Hidden Content
LAS VEGAS—The Black Hat security conference is no stranger to controversy, but it has been a while since a presentation elicited much pushback. That changed when a security researcher from IOActive presented what he says are vulnerabilities in the Boeing 787 Dreamliner that could be used for several different attacks. Boeing disputes the firm's findings and its disclosure process, highlighting the cracks between security researchers and the subjects of their work.

Black Hat Bug ArtThe research was presented by IOActive Principal Security Consultant Ruben Santamarta, a Black Hat veteran. His previous talks have looked at hijacking satellite phones and even remotely hijacking SATCOM antenna controls to cause physical damage.
"I have been afraid of flying for many years, and there are different ways to deal with this," Santamarta said. "My way was to learn as much as possible about aircraft."
A lengthy whitepapaer on his work with the 787 was released on Wednesday. But Santamarta said several times that there are limitations to the conclusions that could be drawn from his work.
"We couldn't verify whether the vulnerabilities we are presenting today pose a safety threat for the aircraft. We don't have access to the avionics, we don't have access to the hardware components. Obviously it's not possible to assess that possibility without such access."

Constructing Attacks From Deconstructed Code
But Santamarta did have some access. With some clever Google queries, he discovered a public Boeing server, which housed the firmware for the Boeing 787 core network cabinet, some of the Boeing 737 firmware (he did not examine that troubled aircraft), and VPN information for accessing a Boeing network.
By deconstructing this firmware, and using other documentation, Santamarta mapped out the Boeing 787's internal networking system.
The core network cabinet is key to Santamarta's work—it was "a window into the core network system of the 787," he said. "If we oversimplify it, it's a way to interact with the outside world."
This is partly because of a unique facet of the 787. Instead of physically separating the networks that can be accessed from the outside world—such as the inflight entertainment system or radios the plane uses to communicate maintenance data—all the networks come together in the core network cabinet.
Santamarta identified three networks in the 787: the Open Data Network (ODN), the Isolated Data Network (IDN), and the Common Data Network (CDN).

The ODN talks with the outside, handling communication with potentially dangerous devices.
The IDN handles secure devices, but not necessarily ones that are connected to aircraft safety systems; a flight data recorder is an example.
Santamarta described the CDN as the "backbone communication of the entire network," connecting to electronics that could impact the safety of the aircraft.
The broadest sketch of an attack on this system starts with the ODN, and then finds a path to the CDN, where the attacker can directly access critical systems. At each step, Santamarta explained how an attacker could continue through the maze of the 787 network. At one stage, he found, "hundreds of references to insecure functions" that could be used to proceed to the next step, eventually leading to the CDN.

Not content with a single potential attack, Santamarta outlined several more. One hinged on being able to trigger a firmware update on the system. An attacker could then "initiate a malicious firmware update against safety critical units," he explained. He cautioned, however, that there may be a mitigation in place that would recognize a bogus update.
Another avenue he explored was the emergency lighting system. "What you probably didn't know is that they're running a wireless protocol," Santamarta explained, which could potentially be a useful point of entry for attack.

In another outlined attack, Santamarta turned his attention to the Gatelink system. When the 787 lands and pulls up to the gate, it connects wirelessly via Gatelink. The plane then reaches out to servers operated by the airport, reports diagnostic data, and receives firmware updates.
"We discovered at least two different internet-facing [servers]," said Santamarta. "We notified Boeing about this and at this point those servers are no longer available." These servers, however, were "running vulnerable services" and were "pretty easy to find." The idea would be that an attacker could use a misconfigured server like the ones he discovered as a way to feed a bad update to a 787.

Boeing: IOActive Is Irresponsible and Misleading
Santamarta was clear that there are serious limitations to his research, since he did not have access to a 787 aircraft. Still, IOActive is confident in its findings. "We have been doing this for many years, we know how to do this kind of research."
Boeing and the FAA disagree. In a statement provided to PCMag, Boeing disputed the idea that Santamarta's research poses any threat to its aircraft and described Santamarta's presentation as misleading.
"IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system.
"After working with IOActive to understand its research, Boeing and its partners tested their findings in integrated environments, both in labs and on an airplane. Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed.

"IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible and misleading presentation."
Likewise, the Federal Aviation Administration told PCMag that it is satisfied with Boeing's assessment.
"The Federal Aviation Administration (FAA) is aware of recent claims alleging potential cybersecurity vulnerabilities of the Boeing 787. We have been working with the Department of Homeland Security and Boeing from the moment the research was disclosed and are satisfied with the assessment of the issue. For security and proprietary reasons, the FAA does not disclose details about certificate holders' cybersecurity protections.