

8/7/2019
03:30 PM

Boeing 787 On-Board Network Vulnerable to Remote Hacking, Researcher Says

Boeing disputes IOActive findings ahead of security firm's Black Hat USA presentation.

BLACK HAT USA – Las Vegas – IOActive industrial cybersecurity expert Ruben Santamarta last fall discovered an Internet-exposed Boeing Co. server housing firmware specifications for the aviation manufacturer's 787 and 737 airplane networks.

Intrigued, Santamarta dug into the firmware for the 787, Boeing's highly networked plane. He meticulously reverse-engineered the binary code and analyzed configuration files – uncovering multiple security vulnerabilities that could allow an attacker to remotely gain access to the sensitive avionics network of the aircraft, also known as the crew information systems network.

"It turns out the firmware I was analyzing is part of the aircraft that is segregating between the different networks," he told Dark Reading prior to publicly disclosing his findings here today. The firmware belongs to a core network component in the 787's network and was riddled with buffer overflow, memory corruption, stack overflows, and denial-of-service flaws that he says could be exploited by a hacker to remotely reach the aircraft's sensitive crew information systems network module.

The flawed firmware Santamarta found, a VxWorks 6.2-based system from Honeywell known as the 787's Crew Information System File Server/Maintenance System Module, could be abused by a remote attacker who could then wrest control of that system, according to Santamarta's findings.

But Boeing maintains that its network defenses would thwart the attack cases IOActive is presenting, arguing that an attacker couldn't reach its avionics systems via these methods.

"IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," a Boeing spokesperson said. "After working with IOActive to understand its research, Boeing and its partners tested their findings in integrated environments, both in labs and on an airplane. Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed."

IOActive, meanwhile, says Boeing is mischaracterizing the research and contents of Santamarta's findings. "We have and will very clearly state the limitations of our purview in this research. We believe these limitations are clearly described in our white paper at a level even a layperson is able to comprehend," says John Sheehy, director of strategic security services at IOActive. 
 
Santamarta conducted his research in a lab setting and notes that the ultimate effect on the avionics system is unclear without access to an actual 787 aircraft. Even so, he says, an attacker exploiting the firmware could bypass security controls on the network and reach the avionics network. He or she then could attempt to update firmware of avionics systems, for instance, he says.
 
"We don't know if those [avionics] units are encrypted or [digitally] signed or how those units are verified, so I don't know if you can really affect the functionality or state of those critical units," he says. "We don't know what can be done after that because we don't have the avionics hardware" to test it.

The 787 has a core network cabinet system on-board that includes multiple network modules that segregate and provide network interfaces among the sensitive avionics network, the passenger information and in-flight entertainment system, and the aircraft maintenance system used by engineers, crew, and airline employees.

Boeing's 787 models come with various communications channels, including satellite devices and wireless connections for when the plane lands and connects to GateLink, an airline network that downloads information about the plane's arrival; it's also used by airlines or vendors to push firmware updates to the plane's network components, for example. The planes also have a wired port for maintenance operations while parked at the airport.

An attacker could hack into the network via the Internet or another network link to the plane, such as its wireless terminal that connects the plane to the airline's wireless network, Santamarta says.

Another possible attack could sabotage maintenance systems by running rogue tests or giving the maintenance engineer false information about a system function.

Santamarta also spotted two cases where proxy servers used by airlines to communicate with their 787 aircraft on the ground via GateLink were exposed on the public Internet. "So it was possible to compromise those servers," which could allow an attacker to reach the plane's network over the Internet, he says.

But Santamarta is careful to emphasize that he didn't perform any live tests against a 787 aircraft: All of his research was conducted in a lab setting. "These airport networks are exposed on the Internet. We analyzed those systems and networks, but at a very high level, and didn't perform any aggressive testing," he notes.

At the heart of the firmware issue, according to Santamarta, is that the Honeywell firmware was based on a version of VxWorks that was not certified for use in avionics. That left the systems vulnerable to flaws that then could be used to wage an attack on sensitive avionics systems, he says.

Just how much damage an attacker could do remains unknown without actually hacking a 787, he says. "We don't have a 787. Basically, you need a 787 to determine the impact of these vulnerabilities," he says. "We know they can be exploited; we don't know what we can do after exploiting those vulnerabilities."

Boeing Pushes Back
IOActive's Sheehy helped coordinate the firmware vulnerability disclosure process with Boeing, which he says removed the exposed firmware files within 24 hours of IOActive alerting them about finding the server online. Once Santamarta had identified the Honeywell device on the Boeing network, IOActive then worked with the vendor to study and troubleshoot the vulnerabilities. Sheehy says IOActive, Boeing, and Honeywell since have been meeting weekly about the issues.

But Boeing disputes IOActive's research conclusions.

"IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments," Boeing said in a statement provided to Dark Reading. "IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."  

The Boeing 787 core network security controls include IP table-filtering in the Ethernet gateway module of the core network, where different rules determine which traffic may pass from the open data network to the internal data network, for example. The aircraft also runs a firewall packet-filtering function based on a VxWorks library and employs system rules in the network interface module that help isolate the networks, Santamarta says.
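The filtering just described, gateway rules deciding which traffic may cross from the open data network to the internal data network, is easiest to reason about as a rule table evaluated first-match with a default deny. The Python below is an added example written for this article; it is not code from Boeing, Honeywell or IOActive, and the domain names, address prefixes, ports and rules are assumptions chosen for illustration, not the 787's actual configuration. It also includes a small policy audit that flags any rule which would carry open-network traffic into the avionics domain.

```python
"""Default-deny segregation filter between aircraft network domains.

Constructed illustration (not Boeing's, Honeywell's or IOActive's code) of
gateway rule evaluation between an open data network (ODN), an internal data
network (IDN) and an avionics domain. All names, prefixes and rules below are
assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical address plan (constructed), one prefix per domain.
DOMAINS = {
    "ODN": ip_network("10.10.0.0/16"),       # open data network: passenger / IFE side
    "IDN": ip_network("10.20.0.0/16"),       # internal data network: maintenance side
    "AVIONICS": ip_network("10.30.0.0/16"),  # crew information systems side
}


@dataclass(frozen=True)
class Rule:
    src_domain: str
    dst_domain: str
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None means any port
    action: str              # "ALLOW" or "DENY"


# Constructed rule table. Only explicit ALLOW rules forward traffic; the
# ODN -> AVIONICS DENY is redundant with the implicit default but makes the
# intent visible to anyone auditing the table.
RULES: List[Rule] = [
    Rule("IDN", "AVIONICS", "tcp", 22, "ALLOW"),   # maintenance tooling only
    Rule("ODN", "IDN", "tcp", 443, "ALLOW"),       # e.g. content sync into IDN
    Rule("ODN", "AVIONICS", "any", None, "DENY"),
]


def domain_of(addr: str) -> Optional[str]:
    """Map an address to its domain name, or None if it is in no known prefix."""
    ip = ip_address(addr)
    for name, net in DOMAINS.items():
        if ip in net:
            return name
    return None


def decide(rules: List[Rule], src: str, dst: str, proto: str, dst_port: int) -> str:
    """First-match evaluation of one flow against the table; default is DENY."""
    s, d = domain_of(src), domain_of(dst)
    if s is None or d is None:
        return "DENY"  # an address outside the plan is never forwarded
    for r in rules:
        if (r.src_domain == s and r.dst_domain == d
                and r.proto in ("any", proto)
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action
    return "DENY"


def allows_open_to_avionics(rules: List[Rule]) -> List[Rule]:
    """Policy audit: every ALLOW rule that would carry ODN traffic into AVIONICS."""
    return [r for r in rules
            if r.action == "ALLOW" and r.src_domain == "ODN" and r.dst_domain == "AVIONICS"]


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, dst_port).
    flows = [
        ("10.20.1.5", "10.30.0.9", "tcp", 22),   # IDN -> AVIONICS ssh: ALLOW
        ("10.10.1.5", "10.30.0.9", "tcp", 22),   # ODN -> AVIONICS ssh: DENY
        ("10.10.1.5", "10.20.0.9", "tcp", 443),  # ODN -> IDN https: ALLOW
        ("10.10.1.5", "10.20.0.9", "tcp", 80),   # ODN -> IDN http: DENY (no rule)
        ("192.0.2.7", "10.30.0.9", "udp", 53),   # unknown source prefix: DENY
    ]
    for f in flows:
        print(f, "->", decide(RULES, *f))
    print("ALLOW rules from ODN into AVIONICS:", allows_open_to_avionics(RULES))
```

Running the block prints a decision for each constructed flow. `allows_open_to_avionics` is the kind of static check a reviewer can run over a table before it ships, and because evaluation is first-match, an explicit early DENY also neutralises a later mistaken ALLOW. Note what the audit does not verify: the integrity of the gateway firmware that evaluates the table. That is precisely the gap the two sides dispute here; a segregation rule is only as strong as the module enforcing it.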

Santamarta says that both Boeing and Honeywell confirmed the flaws in the 787 firmware. "However, Boeing did not share with IOActive the version of the CIS/MS firmware they were using in their testing, despite the fact that this information was requested several times. So technically, all of the 787s currently in production contain the vulnerabilities, but Boeing denies those vulnerabilities are exploitable," he says.

Boeing's 787 Dreamliner, which has been plagued with manufacturing quality control and safety issues since it first went live in 2013, remains one of the most electronic-enabled and networked airplanes.

Santamarta now has published technical details of his research.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
