SoylentNews is people

posted by martyb on Wednesday August 12 2020, @07:06PM
from the Please-insert-disk-7-of-42 dept.

Pen Test Partners: Boeing 747s receive critical software updates over 3.5" floppy disks:

The eye-catching factoid emerged during a DEF CON video interview of PTP's [Pen Test Partners] Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck.

Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline's decision to scrap its B747 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task.

"Aircraft themselves are really expensive beasts, you know," said Lomas as he filmed inside the big Boeing. "Even if you had all the will in the world, airlines and manufacturers won't just let you pentest an aircraft because [they] don't know what state you're going to leave it in."

While giving a tour of the aircraft on video (full embed below), Lomas pointed out the navigation database loader. To readers of a certain vintage it'll look very familiar indeed.

"This database has to be updated every 28 days, so you can see how much of a chore this has to be for an engineer to visit," Lomas said, pointing out the floppy drive – which in normal operations is tucked away behind a locked panel.

[...] The key question everyone wants to know the answer to, though, is whether you can hack an airliner from the cheap seats, using the in-flight entertainment (IFE) as an attack vector. Lomas observed: "Where we've gone deliberately looking, we've not found, at this point, any two-way communication between passenger domain systems like the IFE and the control domain. There is the DMZ of the information services domain that sits between the two; to jump between two layers of segregation would be tricky in my view."


  • (Score: 0) by Anonymous Coward on Wednesday August 12 2020, @08:09PM (13 children)

    by Anonymous Coward on Wednesday August 12 2020, @08:09PM (#1035759)

    Economics. 3.5" floppy disks are about $2 a piece new in 2020 and don't have anywhere comparable longevity to a USB flash drive.

  • (Score: 4, Insightful) by Dr Spin on Wednesday August 12 2020, @08:31PM (7 children)

    by Dr Spin (5239) on Wednesday August 12 2020, @08:31PM (#1035767)

    3.5" floppy disks are about $2 a piece new in 2020 and don't have anywhere comparable longevity to a USB flash drive.

    However, they are reusable, and it would take a lot of $ to replace the floppy disk drive and then get the whole plane re-certified as airworthy
    (and it's Boeing, so recertification may involve very expensive politics as well).

    I suspect there are bigger fish to fry ... It probably costs $500 in paperwork for an engineer to enter the plane and insert the floppy disk.

    --
    Warning: Opening your mouth may invalidate your brain!
    • (Score: 0) by Anonymous Coward on Wednesday August 12 2020, @08:36PM (4 children)

      by Anonymous Coward on Wednesday August 12 2020, @08:36PM (#1035770)

      However, they are reusable, and it would take a lot of $ to replace the floppy disk drive and then get the whole plane re-certified as airworthy

      USB drives are also reusable, more so than floppies in fact, which have higher failure rates. And I imagine when hardware fails it will cost even more money to continue tracking down the specific floppy drive that's already certified than it would to install USB and bring the process into the early 2000s.

      • (Score: 2) by barbara hudson on Wednesday August 12 2020, @09:37PM (3 children)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday August 12 2020, @09:37PM (#1035812) Journal

        Floppies are tough. I took a bunch, used a needle to make holes in them, reformed them, they worked just fine (a few sectors marked bad was no big loss). Tried microwaving a few using a drinking glass as an isolator, they still arced. But microwaving a CD produced pretty colourful Christmas ornaments.

        Newer tech doesn't offer as much opportunity for creative destruction.

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 0) by Anonymous Coward on Wednesday August 12 2020, @09:55PM (1 child)

          by Anonymous Coward on Wednesday August 12 2020, @09:55PM (#1035822)

          Not with Windows. I used to back up Money99 on floppies, never had an error pop up during backups but when I needed the floppy to recover what was lost on the hard drive... Disc corrupt. Lost 6 months of shit.

