Before we dive into this, no one is saying that this could take down a plane. However, growing sentiment from the world of cyber security including researchers, hackers and professors feels that this is an issue Boeing needs to take more seriously. Today, that could become even more apparent, as Ruben Santamarta, the cyber security expert who uncovered the flaws leads a presentation on his findings at the Black Hat convention in Las Vegas.
Santamarta says it all began quite simply: with a Google search. According to a fantastic piece in Wired by Andy Greenberg, the noted cyber security expert was searching online for vulnerable tech documents which could be exploited online. Apparently, just a few minutes of creative searching allowed Mr. Santamarta to find a completely unprotected Boeing server with a treasure trove of code which would run on Boeing 787, and 737 aircraft.
“IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system.”
Unfortunately for Boeing, they seem to be alone in this analysis and like many major corporations with outsized hubris, despite tragic recent events, have chosen to simply discredit Mr. Santamarta, rather than engage, adding their disappointment to the “irresponsible presentation”.
In layman’s terms, Mr. Santamarta isn’t saying he could make a plane turn left, right, up or down solely with the flaws he’s found thus far. He’s simply stating that hackers always look for a way in, and once they’ve found it, they typically will find another yet to be exposed flaw which allows them a backdoor into other systems, and in theory – potentially ones which could cause problems.
“The claim that one shouldn’t worry about a vulnerability because other protections prevent it from being exploited has a very bad history in computer security. Typically, where there’s smoke there’s fire. Every piece of software has bugs. But this is not where I’d like to find the bugs. Checking user parameters is security 101.
They shouldn’t have these kinds of straightforward vulnerabilities, especially in the kernel. In this day and age, it would be inconceivable for a consumer operating system to not check user pointer parameters, so I’d expect the same of an airplane.”
With due respect to Boeing, simply dismissing these claims after repeated presentations and opinions from those in the relevant field seems nonsensical. Boeing has yet to give Mr. Santamarta or his team at IOActive access to run live tests with a real aircraft, which seems to me like a great starting point. At the very least, it could quell some fears – and at the very best, it could patch some crucial software updates.
I’m not sure if Mr. Santamarta’s presentation from the Black Hat Conference in Las Vegas is streaming today, but if it is, I’ll absolutely be grabbing the popcorn. Watch this space.