Plane not actually commandeered by wi-fi that was not actually hacked
-
Yes, but they might do it while the plane is in maintenance, pre-programming it to automatically hit the twin towers on its next flight.
-
You can't just get away with asserting that things must be secure because there's redundancy.
I don't see how @Rhywden's post equated redundancy to security. Rather, he was indicating that redundancy is one of several practices used to protect against any number of things that could go wrong in the avionics network on a plane. Sure, some of the other practices also help to enhance security (such as strict forwarding rules and port disabling).
Yes, but they might do it while the plane is in maintenance, pre-programming it to automatically hit the twin towers on its next flight.
People who perform such maintenance undergo pretty strict background checks, and are supposed to be re-checked on occasion.
Also, what twin towers are you talking about? Is this mythical plane of yours capable of time travel as well?
-
To me it sounds like, "Hacking a flight sim is a far cry from hacking a real flight, come back when you've done something that actually applies to the real world."
But isn't that strange, for a team that was supposed to be evaluating the security of the real system?
Think about it. They're working on a sim instead of the real thing; they find weaknesses; they publish weaknesses; company says, "Oh you're not using the real system you're using a sim that's nothing like the real system. But the real system is secure, have no doubt. Trust us." You don't see anything odd about that?
It's possible to develop software to that level of perfection,
But have we ever-- ever! -- seen that level of perfection? In the case of security, "possible" does not mean "likely" or even "plausible".
Just as an example: Microsoft boasts on how "secure" Internet Explorer is...versus Chrome. You buying that? After all the hundreds (thousands?) of exploits found in IE?
(I agree with everything else.)
This is false, but not because "security by obscurity" is any bit a good idea. Sometimes, the behavior the attacker wants (sending data to the avionics network from the IFE network), can be ruled to be completely useless/undesired for normal operation; in that case, the best security approach is to make the system physically incapable of bending to the attacker's will. (Cue my hardwired data diode.)
But it isn't on the "wire" that is the most likely failure point anyway: It is in endpoint devices that are handled by software (whether firmware or more dynamic).
Look at Ethernet: Few people try to break the cable itself. There's been some effort, but not that much, with switches and routers. But what everyone goes after is the endpoint computers: Break one of those and you have access to the whole network, from an authorized endpoint.
The avionics on a plane is not just a matter of the network, it's a matter of every device an attacker can find a way to reach...and possibly breach. One of the time-honored strategies of system breaking is to gain a beachhead and use that as a stepping stone to other systems.
-
But isn't that strange, for a team that was supposed to be evaluating the security of the real system?
Think about it. They're working on a sim instead of the real thing; they find weaknesses; they publish weaknesses; company says, "Oh you're not using the real system you're using a sim that's nothing like the real system. But the real system is secure, have no doubt. Trust us." You don't see anything odd about that?
I'm a bit mystified as to why a simulation should simulate something the simulation was not meant for?
-
But the real system is secure, have no doubt. Trust us." You don't see anything odd about that?
The only odd thing I see is that you said that, not the official guy you're fake-quoting.
No one challenged him to hack a sim, the guy hacked the sim on his own time. Hacking the sim turns out to be basically pointless because IT'S NOT HOW THE REAL FUCKING PLANE COMS WORK. The sim is NOT EVEN SUPPOSED to be representative of an actual airplane's security, because IT'S A FUCKING TRAINING SIM. WHO CARES.
Not sure how many times it has to be said.
Hell, they're even working with him to see if any of it could possibly relate to a real plane. But still, unless he demos a hack for a real plane, it doesn't mean much of jack shit.
-
Also, the "hacked a plane" article linked (http://www.darkreading.com/vulnerabilities-and-threats/airplane-takeover-demonstrated-via-android-app/d/d-id/1109503 not the OP link) was
Posted on April 12, 2013 at 10:50 AM
Guess what happened with that.... approximately how many planes got grounded due to that flight sim program's security flaws?
Oh that's right. None.
Filed Under: grumpy cat is grumpy today.
-
But have we ever-- ever! -- seen that level of perfection?
It's rare, but does happen. You develop it in a totally different way to normal code, and avionics used to be one of the places where that level of assurance was sought. That was all prior to putting a network on a plane though, when all the sensors and actuators were directly wired, so the focus was much more on ensuring correct response to (authorised) stimuli. Networks have more failure modes.
The forces pushing for the use of networking on planes are pretty significant though, as it reduces the plane's weight quite a lot. That's very nice to have indeed. I've seen pictures of old-style plane wiring…
-
I've seen pictures of old-style plane wiring…
Oh yes...my company still does some pretty significant business in ARINC-429 which is a point-to-point system. Every device needs a cable directly to any other device it communicates with, meaning there are large bundles of heavy cabling going all over the place.
-
The avionics on a plane is not just a matter of the network, it's a matter of every device an attacker can find a way to reach...and possibly breach
And that generally requires either cockpit access or crawling through access ports from the plane's exterior. And if you have cockpit access, there are much better ways of taking control of the airplane than ripping out an avionics device and replacing it with something fishy.
-
