According to a report, a security researcher revealed that leaked code for Boeing 787 internal systems exposed several vulnerabilities.
According to a new report from Wired, a security researcher revealed that leaked Boeing 787 code has exposed potential security flaws in the 787 Dreamliner's systems, which could allegedly allow an individual to access a restricted part of the plane’s network. That access could potentially let the individual gain control of things ranging from the aircraft’s in-flight entertainment system to its flight controls and sensors.
Last year, security researcher Ruben Santamarta uncovered a fully unprotected server on Boeing’s network. This server contained code used to run on the company’s giant 737 and 787 passenger jets. Now, nearly a year later, Santamarta, an industrial cybersecurity expert at IOActive, claims that the leaked code can be used to conduct cyberattacks on Boeing 787 Dreamliner systems.
At the recent Black Hat security conference in Las Vegas, Santamarta revealed that there are multiple serious security flaws in the code for a component of the 787 known as the Crew Information Service/Maintenance System (CIS/MS). The CIS/MS is responsible for applications like maintenance systems and the electronic flight bag. Santamarta found that the CIS/MS module of the Boeing 787 Dreamliner is affected by a slew of memory-corruption vulnerabilities. These vulnerabilities can be abused by an attacker to send malicious commands to far more sensitive components that control the plane’s safety-critical systems, including its engine, brakes, and sensors. The CIS/MS, where the vulnerabilities were found, is sandwiched between the Open Data Network (ODN) and the Common Data Network (CDN).
Boeing’s 787 models also come with various communication channels, including satellite devices and wireless connections. These communications channels are used to receive and send information about the plane’s arrival and departure. An attacker could hack into the network via the internet or another network link to the plane to give the maintenance engineer false information about a system function.
Boeing investigated Santamarta’s claims and concluded that they do not represent serious cyberattack threats. “IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system,” the company said.
Wired reported a statement from Boeing, which read: “After working with IOActive to understand its research, Boeing and its partners tested their findings in integrated environments, both in labs and on an airplane. Our extensive testing confirmed that existing defenses in the broader 787 network prevent the scenarios claimed.”
Boeing said the researcher did not have access to its larger system or working environments, calling the presentation “irresponsible and misleading.” Wired noted that the security researcher admitted that he doesn’t have a full enough picture of the jet, or access to one, to be able to confirm his claims. Other experts told Wired that — based on the initial findings alone — a thief would not be able to cause immediate danger to passengers.
Nonetheless, the experts believe he has found a potential vulnerability that could lead to larger problems if not addressed. The claims could bring more attention to the issue of security regarding Boeing’s jets – which has been an ongoing challenge for the company after two of its 737 Max jets were involved in fatal crashes.