certification

    Well if Boeing have self-certified that the aircraft is secure then that's good enough for me.

    1. 's water music Silver badge

      Re: certification

      Who knew Dennis reads el reg?

    2. Chris G Silver badge

      Re: certification

      I wonder, has anyone thought to check out all of Boeing's other self certifications?

      If they are capable of doing what they did on the Max, what else may be out there?

      1. 's water music Silver badge

        Re: certification

        we will almost certainly never know

        1. Anonymous Coward
          Anonymous Coward

          Re: certification

          I am in no doubt that Boeing have self-certified that they are indeed capable of self-certifying.

          1. Hero Protagonist

            Re: certification

            But who shall self-certify the self-certifiers?

            1. m0rt Silver badge

              Re: certification

              The root certifiers.

            2. Doctor Syntax Silver badge

              Re: certification

              It's self-certification all the way down.

              1. John Brown (no body) Silver badge
                Thumb Up

                Re: certification

                "It's self-certification all the way down."

                That may be more true than your obviously flippant comment implies.

                No matter what the professional body, exam board or whatever, someone, somewhere down the line, had to be the first "authority", essentially self-certified, who then certified others who came after.

                1. Chris G Silver badge

                  Re: certification

                  What bothers me is the fact that the FAA allows Boeing to self certify with apparently no real oversight. That smacks of 'a job for the boys' or a brown envelope.

        2. fidodogbreath Silver badge

          Re: certification

          we will almost certainly never know

          Sure we will...right before impact.

          1. mathew42

            Re: certification

            Unfortunately the knowledge will only come after months of 'nothing to see here' and possibly a couple more impacts.

  4. Anonymous Coward
    Anonymous Coward

    The avionics is connected in some way or it wouldn't be able to accurately show you plane speed/height/location/wind speed/direction.

    1. Sgt_Oddball Silver badge

      And no-one has ever crashed a plane...

      Because of faulty readings no siree...

      Even if the flight control system like the auto pilot or auto landing didn't take its readings from the 2nd layer. If the pilot instruments are giving false readings because false readings are being injected what are they going to trust?

    2. Blazde

      Yea but it's all completely fine because "hardware filters that only allow data to flow between networks rather than instructions or commands".

      (Hopefully they publish the details of these mysterious hardware filters so the rest of the world can use them too).

      And we all know you can't crash a plane with bad data...

      1. tip pc Bronze badge
        Coffee/keyboard

        Application firewalls

        Boeing are refering to application firewalls

        https://en.wikipedia.org/wiki/Application_firewall

        1. Anonymous Coward
          Anonymous Coward

          Re: Application firewalls

          If they where really smart, its more likely they're using physical one way hardware filters... something like a 'data diode' if the networks really have to converge somewhere.

    3. ForthIsNotDead

      You could get that information from a simple GPS box attached to the entertainment system network. No need to tap into avionics networks for that data.

      1. Craig 2

        "You could get that information from a simple GPS box attached to the entertainment system network. No need to tap into avionics networks for that data."

        Oh sure: Add extra hardware at additional cost, or just tap into the avionics data with a couple of lines of code and a filter/firewall exception....

        1. seven of five

          What could *possibly* go wrong?

      2. d3vy Silver badge

        "You could get that information from a simple GPS box attached to the entertainment system network. No need to tap into avionics networks for that data."

        But why? What possible use could you have for that data? Ok you could maybe make use of an updating estimated time of arrival (Thought that can be delivered via your ears directly to your brain meats by the pilot making an announcement).. Theres no real reason other than curiosity for that data to be made available to passengers, is there?

        1. Anonymous Coward
          Anonymous Coward

          The point is, that data is already made available to the passengers, via a link from the primary network. His solution would be to provide the same information without compromising the network.

          1. d3vy Silver badge

            "The point is, that data is already made available to the passengers, via a link from the primary network. His solution would be to provide the same information without compromising the network."

            Well my solution would be to remove it altogether instead giving the passengers information about the two main states that the plane can be in : Ground - Sky. As a passenger having no real need for constant altitude/direction/speed information this is more than sufficient, as an added bonus the requisite equipment is already present on all commercial planes - Windows and Eyes.

            If we are that worried about security and the airlines are worried about costs (Any extra equipment will increase costs) then the obvious solution is to remove it altogether.

    4. John Brown (no body) Silver badge

      "The avionics is connected in some way or it wouldn't be able to accurately show you plane speed/height/location/wind speed/direction."

      As a passenger, why would you care? All that really matters is the ETA at the destination. Until recently, you didn't even get that other than as an announcement from the pilot and then only if you were going to be late due to headwinds, detours around storm fronts or problems at the destination requiring diversion or circling in the stack.

    5. jtaylor

      The avionics is connected in some way or it wouldn't be able to accurately show you plane speed/height/location/wind speed/direction.

      I'm not sure it does show those data accurately. Sometimes In Flight Entertainment and eyes-out-the-window don't agree on location or heading. Altitude and ground speed could be pulled from GPS. Airspeed and winds aloft are irrelevant and invisible to passengers.

  5. Pascal Monett Silver badge

    "we’re disappointed in IOActive’s irresponsible and misleading presentation.”

    Yeah ? Well we're disappointed in Boeing's irresponsible and unprofessional handling of its code. You leave part of the software platform on an Internet-facing repository and you didn't think of locking that down ? This after designing functionality that can change the attitude of plane based on only a single sensor ?

