[HN Gopher] Can a Passenger Hack an Airplane?
___________________________________________________________________
Can a Passenger Hack an Airplane?
Author : meatjuice
Score : 67 points
Date : 2023-11-26 11:03 UTC (11 hours ago)
(HTM) web link (blog.1password.com)
(TXT) w3m dump (blog.1password.com)
| coolThingsFirst wrote:
| How hard can it be. Just brute force the admin password and fly
| the plane like in GTA as the pilots lose their minds.
| wombat-man wrote:
| WASD will work right?
| cantSpellSober wrote:
| Hah, brute forcing is more complicated than what they even had
| to do
|
| > Some of them had [PINs] as simple as four zeros. Some of them
| had the pilot's birthdate as the PIN, which obviously you can
| get from open sources.
| photoGrant wrote:
| If 1Password are beginning to drop clickbait blog posts like this
| -- it tells me something.
| cantSpellSober wrote:
| Holiday promo season has arrived?
| mrabcx wrote:
| The passenger entertainment system typically displays some
| information related to flight location, speed, altitude, ETA and
| so on. Where does that info come from ? If it does come from the
| "Aircraft Control Domain, or ACD" then these two systems are
| probably not "completely isolated" as claimed in the article?
| mschuster91 wrote:
| A 10$ GPS antenna can give you this information... just without
| the performance guarantees that come with glass cockpit
| equipment.
| kzrdude wrote:
| A regular phone can also give you this information, just be
| seated at the window (I guess) for best reception of GPS
| data. The GPS test app is nice for this.
| maayank wrote:
| Can it though? The chips in 10$ AFAIK have hardware
| limitation built in to cut/fudge output on high (air traffic
| scale) speeds.
| zaxomi wrote:
| Coordinating Committee for Multilateral Export Controls
| (COCOM) limits is 1,000 knots (510 m/s) and/or at an
| altitude higher than 18,000 m (59,000 feet).
|
| Commercial airliners usually have a service ceiling at
| about 40000 feet and a speed below the speed of sound (343
| m/s). Even with a very strong jet stream of 100 m/s it's
| below the limit.
|
| The Concorde had a service ceiling of 60000 feet and
| maximum speed of 605 m/s.
| dharmab wrote:
| COCOM is technically AND, so you can buy some receivers
| which will work with one or the other condition.
| wafflemaker wrote:
| You can use Open Street Maps to monitor the flight without
| the internet connection.
|
| I often use it to watch how the plane speeds up for take
| off and slows down for landing.
|
| Sometimes you have to keep the phone closer to the window.
| Luckily you get the list of currently connected GPS sats so
| you can debug whether hiccups are software/hardware related
| or poor GPS coverage.
|
| It's lot of fun observing how early planes start going down
| in altitude before landing or trying to guess river and
| city names from up top.
| sva_ wrote:
| > luckily you get the list of currently connected GPS
| sats
|
| How do you get this list?
| etskinner wrote:
| The almanac, which is part of every GPS transmission
| https://en.wikipedia.org/wiki/GPS_Almanac?wprov=sfla1
| closewith wrote:
| GPS really is amazing. It's hard to believe it works at
| all.
| fragmede wrote:
| My favorite part about GPS is that it only works because
| we understand relativity, proving Einstein right.
| davchana wrote:
| I have used Google's My Tracks (now defunct but apk still
| works) app, and Various GPS Speedometer apps at window seat
| to get the air speed and such for fun.
| ryandrake wrote:
| I don't know why you are getting downvoted. You are
| absolutely right. There is no need for any kind of connection
| to the system that flies the plane, even a read-only one. The
| entertainment network should be completely isolated and if
| one of the entertainment apps requires the aircraft's
| location, they could use a separate GPS receiver and antenna.
| sva_ wrote:
| I've been on planes where you can request that data as json
| over the planes wifi.
| amelius wrote:
| It can be a one-directional connection. A port that can only
| transmit, not receive.
| kylebenzle wrote:
| As always, the answer to the headline is, no.
| n_ary wrote:
| > Where does that info come from ? If it does come from the
| "Aircraft Control Domain, or ACD" then these two systems are
| probably not "completely isolated" as claimed in the article?
|
| You are indeed right, there is a connection to the BUS that
| shares some information. You can also write back some of the
| information(flight number, flight leg etc.) back to it.
| However, rest of the things are read-only. So, no way to do
| weird things like modifying the altitude or ground speed etc.
|
| Basically, the main computer is completely isolated from the
| infotainment system, except for the BUS emitting these minor
| information.
|
| You can however, probably get near the main computer if you can
| get the jump seat ...
|
| Disclaimer: Work in aviation tech.
| closewith wrote:
| > Basically, the main computer is completely isolated from
| the infotainment system, except for the BUS emitting these
| minor information.
