This is cute. Wired magazine reports that the Federal Aviation Administration, the US air regulator, is worried that the Boeing 787 Dreamliner’s in-flight passenger network is physically connected to the network that manages the aircraft’s control systems and also connects to ground-based maintenance and booking networks.
One might have expected the aircraft’s control network to be physically isolated from outward-facing networks, since any such connection in principle poses a security threat. Who needs box cutters when you can just hack your way into the cockpit, fire up a flight sim client, and fly the plane yourself?
Boeing’s new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane’s control systems, according to the U.S. Federal Aviation Administration.
The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.
The revelation is causing concern in security circles because the physical connection of the networks makes the plane’s control systems vulnerable to hackers. A more secure design would physically separate the two computer networks. Boeing said it’s aware of the issue and has designed a solution it will test shortly. [...]
Currently in the final stages of production, the 787 Dreamliner is Boeing’s new mid-sized jet, which will seat between 210 and 330 passengers, depending on configuration.
Boeing says it has taken more than 800 advance orders for the new plane, which is due to enter service in November 2008. But the FAA is requiring Boeing to demonstrate that it has addressed the computer-network issue before the planes begin service.
According to the FAA document published in the Federal Register, the vulnerability exists because the plane’s computer systems connect the passenger network with the flight-safety, control and navigation network. It also connects to the airline’s business and administrative-support network, which communicates maintenance issues to ground crews.
ZDNet picked up on the report, and quotes Bruce Schneier on the subject.
PS. The Wired article quotes one Mark Loveless, which it calls “a network security analyst with Autonomic Networks, a company in stealth mode, who presented a conference talk last year on Hacking the Friendly Skies“. If you’re in stealth mode, isn’t giving presentations at conferences a dead giveaway?
Update: Blue Crab Boulevard notes a new form of spam, which reaches printers directly from the internet, via a browser vulnerability, and demonstrates the inherent dangers of connecting networks. That they’re supposed to be separate and designed to be separate is no guarantee that they really will be separate.