    Something is seriously wrong with Boeing these days. It used to be a company whose engineers had the word "security" practically branded into their foreheads. Seems that, today, it is yet another company taken over by beancounters for whom all that security nonsense costs too much money. Well, this is the result of that mentality.

    1. Anonymous Coward
      Anonymous Coward

      Re: "we’re disappointed in IOActive’s irresponsible and misleading presentation.”

      In a recent BBC article, a former Boeing engineer says they did precisely that:

      "Adam Dickson worked at Boeing for 30 years and led a team of engineers who worked on the 737 Max. He said they were under constant pressure to keep costs down."

      https://www.bbc.com/news/business-49142761

      1. Gruber

        Re: "we’re disappointed in IOActive’s irresponsible and misleading presentation.”

        While I agree that the last 2 platform products of Boeing's engineering activities have fallen short of the ideal (to use the Church of England code), I can't think of any financially viable engineering team that isn't under constant pressure to keep costs down. It's a normal context for technology and product development, surely?

    2. Olivier2553 Silver badge

      Re: "we’re disappointed in IOActive’s irresponsible and misleading presentation.”

      It does not only seems, it is a fact that it has been taken over by beancounters. Development of 787 and 737 MAX is the result.

    3. Loatesy

      Re: "we’re disappointed in IOActive’s irresponsible and misleading presentation.”

      I am told that when Boeing and McDonnell Douglas merged all those years ago, Boeing survived in name only, and that the corporate culture is essentially that of McDonnell Douglas.

  6. steamnut

    Delusional

    I guess they (Boeing et al) all believe what they are telling us; that is very dangerous and, at the same time, arrogant. Of all times for Boeing, now is the time to really come clean and be as transparent as possible about their inner workings and problems.

    Most Register readers are going to be cynical about this situation because we have seen it before. I just hope that it doesn't cost yet more lives to get proof.

    If Boeing is proven to be wrong then they are finished as a company as this really is a case of three strikes and you are out.

    1. Doctor Syntax Silver badge

      Re: Delusional

      "this really is a case of three strikes and you are out."

      And in the case of passenger aircraft manufacture even that seems to err on the side of generosity.

      They should be working really hard to rebuild trust but in that the usual PR platitudes are counter-productive.

      1. ThatOne Silver badge
        Devil

        Re: Delusional

        > the usual PR platitudes are counter-productive

        But cheaper.

        They are a serious company, they won't even dream of endangering management bonuses because of petty customer satisfaction considerations.

        1. Olivier2553 Silver badge

          Re: Delusional

          There would be no great expenses for Boeing to show they are saying: invite a couple of security people to have a good look at security. If it is really secure, they have nothing to hide. Just give the guys access to a system to play with for some time.

      2. 2+2=5 Silver badge

        The usual PR platitudes are counter-productive

        > “IOActive reviewed only one part of the 787 network using rudimentary tools,

        What a disgracefully condescending statement from Boeing - I hope their engineers cringed when they read it, even if the PR people spouting it were in blissful ignorance.

        Firstly, it assumes that tools are required to find bugs. With that attitude, no wonder the MCAS bugs got through. Secondly, it ignores the fact that brainpower and cunning finds bugs. Personally I've never heard of IOActive before, but the last thing I would do is accuse them of lacking grey matter.

    2. batfink Bronze badge

      Re: Delusional

      Unfortunately that probably wouldn't be enough to kill them as a company. Do you think the murricans would let the only Airbus competitor go to the wall? Or stop the military work coming their way? Admittedly the military stuff could conceivably go to other producers. I'm sure, for example, that Lockheed would make a frank, honest and entirely above-board bid for the work...

    3. Mark 85 Silver badge

      Re: Delusional

      If Boeing is proven to be wrong then they are finished as a company as this really is a case of three strikes and you are out.

      Only the civilian airliners part of the company will be in danger. The rest is buried in military work, NASA, etc. The company structure and finance that control those structures are probably more resilient than the hardware/software.

      1. Kabukiwookie Silver badge

        Re: Delusional

        The rest is buried in military work

        If they're treating their military development just as well as their civilian part, the US' 'enemies' don't even need an airforce of their own anymore.

  7. /\/\j17

    "Once Boeing was aware of the nature of the programming blunders in the Honeywell software found by Santamarta, the manufacturer verified in the lab and then on an actual 787 that it was not possible to seize control of a $150-million-ish jetliner via the holes Santamarta discovered."

    Was that verification that the exploits couldn't be used on an actual 787 carried out by the same Boeing engineers who failed to identify the same exploits when certifying the code to be installed on their aircraft...?

    1. Kabukiwookie Silver badge

      The very same engineers who were told repeatedly not to go over budget investigating this issue, or else.

  8. Any other name
    Trollface

    May I humbly suggest a solution?

    ... IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments ...

    That could have been and still can be easily remedied - for example, by setting up a facility where the software can be inspected, using the appropriate tools and in a working environment, by suitably-vetted, independent reviewers - who can then reveal their findings in, say, an annual report.

    Perhaps that's something the UK can take a lead in - after all, there is already a precedent of HMG positively insisting on such procedure, for software far less safety-critical than a passenger airliner control system.

    I am sure that should be satisfactory for all reasonable and open-minded parties.

    1. hoola Bronze badge

      Re: May I humbly suggest a solution?

