Dark Reading

Vulnerabilities / Threats

8/7/2019
03:30 PM
Boeing 787 On-Board Network Vulnerable to Remote Hacking, Researcher Says

Boeing disputes IOActive findings ahead of security firm's Black Hat USA presentation.

BLACK HAT USA – Las Vegas – IOActive industrial cybersecurity expert Ruben Santamarta last fall discovered an Internet-exposed Boeing Co. server housing firmware specifications for the aviation manufacturer's 787 and 737 airplane networks.

Intrigued, Santamarta dug into the firmware for the 787, Boeing's highly networked plane. He meticulously reverse-engineered the binary code and analyzed configuration files – uncovering multiple security vulnerabilities that could allow an attacker to remotely gain access to the sensitive avionics network of the aircraft, also known as the crew information systems network.

"It turns out the firmware I was analyzing is part of the aircraft that is segregating between the different networks," he told Dark Reading prior to publicly disclosing his findings here today. The firmware belongs to a core network component in the 787's network and was riddled with buffer overflow, memory corruption, stack overflow, and denial-of-service flaws that he says could be exploited by a hacker to remotely reach the aircraft's sensitive crew information systems network module.

The flawed firmware Santamarta found, a VxWorks 6.2-based system from Honeywell known as the 787's Crew Information System File Server/Maintenance System Module, could be abused by a remote attacker who could then wrest control of that system, according to Santamarta's findings.

But Boeing maintains that its network defenses would thwart the attack cases IOActive is presenting, arguing that an attacker couldn't reach its avionics systems via these methods.

"IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," a Boeing spokesperson said. "After working with IOActive to understand its research, Boeing and its partners tested their findings in integrated environments, both in labs and on an airplane. Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed."

IOActive, meanwhile, says Boeing is mischaracterizing the research and contents of Santamarta's findings. "We have and will very clearly state the limitations of our purview in this research. We believe these limitations are clearly described in our white paper at a level even a layperson is able to comprehend," says John Sheehy, director of strategic security services at IOActive. 
 
Santamarta conducted his research in a lab setting and notes that the ultimate effect on the avionics system is unclear without access to an actual 787 aircraft. Even so, he says, an attacker exploiting the firmware could bypass security controls on the network and reach the avionics network. He or she then could attempt to update firmware of avionics systems, for instance, he says.
 
"We don't know if those [avionics] units are encrypted or [digitally] signed or how those units are verified, so I don't know if you can really affect the functionality or state of those critical units," he says. "We don't know what can be done after that because we don't have the avionics hardware" to test it.

The 787 has a core network cabinet system on-board that includes multiple network modules that segregate and provide network interfaces among the sensitive avionics network, the passenger information and in-flight entertainment system, and the aircraft maintenance system used by engineers, crew, and airline employees.

Boeing's 787 models come with various communications channels, including satellite devices and wireless connections for when the plane lands and connects to GateLink, an airline network that downloads information about the plane's arrival; it's also used by airlines or vendors to push firmware updates to the plane's network components, for example. The planes also have a wired port for maintenance operations while parked at the airport.

An attacker could hack into the network via the Internet or another network link to the plane, such as its wireless terminal that connects the plane to the airline's wireless network, Santamarta says.

Another possible attack could sabotage maintenance systems by running rogue tests or giving the maintenance engineer false information about a system function.

Santamarta also spotted two cases where proxy servers used by airlines to communicate with their 787 aircraft on the ground via GateLink were exposed on the public Internet. "So it was possible to compromise those servers," which could allow an attacker to reach the plane's network over the Internet, he says.

But Santamarta is careful to emphasize that he didn't perform any live tests against a 787 aircraft: All of his research was conducted in a lab setting. "These airport networks are exposed on the Internet. We analyzed those systems and networks, but at a very high level, and didn't perform any aggressive testing," he notes.

At the heart of the firmware issue, according to Santamarta, is that the Honeywell firmware was based on a version of VxWorks that was not certified for use in avionics. That left the systems vulnerable to flaws that then could be used to wage an attack on sensitive avionics systems, he says.

Just how much damage or danger an attacker could execute remains unknown without actually hacking a 787, he says. "We don't have a 787. Basically, you need a 787 to determine the impact of these vulnerabilities," he says. "We know they can be exploited; we don't know what we can do after exploiting those vulnerabilities."

Boeing Pushes Back
IOActive's Sheehy helped coordinate the firmware vulnerability disclosure process with Boeing, which he says removed the exposed firmware files within 24 hours of IOActive alerting them about finding the server online. Once Santamarta had identified the Honeywell device on the Boeing network, IOActive then worked with the vendor to study and troubleshoot the vulnerabilities. Sheehy says IOActive, Boeing, and Honeywell since have been meeting weekly about the issues.

But Boeing disputes IOActive's research conclusions.

"IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments," Boeing said in a statement provided to Dark Reading. "IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."  

The Boeing 787 core network security controls include IP table-filtering in the Ethernet gateway module of the core network, where different rules determine which traffic may pass from the open data network to the internal data network, for example. The aircraft also runs a firewall packet-filtering function based on a VxWorks library and employs system rules in the network interface module that help isolate the networks, Santamarta says.

Santamarta says that both Boeing and Honeywell confirmed the flaws in the 787 firmware. "However, Boeing did not share with IOActive the version of the CIS/MS firmware they were using in their testing, despite the fact that this information was requested several times. So technically, all of the 787s currently in production contain the vulnerabilities, but Boeing denies those vulnerabilities are exploitable," he says.

Boeing's 787 Dreamliner, which has been plagued with manufacturing quality control and safety issues since it first went live in 2013, remains one of the most electronic-enabled and networked airplanes.

Santamarta now has published technical details of his research.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