|
| Unless this is a one-way optical bus or similar, I'd be very
| skeptical of that claim.
| gruez wrote:
| You're making it sound like isolation requires exotic
| components, but a GPIO pin on a raspberry pi is basically
| one way only unless you explicitly write code to read data
| from it.
| gte525u wrote:
| FWIW - ARINC429 is a common one way serial bus used in
| commercial aviation.
| closewith wrote:
| Thanks for this comment. It seems that ARINC 429 has been
| replaced by ARINC 644 in most new aircraft.
|
| From reading the Wikipedia article, they are indeed
| logically one-way (although the underlying protocol
| involves two-way communication). It has no security at
| all.
|
| However, it seems that communication between any avionics
| systems and anything user-accessible goes through a
| Network Extension Device (NED). These are required to
| either be physically (not only logically) unidirectional
| _or_ have built-in security.
|
| So it might be physically impermeable or it might be a
| buggy 10-year old firewall. Doesn't exactly inspire
| confidence given the subject of the article.
| tyingq wrote:
| You can get the same info at places like FlightAware...
|
| https://www.flightaware.com/live/flight/random
| notahacker wrote:
| Yep. Its broadcast by ADS-B transponders. Suffice to say
| hobbyists with ADS-B transponders and people using
| FlightAware and its competitors' APIs don't all have write
| access to flight computers...
| sandworm101 wrote:
| >> What's the worst that could happen? Bad press coverage?
|
| A flashed bomb threat. Flight doesn't take off, or is diverted to
| an alternate airfield, or otherwise misses its connection. That
| sort of thing can quickly cascade into six or seven cost figures.
| A widespread attack across a fleet could be crippling, at least
| the first time it happens.
| svantana wrote:
| Right, but if the perpetrator has to be on board, they run a
| pretty big risk of getting caught for a serious crime. While I
| imagine a called-in threat can have a similar effect, with much
| less risk.
| mike_hock wrote:
| The perpetrator doesn't have to be on board, only a device
| previously hacked by the perpetrator has to be on board.
| tycho-newman wrote:
| Pfft. Just make a GUI in HTML using Visual Basic.
| usrbinbash wrote:
| So the answer is: "No they cannot".
| cantSpellSober wrote:
| No it's not, granted the headline makes it sound scarier than
| the reality.
|
| > we did find ways to compromise the in-flight entertainment
| systems. But one of the limitations of our research is that the
| airplanes that are being retired - they're the old ones. One of
| the systems we were working on was 27 years old. It was running
| Windows NT 4.0.
|
| > We also discovered vulnerabilities in some of the apps, which
| meant if someone had compromised one of these tablets, they
| could mess around with the calculations [that] tell the pilot
| how much power they need
|
| > the first vulnerability we found, Boeing came back to us
| within 24 hours and said, "We agree with you"
| sbarre wrote:
| Security researcher Chris Roberts FAFO'ed with this some years
| back. It cost him his consulting company if I recall?
|
| https://www.wired.com/2015/05/feds-say-banned-researcher-com...
| replwoacause wrote:
| Wow, that guy sounds like a total idiot. I was shocked to read
| how brazen his actions were and if it's true he commandeered
| control over the plane and made it list to the side as stated
| in the article, he belongs in jail.
| closewith wrote:
| Even if it's not true, the fact he thought that's what he was
| doing and he continued should ban him from air travel.
| sbarre wrote:
| Ironically he is now the CISO for Boom Supersonic[0].
|
| 0: https://boomsupersonic.com/
| rafram wrote:
| Wow, I can't believe that they've actually secured orders
| from major airlines. Didn't they learn their lesson with
| the Concorde?
| speedgoose wrote:
| AirFrance and British Airways are not listed.
| wsgeorge wrote:
| > Didn't they learn their lesson with the Concorde?
|
| What was the lesson?
| constantly wrote:
| No one wants to get to Paris quickly.
| rafram wrote:
| Cost-agnostic business travelers are not a large enough
| segment of the market for transatlantic flights to
| justify flying a plane that only seats business class and
| costs a lot of money. (Boom says they're targeting $5,000
| fares between NYC and London [1], and I bet they'll end
| up being even higher, if/when it gets off the ground.)
|
| [1]:
| https://www.theverge.com/2022/8/16/23308514/american-
| airline...
| closewith wrote:
| I think the lesson was that business travellers prefer
| comfort to speed, as business class funds the entirety of
| transatlantic passenger aviation. There's plenty of
| business-class-only flights.
| ThePowerOfFuet wrote:
| https://archive.is/Q1jdu
|
| >According to the FBI affidavit, however, when he mentioned
| this to agents last February he told them that he also had
| briefly commandeered a plane during one of those flights.
|
| So he admitted to a federal felony, lol. That's even beyond
| simple FAFO.
