Boeing said there's no "quick" patch program for software in the aviation industry, and development of software for planes follows specific regulatory guidelines.
Jeffrey Troy, executive director of the Aviation-ISAC, the official threat intelligence-sharing arm of the industry, describes patching in avionics systems as a "case-by-case" situation. "Every instance of a vulnerability is a unique case," he says. "You also have to understand what the impact is and how to address it based on that impact."
He says aviation companies, when contacted by researchers, listen and then vet the findings. "They go out and conduct tests to validate whether or not the vuln that has been made known can be replicated. And if so, they do their assessments to determine what they need to do," he notes.
It's only a matter of time before Boeing and other aviation industry vendors are forced to find common ground with the researcher community, experts say. The increasingly networked aircraft fleet naturally will open avenues for security holes that need spotting and fixing.
"We've gone literally from having to physically go to planes and their avionics and upload a floppy [disk] for 20 minutes to now updating them over the air," Pen Test Partners' Munro notes. "You get reduced costs, but it [brings] security implications, too."
And aviation firms have invested large amounts of money in developing safe and secure code, he says. "It will be some time before avionics opens up their source code" to security researchers, though, he says.
John Sheehy, IOActive's director of strategic security services, worked with Santamarta on his disclosure with Boeing. He believes some good progress has been made in relationships between researchers and the avionics industry over the past three years.
"Boeing clearly understood what Ruben was going to present [at Black Hat]," Sheehy says. "They did not take any aggressive action to stop us from doing so. I think they understand the value of this kind of research."