
A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts


SOURCE: https://www.wired.com/story/boeing-787-code-leak-security-flaws/
Summary

An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors.

"While we appreciate responsible engagement from independent cybersecurity researchers, we’re disappointed in IOActive’s irresponsible presentation."

In a follow-up call with WIRED, a company spokesperson said that in investigating IOActive's claims, Boeing had gone so far as to put an actual Boeing 787 in "flight mode" for testing, and then had its security engineers attempt to exploit the vulnerabilities that Santamarta had exposed. That second barrier, the company argues, allows only data to pass from one part of the network to the other, rather than the executable commands that would be necessary to affect the plane's critical systems.

"Although we do not provide details about our cybersecurity measures and protections for security reasons, Boeing is confident that its airplanes are safe from cyberattack," the company's statement concludes.

Boeing says it also consulted with the Federal Aviation Administration and the Department of Homeland Security about Santamarta's attack. The Aviation Industry Sharing and Analysis Center shot back in a press release that his findings were based on "technical errors." Santamarta countered that the A-ISAC was "killing the messenger," attempting to discredit him rather than address his research.

But even granting Boeing's claims about its security barriers, the flaws Santamarta found are egregious enough that they shouldn't be dismissed, says Stefan Savage, a computer science professor at the University of California at San Diego, who is currently working with other academic researchers on an avionics cybersecurity testing platform.

"In this day and age, it would be inconceivable for a consumer operating system to not check user pointer parameters, so I'd expect the same of an airplane."

"This shouldn’t happen." Ruben Santamarta, IOActive

Another academic avionics cybersecurity researcher, Karl Koscher at the University of Washington, says he's found such serious security flaws in an aircraft component as those Santamarta reported in the CIS/MS.

As said here by Andy Greenberg