      GCHQ did that with Huawei and found some code that was not exactly best practice but as far as I am aware, no evidence of malfeasance. Still certain people stuck to their view the Huawei is reporting back to China. They also stated that there was a strong likelihood of other manufacturers being no different in terms of the quality of the code.

      Third party quality assurance only works is those involved accept the findings and there is no interference.

  9. Doctor Syntax Silver badge

    "hardware filters that only allow data to flow between networks rather than instructions or commands."

    Are these "instructions and commands" analogue or different in some other way that distinguishes them from "data"? Normally when stuff's being transmitted it all looks like data.

    1. Sgt_Oddball Silver badge
      Holmes

      That would imply..

      That the network is unencrypted or that the packets are flagged as specific types in transit for the hardware to be non agnostic towards the types of transmissions. Or it might be that they use some sort of API to push data out but not to receive.

      I am however as puzzled as you over how data fed back into a system does not constitute commands or instructions? Surely a request for data is an instruction? Surely a validation check is a command of sorts?

    2. ThatOne Silver badge

      > in some other way that distinguishes them from "data"

      Magical thinking: "As long as it sounds reasonable it has to be possible". The point here is to give an explanation that sounds credible to the 99% of IT-ignorant people.

    3. Loyal Commenter Silver badge

      It's a good thing that there have nver been any exploits that allow data to be treated by a computer as if it is instructructions then. Like, oh I don't know, every buffer overflow exploit ever.

      Now, of course I don't want to trivialise the hard work that I'm sure Boeing have put into trying to secure the hardware, however as any securty expert will tell you, security is extremely hard. If you think you've made something perfectly secure, you probably haven't understood it properly.

      If the threee networks on the plane are physically connected in any way, then there is the potential for flaws that allow the isolation between them to be broken. This does raise the question of why you would have any connections between an avionics system, a business network, and an entertainment system. Surely the only cast-iron way of securing the avionics is to have that system completely isolated from the others. What are the use cases that require those networks to interact?

      1. Ptol

        "If the threee networks on the plane are physically connected in any way, then there is the potential for flaws that allow the isolation between them to be broken. This does raise the question of why you would have any connections between an avionics system, a business network, and an entertainment system. Surely the only cast-iron way of securing the avionics is to have that system completely isolated from the others. What are the use cases that require those networks to interact?"

        My reading of this marketing fluff was that it was quite likely to be one physical network with VLAN tagging. and QoS to ensure priority for the mission critical packets at the switch. Hopefully none of the seat area wiring are connected to trunk ports...

        1. Sgt_Oddball Silver badge

          Vlan....

          Those that think it's a security measure are sorely mistaken. Just Google vlan hopping. Lots of trivial exploits for jumping from one vlan to another. If they then add in some extra security, say mac address whitelists... That's still trivial to hack.

          All in all it sounds very arrogant of the Boeing mouthpiece, but I suppose its aimed at people who aren't of a more technical level.

  10. Alan Brown Silver badge

    At what point...

    Do CASA and EASA join up, insist on impounding one of these aircraft and invite some of these code auditors to go over everything _without_ Boeing present to prevent them from finding "trade secrets" etc?

    or even scarier for Boeing, let them be present, let them prevent the hackers from exploring certain areas, then start investigating WHY Boeing's crapping themselves about people poking into those areas.

    (Incidentally it's not just Boeing that can be targetted here. Toyota's shown that their coding quality has gone to hell in a handbasket too, etc - it's just that Boeing have achieved regulatory capture and have been getting away with this shit for longer)

    1. Avatar of They
      Thumb Up

      Re: At what point...

      Careful you talk sense.

      It is almost like the cars NCAP testing regime but for planes. Letting an independent body test things for safety. Not saying we throw planes into concrete barriers, but coding is much easier. Every plane type sits in a hangar somewhere and has code monkeys try and break it.

      Winners get an air worthiness badge. Losers go home - without their plane (as it can't fly safely)

    2. Doctor Syntax Silver badge

      Re: At what point...

      "or even scarier for Boeing, let them be present, let them prevent the hackers from exploring certain areas"

      That assumes they even know where the problems are.

  11. Cuddles Silver badge

    How many networks?

    "it may be possible to exploit holes in, say, the in-flight entertainment system on the first network to access the adjoining second network where one could abuse the flaws he found in the crew information software to then reach into the adjoining third network."

    That doesn't sound like three separate networks, it's a single network with some access controls. The whole point of having a separate network for critical things like avionics is to avoid any possibility of someone on a customer-facing network being able to mess with it. Questioning whether these particular vulnerabilities actually make it possible to hijack the important systems is rather missing the point - it shouldn't be physically possible for any vulnerability to ever do that.

    1. ACZ
      Unhappy

      Re: How many networks?

      Exactly. This sounds like security through obscurity. It's really simple - either (a) there are *physically* separate networks for the avionics and other systems, or (b) they share the same network.

      If it's (a) then great - just tell us. If it's (b) then it's open to attack and it is impossible to guarantee that there will be no access to the avionics network portion from the entertainment/crew info network portions. Somewhere there will be a bug/issue with a protocol, API etc. etc. that can be exploited. Difficult to exploit is not the same as impossible to exploit.

      And, yes, passenger info systems need access to flight info, but that doesn't have to come from the avionics network portion - just include additional sensors.

      1. Tom 35 Silver badge

        Re: How many networks?

        They could stream flight info to the passenger info system, one way through an opto-isolater. No need for anything to be fed into the avionics system at all.

