https://www.wired.com/story/boeing-787-code-leak-security-flaws/?verso=true
A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
One researcher's discovery suggests troubling oversights in Boeing's cybersecurity.
ANDY GREENBERG
mail@wired.com
submit@wired.com
SECURITY 08.07.2019 03:29 PM
A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
One researcher's discovery suggests troubling oversights in Boeing's cybersecurity.
Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative
googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised
to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant
737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could
see.
Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one
of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that for a hacker, exploiting those
bugs could represent one step in a multistage attack that starts in the plane’s in-flight entertainment system and
extends to highly protected, safety-critical systems like flight controls and sensors.
Andy Greenberg writes about security for wired. He is the author of the forthcoming book Sandworm: A New Era of Cyberwar and
the Hunt for the Kremlin's Most Dangerous Hackers.
Boeing flatly denies that such an attack is possible, and it rejects his claim of having discovered a potential path to pull
it off. Santamarta himself admits that he doesn't have a full enough picture of the aircraft—or access to a $250 million
jet—to confirm his claims. But he and other avionics cybersecurity researchers who have reviewed his findings argue
that while a full-on cyberattack on a plane's most sensitive systems remains far from a material threat, the flaws uncovered
in the 787's code nonetheless represent a troubling lack of attention to cybersecurity from Boeing. They also say that the
company's responses have not been altogether reassuring, given the critical importance of keeping commercial airplanes safe
from hackers.
At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present
his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew
Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called
electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of
memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a
restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment
system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including
its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787's network architecture would make
that progression impossible.
Santamarta admits that he doesn't have enough visibility into the 787's internals to know if those security barriers are circumventable.
But he says his research nonetheless represents a significant step toward showing the possibility of an actual plane-hacking
technique. "We don't have a 787 to test, so we can't assess the impact," Santamarta says. "We’re not saying it’s
doomsday, or that we can take a plane down. But we can say: This shouldn’t happen."
Flying Firewalls
In a statement, Boeing said it had investigated IOActive's claims and concluded that they don't represent any real threat
of a cyberattack. "IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe
a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads. "IOActive
reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments.
IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as
if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity
researchers, we’re disappointed in IOActive’s irresponsible presentation."
In a follow-up call with WIRED, a company spokesperson said that in investigating IOActive's claims, Boeing had gone so far
as to put an actual Boeing 787 in "flight mode" for testing, and then had its security engineers attempt to exploit the vulnerabilities
that Santamarta had exposed. They found that they couldn't carry out a successful attack. Honeywell, which supplied Boeing
with the code for the CIS/MS, also wrote in a statement to WIRED that "after extensive testing, Honeywell and its partners
determined there is no threat to flight safety as the 787’s critical systems cannot be affected."
"Every piece of software has bugs. But this is not where I’d like to find the bugs."
STEFAN SAVAGE, UCSD
IOActive's attack claims—as well as Honeywell's and Boeing's denials—are based on the specific architecture of
the 787's internals. The Dreamliner's digital systems are divided into three networks: an Open Data Network, where non-sensitive
components like the in-flight entertainment system live; an Isolated Data Network, which includes somewhat more sensitive
components like the CIS/MS that IOActive targeted; and finally the Common Data Network, the most sensitive of the three, which
connects to the plane's avionics and safety systems. Santamarta claims that the vulnerabilities he found in the CIS/MS, sandwiched
between the ODN and CDN, provide a bridge from one to the other.
But Boeing counters that it has both "additional protection mechanisms" in the CIS/MS that would prevent its bugs from being
exploited from the ODN, and another hardware device between the semi-sensitive IDN—where the CIS/MS is located—and
the highly sensitive CDN. That second barrier, the company argues, allows only data to pass from one part of the network to
the other, rather than the executable commands that would be necessary to affect the plane's critical systems.
"Although we do not provide details about our cybersecurity measures and protections for security reasons, Boeing is confident
that its airplanes are safe from cyberattack," the company's statement concludes.
Boeing says it also consulted with the Federal Aviation Administration and the Department of Homeland Security about Santamarta's
attack. While the DHS didn't respond to a request for comment, an FAA spokesperson wrote in a statement to WIRED that it's
"satisfied with the manufacturer’s assessment of the issue."
