Plane not actually commandeered by wi-fi that was not actually hacked


  • :belt_onion:

    http://www.msn.com/en-us/travel/news/hackers-could-commandeer-new-planes-through-passenger-wi-fi/ar-AAb6eY9

    As long as they aren't installing Dischorse on the planes...

    It’s unclear if the authors of the new GAO report tested or examined Boeing’s solution and found it was still vulnerable to hacking or if they simply based their report on statements from experts that any design that doesn’t involve complete air-gapping of networks is vulnerable to hacking.
    oh wait, they didn't even hack anything, they just reported that it's vulnerable basically because it involves computers and networks and they think it's a safer bet to bet that it can get hacked than to say it's secure.


  • If everything can be hacked, why can't I make my toaster print counterfeit money?

    Better yet, why can't I make my neighbor's toaster print counterfeit money?


  • mod

    @ben_lubar said:

    Better yet, why can't I make my neighbor's toaster print counterfeit money?

    Milwaukee PC. That's why.

    Now the rest of us ...


  • area_deu

    Is there really no air gap between the avionics systems' network and the passenger entertainment systems' network?!

    That really sounds like a security WTF.



  • @darkmatter said:

    they think it's a safer bet to bet that it can get hacked than to say it's secure

    To be fair... that's not a particularly unreasonable position.



  • @ben_lubar said:

    If everything can be hacked, why can't I make my toaster print counterfeit money?

    Better yet, why can't I make my neighbor's toaster print counterfeit money?

    Fie on counterfeit money: if your toaster is web connected, it may be able to print real money.



  • @darkmatter said:

    vulnerable basically because it involves computers and networks

    Can't argue with that. OTOH there are still much bettereasier ways to hijack an aircraft.



  • @aliceif said:

    Is there really no air gap between the avionics systems' network and the passenger entertainment systems' network?!

    That really sounds like a security WTF.

    The avionics systems largely use a completely different protocol to talk to each other. They're not doing TCP/IP.
    That's only the first hurdle.

    You're more at risk from outside signals than from those inside the plane (and even that risk is tiny).





  • @darkmatter said:

    that doesn’t involve complete air-gapping

    That is the real WTF. Why the hell would it not?



  • So the plane engines can automatically send updates to Twitter ofc.



  • With the Internet of Things becoming the new hotness, and gas ovens potentially connected to the web, people are actually worried about hackers blowing up their houses.



  • This new high-sulphur jet fuel is delicious! #geoengineering



  • Devices in the IoT should NEVER EVER UNDER ANY CIRCUMSTANCE manage their own security. Because they will fail. Make a central computer in your house authenticate you and send commands to your gas oven.



  • @anonymous234 said:

    Make a central computer in your house authenticate you and send commands to your gas oven.

    A gas oven I can remote control without seeing, hearing and smelling it? DO NOT WANT.



  • @Rhywden said:

    They're not doing TCP/IP.

    Not true. See below.

    @Rhywden said:

    largely

    Questionable.

    Avionics definitely uses variations of the CAN bus, which is over TCP/IP. This is the same thing that we have seen posts previously on, detailing how people have been able to take control of cars with a laptop. Nowhere does it detail which bits of equipment are using what protocols, but it wouldn't surprise me if at least some models of aircraft have most control systems running through TCP/IP.

    @darkmatter said:

    it's a safer bet to bet that it can get hacked than to say it's secure

    This is true and as far as I am concerned the only correct/reasonable position. I have run into this problem at work too, wherein our hardware is on an airgapped network but they want some equipment to be able to communicate through wireless, which isn't available on the airgapped network (only the office network) so there is a security debate happening at our customer's end. If they asked me, I'd tell them not to add wireless to the airgapped network as it would be too high a potential risk of someone compromising a wifi router, turning it into a wifi bridge with dd-wrt or similar and then compromising the airgapped network and wreaking havoc. It's a teeny tiny weeny risk, but a MASSIVE problem if it happens.

    If the impact is high enough - as it is in an aircraft, and in the situation I described above, it doesn't matter how low the probability is, it's just a big deal.

    Considering the lengths that software developers have to go to to get their software legally permitted to be used in flight, for any purpose, even just keeping track of coffee, you'd better believe that they will take even a tiny risk seriously, because otherwise bad shit happens.



  • @flabdablet said:

    A gas oven I can remote control without seeing, hearing and smelling it? DO NOT WANT.

    Smokin'. Powered by Tizen(TM).



  • @algorythmics said:

    Not true. See below.

    Avionics definitely uses variations of the CAN bus, which is over TCP/IP. This is the same thing that we have seen posts previously on, detailing how people have been able to take control of cars with a laptop. Nowhere does it detail which bits of equipment are using what protocols, but it wouldn't surprise me if at least some models of aircraft have most control systems running through TCP/IP.


    They're actually using UDP because AFDX provides both determinism and QoS, rendering TCP unneeded. This still does not mean that you can simply talk to any nodes in an aircraft - you need hardware access because any nodes are hard-configured and accept data only from known nodes.
    Which means that any attack would first require you to reprogram a node and then actually plug in hardware physically. That's about the same security-level as for any other computer - if you have hardware access there's very little you can do to prevent unauthorized access if the attacker knows what he's doing.

    But wireless hacking? Nope. Not with the current configuration, not possible.



  • @aliceif said:

    Is there really no air gap between the avionics systems' network and the passenger entertainment systems' network?!

    That really sounds like a security WTF.

    We know for sure there cannot be an air gap: the entertainment system displays flight information (speed, altitude, position, temperature) that comes from the avionics, so one of them must talk to the other.



  • @Rhywden said:

    The avionics systems largely use a completely different protocol to talk to each other. They're not doing TCP/IP.
    That's only the first hurdle.

    Doesn't sound like much of a hurdle. If you want to learn a bit about computer security, you should probably first look up "security by obscurity" (hint: it doesn't work).



  • @Planar said:

    Doesn't sound like much of a hurdle. If you want to learn a bit about computer security, you should probably first look up "security by obscurity" (hint: it doesn't work).

    Which part of "only the first hurdle" is hard to grasp?

    Next up: A hardcoded routing table ("hardcoded" in the sense of: You need physical access to the switch).



  • @Rhywden said:

    Which part of "only the first hurdle" is hard to grasp?

    If you count it as a hurdle (first or otherwise) I don't want you managing my security.



  • @Planar said:

    If you count it as a hurdle (first or otherwise) I don't want you managing my security.

    Yes, of course. Well, don't expect me to hold my breath while I wait for you to come up with a WiFi-to-AFDX-converter.


  • Discourse touched me in a no-no place

    @Rhywden said:

    you need hardware access because any nodes are hard-configured and accept data only from known nodes.

    No, you just need to inject packets with IDs that claim to be those from known nodes, which is info you can get fairly easily if you can just watch the raw network traffic. There are tools for doing that once you've got physical access in the first place…



  • @dkf said:

    No, you just need to inject packets with IDs that claim to be those from known nodes, which is info you can get fairly easily if you can just watch the raw network traffic. There are tools for doing that once you've got physical access in the first place…

    Well, there's one problem with that: An AFDX switch doesn't only filter according to nodes. It also filters by destination and physical ports.

    So if a port to a monitoring device (which only receives data) suddenly begins to send data, those packets will be dropped faster than you can say: "D'oh!"

    So, in order to actually influence the engine, for example, you either need to access the control node, the switch or the engine (or one of the cables). Physical access, that is.
    And if you can do that then you have bigger problems anyway.

    An airplane network isn't like the Enterprise where you can reroute power or data channels as needed.



  • :facepalm: Not this nonsense again. Since I work in the avionics industry I'll try to lay out why the article is full of crap.

    There are Ethernet-based avionics protocols (AFDX/ARINC-664) but they are not quite stock Ethernet and not quite stock UDP/IP either. They have extensions to make it deterministic and reliable. If the passenger Wi-Fi was connected to the avionics network, it would certainly violate any scheduling constraints and BAG limits, not to mention it would be dealing out frames without any virtual link info. The avionics switch would think it's a piece of malfunctioning hardware, turn off its port leading to the wireless access point so the network doesn't get flooded and bring down the plane, and probably trigger a cockpit warning too.

    We occasionally have contact from vendors who think they can save a buck and try using off-the-shelf Ethernet hardware while designing a new plane network. It NEVER works and they always have to backtrack and spend a few hundred grand on the real equipment.


  • Discourse touched me in a no-no place

    @Rhywden said:

    An AFDX switch doesn't only filter according to nodes. It also filters by destination and physical ports.

    You're assuming that it is actually doing that. It might be supposed to be doing that, and it might not be supposed to reassign connections based on messages coming in, but it does not pay to just assume things, especially when it is so much more convenient for people to just hook things up in insecure mode where everything autoconfigures and then Just Works™. Our network at work is in a terrible way because of those sorts of assumptions; the network team have assumed for years that their VLAN configuration is right, when the rest of us know full well it isn't, given the sheer quantity of global polling traffic coming from Windows clusters. (Some of the things in there are really noisy, especially some of the software for auditing what untrusted users are doing.)

    Oh well, at least they didn't put it in a configuration that stopped people from working. Or if they did, they got shouted at immediately long ago and stopped that. (We can't really lock the user-facing network down that hard; too many strange pieces of software about that we need for courses.)



  • AFDX doesn't autoconfigure. Throw out everything you know about networking from standard work networks, a lot of that doesn't apply.



  • @dkf said:

    You're assuming that it is actually doing that. It might be supposed to be doing that, and it might not be supposed to reassign connections based on messages coming in, but it does not pay to just assume things,

    If it didn't do that it won't be allowed to fly. Why do you think those Boeings and Airbuses are so expensive?

    And please remove your tinfoil hat. I read some of the documentation from Airbus on AFDX and while I don't propose to have understood all of it, this "don't reroute traffic" is a basic security feature - you don't want rerouting-on-the-fly for the simple reason that a device might malfunction and thus flood the network.



  • @dkf said:

    No, you just need to inject packets with IDs that claim to be those from known nodes,

    True, but...

    @dkf said:

    which is info you can get fairly easily if you can just watch the raw network traffic.

    You can only monitor the network if you have in-line monitors on all cable runs, or you have a monitoring port configured on the switch. Also note that in my experience monitoring ports can only transmit, they can't receive. And if the switch gets messages on the wrong port it drops them. "What? According to the configuration set when this network was designed in the factory, flap control messages only come from interface 2. Who's this joker sending flap control messages on interface 16? Shutting down interface 16 and sending a warning up to MFD #1 now..."

    @dkf said:

    There are tools for doing that once you've got physical access in the first place…

    Costly tools, my company produces them. You could buy a nice house with the funds you'd need to get started...


  • :belt_onion:

    @Planar said:

    We know for sure there cannot be an air gap: the entertainment system displays flight information (speed, altitude, position, temperature) that comes from the avionics, so one of them must talk to the other.

    Which is likely sent from the plane to control tower, then sent to some server to host it, and then read by the entertainment system to display.
    So hacking that way would be the longest possible route to get in.

    FUCK


  • mod

    @darkmatter said:

    Which is likely sent from the plane to control tower, then sent to some server to host it, and then read by the entertainment system to display.

    Such information is often displayed on intercontinental flights, and there are long legs of said flights when that information is displayed and the plane is out of contact with ground towers. How does your theory account for that?



  • One-way UDP status updates?



  • Air gap on the physical port, receive pins removed, no fallback to half duplex.



  • @TwelveBaud said:

    Air gap on the physical port, receive pins removed, no fallback to half duplex.

    Or simply a switch which does not accept certain directional data flows...



  • That's my thought - hardcoded routing tables seems to be the key word here.



  • @Rhywden said:

    nodes are hard-configured and accept data only from known nodes

    are you sure about that? I obviously only know about CAN bus, but it would surprise me if it was THAT different.



  • @algorythmics said:

    are you sure about that? I obviously only know about CAN bus, but it would surprise me if it was THAT different.

    Yes, I am sure about that. I actually read the specifications on one of the switches in use and they are very fussy about which packets they route and where. Granted, it's not the nodes themselves but the switch which does the filtering but it amounts to the same result.

    Think about it for a moment: You have a network where you want to guarantee delivery of packets with minimal latency and zero losses. This means that you implement some stuff which makes certain that there are no collisions and that data is routed with the minimal amount of hops and then only data you actually need.

    Plus, you have to make sure that malfunctioning devices don't take down the whole network or send a command where it's not supposed to go.

    Easiest way to support those agendas: Drop everything that is not going where it's supposed to go.

    "The VL [VirtualLink] is received on an allowed destination port according to the configuration table" (Page 26, Frame Filtering)



  • Not only are virtual links used to determine source/destination ports, IP source/destination address and UDP source/destination port also matter. It's like a strange triply-redundant routing system and if any of them are wrong, the switch will drop the frame. The core switch is configured at the factory and has intimate knowledge of all connected nodes and who they're allowed to talk to, at what data rate, and how often they can send messages. If anything is off, the switch ignores the node and it's time for maintenance to take a look.

    I could be getting a little mixed up between protocols because Airbus licensing has everyone trying to come up with their own Ethernet-based protocol that isn't quite AFDX so they don't owe Airbus for it, but they're all fairly similar and the important thing is it's all super-deterministic using a static configuration for the network. Topology changes can't and don't just happen.
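
The static filtering described in the posts above (one fixed ingress port per virtual link, header and size checks, a BAG rate limit, port shutdown on a violation), as an added example that is not part of the original thread and is not real AFDX switch code. It is a simplified model: the table values, field names and the exact shutdown policy are assumptions for illustration, and real ARINC 664 policing is more involved.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VirtualLink:
    ingress_port: int        # the only physical port allowed to source this VL
    egress_ports: frozenset  # fixed destinations, never learned at runtime
    bag_ms: int              # Bandwidth Allocation Gap: minimum spacing between frames
    max_len: int             # largest frame permitted on this VL
    udp_dst: int             # expected UDP destination port

@dataclass(frozen=True)
class Frame:
    t_ms: float
    port: int                # physical port the frame arrived on
    vl_id: int
    udp_dst: int
    length: int

class StaticSwitch:
    """Toy switch: forwards only what the factory-set table allows."""
    def __init__(self, table):
        self.table = dict(table)   # static; nothing in forward() ever modifies it
        self.last_seen = {}        # vl_id -> time of last accepted frame
        self.disabled = set()      # ports shut down after a violation
        self.alerts = []           # (time, port, reason) records for maintenance

    def _reject(self, frame, reason, shut_port=False):
        if shut_port:
            self.disabled.add(frame.port)
        self.alerts.append((frame.t_ms, frame.port, reason))
        return []

    def forward(self, frame):
        """Return the egress ports for a frame, or [] if it is dropped."""
        if frame.port in self.disabled:
            return []
        vl = self.table.get(frame.vl_id)
        if vl is None:
            return self._reject(frame, "unknown VL", shut_port=True)
        if frame.port != vl.ingress_port:
            return self._reject(frame, "VL on wrong ingress port", shut_port=True)
        if frame.udp_dst != vl.udp_dst or frame.length > vl.max_len:
            return self._reject(frame, "header/size mismatch")
        last = self.last_seen.get(frame.vl_id)
        if last is not None and frame.t_ms - last < vl.bag_ms:
            return self._reject(frame, "BAG violation")
        self.last_seen[frame.vl_id] = frame.t_ms
        return sorted(vl.egress_ports)

# Constructed configuration: VL 100 enters on port 2 and is copied to ports 5 and 16.
TABLE = {100: VirtualLink(2, frozenset({5, 16}), bag_ms=8, max_len=200, udp_dst=5000)}

def demo():
    sw = StaticSwitch(TABLE)
    frames = [                          # constructed sample traffic
        Frame(0, 2, 100, 5000, 120),    # legitimate
        Frame(3, 2, 100, 5000, 120),    # too soon, inside the 8 ms BAG
        Frame(8, 2, 100, 5000, 120),    # legitimate
        Frame(9, 16, 100, 5000, 120),   # receive-only port claiming to source VL 100
        Frame(20, 16, 999, 80, 64),     # port 16 is already shut down
    ]
    return [sw.forward(f) for f in frames], sw

if __name__ == "__main__":
    results, sw = demo()
    print(results, sw.disabled, sw.alerts)
```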




  • the electrical current and molecular structure of the central processing unit is altered

    I thought altering the electrical current was the point of a CPU. As for molecular structure, I'm not so sure...

    To be fair, though, if you could execute arbitrary code on one of that-age computers, you probably could blow up that CRT monitor if you tried.


  • Discourse touched me in a no-no place

    @Maciejasjmj said:

    As for molecular structure, I'm not so sure...

    Put a big enough current through it (or, equivalently, voltage across it) and its molecular structure will alter. Explosively.

    Exploding Overclocking Extreme AMD Duron Vaporizing – 01:48
    — m


  • sockdevs

    And that's why I'm fucking thankful AMD saw the light and added support for thermal shutdown to later CPUs :relieved:


  • Discourse touched me in a no-no place

    @RaceProUK said:

    thermal shutdown

    That just means you need more power!


  • :belt_onion:

    @RaceProUK said:

    And that's why I'm fucking thankful AMD saw the light and added support for thermal shutdown to later CPUs

    psh I used to enjoy cooking eggs on those things :)



  • @aliceif said:

    Is there really no air gap between the avionics systems' network and the passenger entertainment systems' network?!

    That really sounds like a security WTF.


    There's basically a security barrier device instead. I'd use something along the lines of a "data diode", which'd go:

    avionics protocol -> avionics protocol interface adapter (ARINC-429, AFDX) -> small processor -> simplex (ONE WAY) serial link, complete with one-way serial buffer (a '1G244 with its output enable tied low in hardware works just fine) -> other small processor -> Ethernet adapter -> passenger-visible Ethernet network
    

    The idea is that the avionics side can catch messages and forward them on to the passenger side, but the passenger side is physically prevented from sending a message in the reverse direction. Hack that.

    @Rhywden said:

    They're actually using UDP because AFDX provides both determinism and QoS, rendering TCP unneeded. This still does not mean that you can simply talk to any nodes in an aircraft - you need hardware access because any nodes are hard-configured and accept data only from known nodes. Which means that any attack would first require you to reprogram a node and then actually plug in hardware physically. That's about the same security-level as for any other computer - if you have hardware access there's very little you can do to prevent unauthorized access if the attacker knows what he's doing.

    But wireless hacking? Nope. Not with the current configuration, not possible.

    Furthermore, at least in the 777, the pilots have the ultimate "off" switch at their disposal -- there is a switch in the cockpit that renders the flight control computers irrelevant. (It's also used to reboot the FBW system in case of certain system faults.)



  • @tarunik said:

    reboot the FBW system in case of certain system faults

    Google finds some expansions of the acronym that might explain why pilots really like flying the 777, but are almost certainly not your intended meaning.



  • Fly-By-Wire, where the controls in the cockpit are basically very fancy joysticks <!-- :giggity: --> and the computers actually handle the flight surfaces.



  • @TwelveBaud said:

    Fly-By-Wire

    Ah. I was thinking Flatulent Bed-Wetter but that hardly seems applicable to aircraft systems.


    Filed Under: Unless we're talking some kind of combined septic-sucker and crop duster.



  • Yes, I found the real definition, but other definitions were amusing in the context.