        1. Yet Another Anonymous coward Silver badge

          Re: How many networks?

          IIRC it's a common physical network for avionics and non-critical data with virtual switches.

          There was some eyebrow raising on el'reg of the "wtf" variety at the time.

          Of course even if somebody did hack the system it couldn't get through to the secure network says team A. While team B says that even if you could get across the networks nobody could hack the system.

        2. 142

          Re: They could stream flight info to the passenger info system, one way through an opto-isolater.

          This was my thinking as well. All Boeing has to say was: "the connection is a one way data stream, through opto-isolators", and they would have stopped the concern about this in its tracks. That they're not saying it means they're clearly doing nothing of the sort.

      2. Cuddles Silver badge

        Re: How many networks?

        "And, yes, passenger info systems need access to flight info"

        Do they really though? Being able to see your current location and altitude might be interesting for some, but it's hardly necessary; it's not like knowing your air speed is going to make you arrive any faster. If they can't provide that information to passengers without compromising the safety of the plane, I'd much prefer they just didn't provide it at all.

        1. Yet Another Anonymous coward Silver badge

          Re: How many networks?

          >Do they really though?

          Yes because it would be expensive to run 2 or 3 separate sets of network cables around a 747. Especially when there are incredibly strict requirements on the type of cable, the conduit, the routing, proximity to other cables, the insulation etc. All of it is very tightly controlled - just not the data on it.

      3. rbb

        Re: How many networks?

        It is security through obscurity, no doubt about it.

        They really need to physically separate the flight control network from the other 2 networks, as you don't want the possibility of the DOS style attack.

        They don't really need separate sensors for each of the networks as the sensors should just be read only.

  12. Dwarf Silver badge

    Irresponsible

    Was it not irresponsible for the code to be publicly accessible in the first place ?

    Blaming the black hats is not the right route here, Boeing needs to realise that they live in 2019, we rely on things to be secure. You should not try to rely on security by obscurity.

    If they need help in doing security reviews, there are plenty of suitably skilled consultants who can help them. There is no excuse for poor security or buggy code, particularly on safety critical platforms that affect people's life.

    1. eldakka Silver badge

      Re: Irresponsible

      Was it not irresponsible for the code to be publicly accessible in the first place ?

      Hey, they got a free code audit from it.

      If they had of released it publicly, then everyone might have ignored it, like those SSL bugs (heartbleed) that existed for years in open source code, but no-one bothered to check it because everyone assumed that someone else had. By the code being 'discovered' as opposed to being released, security experts were more inclined to poke around in it.

      Cheaper than doing their own code audits.

    2. Doctor Syntax Silver badge

      Re: Irresponsible

      "You should not try to rely on security by obscurity."

      And even if you rely on that you've at least got to make a better attempt at obscurity than putting it where somebody can find it.

    3. Alan Brown Silver badge

      Re: Irresponsible

      "If they need help in doing security reviews, there are plenty of suitably skilled consultants who can help them."

      The same can be said about Huawei - Unfortunately the hardest part is not that help is available, but getting the to admit that they NEED to listen to externals in the first place.

      I'm getting brushoffs about security even after waving the GCHQ report in people's faces - the people who really need to be listening are suffering a bad case of Dunning-Kruger (One Huawei Enterprise engineer told me today that TLS1.2 is totally secure therefore they don't need to do anything - neglecting all the factors that go into SSL connections such as key lengths and crypto types or that TLS1.2 is 11 years old, or that the piece of equipment in question - still being manufactured - CANNOT be SSHed to from RHEL7.6/Ubuntu 18.10 or connected to from current versions of Firefox/Chrome/Edge/IE due to use of obsolete cryptography - his stance (and hence Huawei's official stance) is "But it uses TLS1.2, so it's OK!")

  13. Will Godfrey Silver badge
    FAIL

    Take away their spade

    It seems they only way to stop them digging the hole they're in ever deeper.

    1. imanidiot Silver badge
      Joke

      Re: Take away their spade

      That would only lead them to get another spade, or continue digging with something more suitable like a hydraulic digger. Best take their spade and beat them with it until they promise to stop.

      => but only half =>

    2. Cpt Blue Bear

      Re: Take away their spade

      Boeing no longer own a spade.

      They contract the digging to third parties. Therefore they are not responsible for the implement used.

  14. ForthIsNotDead

    Agree... but

    Wholeheartedly agree with all comments about Boeing. However, I find myself rather underwhelmed by Santamarta's hyperbole. To me, his arguments come across as speculative exaggeration.

    “We have confirmed the vulnerabilities, but not that they are exploitable, so we are presenting why we think they are” he said. “We have got very limited data, so it’s impossible to say if the mitigation factors Boeing say they have work. We offer them our assistance.”

    In other words, you really don't have very much here at all. You found some code, have identified some alleged vulnerabilities (without knowing how that code interacts with other code/systems, and without even knowing if it's production code) and are simply speculating. You're just dialing the hyperbole up to 11.

    I'm not defending Boeing here. That company should no longer be in business after having the blood of 300 passengers on its hands; however, I remain unconvinced by the case made by Santamarta. He would need to put a lot more meat on the table. However, this is Boeing, so that's not going to happen. Especially when they have carte-blanche to certify their own software/systems.

