1 2
GameboyRMH
GameboyRMH GRM+ Memberand MegaDork
4/15/15 1:11 p.m.

Passenger wifi on Boeing 787s, Airbus 350s and A380s is on the same network as avionics systems Repeat, they are NOT AIRGAPPED FROM EACH OTHER

http://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/

A mere software firewall separates the two. This is the computer equivalent of having just one thick, barbwire-topped brick wall between the yards of Arkham Asylum and a daycare center. Sure it's a good defense in itself, but why the berkeley are those things in contact with each other in the first place? It's not 100% impossible to breach the defense and there is no benefit to having them together, and the downside of highly unlikely but massively horrific consequences.

How the hell does the FAA allow this? There's no remotely sane reason to do this, and the aircraft manufacturers have an attitude toward the problem that makes '90s Microsoft look good.

People are going to think that computers can never be secure if elementary mistakes like this keep happening, and automation will become the new nuclear energy - some people will think that humans just aren't good enough to use it.

Appleseed
Appleseed MegaDork
4/15/15 1:20 p.m.

That is NOT good.

bgkast
bgkast GRM+ Memberand UltraDork
4/15/15 1:24 p.m.

GameboyRMH
GameboyRMH GRM+ Memberand MegaDork
4/15/15 1:30 p.m.

This line is priceless:

She wouldn’t go into detail about how Boeing was tackling the problem but said Boeing was employing a combination of solutions that involved some physical air-gapping of the networks as well as software firewalls. “There are places where the networks are not touching, and there are places where they are,” she had said.

You can't be partly airgapped any more than you can be slightly pregnant you moron!!!

Giant Purple Snorklewacker
Giant Purple Snorklewacker MegaDork
4/15/15 1:34 p.m.

Have we learned nothing from the Cylon invasion?

pinchvalve
pinchvalve MegaDork
4/15/15 1:36 p.m.

I'm still laughing about Arkam and the Preschool.

Kendall_Jones
Kendall_Jones HalfDork
4/15/15 1:45 p.m.

total clickbait.

"Could Hack in" not "OMFG they hacked the planet". The GD link states "commandeer" (really?)

GameboyRMH
GameboyRMH GRM+ Memberand MegaDork
4/15/15 1:49 p.m.
Kendall_Jones wrote: total clickbait. "Could Hack in" not "OMFG they hacked the planet". The GD link states "commandeer" (really?)

Not clickbait, this is a serious problem that has no reason to exist. Commandeering could be possible if the firewall is breached, for all we know.

Kendall_Jones
Kendall_Jones HalfDork
4/15/15 1:52 p.m.
GameboyRMH wrote:
Kendall_Jones wrote: total clickbait. "Could Hack in" not "OMFG they hacked the planet". The GD link states "commandeer" (really?)
Not clickbait, this is a serious problem that has no reason to exist. Commandeering could be possible if the firewall is breached, for all we know.

the link says "hackers commandeer new plane" - to my knowledge they haven't.

turboswede
turboswede GRM+ Memberand MegaDork
4/15/15 1:55 p.m.

You know that the same problem likely exists on the newer cars that now feature onboard wifi, etc. Its less of an issue, but still when you've got things built by committee, directed by internal and external politics without starting at security first and working downstream by leveraging subject matter experts in the various categories, you end up with this sort of nonsense.

Look at Linux/Unix versus Windows. One was built with security in mind from day one, the other wasn't. One is known for security vulnerabilities and the other is known to be capable of being incredibly secure. Both perform essentially the same functions.

Grtechguy
Grtechguy UltimaDork
4/15/15 1:59 p.m.

Considering that certain Airbus planes can damn near land themselves via the computer. Big issue.

GameboyRMH
GameboyRMH GRM+ Memberand MegaDork
4/15/15 2:11 p.m.
Kendall_Jones wrote: the link says "hackers commandeer new plane" - to my knowledge they haven't.

That's the human-readable URL which is always a shortened version of the headline...

kanaric
kanaric Dork
4/15/15 2:12 p.m.

lmao. Makes the Fast and the Furious "hacking peoples cars" scene seem viable once we have full automatic cars especially.

How are they even? They shouldn't even be on the same network. They shouldn't even have a physical connection.

Kenny_McCormic
Kenny_McCormic PowerDork
4/15/15 2:36 p.m.

Based on their attitude, I'm imagining some low end business class router zip tied behind a panel somewhere with stock passwords being the only safeguard here.

