Blog

Ruben Santamarta, an IOActive Principal Security Consultant found vulnerabilities in the Boeing 787 Dreamliner’s components. He said these vulnerabilities could be misused by hackers. There are security flaws in the code for a component known as Crew Information Service/Maintenance System. 

Security researcher discovers a major flaw in the code 

The security researcher discovered a fully unprotected server on Boeing’s network, that could be accessed publicly and be open to anyone who found it, so he downloaded everything he could see. Santamarta dug into the code, reverse engineered it and analyzed the configuration files. This unleashed many security vulnerabilities that could allow an attacker to remotely access sensitive Boeing’s avionics network. 

Possible Attacks on Boeing 787:

Looks like there was a major loophole and exploiting those bugs could be responsible for an attack when a plane’s in-flight entertainment system starts along with other critical systems like flight controls and sensors. 787 models come with various:

• Communication channels
• Satellite devices
• Wireless connections 

And these connect to GateLink – an airline network for downloading information regarding the airplane’s arrival. So an attacker could either hack into the network such as its wireless terminal and connect to the airline’s wireless network. Or a hacker could control the maintenance systems by running rogue tests or giving false information to the maintenance engineer about a certain system function. 

Boeing pushes back and states these claims are ‘false’

However, Boeing has denied any such vulnerability in the code and also rejects Santamarta’s claim of discovering the potential for such an attack. While Santamarta also admits that he does not have a full picture of the aircraft or access to a $250 million jet. However, cybersecurity researchers reviewed his findings and argue that these flaws in 787’s code can be due to a lack of attention to cybersecurity from Boeing. It also means that Boeing needs to invest in performance testing services to remove these vulnerabilities. Even though the importance of keeping commercial airplanes safe from hackers is high, Boeing has not paid much attention to it. 

Currently, it is difficult to state whether the research findings of the aircraft’s security issues are true. Although companies like Boeing have a million-dollar budget to spend on the aircraft’s security, yet they also have conflicts about their results. Hackers like Santamarta don’t have resources to conduct in-depth investigations for these aircraft. 

Food for thought

Boeing’s 787 Dreamliner is said to be troubled with cybersecurity issues ever since it went live in 2013. Research similar to IOActive’s is a reminder that aircraft security is at risk. And the increasing dependency on a networked computer system should not get away with vulnerabilities like these.