    1. not.known@this.address

      Re: Agree... but

      I read that as Boeing that said "We have confirmed the vulnerabilities, but not that they are exploitable," so Santamarta and friends said "so we are presenting why we think they are” - in other words, Boeing admitted the flaws were there but tried to downplay the seriousness of them. And we all know that Boeing are outstanding examples of truth and honour when it comes to admitting that there is a problem with their software or hardware...

      Psst, wanna buy a bridge?

      1. Alan Brown Silver badge

        Re: Agree... but

        " in other words, Boeing admitted the flaws were there but tried to downplay the seriousness of them. "

        Exactly this - and did so in ways which attempted to discredit Santamarta and friends, which speaks volumes about Boeing's motivations.

    2. DJ Smiley

      Re: Agree... but

      Ok.

      Lets dial it back a bit.

      There's a consumer facing system, which lets you get to a crew facing system. That's confirmed, and proven. Scared yet?

      1. ChrisC

        Re: Agree... but

        But is that even an accurate summary of what's been proved possible here? Unless I'm missing something in the summary as presented here, the only thing that's been proven possible so far is that vulnerabilities exist in the crew facing system - the "inject commands into that via the consumer facing system" idea appears to be just as much speculative hand-wavery as the "use the crew facing vulnerabilites to then inject stuff into the avionics system" part of the "this is how you could hack an airliner" premise.

        1. tiggity Silver badge

          Re: Agree... but

          It has to be speculation - as Boeing won't let them try an attack on a real aircraft (not even grounded in a hangar) and no responsible researcher would have a go on a live aircraft. The big flaw is that someone with evil intent (and the necessary skills) might try it, which would be a bad way to discover if the accusations were true.

          I would not rely on Boeing.

          I have been in situations where pen testers have found potentially exploitable (when "chained together") issues we had missed, not surprising as their day to day job is all about attacking systems and most companies do not have luxury of their own full time pen test system, so the pentesters have better attack skills and experience than inhouse staff.

          I would assume similar would apply at Boeing, without some independent, top quality, security experts auditing it, Boeing cannot be relied upon (even if we generously assume they are being honest & well intentioned saying "it's fine")

          1. Commswonk Silver badge

            Perhaps... just perhaps.

            I would not rely on Boeing.

            In the light of present circumstances who in their right mind would?

            I would like to think at whenever it comes to pass (assuming it does, of course) that the US is trying to trample all over UK interests whilst in pursuit of its own in a trade deal that someone on the UK team will suddenly go <cough> we have a major problem with the certification of Boeing aircraft which in our view is going to delay any agreement, and mean it.

            The noises coming from the US at the moment point towards a very lopsided deal (which of course means that it isn't really a deal at all) and the Boeing situation provides the UK (and everyone else if they are minded to dig their heels in) with an ideal opportunity to redress the balance a bit.

          2. John Brown (no body) Silver badge

            Re: Agree... but

            "and no responsible researcher would have a go on a live aircraft."

            State sponsored security services may well have already done this. There's no way to know, but plenty of countries have bought Boeing and other aircraft. State owned airlines in particular may well want to know if this sort of thing is possible and if so, how to do it. </tinfoil hat mode>

  15. A.P. Veening Silver badge

    "irresponsible and misleading"

    Doesn't anybody see the inherent contradiction in this?

    If it is irresponbsible, there must be truth in it, in which case it can't be misleading.

    If it is misleading, there is no danger so it can't be irresponsible.

    Even the quality control of the end product of an adult, uncastrated male head of cattle spouted by PR is severely lacking nowadays.

    1. onceuponatime

      Re: "irresponsible and misleading"

      This is Honeywell programmers we are talking about. Next they will blame the hardware manufacturers even though the hardware manufacturer has given them all of the information and hardware they need to write the program. (Speaking from current experience with Honeywell.)

    2. Anonymous Coward
      Anonymous Coward

      Re: "irresponsible and misleading"

      It can be irresponsible to spread false statements with the intention to spread panic. If I were to say "I have planted a bomb set to go off at Waterloo station today at 4pm", would that be:

      a) misleading (hint: I didn't do it)?

      b) irresponsible?

      c) both?

      See also Trump's antagonizing statements in the light of the recent mass shootings.

  16. Anonymous Coward
    Anonymous Coward

    Normal low quality PR BS from Boeing again

    "IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access"

    Yea, right. Says a company which claims that 737 Max is the same plane as 737, no differences at all, no way. More like PR BS.

    "'IOActive chose to ignore our verified results and limitations in its research'"

    *Our* "verified" results. When you "verify" your "results" by yourself it doesn't mean anything at all. Every limitation they had, was imposed by Boeing so I call BS on that too: Boeing could have let them play a while with actual plane.

    But of course Boeing doesn't work that way: Everything is secure because *we say so*. Security by obscurity at its finest.

  17. Anonymous Coward
    Anonymous Coward

    Lay off them

    They were just taking part in this open source thing they heard about.

  18. Anonymous Coward
    Anonymous Coward

    "Once Boeing was aware of the nature of the programming blunders in the Honeywell software found by Santamarta, the manufacturer verified in the lab and then on an actual 787 that it was not possible to seize control of a $150-million-ish jetliner via the holes Santamarta discovered."

    Erm, one has to be severely doubtful of this. Months after the 2 fatal crashes of the 737 Max, they still have not updated their software, assuming the issue is only software-related.

    So, IT security in the plane would really be WAY below in terms of priority.

    I doubt a single 787 has even been updated on this very issue.