|
| >"It would appear from what I've seen that the federal guys
| took one paragraph out of a lot of discussions and a lot of
| meetings and notes and just chose that one as opposed to plenty
| of others."
|
| "Anything you say can and will be used against you", which is
| why you Don't Talk To The Police.
|
| https://youtube.com/watch?v=d-7o9xYp7eE
| tyjen wrote:
| Just to piggy back, people need to be aware how degraded
| their legal protections have become over the past two
| decades. For example, mens rea protections are becoming
| nonexistent, because certain administrations have eroded them
| and they may disappear if people don't stop voting for the
| political entities pushing for their erasure. It's an
| incredibly dangerous situation that most Americans are
| completely unaware of.
| vore wrote:
| I don't know about you but surely this person is definitely
| knowingly doing something negligent enough to constitute
| mens rea.
| simg wrote:
| wow, I came here to comment that of course passengers can't
| hack an airplane, at least in the sense of taking control of
| it, because there's no way that anyone with half a brain
| wouldn't have an absolute air gap between the passenger facing
| systems and the flight control systems.
|
| still not sure I believe it!
| winternewt wrote:
| Your car has the same problem
| JadeNB wrote:
| > Your car has the same problem
|
| My car is much less likely to be carrying hundreds of
| unidentified passengers, though, and any individual
| passenger messing around is harder to miss.
| eastbound wrote:
| But more prone to infotainment saturating the CAN bus.
| Infotainment can be hacked using the 5G connection
| facilities which no-one takes seriously. The CAN bus also
| drives the brakes.
|
| I wouldn't say it's as easy as cutting the brake cables
| in 1950, but it's as efficient.
| sokoloff wrote:
| > cutting the brake cables in 1950
|
| Service brakes were typically hydraulic long before 1950.
| Only parking brakes would have been cable operated on the
| overwhelming majority of cars on the road in 1950 (or
| since).
| CatWChainsaw wrote:
| If a car can receive OTA updates it can receive OTA
| hacks, no passenger in car required.
| davidw wrote:
| No one takes car safety very seriously though. Air travel
| has a better record of trying to eliminate dangerous
| things.
| croes wrote:
| After the Boing 737 Max disaster you still believe plane
| manufacturers don't make crude mistakes?
| Veserv wrote:
| The 737 MAX was not a "crude mistake". The failure mode was
| a multiple independent root cause sequence of low
| probability events. If I remember correctly there were
| about 200,000 flights before it was grounded after two
| airframe losses which is a failure rate of 1 in 100,000
| flights, 5 9s, which, when accounting for the average
| flight distance, is about as dangerous as driving per
| passenger-km.
|
| People downplay it as a "crude mistake" to claim that the
| people at Boeing are idiots who could have avoided the
| problem if they just applied average techniques and common
| sense. No, preventing these types of problems requires
| extremely sophisticated safety engineering the likes of
| which no other industry even attempts. Other industries
| have dreams about making systems as safe as cars; in
| aerospace they have nightmares about making systems that
| are only as safe as cars.
|
| The Boeing 737 MAX was a disaster because they made a plane
| around 100x-1000x more dangerous than average. It is
| unacceptable to have such a massive safety regression. But
| claiming it was a "crude" or stupid mistake is absurd. It
| was a extremely sophisticated mistake that demands a return
| to the extremely sophisticated safety engineering normally
| employed when designing aircraft.
| avar wrote:
| The only reason for that system to exist is because the
| 737 MAX is effectively a flying flight simulator for
| earlier versions of the 737, because Boeing and
| particularly Southwest didn't want to spend the money to
| recertify pilots on a "new" type of aircraft.
|
| So yes, it's pretty much a crude hack that wasn't needed
| for any objective reason other than to save some money
| for shareholders, and now people are dead.
| wslh wrote:
| I would add one more thing about hacking IN an airplane (not "a
| plane"): with the chat app included in many flights you can scam
| people and do other kind of funny things interacting between
| unknown people in the flight.
|
| Have done pranks to my family there.
| flemhans wrote:
| Will this article please get to the point!
| exegete wrote:
| Everyone is dismissing the headline as clickbait. The interesting
| part is the discussion on Electronic Flight Bags and their
| security. Seems like a gap.
| spacecadet wrote:
| My wife shared a tiktok with me last year, which was clips of an
| American Airlines flight, Airbus Plane, and someone had
| "hijacked" the speaker system. I combed the Airbus manuals and
| maintaince PDFs and found that those planes have several exposed
| compact flash ports for "pre-flight audio". I hypothesized that
| either the copilot lost a bet or someone slipped a pre-recorded
| track into one of those slots... /shrug, but Im still interested
| in those CF card slots...
| gloyoyo wrote:
| Wow. Given the amount of things that can be done with audio
| networking, and or connections via wireless to a CF card, this
| seems like something that should be considered.