          • (Score: 1, Interesting) by Anonymous Coward on Wednesday August 12 2020, @10:02PM

            by Anonymous Coward on Wednesday August 12 2020, @10:02PM (#1035825)

            I pretty much backed up all my 720k 5.25" floppies last year without many bad sectors.

            The 3.5" disks though -- They already were shit back in the day, and any use of them for backup needed an ECC pass.

        • (Score: 0) by Anonymous Coward on Thursday August 13 2020, @07:08PM

          by Anonymous Coward on Thursday August 13 2020, @07:08PM (#1036269)

          You probably didn’t know that the pinhole trick was an early form of copy protection. They punched a hole, then wrote the failed sectors to a file. Copied to a floppy with any different faulty sector caused the copy protection to kill the launch.

          Yes they’re durable. Yes, it only takes a minute. But it takes a certified A&P how long to head out to the plane on the tarmac, power it up enough to carry out the task, log that it was done, then move on? Multiply times a fleet. And recall that the airlines’ goal was to have no maintenance staff except at their depots, and eventually they were outsourced too.

          All in all, a 28 day pain in the butt that seemed reasonable at the time, back when Imation was a world spanning company. (They made floppies: spun off from 3M, now just a name.)

    • (Score: 0) by Anonymous Coward on Wednesday August 12 2020, @08:54PM (1 child)

      by Anonymous Coward on Wednesday August 12 2020, @08:54PM (#1035782)

      Can't they just PXE network boot the plane by loading a FreeDOS image containing the BIOS flasher off one of the flight entertainment system's USB ports?

      I mean sure you'd have to set a jumper on the motherboard so that some snotty 8 year old kid couldn't activate it mid flight by entering a magic code on the gamepad.

      • (Score: 0) by Anonymous Coward on Thursday August 13 2020, @08:15AM

        by Anonymous Coward on Thursday August 13 2020, @08:15AM (#1036045)

        The in-flight entertainment systems don't run on the same computers that the flight control software runs on and are network isolated. Any other arrangement would be grounds to shoot whoever approved it.

  • (Score: 5, Insightful) by sjames on Wednesday August 12 2020, @09:07PM (2 children)

    by sjames (2882) on Wednesday August 12 2020, @09:07PM (#1035785) Journal

    For a multi-million dollar plane that costs $10,000/hour to operate, the $2 floppy is lost in the noise even if they have to buy one per plane every month. The person inserting the floppy into the drive costs many times that much. A new drive is under $40.

    OTOH, re-design, re-certification, and retrofitting would cost a metric assload for a plane that is seeing declining popularity.

    Unlike USB devices, floppies can't have their firmware re-flashed to do something nasty while delivering the stored data.

    Words of wisdom: If it ain't broke, don't fix it.

    • (Score: 2) by toddestan on Thursday August 13 2020, @11:52PM (1 child)

      by toddestan (4982) on Thursday August 13 2020, @11:52PM (#1036367)

      A new drive is under $40.

      Unlikely. I'm certain a drive that is certified to be used on a B747 is eyewateringly expensive. Even if it's the same $40 drive you might put in your PC.

      • (Score: 2) by sjames on Friday August 14 2020, @12:07AM

        by sjames (2882) on Friday August 14 2020, @12:07AM (#1036376) Journal

        I'm sure the certification adds significantly to the retail cost, but the same was always true and would apply to the USB port as well.

  • (Score: 2) by barbara hudson on Wednesday August 12 2020, @09:31PM

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday August 12 2020, @09:31PM (#1035806) Journal

    Plus how many of today's exploits fit on a 720k floppy? And not many USB sticks with a physical write-protect tab. Plus it's not like the techie is going to accidentally mistake the floppy for a USB stick with his porn collection on it.
    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 2, Funny) by Anonymous Coward on Wednesday August 12 2020, @09:37PM

    by Anonymous Coward on Wednesday August 12 2020, @09:37PM (#1035815)

    They probably have a stockpile of AOL floppies to reuse.