Pen Test Partners: Boeing 747s receive critical software updates over 3.5" floppy disks
Industry binning old aircraft is an opportunity for aviation infosec
DEF CON Boeing 747-400s still use floppy disks for loading critical navigation databases, Pen Test Partners has revealed to the infosec community after poking about one of the recently abandoned aircraft.
The eye-catching factoid emerged during a DEF CON video interview of PTP's Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck.
Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline's decision to scrap its B747 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task.
"Aircraft themselves are really expensive beasts, you know," said Lomas as he filmed inside the big Boeing. "Even if you had all the will in the world, airlines and manufacturers won't just let you pentest an aircraft because [they] don't know what state you're going to leave it in."
While giving a tour of the aircraft on video (full embed below), Lomas pointed out the navigation database loader. To readers of a certain vintage it'll look very familiar indeed.
Navigation data aboard Boeing 747-436 airliners is updated via a 3.5" floppy drive. The aircraft were built in the late 1990s
"This database has to be updated every 28 days, so you can see how much of a chore this has to be for an engineer to visit," Lomas said, pointing out the floppy drive – which in normal operations is tucked away behind a locked panel.
A quick tour of the avionics bay, buried beneath the floor of the lower passenger deck, revealed a server-room-esque array of line replaceable units and cabling, prompting Lomas to bust lots of Hollywood-grade dreams by saying: "You can't just clip into a pair of wires into the back of the aircraft and gain access to all of these."
In a subsequent Q&A for DEF CON's virtual attendees (this year's hacking conference was done remotely thanks to COVID-19), Pen Test Partners chief Ken Munro asked Lomas about points of interest to aviation infosec researchers. The latter then described various aviation-specific ARINC equipment and connectivity standards, including ARINC 664 ("...Ethernet with some extra quality-of-service layers on top to make sure flight-critical things can talk to each other") as used in the Boeing 787 and the latest generation of airliners, ARINC 629 ("really only used in the [Boeing] 777"), and other potential areas of research interest including VxWorks' real-time OS, which is used in a number of airliners' internal networks.
From 'Queen of the Skies' to Queen of the Scrapheap: British Airways chops 747 fleet as folk stay at homeREAD MORE
The key question everyone wants to know the answer to, though, is whether you can hack an airliner from the cheap seats, using the in-flight entertainment (IFE) as an attack vector. Lomas observed: "Where we've gone deliberately looking, we've not found, at this point, any two-way communication between passenger domain systems like the IFE and the control domain. There is the DMZ of the information services domain that sits between the two; to jump between two layers of segregation would be tricky in my view."
That hasn't stopped some people from trying, most notably an infosec researcher from a Scottish university who deployed a well-known pentesting technique against IFE equipment at the start of a nine-hour transatlantic flight. Mercifully he only managed to KO his own screen.
There is a long and storied history of otherwise obsolete technologies being retained in use because they're built into something bigger and yet work well, not least aboard Royal Navy survey ship HMS Enterprise. Last seen in these hallowed pages a couple of years ago when the Navy invited your correspondent aboard the warship during a NATO exercise in Norway, Enterprise's hotchpotch of Windows ME-based survey software is now helping port authorities in Beirut assess the damage caused by the disastrous ammonium nitrate explosion earlier this month. ®
Of potential interest to researchers who don't have access to a spare 747 for a spot of pentesting is the new Microsoft Flight Simulator. Due for release in just over a week, the latest version of the classic sim franchise will include and support the use of ARINC 429-compatible navigation datasets, of the exact same type loaded into the 747 on a 3.5" floppy.
While the fidelity of the simulator software reading and executing that data may not be comparable with the real thing, inexpensive access to a real dataset can offer insights into further research areas – though the tale of the Boeing 787 and Warsaw's BIMPA 4U arrival is unlikely to be repeatable.