Remote Hack of a Boeing 757

Last month, the DHS announced that it was able to remotely hack a Boeing 757:

“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.

“[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.” Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft.

Posted on December 12, 2017 at 6:08 AM • 61 Comments

Comments

David Rudling December 12, 2017 6:20 AM

An informative note for the likes of those who read this column, but what is required is that, if the flight control system is one that can be compromised, a 757 full of members of both houses of congress and selected journalists be subjected to a remotely controlled nausea-inducing manoeuvre as a practical demonstration. That will achieve more than 100 reports like Mr Hickey’s.

David Rudling December 12, 2017 6:26 AM

Sorry, I should have said both chambers of congress. I am betraying my English origins where we have 2 houses of parliament.

Brian G December 12, 2017 6:31 AM

@Rudling Don’t worry about it, you still know more about the U.S. political system than most Americans.

Wael December 12, 2017 6:49 AM

“I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”

Spook-talk for: I pinged the WiFi system on the plane and got “something” back. Establish a presence, typical stuff? Seriously? Boogie boogie!!!

me December 12, 2017 7:16 AM

@Wael

I think more or less the same; I can’t find the link anymore, but I saw a presentation from InversePath (an Italian security company).
They showed that planes have 3 different networks:
- the pilot area network, which is isolated from the rest of the plane (isolated means that THE RECEIVING SIDE of the optical fiber is physically cut)
- another intermediate network, less trusted
- and the passengers’ wifi, which is completely untrusted.

So if we suppose that they have hacked the untrusted area, well, they got persistence, and so? It’s not that they can remote control the plane.
Also there is no information about what has been compromised, how, in which conditions, the effects… nothing. I assume that this news is real but come on… I understand that they can’t give details but this is just nonsense news.

Wael December 12, 2017 7:39 AM

@me,

so if we suppose that they have hacked the untrusted area, well they got persistence and so?

So they can spy on the movie you watch or what you order for food. They can also send a message on behalf of a rowdy traveler to frame him… the possibilities are endless. I won’t speculate more on what else can be done.

nothing. I assume that this news is real but come on…

Yeah. They must have found something. But all they told us is: we found something and we won’t tell you what it is! So they’re telling you they know something that (they think) you don’t know 😉

on… I understand that they can’t give details

Wouldn’t surprise me if that’s the same report they sent to their upper management to justify more funding: hey! We found “stuff” and we need more money to find more stuff.

I have a feeling they “established presence” on a Boeing version of one of these bad boys 🙂

RndmNmbr December 12, 2017 7:40 AM

This was quite possibly done using a software defined radio against the ACARS, ADS-B, TCAS, or some combination of these. Unlike WiFi, these all directly communicate with the flight deck avionics in a bi-directional manner.

The security on these RF interfaces is somewhere between horrid and non-existent. The safety design of the software that runs on these types of boxes (DO-178 DAL A, DAL B, etc.) is well thought out, but the security is not.

Those of us in the industry with any kind of security awareness have been complaining about this for a very long time. The FAA has their collective heads firmly in the sand on this issue, and will probably leave them there until something catastrophic happens.

Peter A. December 12, 2017 7:52 AM

I can’t remember where I’ve seen this, but I’ve read some rumors that they got some result by transmitting crafted ACARS messages. No details, though.

I can imagine you could social-engineer pilots into accepting a somewhat sketchy flight plan update sent via ACARS or cause a diversion by sending fake emergency “news”, but were the researchers able to exploit some vulnerability (like a buffer overflow) in the flight management system by sending corrupted messages? What subsystems could they disable/control? Were they able to inject their own code into some of the computers? Was it permanent? What are the real consequences? It is all “secret”.

Flight automation is connected to external digital radio input so there’s a potential for remote exploits. However, pilots are trained to fly with a lot of the flight automation subsystems out of service. They know which circuit-breakers to trip in order to disable or power-cycle most of them and when to do or not to do it. Disabling or disturbing FMS makes pilots’ work harder but is no emergency.

Is it possible to “jump” from there to the fly-by-wire system and send commands to control surface actuators? Or control the engine controllers? The latter are quite strongly isolated, so probably no chance to mess with engine internals, but is it possible to send power off or idle thrust commands and override/jam commands generated in the normal way from cockpit controls? These would be the real issues. So far, nobody has demonstrated it’s doable. I’m still much more afraid of the TSA, CBP and the likes of them screwing up my life than of Airbus/Boeing engineers screwing up control systems security.

Wael December 12, 2017 7:58 AM

@RndmNmbr,

This was quite possibly done using a software defined radio against the ACARS, ADS-B, TCAS, or some combination of these…

The most likely scenario. But it will require the attack to be mounted from another plane flying close to the target, or the attack to be mounted from a terrestrial station, unless one can compromise a satellite link, which isn’t evident from the brief description given.

and will probably leave them there until something catastrophic happens.

Maybe that has already happened! A backdoor that has been compromised?

SecurityPro2704 December 12, 2017 8:05 AM

The inherent issue is that there is constant communication with the ground operations and even the manufacturer of the planes to alert them of any technical difficulties with the systems.

If there’s an open line of communication with the plane that means that anyone who has the knowledge of how to make a connection to those same systems. Fly-by-wire is a huge leap in the aviation industry but it also means that there is more that can go wrong.

Wael December 12, 2017 8:09 AM

@Peter A,

I can imagine you could social-engineer pilots into accepting a somewhat sketchy flight plan update sent via ACARS or cause a diversion…

MH370 is a prime candidate. Except it’s not social engineering; it would look like a legitimate system update that pilots need to trust.

RndmNmbr December 12, 2017 8:33 AM

@Wael

I think you underestimate the range of the VHF and UHF datalinks involved here. ACARS VHF is an air-to-ground link that has surprisingly long range. Similarly, ADS-B has very long range when the aircraft is in line-of-sight. Communicating with a transport aircraft at cruising altitude from the ground is trivial.

The SATCOM side is much more difficult to compromise.

Peter A. December 12, 2017 9:51 AM

@Wael: MH370 is a prime candidate for what? A remote hack removing pilots from the control loop? We do not know what has happened and there’s zero evidence of such a scenario, so it is not a “candidate”. It is possible, theoretically, but such a “theory” has no facts to back it up.

To clarify, the ACARS flight plan update I was writing about is just a message on the screen with instructions: waypoints, flight levels etc. that a pilot has to enter into the FMS by a button press and then allow the automation to fly that plan. It could be possible to convince a pilot in this way to start flying towards a different airport to cause confusion, or along a somewhat dangerous route – bad weather, airspace temporarily closed for any reason etc. – but only if the pilot is complacent and does not observe his weather radar, has not read NOTAMs regarding closed airspace and so on. This is why I called it social engineering. Anyway, it would be acted upon by traffic control quite soon unless the plane is out of radar range – which was not the case for MH370. Furthermore, no sane pilot will fly out to the Indian Ocean because some message told him so. Even if the plan update looks mostly sane, but dubious, the pilot has AM radio to confirm. Many planes have satellite phones on board so a pilot can call his airline operations in this way as well, and clarify. He has no-comms procedures in case all radio is out, so he can land safely by flying a predefined approach and ATC is obliged to move everybody else out of the way.

Iggy December 12, 2017 10:11 AM

We’ve all known exploit by RC was not just possible, but likely. The devil is in the details. And those dedicated to a diabolical mission make the time to identify those details friendly to their needs.

That we’ve been given a very generalized heads-up by an agency not the FAA tells me that DHS has hit a wall with the entrenched deadwood at the FAA and they’re hoping a little leak will elicit some powerful help.

The FAA needs to go away. They’ve outlived their original usefulness; now they just hoover away good dollars after bad.

Iggy December 12, 2017 10:20 AM

@Wael,

very interesting take on MH370. I closely followed that unfolding disaster and still keep an ear out. It could explain its turnback and purposeful continuation on that course change. Until we can collect any evidence to help determine what in fact happened, it still looks like a hijacking transformed into an accident by circumstances unforeseen by, and/or outside the skill set of, the hijacker/s.

Petre Peter December 12, 2017 10:23 AM

Remember, remember…. Leverage plot—historically, how much damage can 10 people do before caught. When fighting terrorism it’s better to get the hands out of the airplane than to get the weapons out of the hands. Clearly if the weapon is the hands, finger cuffing is the solution for those who can type. Clearly, if the weapon is the tongue, a small incision is the solution for speech recognition. Boogie man gets a hand on laptops and the plot to Click Here…is exposed under enjoy your flight.

Rhys December 12, 2017 10:25 AM

It is unclear that any conclusions can be drawn from all these speculations.

IMHO, if everyone would start with testing, you will see where the voids/omissions are today.

Simply put, where is the test bed (infrastructure) to assess the multiple interactive entanglements of the operationally deployed inventory?

Flight decks (and railroad loco-pilots and now automobiles) are morphing beyond the isolated cocoon under monolithic C2 to a complex web of interactions that the legacy regulatory enclaves and government agencies are unable to keep pace with.

These control system platforms are a system within a system of systems of systems of systems.

The human operator has a high-level dialogue with an on-board computer network. Increasingly about incomes only. That on-board computer network is also having dialogues with other internal and external networks and hosts.

All under the oversight of legacy (& distinct) regulatory bureaucracies whose primary purpose is the survival of the bureaucracy. Regardless of whether it is a government regulatory agency or private regulatory enclave.

Some of you w/interest in ACARS might benefit from this reading: https://www.theweakestlink.es/index.php/2016/03/18/insecurity-in-acars-system-is-it-really-something-new-part-ii/

Clive Robinson December 12, 2017 10:49 AM

@ me, Wael,

[A] presentation from InversePath … they showed that planes have 3 different networks:

Modern commercial aircraft have a lot more than three different networks; it really depends on how you view it. In essence they are taking a 20,000ft view and that can be a dangerous thing to do…

-the pilot area network that is isolated from the rest of the plane (isolated means that THE RECEIVING SIDE of the optical fiber is physically cut)
-another intermediate network less trusted
-and the passengers’ wifi which is completely untrusted.

Take the first network you give as “Pilot Area”, and the claim that it is “isolated” because the “receiving side” is cut. It’s easy to show that it’s not really “isolated”, just that one of its potential inputs can not directly send data to it…

If you take a closer look you will count up all the direct and indirect connections to the “Pilot Area” network, most of which are directly or indirectly bi-directional.

For instance, an indirect input would be where the pilot reads the GPS, altimeter and other instruments, evaluates what they are telling him and adjusts the controls that feed into the “Pilot Area” network. A more direct path is where the autopilot does a similar task.

If you “fritz” one or more of these inputs you can make the pilot or autopilot make mistakes.

Aside from inertial navigation systems, nearly all other forms of navigation system the pilot / autopilot depend on are derived from external man-made signals, which end up in the “Pilot Area” network. Thus there is plenty of opportunity there, because in part for various reasons these signals are broadcast without crypto-level authentication, which means they are all vulnerable to “spoofing”.

That is, they have no meaningful security end point, let alone one beyond the communications end point. This is a major RED FLAG for those who know a modicum about communications security.

Where a system such as the “Pilot Area” network is implemented there are two basic forms of communications, asynchronous and synchronous, also often incorrectly referred to as half and full duplex. The modes have quite different properties.

As an asynchronous signal is in effect “just transmitted”, it is sent rather more frequently than it is going to need to be. This makes it an inefficient user of the data input communications channel. A synchronous system would use not only a data input channel but also a request / acknowledge channel. This second channel allows the system to make a request for data input, but also enables it to acknowledge the reply. In effect the use of the two channels in this way makes it Full Duplex. Under most circumstances this method of operation makes it more efficient.

The same argument applies to data out of the system; full duplex operation is generally more efficient and robust than half duplex operation.

What few people talk about is what happens when you play with the data request/acknowledge channel. The answer is a lot of often unexpected, thus unprepared for, behaviour.

I’ve gone into the aspects of channel blocking and error channel fault injections before, so I won’t go through its dangers again.

However, you also need to know that a half duplex system can not guarantee “data delivery” even when using quite demanding Forward Error Correction (FEC) codes. Which in turn means you have to have way more complex and vulnerable systems because you have to try and remove communications state dependency in the system. The result is a system with probabilistic issues that would be vulnerable to DoS attacks, amongst others.

Which makes life interesting at the best of times, and near impossible when an active and intelligent attacker is involved.

CallMeLateForSupper December 12, 2017 11:36 AM

As written, this is a YUGE nothing-burger.

And poorly written. To wit: “you can come to grips pretty quickly where we went”

So, when someone tells me, “Get a grip”, I could accelerate the process by going to wherever DHS went? But where was that, exactly? (rhetorical)

Food for thought:
https://www.theguardian.com/commentisfree/2017/dec/11/climate-scientists-emit-30000-tonnes-c02

I do not fly. That mode was painful enough when seemingly every itinerary dumped me in either Pittsburgh, PA or Huntington, WV[1], to wait for hours for a connecting flight. “Hurry up and wait”, as we said in the military. Today the torture is worse; TSA has “enhanced” it by poking and prodding and confiscating and otherwise treating every passenger as “the enemy”. I would not submit to the pile of indignities even if tickets were free.

On a lighter note…
“Flying is the safest way to … fly” – Shelley Berman

[1] The Huntington airport used to be on top of a flattened mountain, which often was in the clouds. You haven’t lived until your plane descends into soup that totally obscures the ground until seconds before the gear touches it!

Insignificant Troublemaker December 12, 2017 11:47 AM

Just an observation on perverse incentives…

As a SW Engineer on safety-critical (but not-fully-networked) avionics, early during our planning discussions about field-loadable software, as we discussed detection of corrupt loads, I suggested considering detection of malicious tampering of loads (e.g., code signing vice CRCing). PM shut me down so fast, [tasteless expression of frustration elided by author]. He clearly and specifically defined airplane security as the operators’ concern. I got the message.

No one said, but I’m GUESSING the reasoning is that if we were to take ANY action specific to malicious changes, any subsequent compromise would be our fault (because we thought about it and failed). If “we’re all friends here”, then who can blame us for failing to detect a deliberately-crafted load that triggers a hard-over under inconvenient circumstances?
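The distinction Insignificant Troublemaker draws between CRCing and code signing, as an added example that is not from the thread or from any avionics vendor: a CRC trailer catches an accidental bit flip but not a deliberate edit, since whoever edits the load can recompute it, whereas a keyed check fails for an editor who lacks the key. An HMAC stands in here for the public-key signature the comment mentions (the no-key, no-valid-tag property is the same); the load contents, field names and key are constructed for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample field load (a few config lines); not a real avionics image.
ORIGINAL_LOAD = b"FLAP_LIMIT=15\nRUDDER_LIMIT=30\nMODE=NORMAL\n"
# Hypothetical loader key. In a real scheme this would be a signing key that
# never ships with the load; it is embedded here only so the example runs offline.
LOADER_KEY = b"constructed-example-key"

CRC_LEN = 4
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def crc_protect(image: bytes) -> bytes:
    """Corruption check: append a CRC-32 of the image (no secret involved)."""
    return image + zlib.crc32(image).to_bytes(CRC_LEN, "big")


def crc_verify(blob: bytes) -> bool:
    image, trailer = blob[:-CRC_LEN], blob[-CRC_LEN:]
    return zlib.crc32(image).to_bytes(CRC_LEN, "big") == trailer


def mac_protect(image: bytes, key: bytes) -> bytes:
    """Tamper check: append an HMAC-SHA256 tag computed with the loader key."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def mac_verify(blob: bytes, key: bytes) -> bool:
    image, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def flip_bit(blob: bytes, index: int) -> bytes:
    """Model accidental corruption in transit or storage: one bit flipped."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)


def tamper_crc(new_image: bytes) -> bytes:
    """A deliberate editor needs no secret: rewrite the image, recompute the CRC."""
    return crc_protect(new_image)


def tamper_mac(blob: bytes, new_image: bytes) -> bytes:
    """Without the key, the best a deliberate editor can do is reuse the old tag."""
    return new_image + blob[-TAG_LEN:]


def demonstrate() -> dict:
    """Run both integrity schemes against a genuine, a corrupted and an edited load."""
    modified = ORIGINAL_LOAD.replace(b"MODE=NORMAL", b"MODE=MAINT")
    crc_blob = crc_protect(ORIGINAL_LOAD)
    mac_blob = mac_protect(ORIGINAL_LOAD, LOADER_KEY)
    return {
        "crc_accepts_genuine": crc_verify(crc_blob),
        "mac_accepts_genuine": mac_verify(mac_blob, LOADER_KEY),
        # CRC-32 detects every single-bit error, so both schemes catch the flip.
        "crc_catches_bit_flip": not crc_verify(flip_bit(crc_blob, 5)),
        "mac_catches_bit_flip": not mac_verify(flip_bit(mac_blob, 5), LOADER_KEY),
        # Only the keyed check catches the recomputed-trailer edit.
        "crc_catches_tampering": not crc_verify(tamper_crc(modified)),
        "mac_catches_tampering": not mac_verify(tamper_mac(mac_blob, modified), LOADER_KEY),
    }


if __name__ == "__main__":
    for check, result in demonstrate().items():
        print(f"{check:24s} {result}")
```

The run shows `crc_catches_tampering` as False and every other check as True: the CRC accepts the edited load because the trailer was simply recomputed.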

Wael December 12, 2017 12:06 PM

@Clive Robinson,

I refuse to believe that Thales doesn’t know what they’re doing. We can speculate all we want, but they do have established credentials in the field.

@CallMeLateForSupper,

On a lighter note…

You came to the right place… On a lighter note, I hated my last landing

And I wonder if the same unlucky passengers were on this takeoff and landing trip

@Iggy,

it still looks like a hijacking transformed into an accident by circumstances unforeseen by…

I don’t know. Followed the story for a while, then forgot about it… Just like every other major news event…

Wael December 12, 2017 12:32 PM

@Peter A.,

It is possible, theoretically, but such a “theory” has no facts to back it up.

True. My use of the word ‘candidate’ wasn’t correct. It’s the most likely scenario in my mind given the information we have. Could be navigation systems failure or foul play – circumstantial evidence and trying to weave possible scenarios. No ‘facts’ yet.

Iggy December 12, 2017 12:56 PM

My “favorite” aviation gut check happened when I accepted an invite from a friend to go to Catalina Island in his Piper Cub. Always went there by boat, so, I was clueless.

Good thing I wore my kevlar shorts.

tomb December 12, 2017 1:41 PM

Fast Food for thought: 9/11 conspiracy theorist Rebekka Roth claimed firsthand knowledge that control of Boeing commercial aircraft can be remotely executed and override manual controls. This was purportedly implemented to combat hijacking prior to 9/11.

AlexT December 12, 2017 2:55 PM

Sorry but unless I see something more substantial on this one I will call bull.
I just don’t believe that a 757 can be meaningfully hacked via RF. I could obviously be wrong but it is an extraordinary claim that needs some more proof.

Clive Robinson December 12, 2017 6:08 PM

@ Wael,

I refuse to believe that Thales doesn’t know what they’re doing.

That one will make me chuckle until, oh, at least Christmas, and I suspect several other people as well.

Yes, Thales has a reputation to protect and they do so in various ways, some not nice at all…

One way is to “not step out from the herd”. Lawyers have a term “best practice” and it does not really mean what you might think it does… What it really means is “group think” and “common behaviour”: you do those things and those things alone, you do not stand out/alone. Because if you are “Mr Average” then you are a difficult target to hit in a law court, because for everything you do you have plenty of examples of people doing the same, likewise for the things you don’t do. What is hated in such circles are the new small “maverick” organisations that change the “Mr Average” point, because that makes liability harder to defend against.

In effect large companies do not really innovate, they repaint what they acquire, and sometimes only the front door, whilst they slaughter what’s behind it to protect other product lines…

Have a think about what that really means for their customers and their customers’ customers’ customers, who think the lack of leg room and potential DVTs are their main worry…

For real “conservative design” look into the “Space Industry”, where RCA / Intersil 1802 8-bit microprocessors were designed into satellites prior to 1980 (such as MagSat, Galileo and a number of the University of Surrey UoSAT satellites). That very, very old microprocessor can still be found with modern (USB based) development boards,

http://www.cpushack.com/rca-cosmac-1802-and-180x-test-boards-for-sale/

And I’ve worked in companies that used 1802s about a decade before I worked there, and they are still in their current products a quarter of a century after I left… Yup, other industries, especially large ones like Petro-Chem, are just as conservative. Oh, and the replacements I designed based around 8088/6 parts for them are still touted as leading edge, even though getting the parts is, to put it mildly, somewhat difficult (NASA had the same problem with the Space Shuttle, and it’s been said it was one of the main drivers to EOL it).

Both the Space / AeroSpace and industrial control industries are conservative and almost always will not use anything that is not already “flight-qualified” or “field-proven”, which if you think about it is a chicken and egg situation.

It’s why there is a bit of a worry in some circles currently about rechargeable batteries… The only batteries that have been long space flight tested in that size and rating are no longer made by the manufacturer… but there are no other flight tested batteries to replace them, thus their value is going up almost as fast as Bitcoins 😉

It’s why the likes of Surrey Satellite Systems put up “technology demonstrator flights” of COTS parts. To cover the cost of such flights they tend to “horse trade” for spare flight space/capacity, but this is becoming a very rare commodity (as are licensable satellite radio frequencies). So we are starting to see “shared tech” cubesat designs.

Industrial / Space / Aerospace engineers are conservative with good reason; have a look at the European Global Positioning Satellite System Galileo and its atomic clock problems from this year,

https://m.phys.org/news/2017-07-europe-galileo-satnav-problems-clocks.html

Supposedly the most accurate clocks in space, made by a very high reputation Swiss company. But they are “new tech” and a large number have failed, even though rigorously designed and tested. ESA have indicated that they have found the issues… however I would not want to be the design engineer on the leading edge of that problem, not with the price flights cost… It’s just as well there is so much redundancy built into each satellite… Even though those clocks are heavy, really heavy, sometimes it pays to be conservative in outlook, not just cautious…

Wael December 12, 2017 6:24 PM

@Clive Robinson,

That one will make me chuckle until, oh, at least Christmas, and I suspect several other people as well.

Good! So you’re saying they know what they’re doing. It’s just they won’t do it for the reasons you listed. I accept that 🙂

Sancho_P December 12, 2017 6:32 PM

@all (&@Wael)

No need to control the plane like a hobby drone, no hack, no backdoor.
It’s about cutting out (or even falsifying) info from or to the plane while standing in line or already in the air. Think: one plane is never alone.

I think we can not fully imagine the pain being out there with 300 people in the back, in a region of heavy air traffic, without any or false information for more than a couple of minutes.
The simplest case would be a total comm black out (as either side will see it), say a broadband-jammer, e.g. on board(s!).
Chaos.
But that’s not the topic here I guess.

Check the other link from Poland to get a feeling for some ACARS (?) plane unconsciousness:
https://www.wired.com/2015/06/airlines-security-hole-grounded-polish-planes/

Rejecting bogus flight plans is only the beginning of a problem.

For the Thales point slowly re-read what @Insignificant Troublemaker wrote here:
https://www.schneier.com/blog/archives/2017/12/remote_hack_of_.html#c6765840

Wael December 12, 2017 6:55 PM

@Sancho_P,

slowly re-read what @Insignificant Troublemaker wrote here:

That wasn’t nice! Are you insinuating that I’m stooopid? I work in the industry, bubba. His story is not uncommon, and I can tell you much worse stories but it wouldn’t be wise. I’m not that stooopid. I’ll check the rest later, after I get that sour taste out of my mouth. Actually about to cook dinner. I bet you I cook better than you do. There… we’re even now 🙂

Clive Robinson December 12, 2017 7:14 PM

@ AlexT,

Sorry but unless I see something more substantial on this one I will call bull.

That is your choice on your viewpoint. But would you go to court on it and sit there being told you have a couple of hundred deaths on your hands and a few hundred million dollars worth of insurance payments about to make it impossible for the company you work for to carry on trading let alone employing you?

I start from the viewpoint “nothing is perfect, it all fails one way or another” and “Black Swans exist” and just like rats it’s “too costly to hunt them all down” not that you would want to anyway, because there are better things to be doing with your time.

As a young engineer I used to find lots of new exciting ways to make things fail. It did not make me very popular because they would then need to be fixed one way or another. The cheapest way is to “shoot the messenger” and “lose the paperwork”… Seriously, that is how it works. As an organisation you design products to meet standards and to a price, nothing more. You most certainly do not find problems you can not fix within cost.

I’ve been in engineering meetings where the wrong $1 wafer switch had been fitted; it was “Break before make” when it should have been “Make before break”, as it was in the power rail not a signal rail. Everyone was sweating, even the guys that had nothing whatsoever to do with the switch. You would not believe the suggestions made to get around “not changing the switch”, because that would be catastrophically expensive, which everyone knew would be “plank walking time”. I found a cheap workable solution, which made me the “steely eyed missile man” for a day or so. At another company there was a problem with the way rechargeable batteries worked and the CPU occasionally drawing large currents at low voltage start up. You would not believe the number of suggested solutions and their many problems and costs. I came up with a solution in a couple of days and indicated it needed proper testing and should be put in a patent as it had real worth. The company chose to do neither; another company a while later did patent the idea, and tried to be a patent troll with it… Not my worry, but they are still in business, whereas the company I worked for is not.

With regards,

I just don’t believe that a 757 can be meaningfully hacked via RF.

I most certainly do, it all depends on what you mean by “hacked” and “RF”. For instance very few believed in DDoS before it became obvious to all.

Those few who knew, for various reasons, had kept quiet that the problem with the design was,

1, DoS was easily possible.
2, DoS was impossible to stop with the design.

But any one who had heard about ECM and Jamming should have known that it was easily possible.

Which begs the question “Why was the technology built this way?”. The answer to that is almost always “resource limitations”. That is there was only so much that could be done with the technology or the technology available at a given price point.

It’s the reason we use the US DoD TCP/IP protocols not the European OSI protocols. IP was cheaper to deliver to the customer even though it was known to be broken in ways OSI had designed out.

The reality was that a price point had to be met then, which is a huge price to pay now. Call it “technical debt” if it makes you feel better about it. It is how the world works; get used to it, as opting out is for resource/cost reasons impossible for most people.

Oh, and remember, because you did not get bit in the swamp today does not mean you will not get bit tomorrow, especially when you are trying to drain it…

echo December 12, 2017 7:37 PM

@Clive

I agree with your observations about how success should be designed in and lawyers avoid standing out. My experience is neither doctors nor lawyers cope very well with the non-routine and exceptional. Both tend to be rigid and go with the average and what the historical record suggests. Neither are very good at solving problems or innovating or even communicating.

I have an academic essay which describes how a patient/client can be an expert within their domain more so than the professionals, and both sides of the medical-legal fence would benefit from both listening to the expert patient and each other. In practice this can be effectively impossible even where professional regulations indicate a compelling need. (I also have statutory policies and authoritative guidelines and essays by professionals on patient/client expertise which help round out this point of view.)

I have a letter obtained at personal expense from a high profile medical practitioner who is an expert in their field and who has a widely acknowledged high satisfaction patient rating. Their opinion notes unlawful institutional practice and that lawyers will not understand the case. I am currently struggling to acquire both professional medical and legal assistance, to the point where the door is slammed in my face before I have an opportunity to show this letter.

This is especially annoying as my medical condition and relevant psycho-social circumstances indicate the condition is both non-routine and exceptional, and that I am also inclined to be a non-conformist, i.e. maverick. I have concluded this is all about power or money with NIH and shoot the messenger following on.

My office politics/social engineering skills suck.

Clive Robinson December 12, 2017 8:09 PM

@ Wael,

Good! So you’re saying they know what they’re doing.

No, I’m saying that some of their legal types know how to play a certain game to draw, not even win, because “burden of proof” gets them home undefeated…

Some of the engineers at Thales and the like will conclude there are “better for the soul” places to work and leave, and to their horror get dragged back again come “take over time”. A place I worked for started in on the “take over” route and I left pronto; the company now is part of Thales but I don’t know anybody there now (it happened again for the third time to a friend not so long ago[1]).

Before you say “no way”, this has happened to engineers before… Back in the days of “Star-Wars” and earlier, their employers had lied to them about what they were really working on (offensive capabilities for nukes etc). So they left and joined other companies who did not lie to them, then their new employers got taken over for various reasons and they were back in the hated defence contractor world again being given the mushroom treatment.

Thankfully other markets opened up and they could finally escape, or so they thought… But some have found there is worse than the defence contractor world, much worse, more personal, more betraying and it’s what makes Silicon Valley what it currently is… Life can be tough and soul destroying when you have to Kow-tow as the only option is “Money or Morals” but not both and you’ve a family to feed.

[1] He gave up trying to be an engineer with ethics, and left with his wife to do charity work in Africa building wells, pumps and power systems for villages and the like along with teaching them the skills to maintain and improve them.

Herman December 13, 2017 5:59 AM

Well, it would be fairly easy to spoof an ADS-B message to trigger a collision avoidance manoeuvre. It could be done from the ground, to a plane anywhere more or less overhead and would be rather nausea inducing to everyone on board the target plane if you repeat it a few times before the pilot can clue in and turn the thing off.

albert December 13, 2017 12:06 PM

From the article:
“…The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement….”

That’s really the bottom line, isn’t it?

. .. . .. — ….

Clive Robinson December 13, 2017 3:31 PM

@ Albert,

That’s really the bottom line, isn’t it?

If only it was… As I’ve commented to @Wael, there’s the “liability Game” that the lawyers play as well.

You can look on the $1million/line/year as the lowest of the change inhibitory costs. When you have to roll that out on one product you usually have to do it on many, as products have “common code”[1].

Hence the “liability game” has a very wide playing pitch and “upkeep costs”.

The one thing some of those involved have realised is that whilst “code patching” is in theory a good idea, in practice it sucks in many ways. Stuxnet was an all important example of why code signing via public keys is not a very good idea in very high liability systems. Some lawyer will point at it and say “It’s not secure” –which it is not– and then go on about the lack of security in the underlying patch communications system. Thus the safe option liability wise is to go with “Custom Mask Programmed” CPU parts that can not be altered in any way. To upgrade you get sent a new part with a qualified technician who takes the system out, breaks the seals, opens the case, pulls out the old chip, puts in the new chip, runs a whole heap of diagnostics, closes up, reseals, puts back in the system and runs a whole bunch of further tests. You sign a bit of paper and off the tech goes with the old part and the $1000 + expenses invoice arrives within a very short period.

You have alternatives but they don’t really work out any cheaper, because even if you buy a new system it still has to be installation tested by a qualified technician[2]…

[1] If you think back to the Ransomware incident earlier this year that hit many WinXP users. People were surprised at just how quickly MS produced a patch for the supposedly unsupported WinXP. The reason is that below the UI level little changes from one MS OS to the next, so there is a big chunk of common or nearly common code. The same is true for nearly every product that uses a four bit microprocessor upwards. If you talk to embedded systems designers who still work on 8bit processors, you discover they have their own “toolbox” of code that drops into a simple RTOS or Scheduler framework, thus is in effect a BIOS or low level OS. Some of us built high level tools that were like low end compilers/meta-assemblers, where the code was written in a way that was “independent” of the underlying architecture. The assembler it chucked out was generic, thus required “hand tuning / Optimization”.

[2] When I was working at a company the PM approached me on a Thursday afternoon with a bunch of tickets and other paperwork. As the usual technician was not available I had to fly out a quarter of the world away, wait in a hotel for a day (the country’s religious day off) then go to a customer site. Be shown where a box was, undo two screws, slide out a card, move a link jumper from 1-2 to 2-3, put the card back. Press a button which their tech then confirmed gave the right signal polarity. I did the screws back up, pressed the button again to check, got two pieces of paper signed (FAT and time sheet), was driven back to the hotel to wait for two days for a return flight to get back in the office a day and a half after that… Oh I did not get Time Off In Lieu and was only paid overtime for the two hours I was on site for and they would not pay my laundry expenses as “I was an engineer not a technician”… And the PM was most surprised the next time when he tried the same stunt I told him “no” I was going mountain climbing and it was all arranged and paid for so he could go do the job instead… So whilst he trudged around the world over the bank holiday weekend, I stayed with friends in Brecon (Wales) and yomped over seven peaks and had a jolly nice time 😉

ShavedMyWhiskers December 13, 2017 5:18 PM

The range of the attack needs to have some disclosure for this to be discussed. Line of sight to an aircraft at 30,000 is a long way.
On the ground less than 20 miles mostly.
Power and antenna gain can reach out and touch someone…
That van can have an RF transparent shell.

We demand more and more telemetry. When an aircraft lands parts and service orders are expected to be ready to go. Services, drinks, food, alcohol, ice, bathroom supplies… Location and arrival updates depend on data from the aircraft.
Barometer data, GPS fudge factors, approach envelopes… Some data would be updated on the ground but wires break when data links fail to unplug. IR or RF is not a wire or connector to break. Recall the wired phone on the back of a tank… Is it still wired? Visualize the umbilical cord of a rocket as it falls away in the last seconds.

This is perhaps one reason to check laptops, but phones are sufficient computers.

albert December 13, 2017 5:31 PM

@Clive,

And that’s why manufacturers are so in love with remote reprogramming capabilities*. According to some commenters here, avionic code itself is well written, and I agree, but the 362.87kg elephant in the room is the security of those systems when networked. What do avionics manufacturers do when they absolutely -have- to reprogram a system? An aircraft can’t pull over like the Amtrak locomotive that stopped to download new software. (True story)

We used to make products with OTP CPUs. Better have your stuff together when you code for those babies! I like the EPROM route, with a jumper for reprogramming. A simple memory module is read into the EPROM, by the CPU, following its own ROMed code.

Increasing complexity becomes self-defeating at a certain point. I believe we’ve passed that point.

At another Co., our boss walked in and said, “Stop work on XX!”. We said why? We just fixed the last problem; it’s good to go. “No”, he said, “The lawyers have it now”. BTW, it was our boss, not the customer, who started the process. The Co. had a ‘pay-as-you-go’ contract, so he ended up with 80% of the contract price in the bank. I don’t recall what the customer did to incur his wrath.

Re: Stuxnet. I like the theory that it was injected into a system being produced by a local supplier for the enrichment facilities. So much for isolated networks.


*Worse, programs like PC Anywhere allowed us to operate a computer anywhere in the world from our desk. It’s just like being there.

. .. . .. — ….

Sancho_P December 13, 2017 5:40 PM

@Wael, (Herman)

Nice, but to be nice wasn’t my intention 😉 … As a chef you’ll appreciate the value of spices.
Yes, some at Thales know what to do, and esp. what not to do.
A mentor once told me something like:
“Sancho, you can’t protect the world, but probably your family. Decide well!”
-You’ve learned that the hard way and wrote in favor of their credentials?
Guess I’ll slowly re-read your last comment? Btw. what were you preparing?

But, in addition to @Clive Robinson’s reasoning, I think very often at the beginning of big things the driving force isn’t money but pure fun, as in ‘let’s see what we can do’. Later, with the first success, managers, lawyers and bean counters jump in. From that moment on it would be suicide to say ‘oh, wait a moment, … ’.

@Herman

Right, one plane = small problem, but one plane is never alone.

Clive Robinson December 13, 2017 6:06 PM

@ ShavedMyWhiskers,

Line of sight to an aircraft at 30,000 is a long way.

At 5280ft per statute mile 30,000ft is a little under 5.7 miles.

I used to quite regularly work well over sixty miles from a 1.5W 144MHz VHF NBFM hand held radio with vertical quarter-wave antenna that was not really line of sight. In the UHF band about the same power but into a seven element I worked Wales to Scotland across open water and also into Northern Ireland. Similar kit is used by radio hams to work through satellites in low earth orbit (LEO) and the ISS at an orbit height of between 330-435 km ASL.

Several decades ago now a friend and I made a jury rigged system of a little low power (5-10mW) transmitter in the VHF band that ran off a little 9V battery (PP3); we used some “British Army Issue” condoms and filled them with party balloon gas. We let it go near a famous Race Course in Epsom Surrey and we and others tracked it all the way to Belgium.

Whilst “balloon flights” can no longer be made from the UK mainland, they can from Ireland and you can easily track them across the UK and into Europe often at a two hundred mile stretch from the same receiver location with a reasonable elevation.

In most cases to take over and hold a receiver from another transmitter you only need to be about 12dB stronger at the receiver antenna which is not a lot with receiver front ends having at least a 90dB dynamic range and -126dBm sensitivity.

Wael December 13, 2017 6:29 PM

@ShavedMyWhiskers,

That van can have an RF transparent shell.

λ/4 impedance transformer.

Line of sight to an aircraft at 30,000 is a long way.

238.9 Miles at an altitude of 38,000 feet.

@Sancho_P,

Btw. what were you preparing?

Beef shank with potatoes, onions, peas&carrots and tomatoes. And Saffron basmati rice. Messed up the beef (one of the very rare occasions, really) but the cats liked it.

Clive Robinson December 13, 2017 10:45 PM

@ Wael,

238.9 Miles at an altitude of 38,000 feet.

It’s quite a bit longer than that for a couple of reasons.

Firstly the lower the frequency the greater the “skirt effect” where the RF gets dragged past geometric line of sight[1]. You can find online calculators for VHF/UHF such as,

http://www.vwlowen.co.uk/java/horizon.htm

(!!!JavaScript required WARNING!!!)

Which gives you 276miles or ~37miles more for an observer at 0ft ASL of a 38000ft object. But the range goes up as the height of the observer goes up. For instance there is Leith Hill in Surrey South of London that had a tower built on it to “make it a mountain” at 1000ft ASL; this adds extra range, which would now be 321miles ~82miles more giving a maximum track distance of twice that or ~640miles which for a passenger aircraft that flies around that “ground speed”[2] gives around an hour of effective attack time…

The second effect that increases the radio line of sight distance is the “knife-edge effect” which is a little like light diffraction through a slit; it in effect bends the radio signal further around the curve of the Earth and can add another 10% or so to the horizon, however there is significant loss so TX power, antenna gain or both have to be significantly larger.

I will leave out other phenomena such as Tropospheric ducting / scattering and Fresnel Zone effects because they are very situation dependent and in some cases can work to shorten range.

[1] The usual “geometric” calculations for the horizon are wrong. Below around 1000ft ASL you can assume the earth is spherical. However above 1000ft you have to allow for the fact the earth is an oblate spheroid and actually changes shape with the effects of the Sun, Moon, Jupiter etc. Which means that the distance around the equator is larger than you would think and constantly changing. Not by much but you have to allow for it in Kepler etc calculations to determine observed positions of satellites and also their track times. I can assure you the calculations are tedious but make a measurable difference against polar projection tracks.

[2] As the earth is approximately spherical you need to fly a little bit faster for each foot above ASL to retain the same “ground track” speed as that of 0ft ASL. That is under the spherical model the Earth’s circumference goes up 2Pi feet for every foot above 0ft ASL… As it says in all the best texts “The calculation for the oblate spheroid model is left as an exercise for the reader” 😉
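
The horizon arithmetic in the exchange above (Wael's 238.9 miles for 38,000ft, the ~276 miles from the calculator Clive links, and the ~321 miles with a 1000ft observer), worked in Python as an added example. This is not code from the post or from the linked calculator; it assumes a spherical Earth of mean radius 3959 statute miles and the conventional 4/3 effective-radius factor used to approximate VHF/UHF refraction, and the 500 mph ground speed in `minutes_in_view` is a constructed figure, not one from the thread. It deliberately ignores the knife-edge, ducting and oblate-spheroid effects Clive mentions.

```python
import math

EARTH_RADIUS_MI = 3959.0   # assumed mean Earth radius, statute miles
FEET_PER_MILE = 5280.0
RADIO_K = 4.0 / 3.0        # conventional effective-Earth-radius factor for VHF/UHF refraction


def horizon_miles(height_ft, k=1.0):
    """Distance to the horizon from a point height_ft above sea level.

    k=1.0 gives the purely geometric (optical) horizon; k=RADIO_K inflates the
    Earth radius by 4/3 to approximate refraction dragging the signal past it.
    Uses the exact tangent-line form sqrt(2Rh + h^2); the sqrt(2Rh) shortcut
    differs by well under a mile at aircraft altitudes.
    """
    r = EARTH_RADIUS_MI * k
    h = height_ft / FEET_PER_MILE
    return math.sqrt(2.0 * r * h + h * h)


def path_miles(observer_ft, target_ft, k=1.0):
    """Maximum line-of-sight range between two points: the sum of both horizons."""
    return horizon_miles(observer_ft, k) + horizon_miles(target_ft, k)


def minutes_in_view(observer_ft, target_ft, ground_speed_mph, k=RADIO_K):
    """Time an aircraft flying straight over the observer stays within radio
    line of sight: horizon-to-horizon is twice the one-sided path distance."""
    return 2.0 * path_miles(observer_ft, target_ft, k) / ground_speed_mph * 60.0


def summary(target_ft=38000.0, observer_ft=1000.0, ground_speed_mph=500.0):
    """Geometric vs radio horizon for the figures discussed in the thread."""
    return {
        "geometric_from_sea_level": horizon_miles(target_ft),
        "radio_from_sea_level": horizon_miles(target_ft, RADIO_K),
        "radio_from_observer_height": path_miles(observer_ft, target_ft, RADIO_K),
        "minutes_in_view": minutes_in_view(observer_ft, target_ft, ground_speed_mph),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>28}: {value:7.1f}")
```

The three first figures come out at roughly 238.8, 275.7 and 320.5 miles, which is why the thread's "16% more" (the 4/3 factor is a sqrt(4/3) ≈ 1.155 multiplier on distance) and the observer-height bonus both matter when estimating how far a ground station can see an aircraft.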

Wael December 13, 2017 11:20 PM

Captain Joe has a nice channel on YouTube. Here he talks about airplane WiFi (but confuses bits and bytes.)

@Clive Robinson,

It’s quite a bit longer than that for a couple of reasons…

True. This is under ideal situations, and on average though. I’ll skip the reader exercises for now 🙂

It’s quite a bit…

~16% more isn’t quite a bit; 2000% more is 🙂

Clive Robinson December 14, 2017 2:32 AM

@ Wael,

~16% more isn’t quite a bit; 2000% more is 🙂

Hmm it’s getting close to “Santa Time” therefore “Shall I be nasty or shall I be nice”…. :@ / 0:)

Well you did bring up the quarter wave line, I hope you have your Smith Chart ready…

Here is the problem,

With a fifty ohm z cable terminated in 100R+J0, what would the input impedance be if you increased its length by,

A, 16%?
B, 2000%?

Just to make the “naughty question(A)” just that little bit easier to answer, if you like I’ll let you make it 16.666% or an increase of 1/6th to its length.

I won’t make the “nice question(b)” any easier because that would be a give away…

Now which do you prefer to tell Santa, answer A or answer B, that is which is “quite a bit” harder to answer?

Wael December 14, 2017 4:31 AM

@Clive Robinson,

The only naughty thing here is you choosing a problem that supports your view. This is a line of sight thing that depends on time and space. Driving for one hour and 10 minutes is not ‘quite a bit more’ than driving for one hour.

The impedance will be periodic because the coax isn’t terminated at its intrinsic impedance which will result in a reflected wave which will result in a periodic input impedance at different electrical length of the cable.

Wael December 14, 2017 4:50 AM

@Clive Robinson,

Impedance as a function of length increase amounts to a rotation on the Smith chart, which with 2000% will rotate many times on the chart. If we use λ/6 then…

Rotation equivalent to (2000 % λ/6) and will be the difference in ZIN; ‘%’ being the modulus operation. My turn to give you a problem? 🙂 Perhaps another time as the brain is drained.

Clive Robinson December 14, 2017 10:35 AM

@ Wael,

I thought you might go for the 2000%, because normalised that would be twenty times around the chart, which would bring you back exactly where you started on the chart[1]

[1] For those reading along, who don’t know a Smith Chart is named after its US inventor (Philip H.) Smith who published his idea during WWII in 1939. It shows the complex load on the end of a calibrated transmission line, in terms of amplitude and phase of a signal. This enables RF Engineers to make “good enough” calculations that would otherwise take hours by hand and tables. Thus the Smith Chart quickly gained popularity.

https://en.m.wikipedia.org/wiki/Smith_chart

Although they are quite expensive as instruments go, you can actually make one yourself using a handful of components, a signal generator and an X/Y display[2]. I used to do this to demonstrate to students that whilst precision is nice, knowing the principles can help you make your own “tools” which is a “rite of passage” that all technicians should make if they want to become engineers or practical scientists.

Importantly though Philip Smith may not have been the original inventor, just an independent inventor. Because a couple years earlier in Japan Mizuhashi (Tosaku) came up with a different graphical calculator that does the same task as the Smith Chart. As the world was effectively going to be or was at war at the time scientific and engineering papers considered of national etc importance did not get international recognition. Further as with a lot of German Inventions, the “Victor Claims the Spoils” as they write the history.

[2] Called a Vector Network Analyser, all you are really doing is taking the Voltage Standing Wave Ratio as a signal for one signal and the phase difference signal out of a Double Balanced Mixer for the other signal to an XY display. You usually simply calibrate using three “loads” on the end of the calibrated line, a short, open, and characteristic load.
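
Clive's Santa problem (a 50 ohm line terminated in 100R+j0, lengthened by 1/6th or by 2000%) and Wael's answer that the change is a rotation on the Smith chart, worked numerically as an added example. This is not code from either commenter; it uses the standard lossless-line input-impedance formula and assumes, as a labelled starting point, that the original line is the quarter-wave transformer Wael mentioned earlier, so the "2000%" case adds 5λ and the "1/6th" case adds λ/24.

```python
import cmath
import math


def input_impedance(z0, z_load, length_wavelengths):
    """Input impedance of a lossless line of characteristic impedance z0
    terminated in z_load, seen length_wavelengths back toward the generator.

    Zin = Z0 (ZL cos bl + j Z0 sin bl) / (Z0 cos bl + j ZL sin bl), bl = 2*pi*l/lambda.
    The sin/cos form is used instead of tan() so odd quarter-wave lengths do not
    divide by a near-infinite tangent.
    """
    bl = 2.0 * math.pi * length_wavelengths
    c, s = math.cos(bl), math.sin(bl)
    return z0 * (z_load * c + 1j * z0 * s) / (z0 * c + 1j * z_load * s)


def reflection_coefficient(z0, z):
    """Gamma = (Z - Z0) / (Z + Z0): the point plotted on a Smith chart."""
    return (z - z0) / (z + z0)


def vswr(z0, z):
    g = abs(reflection_coefficient(z0, z))
    return math.inf if g >= 1.0 else (1.0 + g) / (1.0 - g)


def smith_rotation_degrees(extra_length_wavelengths):
    """Moving toward the generator rotates Gamma by 2*bl, i.e. 720 degrees per
    wavelength, so every half wavelength is one full turn and Zin repeats."""
    return (720.0 * extra_length_wavelengths) % 360.0


def santa_problem(z0=50.0, z_load=100 + 0j, base_len=0.25):
    """Assumed base: a quarter-wave line (base_len=0.25). Returns Zin for the
    base length, for a 1/6th increase and for a 2000% increase."""
    cases = {
        "base (lambda/4)": base_len,
        "A: +1/6th": base_len * (1 + 1 / 6),
        "B: +2000%": base_len * (1 + 20),
    }
    return {name: input_impedance(z0, z_load, l) for name, l in cases.items()}


if __name__ == "__main__":
    z0, zl = 50.0, 100 + 0j
    print(f"load: Gamma={reflection_coefficient(z0, zl):.3f}  VSWR={vswr(z0, zl):.2f}")
    for name, zin in santa_problem(z0, zl).items():
        gamma = reflection_coefficient(z0, zin)
        print(f"{name:>16}: Zin={zin:.2f}  |Gamma|={abs(gamma):.3f} "
              f"phase={math.degrees(cmath.phase(gamma)):7.1f} deg")
    print("rotation for +5 lambda:", smith_rotation_degrees(5.0), "deg")
```

The quarter-wave case gives the textbook Z0²/ZL = 25 ohms; adding 5λ (an integer number of half waves) lands on exactly the same 25 ohms, which is the "back where you started" point, while adding λ/24 moves Zin to a different complex value. In every case |Γ| stays 1/3 and the VSWR stays 2: length only rotates the point around the chart, it never changes the mismatch.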

Wael December 14, 2017 11:30 AM

@Clive Robinson,

Back in the day, I used Micro-Cap, MATLAB for these sort of calculations, along with a Smith Chart. Today you can use things like Wolfram CDF player (which I haven’t used for Microwaves / antennas yet.) Probably won’t either – no time.

Because a couple years earlier in Japan Mizuhashi (Tosaku) came up with a different graphical calculator that does the same task as the Smith Chart.

Wouldn’t surprise me. The inventor of the Fast Fourier transform wasn’t Fourier, supposedly it was Gauss. Anyway, when I read this sentence:

Importantly though Philip Smith may not have been the original inventor

I thought the follow up would be: It was invented in Bletchley Park back in the days you wore greens. Seems I was wrong, which as you very well know is next to impossible to believe 🙂

Wael December 14, 2017 11:46 AM

Serves me right!

The inventor of the Fast Fourier transform wasn’t Fourier

Should say;

…Weren’t J. W. Cooley and J. W. Tukey

As the FFT is an algorithm to calculate the Fourier Transform.

Clive Robinson December 14, 2017 12:32 PM

@ Wael,

Serves me right!

You could use the Robinson Family motto,

    We only drop our jaws to swap feet

As for the story behind the Fourier transform and how it came to be… It may be best to leave it to the mists of time as Babylonian astronomers and mathematicians are known to have used harmonic sequences for orbital calculations back in 2000-1600BC… However it was Fourier in 1807 who showed that the analysis would work on arbitrary as well as periodic functions. Gauss’s fast method was from a couple of years before thus still dealt with harmonics of periodic functions (if the dusty book from my cave is to be believed).

Actually I’ve found in practice that often the DFT with lookup tables is preferable to the FFT in low power micros for applications such as “frequency steering / tracking” especially when you use 3bit+Sign numbers…

JG4 December 14, 2017 7:22 PM

In the reference frame of a radio wave, emission from the transmitting antenna is simultaneous with coupling to the receiving antenna. It may be that only matter experiences time, but energy doesn’t.

A two-point Fourier transform is the two linearly independent combinations of the input data array. They correspond to DC, which is average of the two points, and the Nyquist frequency, which is the difference of the two points divided by two.

When I see Matlab mentioned these days, the first thing that springs to mind is SciLab. A bit easier to install than Octave. In case anyone wanted to have the source code to muck about, as they say on Clive’s side of the pond.

One of the hottest Celtic redheads to walk the planet was a late boomer who sprang from the loins of a ferry pilot in the big war. Both smart as a whip. Though he was German (immigrant stock), he worked for the US. I realized a couple of months ago that there is a fine line separating the quick and the dead. It can be a career-ending decision to say, “Sorry, this plane’s not good enough to fly,” but it can be a life-ending decision to fly (or try to fly) a bad aircraft. He cut his teeth as a crewman on the mail runs in the mountains. When the war came around, they had a brilliant recruiting tool – fly a hot new plane around the area for 30 to 60 minutes, then land at the airport. Everyone interested in aviation would drive to the airport to see what the new plane was about and were treated to an interview. They were offered cash and papers on the spot, depending on their credentials. The ferry pilot had built and flown his own plane in the 20’s. And survived flying it in the mountains.

Sorry, the scumbags who run this country aren’t good enough for me. Did anyone catch the stunning proof in recent news articles that the FBI still are dirty? It’s a short step to concluding that they always have been. Can’t recall if I mentioned the part where their “crime lab” lived up to its name by fabricating fake evidence for decades.
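
Clive's lookup-table DFT for small micros and JG4's two-point description (DC is the average of the two samples, Nyquist is half their difference), combined in one added Python example. This is neither commenter's code. It builds the cosine/sine tables once, optionally quantised to the "3bit+Sign" integer range Clive mentions (a labelled assumption about what he means by it), and normalises by N so the two-point result matches JG4's wording; the test tone is constructed inline.

```python
import math


def make_tables(n, bits=None):
    """Cosine and sine lookup tables for an n-point DFT, built once so the
    inner loop never calls a trig function. bits=None gives float tables;
    bits=3 gives integers scaled to +/-7 (assumed reading of "3bit+Sign")."""
    scale = (1 << bits) - 1 if bits else 1.0
    cos_t = [math.cos(2 * math.pi * k / n) * scale for k in range(n)]
    sin_t = [math.sin(2 * math.pi * k / n) * scale for k in range(n)]
    if bits:
        cos_t = [int(round(v)) for v in cos_t]
        sin_t = [int(round(v)) for v in sin_t]
    return cos_t, sin_t


def dft(samples, tables=None, normalize=True):
    """Plain O(n^2) DFT: the twiddle for bin k and sample t is table entry
    (k*t) mod n, so it is only multiply-accumulate and an index wrap.
    normalize=True divides by n (average rather than sum per bin)."""
    n = len(samples)
    cos_t, sin_t = tables if tables else make_tables(n)
    spectrum = []
    for k in range(n):
        re = im = 0
        for t, x in enumerate(samples):
            idx = (k * t) % n
            re += x * cos_t[idx]
            im -= x * sin_t[idx]
        if normalize:
            re, im = re / n, im / n
        spectrum.append(complex(re, im))
    return spectrum


def two_point_bins(a, b):
    """JG4's case: returns (DC, Nyquist) = ((a+b)/2, (a-b)/2)."""
    x = dft([a, b])
    return x[0].real, x[1].real


def dominant_bin(spectrum):
    """Index of the strongest bin in 0..n/2: the 'frequency tracking' use."""
    half = len(spectrum) // 2
    return max(range(half + 1), key=lambda k: abs(spectrum[k]))


# Constructed test signal: one cycle per 4 samples over 8 samples, i.e. bin 2.
N = 8
TONE_FLOAT = [math.cos(2 * math.pi * 2 * t / N) for t in range(N)]
TONE_INT = [int(round(7 * v)) for v in TONE_FLOAT]   # same tone in 3bit+Sign


def int_tracking_bin():
    """Run the integer-only path (integer tone, +/-7 tables, no division)."""
    return dominant_bin(dft(TONE_INT, make_tables(N, bits=3), normalize=False))


if __name__ == "__main__":
    print("two-point bins for (3, 1):", two_point_bins(3, 1))
    print("float DFT peak bin:", dominant_bin(dft(TONE_FLOAT)))
    print("3bit+Sign integer DFT peak bin:", int_tracking_bin())
```

With the integer tables the bin magnitudes are coarse, but for steering or tracking a single tone only the location of the peak matters, and the peak stays at bin 2; that is the trade Clive describes, accuracy for a loop that fits in an 8-bit part.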

Wael December 14, 2017 8:59 PM

@Clive Robinson,

We only drop our jaws to swap feet

No comprende. Lay the Clive’s notes version on me!

Wael December 14, 2017 9:02 PM

@JG4,

In the reference frame of a radio wave, emission from the transmitting antenna is simultaneous with coupling to the receiving antenna. It may be that only matter experiences time, but energy doesn’t.

How do you mean?

Clive Robinson December 15, 2017 1:27 AM

@ Wael,

No comprende. Lay the Clive’s notes version on me!

Ever heard of “Putting your foot in it when speaking”? It gives rise to “foot in mouth syndrome”, hence “I only open my mouth to change feet”.

Wael December 15, 2017 1:49 AM

@Clive Robinson,

If I were drinking something as I read this, I surely would have sprayed the room with it. Lol. Unexpected meaning.

JG4 December 15, 2017 6:00 AM

@Wael – it’s a nod to Einstein and his general theory. At the speed of light and other electromagnetic phenomena, there is no passage of time. So, the radio photons/waves experience departure (creation) and arrival (dissolution) simultaneously. Matter, in most current theory, can only approach the speed of light, so time does not stop, but can slow down. Calculations and discussions of relativistic phenomena use “frames of reference” as a term of art. There is a great article on Wired about Tom van Beek (sp?), which includes him aging his kids by an extra 300 nanoseconds by traveling into the mountains for the weekend. He took at least one atomic clock with him so that they would learn that in the lower gravity frame of reference (where they were camping) time would flow faster than at their home.

Wael December 15, 2017 10:07 PM

@JG4,

it’s a nod to Einstein and his general theory.

General or special? General deals with gravitational forces, right? Either way I don’t think that’s true. But if true, it could explain entanglement at great distances? Quick, find the explanation and get a Nobel prize. My fee is 5%.

Pete December 16, 2017 4:49 AM

Nobody is saying anything about the fact that B-757 and B-767 aircraft are extremely similar. 2 weeks ago, I flew on a B-767 for 10 hrs from a foreign country. B-767 are used for international flights, almost constantly.

I haven’t flown on a B-757 in at least 8 yrs.

It is the still-flying B-767 and all the other Boeing aircraft that concern me most.

nanashi December 19, 2017 1:14 AM

@RndmNmbr

I can believe that the security of such systems is next to nonexistent, but don’t airplanes run software on something like INTEGRITY-127B to isolate breaches?

Commenter January 31, 2018 10:23 AM

I would question the DHS claim that newer aircraft can be considered more secure. Yes, the design of internal networks involved may be more secure than updated older aircraft. However, something to remember is the complexity of these networks and systems has risen exponentially, and the number of subsystems sending network traffic between aircraft, operators, governments and original manufacturers has increased.

I would suggest that appropriately hardened older aircraft (of course, depending on the model in question) could be more secure than newer models, which may have increased security in each system relative to older aircraft, but have added so many new systems with new (and old) attack surface that comparing the two is not a simple process.

Things to consider include

1) Security of underlying hardware, firmware and software – firmware bootkits on embedded systems? ARM has critical design and security issues that many have discussed. If we are talking about any form of modified linux, grsecurity has highlighted that simple security on linux even with a patched kernel is hard. Are embedded systems in aircraft running a secure, modern, hardened OS? After that, what about the firmware – secure, hardened, modern microkernels? Is there universal firmware and boot attestation for all subsystems on a modern aircraft? (Next, how is this attestation implemented?)

2) Even if all this has been dealt with, how well are aircraft protected from their own manufacturers and operators? It is understandable that it is desirable for operators, manufacturers and governments to gather data on commercial aircraft whether to analyze their business, to be able to access information during or after an accident or incident.

However, this opens attack surface from a compromised manufacturer or operator. Even if the embedded systems run signed software and firmware from manufacturers, given the increased number of systems with network connections to manufacturers, how well-protected are they from a situation where the manufacturer’s servers are compromised? Next question, are operators and manufacturers using secure servers and are they hosted in secure, dedicated datacenters, (so no cloud servers, or if so, with enhanced security, extremely detailed contracts with direct involvement of the operator/manufacturer in the security process).

Many OpenCompute boards out there today which are supposedly more secure often lack support for coreboot, let alone other EC ROMs. FaceBook is deploying systems that do support both coreboot (which of course will undergo undocumented internal hardening) firmware and openBMC (likely hardened for internal use) (BMC/ACPI EC/SMC), but this is still a new development and potentially not even something manufacturers are aware of.

The dramatic increase in embedded aircraft systems connected to the “mothership” (as Tesla refers internally to their gateway for the countless metadata their vehicles send home) though perhaps not a privacy concern for aircraft operators (though maybe for private owners), nonetheless does increase the possibility for covert, persistent attacks, despite some increased manufacturer awareness of security when designing individual subsystems.

Despite this discussion being centered on aircraft, I consider this 2016 ZeroNights talk on Tesla somewhat relevant.

https://2016.zeronights.ru/wp-content/uploads/2016/12/Gateway_Internals_of_Tesla_Motors_v6.pdf