| spacecadet wrote:
| Well, they are non-obvious slots near Flight Attendant
| stations and high traffic areas.
|
| I wont say I hung out near them on a flight and observed
| traffic patterns, nor did I observe periods in the rear of
| the plane where one CF slot was unattended.
|
| I forget the exact model now, but Im leaving out alot of
| detail. There are assumptions in the "unattended slot"
| hypothesis. For one, the slots need to be set to an autoplay,
| which is not a given, and if not- requires navigating a
| complex and dated touch screen.
| weinzierl wrote:
| If I remember correctly CF was just a stripped down PCMCIA
| which in principle is capable of DMA.
| ctxc wrote:
| Quite the acronym soup, but off I am to Google it...
| ctxc wrote:
| Andd I'm back. Got to love when it all comes together :P
|
| CF is compact flash card, kind of like the big memory card
| in cameras. PCMCIA is a PC card whose function is to
| "introduce peripheral capability to a laptop", kind of an
| interface. DMA is direct memory access.
| mips_r4300i wrote:
| It does have DMA but this only speeds up data transfer.
|
| You are probably thinking of PCI bus mastering, where the
| PCI slave temporarily takes control of the bus to read and
| write main system memory.
|
| This still exists in PCIe and thunderbolt, which is why bus
| mastering can be a security risk.
|
| CF poses no such risk. PCMCIA I don't think does either,
| since it is effectively a stripped down ISA. Later PC
| laptop cards look very similar but are actually CardBus,
| which is basically PCI.
|
| CardBus does support bus mastering. And the later Express
| card did too, in its PCIe forms
| cjbprime wrote:
| > The airplane networks are very carefully segregated. You have a
| bit in the cabin that's called the Passenger Information
| Entertainment Services Domain. That's completely isolated from
| what we call the Aircraft Control Domain, or ACD.
|
| Seems to raise the question of where the nearest connection to
| the ACD is, from the passenger cabin.
| grammers wrote:
| To save you some reading:
|
| > Can a passenger hack the airplane from their seat? They can't.
| eastbound wrote:
| However, I'm surprised they don't protect us more against
| hacked phones. When each iPhone is 4,000mAh, it could cause
| quite a fire, let alone entire laptops.
|
| Is the entire security theater based on the trust that
| terrorists won't short-circuit batteries?
| mynameisvlad wrote:
| Is there any documented case of a phone being hacked to make
| their batteries explode? This seems to be a reach at best.
| tempotemporary wrote:
| According to this article https://www.wired.com/2015/05/feds-
| say-banned-researcher-com... a researcher was able to take use
| cat6 ethernet from airplane entertainment module built into a
| seat.. So it depends.
| okdood64 wrote:
| https://archive.is/Q1jdu
|
| > Chris Roberts, a security researcher with One World Labs,
| told the FBI agent during an interview in February that he
| had hacked the in-flight entertainment system, or IFE, on an
| airplane and overwrote code on the plane's Thrust Management
| Computer while aboard the flight. He was able to issue a
| climb command and make the plane briefly change course, the
| document states.
|
| > "He stated that he thereby caused one of the airplane
| engines to climb resulting in a lateral or sideways movement
| of the plane during one of these flights," FBI Special Agent
| Mark Hurley wrote in his warrant application
|
| Goes without saying this is so reckless and dangerous. Was he
| ever charged? I couldn't find any information.
| 93po wrote:
| It's not clear if there's any validity to the claims
| Veserv wrote:
| "Roberts had previously told WIRED that he caused a plane to
| climb during a simulated test on a virtual environment he and
| a colleague created, but he insisted then that he had not
| interfered with the operation of a plane while in flight."
|
| So they wrote a simulation without knowing how any of it
| works and then showed they could hack their own cobbled
| together mess.
|
| "They built a test lab using demo software obtained from
| infotainment vendors and others in order to explore what they
| could to the networks."
|
| Yep, cobbled together random non-production info _tainment_
| software which is isolated from the actual flight systems.
| Generally only certified to DO-178 DAL Level D /E since they
| are isolated in such a way that total failure or even
| maliciousness can not possibly cause a meaningful safety
| impact.
|
| The functional equivalent of claiming you could totally steal
| from a bank vault because you successfully stole some pens
| from the counter. Just another self-aggrandizing idiot.
| dagurp wrote:
| Betteridge's law of headlines
| seeknotfind wrote:
| Script kiddies of the future would own the airplanes of today.
| dom96 wrote:
| This article has some of the most frustrating uses of quotations
| I've seen: they're placed right beside the paragraph they quote
| and they are exactly the same as the paragraph, so it's forcing
| you to read the same thing multiple times.
___________________________________________________________________
(page generated 2023-11-26 23:01 UTC)