  19. adam payne Silver badge

    A Black Hat presentation on how to potentially hijack a 787 – by exploiting bugs found in internal code left lying around on a public-facing server – was last night slammed as "irresponsible and misleading" by Boeing.

    What irresponsible is leaving said code on a public facing server so every Tom, Dick and Harry can see it.

    IOActive chose to ignore our verified results and limitations

    Are those the same kind of verified results you used to test MCAS?

  20. mj.jam

    Thank god he only had rudimentary tools

    Boeing say “IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments"

    I read "If he had reviewed more parts of the network, and had other tools, then he may have worked out how to jump between the network segments"

  21. Len Silver badge
    Meh

    Underlying issues at Boeing?

    There seem to be a number of issues at Boeing that can be traced back to irresponsible cost-cutting and sloppy corporate culture.

    KLM is currently celebrating its 100 year anniversary and had planned to have their new 787-10 play a central role in the celebrations. Due to too many issues with manufacturing quality they couldn't sign off on the plane until it was too late and it arrived a day after the celebrations.

    "For example, KLM Royal Dutch Airlines called the factory’s quality control “way below acceptable standards” for a 787-10 delivered at North Charleston in June. The plane included a special livery to celebrate the carrier’s 100th anniversary.

    KLM noted several issues, including a loose seat, missing or wrongly installed cotter pins, nuts not fully tightened, an unsecured fuel line clamp and several unspecified missing parts.

    “Who looks at quality in this facility,” KLM asked, adding the airline “is worried for the next deliveries.

    The Post and Courier: Airline surveys point to ongoing production problems at Boeing’s SC plant

    1. Pete4000uk

      Re: Underlying issues at Boeing?

      I believe the delivery of the USAFs new tanker aircraft have been halted twice because of tools found rattling around where tools shouldn't be.

  22. Anonymous Coward
    Anonymous Coward

    You should see the unit tests!

    I saw a bunch once (although the code wasn't for use on a plane, or anything related to safety of humans). The test started by setting a value to true. It called a method that called a bunch of other stuff, and the third line simply checked the original value was still true.

    Now this original value is never passed into the method and can never be set to false, so all this test did was check if the code didn't fall over. Which isn't really any help when you're trying to work out what's gone wrong in this massive chunk of code. It did however make the coverage report nice and green, which is all the higher-ups cared about.

    Given how often senior management move about in that place, it's only a matter of time before the idiots looking after this code got put in charge of something that matters.

  23. Anonymous Coward
    Anonymous Coward

    Ah Honeywell programmers

    I see their quality isn't any better for airliners than it is for other transportation industries. But they are definitely good at pointing fingers and convincing upper management of how great they are. I didn't like their software from the beginning and even makes me more nervous knowing their crap "programmers" are programming for airliners as well.

  24. elgarak1

    "[..] the manufacturer verified in the lab and then on an actual 787 that it was not possible to seize control of a $150-million-ish jetliner via the holes Santamarta discovered."

    Says the manufacturer who self-certified the MCAS with a single sensor on the 737 MAX that could not possibly lead to any problems whatsoever.

    But what else can you expect from a manufacturer that claims fantasies like "hardware filters that only allow data to flow between networks rather than instructions or commands." I want to have those filters. Should be awesome. ;)

  25. Anonymous Coward
    Anonymous Coward

    Board of directors

    @FAA: Please have Boeing board of directors (especially CEO) fly only on 737 Max planes if and when it flies again.

    1. Stoneshop Silver badge
      Mushroom

      Re: Board of directors

      @FAA: Please have Boeing board of directors (especially CEO) fly only on 737 Max planes

      during its recertification tests.

      FTFY

    2. XSV1
      Thumb Up

      Re: Board of directors

      And the directors' families should fly with them too.

  26. Mister Dubious

    A Modest Proposal

    Boeing is better-equipped than any regulatory agency to determine the airworthiness of its products, so flights should resume as soon as Boeing says it's okay. For the first ten thousand or so hours of operation, though, it should be required that a Boeing board member be aboard each flight.

    1. AK565

      Re: A Modest Proposal

      That'd never happen because there'd be too much of a chance of someone having to take responsibility and/or there being actual consequences in the event of a fuck-up.

  27. Overflowing Stack

    Should be physically separate, for all manner of reasons. Clearly isn't!

  28. NantucketClipper

    Time to cast a wider net?

    The 737 air max definitely brought Boeing into the spotlight, and under a microscope. Which is a good thing. But I, for one, know full well that other jetliners, from other manufacturers, very likely have their own vulnerabilities. It would be shame (understatement) if one of these vulnerabilities are only discovered after a tragic event.

    1. John Brown (no body) Silver badge

      Re: Time to cast a wider net?

      This may well be the case, but AFAIK, only the USA has the grandfathering scheme on airworthiness certification and the 737 pre-dates actual external certification so that airframe has never been externally certified, it just assumed the airframe in place was fine when certification was introduced and every variant since has been grandfathered into that, hence the "no real change thanks to MCAS" for the max because that would have required expensive certification.

      If any of the above is incorrect, I'm open to being educated on the matter.

  29. JDX Gold badge

    I'm no sysadmin

    But given the incredibly conservative nature of the aero industry, how did they end up with 3 separate systems that have ANY connections at all? I'd have assumed they were totally independent systems.

    Or is the fact you can't get into the system (no WiFi or handy ethernet sockets) used as a claim of security - like how even an unpatched XP box is perfectly safe as long as it never goes on the internet and has all its USB ports ripped out?

