Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

03:30 PM
Connect Directly

Boeing 787 On-Board Network Vulnerable to Remote Hacking, Researcher Says

Boeing disputes IOActive findings ahead of security firm's Black Hat USA presentation.

BLACK HAT USA – Las Vegas – IOActive industrial cybersecurity expert Ruben Santamarta last fall discovered an Internet-exposed Boeing Co. server housing firmware specifications for the aviation manufacturer's 787 and 737 airplane networks.

Intrigued, Santamarta dug into the firmware for the 787, Boeing's highly networked plane. He meticulously reverse-engineered the binary code and analyzed configuration files – uncovering multiple security vulnerabilities that could allow an attacker to remotely gain access to the sensitive avionics network of the aircraft, also known as the crew information systems network.

"It turns out the firmware I was analyzing is part of the aircraft that is segregating between the different networks," he told Dark Reading prior to publicly disclosing his findings here today. The firmware belongs to a core network component in the 787's network and was riddled with buffer overflow, memory corruption, stack overflows, and denial-of-service flaws that he says could be exploited by a hacker to remotely reach the aircraft's sensitive crew information systems network module.

The flawed firmware Santamarta found, a VxWorks 6.2-based system from Honeywell known as the 787's Crew Information System File Server/Maintenance System Module, could be abused by a remote attacker who could then wrest control of that system, according to Santamarta's findings.

But Boeing maintains that its network defenses would thwart the attack cases IOActive is presenting, arguing that an attacker couldn't reach its avionics systems via these methods.

"IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," a Boeing spokesperson said. "After working with IOActive to understand its research, Boeing and its partners tested their findings in integrated environments, both in labs and on an airplane. Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed."

IOActive, meanwhile, says Boeing is mischaracterizing the research and contents of Santamarta's findings. "We have and will very clearly state the limitations of our purview in this research. We believe these limitations are clearly described in our white paper at a level even a layperson is able to comprehend," says John Sheehy, director of strategic security services at IOActive. 
Santamarta conducted his research in a lab setting and notes that the ultimate effect on the avionics system is unclear without access to an actual 787 aircraft. Even so, he says, an attacker exploiting the firmware could bypass security controls on the network and reach the avionics network. He or she then could attempt to update firmware of avionics systems, for instance, he says.
"We don't know if those [avionics] units are encrypted or [digitally] signed or how those units are verified, so I don't know if you can really affect the functionality or state of those critical units," he says. "We don't know what can be done after that because we don't have the avionics hardware" to test it.

The 787 has a core network cabinet system on-board that includes multiple network modules that segregate and provide network interfaces among the sensitive avionics network, the passenger information and in-flight entertainment system, and the aircraft maintenance system used by engineers, crew, and airline employees.

Boeing's 787 models come with various communications channels, including satellite devices and wireless connections for when the plane lands and connects to GateLink, an airline network that downloads information about the plane's arrival; it's also used by airlines or vendors to push firmware updates to the plane's network components, for example. The planes also have a wired port for maintenance operations while parked at the airport.

An attacker could hack into the network via the Internet or another network link to the plane, such as its wireless terminal that connects the plane to the airline's wireless network, Santamarta says.

Another possible attack could sabotage maintenance systems by running rogue tests or giving the maintenance engineer false information about a system function.

Santamarta also spotted two cases where proxy servers used by airlines to communicate with their 787 aircrafts on the ground via GateLink were exposed on the public Internet. "So it was possible to compromise those servers," which could allow an attacker to reach the plane's network over the Internet, he says.

But Santamarta is careful to emphasize that he didn't perform any live tests against a 787 aircraft: All of his research was conducted in a lab setting. "These airport networks are exposed on the Internet. We analyzed those systems and networks, but at a very high level, and didn't perform any aggressive testing," he notes.

At the heart of the firmware issue, according to Santamarta, is that the Honeywell firmware was based on a version of VxWorks that was not certified for use in avionics. That left the systems vulnerable to flaws that then could be used to wage an attack on sensitive avionics systems, he says.

Just how much damage or danger an attacker could execute remains unknown without actually hacking a 787, he says. "We don't have a 787. Basically, you need a 787 to determine the impact of these vulnerabilities," he says. "We know they can be exploited; we don't know what we can do after exploiting those vulnerabilities."

Boeing Pushes Back
IOActive's Sheehy helped coordinate the firmware vulnerability disclosure process with Boeing, which he says removed the exposed firmware files within 24 hours of IOActive alerting them about finding the server online. Once Santamarta had identified the Honeywell device on the Boeing network, IOActive then worked with the vendor to study and troubleshoot the vulnerabilities. Sheehy says IOActive, Boeing, and Honeywell since have been meeting weekly about the issues.

But Boeing disputes IOActive's research conclusions.

"IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments," Boeing said in a statement provided to Dark Reading. "IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."  

The Boeing 787 core network security controls includes IP table-filtering in the Ethernet gateway module of the core network, where different rules determine which traffic goes from the open data network to the internal data network, for example. The aircraft also runs a firewall packet-filtering function based on a VxWorks library and employs system rules in the network interface module that help isolate the networks, Santamarta says.

Santamarta says that both Boeing and Honeywell confirmed the flaws in the 787 firmware. "However, Boeing did not share with IOActive the version of the CIS/MS firmware they were using in their testing, despite the fact that this information was requested several times. So technically, all of the 787 currently in production contain the vulnerabilities, but Boeing denies those vulnerabilities are exploitable," he says.

Boeing's 787 Dreamliner, which has been plagued with manufacturing quality control and safety issues since it first went live in 2013, remains one of the most electronic-enabled and networked airplanes.

Santamarta now has published technical details of his research.

Related Content:


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...