Hacking a Boeing 787?
January 7th, 2008

Over the weekend a good friend and aviator sent through a link related to the proposed networking structure of the new Boeing 787 Dreamliner. The FAA document entitled “Special Conditions: Boeing Model 787-8 Airplane; Systems and Data Networks Security--Isolation or Protection From Unauthorized Passenger Domain Systems Access” addresses responses to a notification made back in April 2007, and encapsulates discussions between the FAA, the Air Line Pilots Association (ALPA) and Airbus.

One of the key statements in the document relates to how the 787 “allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane. Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane.”

The FAA ends up addressing this concern with the following special condition:
“The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain.”

What's to worry about?

There isn’t really much information to be had about how this is supposed to be done, or what Boeing really has in the works; most of the public information relates only to the sharing of communication channels, and to devices that will be used to prevent passenger networks from controlling other in-plane networked systems. Still, based upon that information, I’d have concerns.

I’m sure most of us have heard about the weird and wacky projects an engineer has to do to get his professional degree. I remember once watching project finalists build a bridge that could support their own weight, in order to cross a small stream, using only rolled-up newspapers and sticky tape. It’s an image that came to mind when I read about the 787’s “Novel or Unusual Design Features”.

Yes, you can build a small bridge using only rolled-up newspapers and sticky tape. If you build it big enough, you can probably even make it into the Guinness Book of Records. However, people don’t use these materials to build bridges that have to stand up to real-life requirements; too much can go wrong.

Yet a newspaper bridge was what came to mind while I was reading up on this shared network proposal. Too many things could go wrong. The aviation engineers I know are experts on resiliency, redundancy and fail-safe design. But therein lies one of the problems: fail-safe is not the same as fail-secure. A component that fails is allowed, even encouraged, to fall back to whatever state keeps the aircraft flying, whereas a security control that fails must deny access, and those two behaviours frequently point in opposite directions. To add to that, it’s all very well considering what happens when some component fails and including contingencies for it, but it’s an entirely different kettle of fish if you have to counter someone with malicious intent who is actively hacking or exploiting weaknesses.

Hope for the best, plan for the worst

Let’s assume that some of the world’s best network engineers design the hardware, and the world’s best software engineers write the applications and operating systems.  That’s still no guarantee that there aren’t flaws in the systems – just look at the software you use today.

In that case, let’s assume that after it’s all been designed and built, it gets penetration tested. In fact, let’s say that I was allowed to conduct a month-long penetration test of these systems and that I had a dozen of the world’s top-name reverse engineers and pentesters working with me on it. Even after any discovered bugs were fixed (and verified as fixed), I’d probably still be concerned about the security (and integrity) of those systems, and the report would probably be filled with so many CYA caveats (e.g. invalid if any patches or updates are ever applied to the system) that I’d be embarrassed to charge money for it.

Safety and security aren't complementary bedfellows.

I’d like to see the FAA put a little more meat behind the “special condition” requirements, and be precise about which network security controls need to be in place. I think the term “air gap” should feature in their wording.

The last place I’d like to be is on a 14-hour 787 flight from London to Singapore with a bored 16-year-old who, only a couple of hours into the flight, decides to see whether she can listen to what the pilots are saying after MAC-flooding the VLAN switch that was supposed to segregate the different networks until its address table overflows and it starts forwarding every frame to every port. That said, perhaps triggering an in-flight fireworks party would be exciting after she manages to hack into any new anti-shoulder-launched-missile defense systems?
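The switch-flooding scenario above, and the earlier point that fail-safe is not fail-secure, can both be seen in a few lines of code. The following Python simulation is an added example written for this page; it is not code from the original post, it models no real aircraft or vendor equipment, and the table size of 8, the three-port layout and the MAC addresses are all assumptions chosen to keep the overflow visible. A learning switch whose address table is exhausted keeps traffic flowing by flooding unknown destinations out of every port (fail-safe, but the attacker now sees other hosts' frames); the same switch with a per-port source-MAC limit shuts the offending port instead (fail-secure).

```python
"""Toy model of a learning switch's MAC (CAM) table under a flooding attack.

Constructed illustration only: a tiny fixed-size table (real switches hold
thousands of entries, so the attack just takes longer) and three ports, with
an optional per-port limit on distinct source MACs that mimics the
"port security" feature found on managed switches.
"""
import random
from collections import OrderedDict

TABLE_SIZE = 8          # assumption: deliberately tiny so overflow is visible
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, table_size=TABLE_SIZE, port_security=None):
        # port_security: max distinct source MACs tolerated per port, or None
        self.table_size = table_size
        self.table = OrderedDict()          # mac -> port, oldest entry first
        self.port_security = port_security
        self.disabled_ports = set()
        self.macs_seen_on_port = {}

    def learn(self, src_mac, port):
        """Record src_mac on port; return False if the port got shut down."""
        if port in self.disabled_ports:
            return False
        if self.port_security is not None:
            seen = self.macs_seen_on_port.setdefault(port, set())
            seen.add(src_mac)
            if len(seen) > self.port_security:
                # fail closed: disable the port rather than degrade to a hub
                self.disabled_ports.add(port)
                return False
        if src_mac in self.table:
            self.table.move_to_end(src_mac)
        else:
            if len(self.table) >= self.table_size:
                self.table.popitem(last=False)   # evict the oldest entry
            self.table[src_mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port, num_ports):
        """Return the set of ports the frame is delivered to."""
        if not self.learn(src_mac, in_port):
            return set()
        if dst_mac in self.table:
            return {self.table[dst_mac]}
        # unknown unicast or broadcast: flood every port in the VLAN but the
        # ingress port. This is the fail-safe behaviour the attacker relies on.
        return set(range(num_ports)) - {in_port}


def run_scenario(port_security=None, flood_frames=50, seed=1):
    """Hosts A (port 0) and B (port 1) talk; an attacker on port 2 floods.

    Returns where a later A->B unicast frame is delivered and whether the
    attacker's port received it or was disabled.
    """
    rng = random.Random(seed)
    sw = Switch(port_security=port_security)
    num_ports = 3
    host_a, host_b, attacker_port = "aa:00:00:00:00:01", "aa:00:00:00:00:02", 2

    # Normal traffic in both directions so the switch learns A and B.
    sw.forward(host_a, host_b, 0, num_ports)
    sw.forward(host_b, host_a, 1, num_ports)

    # The flood: every frame carries a fresh random (locally administered)
    # source MAC, pushing the legitimate entries out of the table.
    for _ in range(flood_frames):
        fake = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.forward(fake, BROADCAST, attacker_port, num_ports)

    # Now A sends a private unicast frame to B. Where does it go?
    delivered = sw.forward(host_a, host_b, 0, num_ports)
    return {
        "delivered_to": sorted(delivered),
        "attacker_sees_frame": attacker_port in delivered,
        "attacker_port_disabled": attacker_port in sw.disabled_ports,
    }


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port security=1: ", run_scenario(port_security=1))
```

Without the limit the unicast from A to B is flooded to ports 1 and 2, so the attacker reads it without touching either host; with a limit of one source MAC per port the attacker's second bogus frame disables port 2 and A's frame reaches only port 1. Neither setting changes the fact that all three ports share one broadcast domain, which is why the post argues for an air gap rather than a VLAN as the isolation mechanism.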

Note to self: I guess I should have posted this Sunday morning because this afternoon I saw that it had made it to The Register and then on to Bruce Schneier’s blog.

    Copyright 2001-2007 © Gunter Ollmann