    Of course now WiFi IS starting to appear on planes, and they let you use your own devices to access in-flight entertainment, any such 'air-gapping' is threatened. Is that what's happening here?

    Genuinely interested, if anyone can explain or point me at a good article.

    1. Stevie Silver badge

      Re: I'm no sysadmin

      I'm no airframe engineer, but if I had to guess I'd say weight restrictions on infrastructure mean using shared electronics.

      1. John Brown (no body) Silver badge

        Re: I'm no sysadmin

        I'd say weight restrictions on infrastructure mean using shared electronics to allow for more passengers to be squeezed in.

        FTFY :-)

    2. Anonymous Coward
      Anonymous Coward

      Re: I'm no sysadmin

      But given the incredibly conservative nature of the aero industry, how did they end up with 3 separate systems that have ANY connections at all? I'd have assumed they were totally independent systems.

      Or is the fact you can't get into the system (no WiFi or handy ethernet sockets) used as a claim of security - like how even an unpatched XP box is perfectly safe as long as it never goes on the internet and has all its USB ports ripped out?

      Of course now WiFi IS starting to appear on planes, and they let you use your own devices to access in-flight entertainment, any such 'air-gapping' is threatened. Is that what's happening here?

      Genuinely interested, if anyone can explain or point me at a good article.

      Happy to oblige. Avionics systems are not built out of PCs running Linux and the flavour of Ethernet or WiFi that we're all used to in our PCs and servers..

      Typical component parts include INTEGRITY, a rock-hard formally developed embedded RTOS ideal for this kind of application (you can't beat it for process separation): AFDX - Ethernet tweaked to give deterministic transfer rates / latencies: CPUs without things like speculative execution (certain types of PowerPC is really good for real time systems): data diodes / air gaps - literally physical data links that go only one way (e.g. a single strand of fibre optic), ideal for getting data out of, say, the avionics systems and into the in flight entertainment without exposing a physical return path for passenger-delivered nasties. Both Airbus and Boeing use a lot of the same technology for a very good reason; it's the most appropriate for the task.

      The problem with the 737MAX is that they've tried to imbue it with more software sophistication without (AFAIK) using these things, and without appropriate architectural design either.

      Radio links (e.g. WiFi) aren't used on critical systems - it's near impossible to prove that it'll work all the time, with complete dependency. A cable, properly assembled and properly installed and not interfered with, won't ever break. And of course you run several through different routes, just in case.

      Some aspects of what Boeing have been doing of late are exceptionally poor (e.g. MCAS, the evident supremecy of their beancounters over engineers and test pilots, etc), but I don't see any particular reason to doubt the architecture or implementation of the discussed systems on 787. Though it is supremely unfortunate to have left a load of source code lying around for all to see...

      What's particularly lame about the presentation reported in this article is that some extremely lazy speculations have been made, when even the most cursory of glances at the Wikipedia page for the Boeing 787 would indicate that Boeing have data dioded / air-gapped the 3 networks. It's trivial to correctly use an air gap to make it very impossible for a software nasty to be able to traverse the wrong way across that gap. Assuming Boeing have at least mastered that, I think that IOActive have rather made fools of themselves. I wonder if they're short of business at the moment?

      (BTW I'm not associated with Boeing in anyway whatsoever).

      1. Olivier2553 Silver badge

        Re: I'm no sysadmin

        You know that you can do bidirectional communication on a single strand of fiber optic (or copper cable). Simply use separate career frequency.

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm no sysadmin

          You know that you can do bidirectional communication on a single strand of fiber optic (or copper cable). Simply use separate career frequency.

          Yes, but software (e.g. a hacking attack) can't retro-fit the requisite electronics or optics to do that if Boeing didn't put it there in the first place. Which they haven't.

          And there's no practiable way in which a passenger could do that whilst an aircraft is in flight.

          1. Olivier2553 Silver badge

            Re: I'm no sysadmin

            Sure can't, but saying it is a single fiber is still meaningless.

  30. c1ue

    Who are we kidding? We already know airlines are using 15-30 year old CPUs.

    The likelihood that these 3 "systems" are using a CAN or serial RS232 type bus is quite high.

    1. Anonymous Coward
      Anonymous Coward

      They use AFDX, well documented in Wikipedia for those who can be bothered to go looking. Airbus use it too.

      CAN is quite interesting - electronically very robust, but I'm not sure that it provides the same QoS guarantees that AFDX uses. Quite a lot of car manufacturers are moving away from CAN, it's just too slow for everything they want to do these days.

    2. AvSecDude

      face-palm

      Oh gawd!!

      Such cluelessness.......

      Since the introduction of the 777 aircraft have used high-speed unidirectional point-to-point data-link interfaces.

      Since the A380 the network type of choice is A664P7 (developed by Airbus) which is more commonly referred to as AFDX.

      There are no critical systems in modern aircraft using CAN bus, and none of the data-buses flight critical systems are accessible by the general public, well, unless you want to try to force your way into the cockpot or one of the avionics bays - good luck that bruh!!

  31. Lorribot

    I thought the UK Government was a bit stupid when they allowed window fitters to self certify they had fitted the windows correctly with no issues. But the FCC allowing plane manufacture to self certify safety and then all the other governments to say that's ok the US authorities say its ok so it must be without a second thought is just bone idle lazy incompetence all round.

  32. sosipiuk

    If Boeing is so confident...

