Pen Test Partners: Boeing 747s receive critical software updates over 3.5" floppy disks

Industry binning old aircraft is an opportunity for aviation infosec

DEF CON Boeing 747-400s still use floppy disks for loading critical navigation databases, Pen Test Partners has revealed to the infosec community after poking about one of the recently abandoned aircraft.

The eye-catching factoid emerged during a DEF CON video interview of PTP's Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck.

Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline's decision to scrap its B747 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task.

"Aircraft themselves are really expensive beasts, you know," said Lomas as he filmed inside the big Boeing. "Even if you had all the will in the world, airlines and manufacturers won't just let you pentest an aircraft because [they] don't know what state you're going to leave it in."

While giving a tour of the aircraft on video (full embed below), Lomas pointed out the navigation database loader. To readers of a certain vintage it'll look very familiar indeed.

Navigation data aboard Boeing 747-436 airliners is updated via a 3.5" floppy drive. The aircraft were built in the late 1990s

Navigation data aboard Boeing 747-436 airliners is updated via a 3.5" floppy drive. The aircraft were built in the late 1990s

"This database has to be updated every 28 days, so you can see how much of a chore this has to be for an engineer to visit," Lomas said, pointing out the floppy drive – which in normal operations is tucked away behind a locked panel.

Youtube Video

A quick tour of the avionics bay, buried beneath the floor of the lower passenger deck, revealed a server-room-esque array of line replaceable units and cabling, prompting Lomas to bust lots of Hollywood-grade dreams by saying: "You can't just clip into a pair of wires into the back of the aircraft and gain access to all of these."

In a subsequent Q&A for DEF CON's virtual attendees (this year's hacking conference was done remotely thanks to COVID-19), Pen Test Partners chief Ken Munro asked Lomas about points of interest to aviation infosec researchers. The latter then described various aviation-specific ARINC equipment and connectivity standards, including ARINC 664 ("...Ethernet with some extra quality-of-service layers on top to make sure flight-critical things can talk to each other") as used in the Boeing 787 and the latest generation of airliners, ARINC 629 ("really only used in the [Boeing] 777"), and other potential areas of research interest including VxWorks' real-time OS, which is used in a number of airliners' internal networks.

British Airways Boeing 747-400

From 'Queen of the Skies' to Queen of the Scrapheap: British Airways chops 747 fleet as folk stay at home


The key question everyone wants to know the answer to, though, is whether you can hack an airliner from the cheap seats, using the in-flight entertainment (IFE) as an attack vector. Lomas observed: "Where we've gone deliberately looking, we've not found, at this point, any two-way communication between passenger domain systems like the IFE and the control domain. There is the DMZ of the information services domain that sits between the two; to jump between two layers of segregation would be tricky in my view."

That hasn't stopped some people from trying, most notably an infosec researcher from a Scottish university who deployed a well-known pentesting technique against IFE equipment at the start of a nine-hour transatlantic flight. Mercifully he only managed to KO his own screen.

There is a long and storied history of otherwise obsolete technologies being retained in use because they're built into something bigger and yet work well, not least aboard Royal Navy survey ship HMS Enterprise. Last seen in these hallowed pages a couple of years ago when the Navy invited your correspondent aboard the warship during a NATO exercise in Norway, Enterprise's hotchpotch of Windows ME-based survey software is now helping port authorities in Beirut assess the damage caused by the disastrous ammonium nitrate explosion earlier this month. ®


Of potential interest to researchers who don't have access to a spare 747 for a spot of pentesting is the new Microsoft Flight Simulator. Due for release in just over a week, the latest version of the classic sim franchise will include and support the use of ARINC 429-compatible navigation datasets, of the exact same type loaded into the 747 on a 3.5" floppy.

While the fidelity of the simulator software reading and executing that data may not be comparable with the real thing, inexpensive access to a real dataset can offer insights into further research areas – though the tale of the Boeing 787 and Warsaw's BIMPA 4U arrival is unlikely to be repeatable.

Similar topics

Broader topics

Other stories you might like

  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading

Biting the hand that feeds IT © 1998–2022