Boeing 787 On-Board Network Vulnerable to Remote Hacking, Researcher SaysBoeing disputes IOActive findings ahead of security firm's Black Hat USA presentation.
BLACK HAT USA – Las Vegas – IOActive industrial cybersecurity expert Ruben Santamarta last fall discovered an Internet-exposed Boeing Co. server housing firmware specifications for the aviation manufacturer's 787 and 737 airplane networks.
Intrigued, Santamarta dug into the firmware for the 787, Boeing's highly networked plane. He meticulously reverse-engineered the binary code and analyzed configuration files – uncovering multiple security vulnerabilities that could allow an attacker to remotely gain access to the sensitive avionics network of the aircraft, also known as the crew information systems network.
"It turns out the firmware I was analyzing is part of the aircraft that is segregating between the different networks," he told Dark Reading prior to publicly disclosing his findings here today. The firmware belongs to a core network component in the 787's network and was riddled with buffer overflow, memory corruption, stack overflows, and denial-of-service flaws that he says could be exploited by a hacker to remotely reach the aircraft's sensitive crew information systems network module.
The flawed firmware Santamarta found, a VxWorks 6.2-based system from Honeywell known as the 787's Crew Information System File Server/Maintenance System Module, could be abused by a remote attacker who could then wrest control of that system, according to Santamarta's findings.
But Boeing maintains that its network defenses would thwart the attack cases IOActive is presenting, arguing that an attacker couldn't reach its avionics systems via these methods.
"IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," a Boeing spokesperson said. "After working with IOActive to understand its research, Boeing and its partners tested their findings in integrated environments, both in labs and on an airplane. Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed."
IOActive, meanwhile, says Boeing is mischaracterizing the research and contents of Santamarta's findings. "We have and will very clearly state the limitations of our purview in this research. We believe these limitations are clearly described in our white paper at a level even a layperson is able to comprehend," says John Sheehy, director of strategic security services at IOActive.
Santamarta conducted his research in a lab setting and notes that the ultimate effect on the avionics system is unclear without access to an actual 787 aircraft. Even so, he says, an attacker exploiting the firmware could bypass security controls on the network and reach the avionics network. He or she then could attempt to update firmware of avionics systems, for instance, he says.
"We don't know if those [avionics] units are encrypted or [digitally] signed or how those units are verified, so I don't know if you can really affect the functionality or state of those critical units," he says. "We don't know what can be done after that because we don't have the avionics hardware" to test it.
The 787 has a core network cabinet system on-board that includes multiple network modules that segregate and provide network interfaces among the sensitive avionics network, the passenger information and in-flight entertainment system, and the aircraft maintenance system used by engineers, crew, and airline employees.
Boeing's 787 models come with various communications channels, including satellite devices and wireless connections for when the plane lands and connects to GateLink, an airline network that downloads information about the plane's arrival; it's also used by airlines or vendors to push firmware updates to the plane's network components, for example. The planes also have a wired port for maintenance operations while parked at the airport.
An attacker could hack into the network via the Internet or another network link to the plane, such as its wireless terminal that connects the plane to the airline's wireless network, Santamarta says.
Another possible attack could sabotage maintenance systems by running rogue tests or giving the maintenance engineer false information about a system function.
Santamarta also spotted two cases where proxy servers used by airlines to communicate with their 787 aircrafts on the ground via GateLink were exposed on the public Internet. "So it was possible to compromise those servers," which could allow an attacker to reach the plane's network over the Internet, he says.
But Santamarta is careful to emphasize that he didn't perform any live tests against a 787 aircraft: All of his research was conducted in a lab setting. "These airport networks are exposed on the Internet. We analyzed those systems and networks, but at a very high level, and didn't perform any aggressive testing," he notes.
At the heart of the firmware issue, according to Santamarta, is that the Honeywell firmware was based on a version of VxWorks that was not certified for use in avionics. That left the systems vulnerable to flaws that then could be used to wage an attack on sensitive avionics systems, he says.
Just how much damage or danger an attacker could execute remains unknown without actually hacking a 787, he says. "We don't have a 787. Basically, you need a 787 to determine the impact of these vulnerabilities," he says. "We know they can be exploited; we don't know what we can do after exploiting those vulnerabilities."
Boeing Pushes Back
IOActive's Sheehy helped coordinate the firmware vulnerability disclosure process with Boeing, which he says removed the exposed firmware files within 24 hours of IOActive alerting them about finding the server online. Once Santamarta had identified the Honeywell device on the Boeing network, IOActive then worked with the vendor to study and troubleshoot the vulnerabilities. Sheehy says IOActive, Boeing, and Honeywell since have been meeting weekly about the issues.
But Boeing disputes IOActive's research conclusions.
"IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments," Boeing said in a statement provided to Dark Reading. "IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."
The Boeing 787 core network security controls includes IP table-filtering in the Ethernet gateway module of the core network, where different rules determine which traffic goes from the open data network to the internal data network, for example. The aircraft also runs a firewall packet-filtering function based on a VxWorks library and employs system rules in the network interface module that help isolate the networks, Santamarta says.
Santamarta says that both Boeing and Honeywell confirmed the flaws in the 787 firmware. "However, Boeing did not share with IOActive the version of the CIS/MS firmware they were using in their testing, despite the fact that this information was requested several times. So technically, all of the 787 currently in production contain the vulnerabilities, but Boeing denies those vulnerabilities are exploitable," he says.
Boeing's 787 Dreamliner, which has been plagued with manufacturing quality control and safety issues since it first went live in 2013, remains one of the most electronic-enabled and networked airplanes.
Santamarta now has published technical details of his research.
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio