
03:30 PM
Boeing 787 On-Board Network Vulnerable to Remote Hacking, Researcher Says

Boeing disputes IOActive findings ahead of security firm's Black Hat USA presentation.

BLACK HAT USA – Las Vegas – IOActive industrial cybersecurity expert Ruben Santamarta last fall discovered an Internet-exposed Boeing Co. server housing firmware specifications for the aviation manufacturer's 787 and 737 airplane networks.

Intrigued, Santamarta dug into the firmware for the 787, Boeing's highly networked plane. He meticulously reverse-engineered the binary code and analyzed configuration files – uncovering multiple security vulnerabilities that could allow an attacker to remotely gain access to the sensitive avionics network of the aircraft, also known as the crew information systems network.

"It turns out the firmware I was analyzing is part of the aircraft that is segregating between the different networks," he told Dark Reading prior to publicly disclosing his findings here today. The firmware belongs to a core network component in the 787's network and was riddled with buffer overflow, memory corruption, stack overflow, and denial-of-service flaws that he says could be exploited by a hacker to remotely reach the aircraft's sensitive crew information systems network module.

The flawed firmware Santamarta found, a VxWorks 6.2-based system from Honeywell known as the 787's Crew Information System File Server/Maintenance System Module, could be abused by a remote attacker who could then wrest control of that system, according to Santamarta's findings.

But Boeing maintains that its network defenses would thwart the attack cases IOActive is presenting, arguing that an attacker couldn't reach its avionics systems via these methods.

"IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," a Boeing spokesperson said. "After working with IOActive to understand its research, Boeing and its partners tested their findings in integrated environments, both in labs and on an airplane. Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed."

IOActive, meanwhile, says Boeing is mischaracterizing the research and contents of Santamarta's findings. "We have and will very clearly state the limitations of our purview in this research. We believe these limitations are clearly described in our white paper at a level even a layperson is able to comprehend," says John Sheehy, director of strategic security services at IOActive.

Santamarta conducted his research in a lab setting and notes that the ultimate effect on the avionics system is unclear without access to an actual 787 aircraft. Even so, he says, an attacker exploiting the firmware could bypass security controls on the network and reach the avionics network. He or she then could attempt to update firmware of avionics systems, for instance, he says.

"We don't know if those [avionics] units are encrypted or [digitally] signed or how those units are verified, so I don't know if you can really affect the functionality or state of those critical units," he says. "We don't know what can be done after that because we don't have the avionics hardware" to test it.

The 787 has a core network cabinet system on-board that includes multiple network modules that segregate and provide network interfaces among the sensitive avionics network, the passenger information and in-flight entertainment system, and the aircraft maintenance system used by engineers, crew, and airline employees.

Boeing's 787 models come with various communications channels, including satellite devices and wireless connections for when the plane lands and connects to GateLink, an airline network that downloads information about the plane's arrival; it's also used by airlines or vendors to push firmware updates to the plane's network components, for example. The planes also have a wired port for maintenance operations while parked at the airport.

An attacker could hack into the network via the Internet or another network link to the plane, such as its wireless terminal that connects the plane to the airline's wireless network, Santamarta says.

Another possible attack could sabotage maintenance systems by running rogue tests or giving the maintenance engineer false information about a system function.

Santamarta also spotted two cases where proxy servers used by airlines to communicate with their 787 aircraft on the ground via GateLink were exposed on the public Internet. "So it was possible to compromise those servers," which could allow an attacker to reach the plane's network over the Internet, he says.

But Santamarta is careful to emphasize that he didn't perform any live tests against a 787 aircraft: All of his research was conducted in a lab setting. "These airport networks are exposed on the Internet. We analyzed those systems and networks, but at a very high level, and didn't perform any aggressive testing," he notes.

At the heart of the firmware issue, according to Santamarta, is that the Honeywell firmware was based on a version of VxWorks that was not certified for use in avionics. That left the systems vulnerable to flaws that then could be used to wage an attack on sensitive avionics systems, he says.

Just how much damage or danger an attacker could cause remains unknown without actually hacking a 787, he says. "We don't have a 787. Basically, you need a 787 to determine the impact of these vulnerabilities," he says. "We know they can be exploited; we don't know what we can do after exploiting those vulnerabilities."

Boeing Pushes Back

IOActive's Sheehy helped coordinate the firmware vulnerability disclosure process with Boeing, which he says removed the exposed firmware files within 24 hours of IOActive alerting them about finding the server online. Once Santamarta had identified the Honeywell device on the Boeing network, IOActive then worked with the vendor to study and troubleshoot the vulnerabilities. Sheehy says IOActive, Boeing, and Honeywell since have been meeting weekly about the issues.

But Boeing disputes IOActive's research conclusions.

"IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments," Boeing said in a statement provided to Dark Reading. "IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."  

The Boeing 787 core network security controls include IP table-filtering in the Ethernet gateway module of the core network, where different rules determine which traffic goes from the open data network to the internal data network, for example. The aircraft also runs a firewall packet-filtering function based on a VxWorks library and employs system rules in the network interface module that help isolate the networks, Santamarta says.

Santamarta says that both Boeing and Honeywell confirmed the flaws in the 787 firmware. "However, Boeing did not share with IOActive the version of the CIS/MS firmware they were using in their testing, despite the fact that this information was requested several times. So technically, all of the 787 currently in production contain the vulnerabilities, but Boeing denies those vulnerabilities are exploitable," he says.

Boeing's 787 Dreamliner, which has been plagued with manufacturing quality control and safety issues since it first went live in 2013, remains one of the most electronic-enabled and networked airplanes.

Santamarta now has published technical details of his research.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
