SoylentNews is people

posted by Fnord666 on Friday August 09 2019, @04:09AM
from the fly-the-unfriendly-skies dept.

At the hacking conference in Las Vegas on Wednesday, Ruben Santamarta, principal security consultant at pen-testing biz IOActive, told attendees he had found bugs in software used aboard the jetliners.

It is important to note that there are essentially three electronic networks on a 787: the first is home to non-critical stuff like the in-flight entertainment system; the second is used by slightly more important applications reserved for crew and maintenance teams; and the third is used by the vital avionics gear that controls the airplane's flight and reads its sensors.

The software Santamarta probed – a crew information service – lives on the second network. He suggested it may be possible to exploit holes in, say, the in-flight entertainment system on the first network to access the adjoining second network where one could abuse the flaws he found in the crew information software to then reach into the adjoining third network. Once there, one could tap into the avionics equipment to hijack the 787, in theory.

Boeing, however, insists the software on the second network cannot be exploited as IOActive described, nor can a miscreant direct the avionics from other networks, due to restrictions in place, such as hardware filters that only allow data to flow between networks rather than instructions or commands. El Reg quietly hopes the avionics can't be taken over by malformed data that triggers vulnerabilities within the flight control systems on the third network.

During his talk, Santamarta acknowledged he had no way of proving he could actually commandeer the flight control systems via the holes he found in the crew-facing software. For one thing, he couldn’t persuade Boeing to let him loose on a real passenger jet.

“We have confirmed the vulnerabilities, but not that they are exploitable, so we are presenting why we think they are,” he said. “We have got very limited data, so it’s impossible to say if the mitigation factors Boeing say they have work. We offer them our assistance.”


  • (Score: 5, Interesting) by janrinok on Friday August 09 2019, @06:42AM (2 children)

    by janrinok (52) Subscriber Badge on Friday August 09 2019, @06:42AM (#877792) Journal

    Boeing, however, insists the software on the second network cannot be exploited as IOActive described

    ... and this is the same Boeing that argued that their aircraft design and MCAS software couldn't possibly be responsible for 2 aircraft losses? Who was checking the security of the Dreamliner networking during the design and manufacturing process? Was it more Boeing employees rather than someone with a bit more independence who recognised that software doesn't always do what you think you designed it to do? Simply stating that it couldn't happen is not the same as having a third party who has a lot more experience in breaking software test it. I would recommend our own Bytram - but I support the suggestion of another contributor to the comments to this story that the guys making the claim in TFS might also be a good choice.

    This is potentially another lesson for Boeing. When you lose your credibility in aircraft building, it tends to affect all areas of your business even if they are entirely unrelated.

  • (Score: 2) by janrinok on Friday August 09 2019, @06:43AM

    by janrinok (52) Subscriber Badge on Friday August 09 2019, @06:43AM (#877793) Journal

    suggestion of another contributor to the comments

    Credit to Snotnose for the suggestion - I should have included that in my parent post.

  • (Score: 2) by SpockLogic on Friday August 09 2019, @04:45PM

    by SpockLogic (2762) on Friday August 09 2019, @04:45PM (#877966)

    ... and this is the same Boeing that argued that their aircraft design and MCAS software couldn't possibly be responsible for 2 aircraft losses?

     

    Sounds like MBAs vs. Engineers again. Profit wins over safety, ain't capitalism grand.

    --
    Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII