WTF is Boeing on? Not just customer databases lying around on the web. 787 jetliner code, too, security bugs and all

Black Hat A Black Hat presentation on how to potentially hijack a 787 – by exploiting bugs found in internal code left lying around on a public-facing server – was last night slammed as "irresponsible and misleading" by Boeing.

At the hacking conference in Las Vegas on Wednesday, Ruben Santamarta, principal security consultant at pen-testing biz IOActive, told attendees he had found holes in software used in a computer network aboard the jetliners.

It is important to note here that there are essentially three electronic networks on a 787: the first is home to non-critical stuff like the in-flight entertainment system; the second is used by slightly more important applications reserved for crew and maintenance teams; and the third is used by the vital avionics gear that controls the airplane's flight and reads its sensors.

The software Santamarta probed – a crew information service – lives in the second network. He suggested it may be possible to exploit holes in, say, the in-flight entertainment system on the first network to access the adjoining second network where one could abuse the flaws he found in the crew information software to then reach into the adjoining third network. Once there, one could tap into the avionics equipment to hijack the 787, in theory.

Boeing, however, insists the software on the second network cannot be exploited as IOActive described, nor can a miscreant direct the avionics from other networks, due to restrictions in place, such as hardware filters that only allow data to flow between networks rather than instructions or commands. El Reg quietly hopes the avionics can't be taken over by malformed data that triggers vulnerabilities within the flight control systems on the third network.

'Limited'

During his talk, Santamarta acknowledged he had no way of proving he could actually commandeer the flight control systems via the holes he found in the crew-facing software. For one thing, he couldn’t persuade Boeing to let him loose on a real passenger jet.

“We have confirmed the vulnerabilities, but not that they are exploitable, so we are presenting why we think they are,” he said. “We have got very limited data, so it’s impossible to say if the mitigation factors Boeing say they have work. We offer them our assistance.”

The Register spoke to Boeing engineers to get their side of the story. They told us work-in-progress software destined for the 787 was stored on a server belonging to the aircraft manufacturer's research and development labs. This box had been, like so many databases and other systems recently, accidentally left open to the internet, which isn't particularly wise. Boeing's eggheads were alerted to the exposed machine by someone who wasn’t from IOActive, we're told, suggesting God-only-knows how many people found the thing.

According to IOActive, in September, Santamarta stumbled upon the software on the server, while it was exposed to the web, using a Google search. He set to work studying the materials, eventually finding a bunch of bugs that could be exploited to achieve arbitrary code execution in the crew information application.

Boeing's engineers claimed to us they first knew of IOActive’s investigation into the leaked code when Black Hat's organizers published the conference schedule some months ago, revealing that a talk was due to take place on hacking 787 aircraft. According to the techies, IOActive had contacted the crew information software's external developer, Honeywell, about its findings, and not Boeing. IOActive categorically denied this to us, and said it spoke to the Dreamliner maker directly about its discoveries.

In any case, a Boeing engineer told us the bugs in the software have been ironed out, and even if they were present, it would not be possible to hijack the avionics network from another network anyway. Once Boeing was aware of the nature of the programming blunders in the Honeywell software found by Santamarta, the manufacturer verified in the lab and then on an actual 787 that it was not possible to seize control of a $150-million-ish jetliner via the holes Santamarta discovered.

And yes, it's all very vague because no one wants to spill too many beans about the cyber-security of a passenger jet. And Boeing is really quite cross about the whole thing.

“IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system,” a spokesperson for the airliner maker said.

“IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we’re disappointed in IOActive’s irresponsible and misleading presentation.” ®