    Wouldn't it be best to let IOActive onboard a 787 and tell them, "Have at it!"? If the plane is truly unhackable, as Boeing claims, then IOActive will not be able to do any harm, and Boeing will then be able to loudly and publicly proclaim that their own internal experts and an unpaid but motivated group of third-party pen testers were unable to find any exploits. Might even bump up Boeing's reputation, not to mention share price. Seems like a win-win to me.

    They're not willing to do that? I wonder why.

    1. AvSecDude

      Re: If Boeing is so confident...

      "They're not willing to do that? I wonder why."

      Commercials reasons.

      All recent aircraft platforms have gone through numerous pen-tests, but the gag orders placed on the companies and individuals engaged to perform the tests are extremely stringent.

      In some cases the engagement contracts are so stringent that personal liability is in the range of $20m if an individual just mentions they conducted a pen-test for a particular aircraft platform, talking about the pen-test, test procedures, test process, test time-frame, results, etc can carry a liability of up to $110m.

      Every aircraft platform is unique and the OEMs go to great lengths to make sure their Intellectual Property are protected, since these programs have a decades long ROI.

    2. JimC Silver badge

      Re: If Boeing is so confident...

      Indeed. Why on earth would Boeing not want to spend a load of money to give a bunch of people they consider irresponsible access to an aircraft?

  33. aurizon

    Boeing must know that once they sell a 787 to a foreign state, say Indonesia, that the Indonesian state ferrets will have contacts with Chinese, Russian and North Korean ferrets(among others) and these ferrets will try to reverse engineer all aspects of the 787 code (regardless of any agreement to the contrary) and try to ceate exploits that they will guard and keep to themselves in the hope that they can then back up nto Boeing R&D and Corporate servers for more fun and frolic.

    They should take this threat seriously and hire their own Black/White hats quietly from those they see at the conference.

    This whole story smacks of management ossification at the highest levels. Driven by costs and ever higher wage rates forced out of them by the unions, they should close down their main factory and build a new one in a less union friendly place and only hire good creative workers for the new workplace,

  34. Anonymous Coward
    Anonymous Coward

    Boeing has no cred

    After killing hundreds of people with amateurish engineering design and implementation, the proposed fixes have failed multiple times, then we learned they used a single computer with no redundancy and the planes were vulnerable to a single bit flip (which is common from alpha particle strike*), now we're supposed to believe them when researchers find their code laying around on the internet (poor security) plus they find vulnerabilities?

    If they can't even secure their code and systems from the internet, what are the chances they've secured their software? It would be more curious to know whether the code base was writable from the internet.

    This once proud company has truly become a basket case.

    * Look into the E-Cache issues that Sun Microsystems suffered. IBM had also suffered from the issues as they knew all about it.

  35. Anonymous Coward
    Anonymous Coward

    It's Boeing to be hard for them to get their good reputation back.

  36. Mike 137 Bronze badge

    Completely predictable in principle

    Of course we're still in "Boeing knocking time", but this is not specifically a Boeing problem.

    When any organisation grows to a critical level of scale and complexity, control is unwittingly lost for several reasons. Chains of communication become over-extended, the growing disparity of power between the individual and the "organisation" encourages folks to keep their heads below the parapet, and identifying individuals with specific responsibilities gets increasingly difficult.

    In any human endeavour normalised deviance (aka entropy) constantly causes processes and controls to weaken imperceptibly over time - imperceptibly because it's progressive and thus defines the current cultural norm against which performance is verified. Typically, only when an accident happens is attention drawn to the degree of departure from the original intent.

    This largely explains most major incidents and the internal cultural responses to them. For example, both shuttle disasters were precipitated by the culture at NASA, and I can quite believe the former CIO of Equifax when he stated to the enquiry that he did "not think Equifax could have done anything differently". What they did was in each of these cases driven by their current cultural norms and therefore assumed to be adequate.

  37. Craigie

    Who confirmed that it was 'not exploitable'?

    Boeing must have some very talented security people to have 'confirmed' that there's no way to use the holes in the 2nd network to get to the 3rd network. They seem very, very sure that it is 'not possible'. If they were so supremely sure, why don't they give the black hats a plane to play with for a while?

  38. Anonymous Coward
    Anonymous Coward

    How many readers spit out their coffee at the end of this sentence?

    "due to restrictions in place, such as hardware filters that only allow data to flow between networks rather than instructions or commands."

    Anyway, interconnection tacitly confirmed. Thanks Boeing.

  39. Anonymous Coward
    Anonymous Coward

    Missing the point

    Even if the bugs aren't exploitable, you don't seem bothered that you have bugs in critical code?

  40. spold Bronze badge

    Moot and futile

    The discussion is wonderful of course...but...

    Faced with one airline choice on a route.... which only flies the type of plane...

    Do you...

    i) Go

    ii) Not go

    Your choices are influenced by alternate modes of transport/time/cost, circuitous alternatives, or suck it up and be at that meeting on time (or vacations where you might be subject to additional hours of grumpy, mewling sproglets, and/or your significant other harping that we should have booked <obvious airline in question>).

    Ignoring the very valid technical possibilities, postulating, and opinions....What will you really choose?

  41. Miledhel

    Why not leaving it open?

    Well, since they have already open-sourced their code and made such good experience with that swarm intelligence kind of bug-fixing, why don't they simply leave their code open?

    With the fatal Boeing 737 MAX groundings in mind, the software running on that planes should indeed be regarded as of public interest.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019