Yikes!!! Australian tester of Boeing 747 video system claims breaking in to the aircraft engine system

November 14, 2011 Comments Off on Yikes!!! Australian tester of Boeing 747 video system claims breaking in to the aircraft engine system 270 Views

Boeing image. Boeing 747-8 Intercontinental.

At a time when every stakeholder, governments to airlines and airports on to tax-payers and everyone in-between is spending obscene amounts of money, loss of privacy, and other resources to make the skies safer, this story is downright scary.

The worst part of this story is that this vulnerability exists due to a lack of timely updating of operating system patches. May be the Australian Transport Safety Bureau (ATSB) should be black-listing this airline.

Dr. Craig S Wright GSE in Australia, on his blog claims he broke in to the engine control system of a Boeing 747 of a certain airline, while contracted to test their new video system.

A while back now, but many of the same systems are in place in the same way, I was contracted to test the systems on a Boeing 747. They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 – VLANs. We managed to break the VLANs and access other systems and with source routing could access the Engine management systems.

The response, “the engine management system is out of scope.”

For those who do not know, 747’s are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 in route. If issues are noted, they can re-tune the engine in air.

The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in Pen Testing and know what a shoveled shell is… I need not say more.

All I can say is YIKES!!!!! May be Unix gurus can elaborate a little more on this story.

A huge huge hat tip to Mary Kirby the Runway Girl for the heads-up on this story.

About Devesh Agarwal

A electronics and automotive product management, marketing and branding expert, he was awarded a silver medal at the Lockheed Martin innovation competition 2010. He is ranked 6th on Mashable's list of aviation pros on Twitter and in addition to Bangalore Aviation, he has contributed to leading publications like Aviation Week, Conde Nast Traveller India, The Economic Times, and The Mint (a Wall Street Journal content partner). He remains a frequent flier and shares the good, the bad, and the ugly about the Indian aviation industry without fear or favour.

Check Also

In new strategy Etihad invests in Darwin Airlines, re-brands it Etihad Regional

by Devesh Agarwal Etihad Airways, the national carrier of the United Arab Emirates, today announced …

+OK
+OK