Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing’s network, seemingly full of code designed to run on the company’s giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it.
So he downloaded everything he could see.
Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner’s components, deep in the plane’s multi-tiered network. He suggests that for a hacker, exploiting those bugs could represent one step in a multistage attack that starts in the plane’s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.
Boeing flatly denies that such an attack is possible, and it rejects his claim of having discovered a potential path to pull it off. Santamarta himself admits that he doesn’t have a full enough picture of the aircraft—or access to a $250 million jet—to confirm his claims. But he and other avionics cybersecurity researchers who have reviewed his findings argue that while a full-on cyberattack on a plane’s most sensitive systems remains far from a material threat, the flaws uncovered in the 787’s code nonetheless represent a troubling lack of attention to cybersecurity from Boeing. They also say that the company’s responses have not been altogether reassuring, given the critical importance of keeping commercial airplanes safe from hackers.
At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane’s network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane’s safety-critical systems, including its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787’s network architecture would make that progression impossible.
Santamarta admits that he doesn’t have enough visibility into the 787’s internals to know if those security barriers are circumventable. But he says his research nonetheless represents a significant step toward showing the possibility of an actual plane-hacking technique. “We don’t have a 787 to test, so we can’t assess the impact,” Santamarta says. “We’re not saying it’s doomsday, or that we can take a plane down. But we can say: This shouldn’t happen.”
In a statement, Boeing said it had investigated IOActive’s claims and concluded that they don’t represent any real threat of a cyberattack. “IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system,” the company’s statement reads. “IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we’re disappointed in IOActive’s irresponsible presentation.”
In a follow-up call with WIRED, a company spokesperson said that in investigating IOActive’s claims, Boeing had gone so far as to put an actual Boeing 787 in “flight mode” for testing, and then had its security engineers attempt to exploit the vulnerabilities that Santamarta had exposed. They found that they couldn’t carry out a successful attack. Honeywell, which supplied Boeing with the code for the CIS/MS, also wrote in a statement to WIRED that “after extensive testing, Honeywell and its partners determined there is no threat to flight safety as the 787’s critical systems cannot be affected.”
IOActive’s attack claims—as well as Honeywell’s and Boeing’s denials—are based on the specific architecture of the 787’s internals. The Dreamliner’s digital systems are divided into three networks: an Open Data Network, where non-sensitive components like the in-flight entertainment system live; an Isolated Data Network, which includes somewhat more sensitive components like the CIS/MS that IOActive targeted; and finally the Common Data Network, the most sensitive of the three, which connects to the plane’s avionics and safety systems. Santamarta claims that the vulnerabilities he found in the CIS/MS, sandwiched between the ODN and CDN, provide a bridge from one to the other.
But Boeing counters that it has both “additional protection mechanisms” in the CIS/MS that would prevent its bugs from being exploited from the ODN, and another hardware device between the semi-sensitive IDN—where the CIS/MS is located—and the highly sensitive CDN. That second barrier, the company argues, allows only data to pass from one part of the network to the other, rather than the executable commands that would be necessary to affect the plane’s critical systems.
“Although we do not provide details about our cybersecurity measures and protections for security reasons, Boeing is confident that its airplanes are safe from cyberattack,” the company’s statement concludes.
Boeing says it also consulted with the Federal Aviation Administration and the Department of Homeland Security about Santamarta’s attack. While the DHS didn’t respond to a request for comment, an FAA spokesperson wrote in a statement to WIRED that it’s “satisfied with the manufacturer’s assessment of the issue.”
“This Is Security 101”
The new claims of software flaws come against the backdrop of the ongoing scandal over Boeing’s grounded 737 Max aircraft, after that aircraft’s faulty controls contributed to two crashes that killed 346 people. At the same time, Santamarta has his own history of unresolved disagreements with the aerospace industry over its cybersecurity measures. He previously hacked a Panasonic Avionics in-flight entertainment system. And at last year’s Black Hat conference, for instance, he presented vulnerabilities in satellite communication systems that he said could be used to hack some non-sensitive airplane systems. The Aviation Industry Sharing and Analysis Center shot back in a press release that his findings were based on “technical errors.” Santamarta countered that the A-ISAC was “killing the messenger,” attempting to discredit him rather than address his research.
But even granting Boeing’s claims about its security barriers, the flaws Santamarta found are egregious enough that they shouldn’t be dismissed, says Stefan Savage, a computer science professor at the University of California at San Diego, who is currently working with other academic researchers on an avionics cybersecurity testing platform. “The claim that one shouldn’t worry about a vulnerability because other protections prevent it from being exploited has a very bad history in computer security,” Savage says. “Typically, where there’s smoke there’s fire.”
Savage points in particular to a vulnerability Santamarta highlighted in a version of the embedded operating system VxWorks, in this case customized for Boeing by Honeywell. Santamarta found that when an application asks to write to the underlying computer’s memory, the tailored operating system doesn’t properly check that it’s not instead overwriting the kernel, the most sensitive core of the operating system. Combined with several application-level bugs Santamarta found, that so-called parameter-check privilege escalation vulnerability represents a serious flaw, Savage argues, made more serious by the notion that VxWorks likely runs in many other components on the plane that might have the same bug.
“Every piece of software has bugs. But this is not where I’d like to find the bugs. Checking user parameters is security 101,” Savage says. “They shouldn’t have these kinds of straightforward vulnerabilities, especially in the kernel. In this day and age, it would be inconceivable for a consumer operating system to not check user pointer parameters, so I’d expect the same of an airplane.”
Another academic avionics cybersecurity researcher, Karl Koscher at the University of Washington, says he’s found such serious security flaws in an aircraft component as those Santamarta reported in the CIS/MS. “Perhaps Boeing intentionally treated it as untrusted, and the rest of the system can handle that untrusted bit,” Koscher says.”But saying, ‘It doesn’t matter because there are mitigations further down’ isn’t that good an answer. Especially if some of the mitigations turn out to be not as robust as you think they are.”
Koscher also points to the CIS/MS access to the Electronic Flight Bag, full of documents and navigation materials a plane’s pilot might refer to via a tablet in the cockpit. Corrupting that data could cause its own form of mayhem. “If you can create confusion and misinformation in the cockpit, that could lead to some pretty bad outcomes,” Koscher notes. (A Boeing spokesperson says that the EFB can’t be compromised from the CIS/MS, either, despite both being located in the same part of the 787’s network.)
Big, flying collections of computers
To be clear, neither Savage nor Koscher believe that, based on Santamarta’s findings alone, a hacker could cause any immediate danger to an aircraft or its passengers. “This is a long way from an imminent safety threat. Based on what they have now, I think you could let the IOActive guys run amok on a 787 and I’d still be comfortable flying on it,” Savage says. “But Boeing has work to do.”
Assessing whether IOActive’s findings truly represent a step toward a serious attack is difficult, Savage points out, simply due to the impossible logistics of airplane security research. Companies like Boeing have the means to comprehensively test a quarter-billion-dollar aircraft’s security, but also have deep conflicts of interest about what results they publish. Independent hackers like IOActive’s Santamarta don’t have the resources to carry out those complete investigations—even as highly resourced state hackers or others willing to test on live, airborne planes might.
Santamarta’s research, despite Boeing’s denials and assurances, should be a reminder that aircraft security is far from a solved area of cybersecurity research. “This is a reminder that planes, like cars, depend on increasingly complex networked computer systems,” Savage says. “They don’t get to escape the vulnerabilities that come with this.”