"This Is Security 101"
The new claims of software flaws come against the backdrop of the ongoing scandal over Boeing's grounded 737 Max aircraft,
after that aircraft's faulty controls contributed to two crashes that killed 346 people. At the same time, Santamarta has
his own history of unresolved disagreements with the aerospace industry over its cybersecurity measures. He previously hacked
a Panasonic Avionics in-flight entertainment system. And at last year's Black Hat conference, for instance, he presented vulnerabilities
in satellite communication systems that he said could be used to hack some non-sensitive airplane systems. The Aviation Industry
Sharing and Analysis Center shot back in a press release that his findings were based on "technical errors." Santamarta countered
that the A-ISAC was "killing the messenger," attempting to discredit him rather than address his research.
But even granting Boeing's claims about its security barriers, the flaws Santamarta found are egregious enough that they shouldn't
be dismissed, says Stefan Savage, a computer science professor at the University of California at San Diego, who is currently
working with other academic researchers on an avionics cybersecurity testing platform. "The claim that one shouldn't worry
about a vulnerability because other protections prevent it from being exploited has a very bad history in computer security,"
Savage says. "Typically, where there's smoke there's fire."
Savage points in particular to a vulnerability Santamarta highlighted in a version of the embedded operating system VxWorks,
in this case customized for Boeing by Honeywell. Santamarta found that when an application asks to write to the underlying
computer's memory, the tailored operating system doesn't properly check that it's not instead overwriting the kernel, the
most sensitive core of the operating system. Combined with several application-level bugs Santamarta found, that so-called
parameter-check privilege escalation vulnerability represents a serious flaw, Savage argues, made more serious by the notion
that VxWorks likely runs in many other components on the plane that might have the same bug.
"Every piece of software has bugs. But this is not where I’d like to find the bugs. Checking user parameters is security
101," Savage says. "They shouldn't have these kinds of straightforward vulnerabilities, especially in the kernel. In this
day and age, it would be inconceivable for a consumer operating system to not check user pointer parameters, so I'd expect
the same of an airplane."
"This shouldn’t happen."
RUBEN SANTAMARTA, IOACTIVE
Another academic avionics cybersecurity researcher, Karl Koscher at the University of Washington, says he's found such serious
security flaws in an aircraft component as those Santamarta reported in the CIS/MS. "Perhaps Boeing intentionally treated
it as untrusted, and the rest of the system can handle that untrusted bit," Koscher says."But saying, 'It doesn’t matter
because there are mitigations further down' isn’t that good an answer. Especially if some of the mitigations turn out
to be not as robust as you think they are."
Koscher also points to the CIS/MS access to the Electronic Flight Bag, full of documents and navigation materials a plane's
pilot might refer to via a tablet in the cockpit. Corrupting that data could cause its own form of mayhem. "If you can create
confusion and misinformation in the cockpit, that could lead to some pretty bad outcomes," Koscher notes. (A Boeing spokesperson
says that the EFB can't be compromised from the CIS/MS, either, despite both being located in the same part of the 787's network.)
Big, Flying Collections of Computers
To be clear, neither Savage nor Koscher believe that, based on Santamarta's findings alone, a hacker could cause any immediate
danger to an aircraft or its passengers. "This is a long way from an imminent safety threat. Based on what they have now,
I think you could let the IOActive guys run amok on a 787 and I'd still be comfortable flying on it," Savage says. "But Boeing
has work to do."
Assessing whether IOActive's findings truly represent a step toward a serious attack is difficult, Savage points out, simply
due to the impossible logistics of airplane security research. Companies like Boeing have the means to comprehensively test
a quarter-billion-dollar aircraft's security, but also have deep conflicts of interest about what results they publish. Independent
hackers like IOActive's Santamarta don't have the resources to carry out those complete investigations—even as highly
resourced state hackers or others willing to test on live, airborne planes might.
Santamarta's research, despite Boeing's denials and assurances, should be a reminder that aircraft security is far from a
solved area of cybersecurity research. "This is a reminder that planes, like cars, depend on increasingly complex networked
computer systems," Savage says. "They don't get to escape the vulnerabilities that come with this."
|