Dr. Hess
Dr. Hess MegaDork
4/15/15 2:48 p.m.

UNIX was not built with security in mind from day 1. It was probably, I dunno, year 15? before they started to get serious about it and patch all the vulnerabilities. I remember many "here's how you root yourself on UNIX" things. And "here's how you plug that hole..." Windows, for whatever reason, just didn't bother with it, or deliberately created more holes. Take your pick.

GameboyRMH
GameboyRMH GRM+ Memberand MegaDork
4/15/15 3:36 p.m.

If anyone can get network access to the satellite uplink devices, apparently they're about as secure as a bargain-bin home router:

https://www.blackhat.com/docs/us-14/materials/us-14-Santamarta-SATCOM-Terminals-Hacking-By-Air-Sea-And-Land-WP.pdf

Curmudgeon
Curmudgeon MegaDork
4/15/15 3:49 p.m.

And people see nothing wrong with autonomous cars...

madmallard
madmallard Dork
4/15/15 4:43 p.m.

yeah, this is definitely not click bait. and how two different aircraft manufacturers are so dumb or arrogant to believe their soft firewall is due diligence blows me away.

SVreX
SVreX MegaDork
4/15/15 5:26 p.m.

Don't be such a Debbie Downer. You are taking all the fun out of air travel.

It will be OK. The airline has promised $70K worth of frequent flyer miles for every ticketed passenger. It's gonna be AWESOME!

Toyman01
Toyman01 GRM+ Memberand MegaDork
4/15/15 5:29 p.m.

The TSA has you covered. They don't let bad guys on planes anymore.

They already hired all of them.

Kenny_McCormic
Kenny_McCormic PowerDork
4/15/15 7:12 p.m.
Dr. Hess wrote: UNIX was not built with security in mind from day 1. It was probably, I dunno, year 15? before they started to get serious about it and patch all the vulnerabilities. I remember many "here's how you root yourself on UNIX" things. And "here's how you plug that hole..." Windows, for whatever reason, just didn't bother with it, or deliberately created more holes. Take your pick.

Unix started as a timeshare mainframe operating system. I suspect it's secure (and looked vulnerable early on) because it spent those first 15 years or so being relentlessly hacked at by students trying to get more/free time.

Dr. Hess
Dr. Hess MegaDork
4/15/15 7:35 p.m.

Actually, it was started on a PDP11, which wasn't a mainframe and wasn't timeshare. I used to have one. And, yes, all the computer geeks hacked the crap out of it, exposing multiple security problems. Throughout the 90's, patches came regularly and at some point coding philosophies were adopted that minimized the introduction of vulnerabilities.

Type Q
Type Q Dork
4/16/15 12:51 a.m.

Most of the automotive OEM's have labs here in silicon valley. They all would like to save money by having fewer discrete boxes to run the various computing functions in vehicles. I have heard some of the chipmakers here have proposed a vision where your all the drive train controls (ECU, transmission controller) safety systems (ABS, stability control, blind spot detection, tire pressure monitoring) and infotainment system would be run by one CPU for the whole vehicle. I am not sure how they propose to firewall off the safety functions from infotainment. I would certainly like to see them air gaped.

SVreX
SVreX MegaDork
4/16/15 6:35 a.m.

This morning NPR was discussing electronic voting. Apparently, some tests have been conducted where users were able to access voting machine wireless networks, change data in any number of ways (racial info, candidate name lists, numbers of votes, etc.) The changes they made were completely undetectable, and they were executed entirely from smartphones.

I don't want to flounder this thread, but the security issues made me think of this.

As much as I don't want airplanes falling from the sky, it seems to me that the ability to sway a US election and perhaps even alter the Commander in Chief is a much bigger computer vulnerability than this.

Electronic data (planes, cars, or voting machines) is at risk, and we are vulnerable.

This is a really big problem, and our typical response is that we'd rather be ostriches and pretend it's not a problem, because it is so darned cool.

The vulnerability is not the machines. It is our own corporate attitude about technology. We want stuff and convenience more than we care about security.

HappyAndy
HappyAndy UltraDork
4/16/15 6:46 a.m.

In reply to SVreX:

1 2

You'll need to log in to post.

Our Preferred Partners
JFuKnrTXdCvtUlUCy7el78XRVL06UOETnT7vkkS3oHicv7cnQgI8TPBBkWT0cpxZ