Skip to comments.Boeing's new Dreamliner has serious security vulnerability
Posted on 01/07/2008 1:29:55 PM PST by TomServo
Among the amenities Boeing's new Dreamliner offers its passengers is on-board Internet connection in flight; the Federal Aviation Administration (FAA) reveals that the computer network in the Dreamliner's passenger compartment is connected to the plane's control, navigation, and communication systems; this means that computer savvy passengers could access -- and take control of -- the plane's control systems; experts say a more secure design would physically separate the two computer networks
It's always something: It it's not one thing, it's another. Boeing's new 787 Dreamliner passenger jet may be among the most modern and technologically sophisticated crafts, but it may also have an exceedingly serious security vulnerability in its on-board computer networks which could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration (FAA). The FAA reveals in its report that the computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight Internet access, is connected to the plane's control, navigation, and communication systems. Wired's Kim Zetter writes that the revelation is causing concern in security circles because the physical connection of the networks makes the plane's control systems vulnerable to hackers. A more secure design would physically separate the two computer networks. Boeing said it is aware of the issue and has designed a solution it will test shortly. "This is serious," said Mark Loveless, a network security analyst with Autonomic Networks (a company still in stealth mode), who presented a paper last year on Hacking the Friendly Skies (see his PowerPoint presentation). "This isn’t a desktop computer. It's controlling the systems that are keeping people from plunging to their deaths. So I hope they are really thinking about how to get this right."
The 787 Dreamliner is in final stages of production, and it is Boeing's new mid-sized jet, which will seat between 210 and 330 passengers, depending on configuration. Boeing says it has taken more than 800 advance orders for the new plane, which is due to enter service in November 2008. The FAA is now demanding that Boeing demonstrate that it has addressed the computer-network issue before the planes begin service. The FAA document says that the vulnerability exists because the plane's computer systems connect the passenger network with the flight-safety, control, and navigation network. It also connects to the airline's business and administrative-support network, which communicates maintenance issues to ground crews. The design "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane," says the FAA document. "Because of this new passenger connectivity, the proposed data-network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."
Boeing spokeswoman Lori Gunter said the wording of the FAA document is misleading, and that the plane's networks do not completely connect. Gunter would not go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and did not want to discuss in public. "There are places where the networks are not touching, and there are places where they are," she said. Gunter added that although data can pass between the networks, "there are protections in place" to ensure that the passenger internet service doesn't access the maintenance data or the navigation system "under any circumstance." She said the safeguards protect the critical networks from unauthorized access, but the company still needs to conduct lab and in-flight testing to ensure that they work. This will occur in March when the first Dreamliner is ready for a test flight. Gunter said Boeing has been working on the issue with the FAA for a number of years already and was aware that the agency was planning to publish a document regarding the Dreamliner. Gunter said the FAA and Boeing have already agreed on the tests that the plane manufacturer will have to do to demonstrate that it has addressed the FAA's security concerns. "It will all be done before the first airplane is delivered," she said.
Loveless said he was glad the FAA and Boeing are addressing the issue, but without knowing specifically what Boeing is doing, it is impossible to say whether the proposed solution will work as intended. Loveless told Zetter that software firewalls offer some protection, but are not bulletproof, and he noted that the FAA has previously overlooked serious on-board security issues. "The fact that they are not sharing information about it is a concern," he said. "I'd be happier if a credible auditing firm took a look at it."
what kind of total and complete freaking idiot would connect the controls of an airplane to the internet???!?!?!
Hello? Communist China?? Al Qaeda?? Would you like to crash some planes and kill some Americans???
Nothing to worry about. I hear all those computers are running Vista.
I wouldn't call the problem an "oops", since it has been recognized and will be dealt with long before the first 787 ever boards its first passenger.
my first thought exactly..the article states the two networks aren’t “completely connected”, but a saavy hacker doesn’t need a complete connection, only a tidbit to get him/her where they want to go. whoever designed this should be redeployed..
Sure I’d call it an oops...
It’s not like I called it, “We’re all gonna DIE!!!”
“Do you wish to take off? yes or no”
“Do you wish to serve fish? yes or no”
“Do you wish to crash the plane? yes or no”
Bunch of self-styled experts looking for publicity.
OK, good point. :-)
Can you imagine, "Hey ma, hold ma beer. Ya'll ain't gonna believe this one!"
“This copy Windows is not genuine, please contact Microsoft to reactivate your copy of Windows. Our normal business hours are...”
“This copy of Windows is not genuine, please contact Microsoft to reactivate your copy of Windows. Our normal business hours are...”
“what kind of total and complete freaking idiot would connect the controls of an airplane to the internet???!?!?!”
Story says there is a firewall. Its not connected and sounds like a security expert wasn’t used in the design. This is a simple fix.
Those control systems already have connectivity outside of the plane. So they are currently hackable through the corporate networks.
Forget passengers being able to take control. A computer geek in his basement could do it, if what they are contending is true (I suspect not).
And it's a good thing too, with my Flight Simulator setup I've got much more experience than any airline pilot.
I get do-overs with landings don't I?
A corporate network architect who is thinking about what the two computer systems need to talk to and not what the two computer systems are doing. Both systems need to connect the real world at some point, so you put them through the same point. It only becomes a problem when you contemplate what system A does and who might be accessing system B.
This system is 100% secure and safe.
I don’t want to get specific but someone searching my past posts could infer how I know. Rest assured that I know more about this system than anyone quoted in that story.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.