Pen Test Partners: Boeing 747s receive critical software updates over 3.5" floppy disks

Industry binning old aircraft is an opportunity for aviation infosec

DEF CON: Boeing 747-400s still use floppy disks for loading critical navigation databases, Pen Test Partners has revealed to the infosec community after poking about one of the recently abandoned aircraft.

The eye-catching factoid emerged during a DEF CON video interview of PTP's Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck.

Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline's decision to scrap its B747 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task.

"Aircraft themselves are really expensive beasts, you know," said Lomas as he filmed inside the big Boeing. "Even if you had all the will in the world, airlines and manufacturers won't just let you pentest an aircraft because [they] don't know what state you're going to leave it in."

While giving a tour of the aircraft on video (full embed below), Lomas pointed out the navigation database loader. To readers of a certain vintage it'll look very familiar indeed.

Navigation data aboard Boeing 747-436 airliners is updated via a 3.5" floppy drive. The aircraft were built in the late 1990s

"This database has to be updated every 28 days, so you can see how much of a chore this has to be for an engineer to visit," Lomas said, pointing out the floppy drive – which in normal operations is tucked away behind a locked panel.

[Embedded YouTube video]

A quick tour of the avionics bay, buried beneath the floor of the lower passenger deck, revealed a server-room-esque array of line replaceable units and cabling, prompting Lomas to bust lots of Hollywood-grade dreams by saying: "You can't just clip into a pair of wires into the back of the aircraft and gain access to all of these."

In a subsequent Q&A for DEF CON's virtual attendees (this year's hacking conference was done remotely thanks to COVID-19), Pen Test Partners chief Ken Munro asked Lomas about points of interest to aviation infosec researchers. The latter then described various aviation-specific ARINC equipment and connectivity standards, including ARINC 664 ("...Ethernet with some extra quality-of-service layers on top to make sure flight-critical things can talk to each other") as used in the Boeing 787 and the latest generation of airliners, ARINC 629 ("really only used in the [Boeing] 777"), and other potential areas of research interest including VxWorks' real-time OS, which is used in a number of airliners' internal networks.


The key question everyone wants to know the answer to, though, is whether you can hack an airliner from the cheap seats, using the in-flight entertainment (IFE) as an attack vector. Lomas observed: "Where we've gone deliberately looking, we've not found, at this point, any two-way communication between passenger domain systems like the IFE and the control domain. There is the DMZ of the information services domain that sits between the two; to jump between two layers of segregation would be tricky in my view."

That hasn't stopped some people from trying, most notably an infosec researcher from a Scottish university who deployed a well-known pentesting technique against IFE equipment at the start of a nine-hour transatlantic flight. Mercifully he only managed to KO his own screen.

There is a long and storied history of otherwise obsolete technologies being retained in use because they're built into something bigger and yet work well, not least aboard Royal Navy survey ship HMS Enterprise. Last seen in these hallowed pages a couple of years ago when the Navy invited your correspondent aboard the warship during a NATO exercise in Norway, Enterprise's hotchpotch of Windows ME-based survey software is now helping port authorities in Beirut assess the damage caused by the disastrous ammonium nitrate explosion earlier this month. ®


Of potential interest to researchers who don't have access to a spare 747 for a spot of pentesting is the new Microsoft Flight Simulator. Due for release in just over a week, the latest version of the classic sim franchise will include and support the use of ARINC 429-compatible navigation datasets, of the exact same type loaded into the 747 on a 3.5" floppy.

While the fidelity of the simulator software reading and executing that data may not be comparable with the real thing, inexpensive access to a real dataset can offer insights into further research areas – though the tale of the Boeing 787 and Warsaw's BIMPA 4U arrival is unlikely to be repeatable.

Biting the hand that feeds IT © 1998–2021