I just got done reading this cool article over at Wired about how the 787 may be vulnerable to a hacker attack. Apparently the plane is designed to provide in air internet service by having a network in the passenger compartment. As we all know from network design 101, what you want to do is make sure that an insecure network like the passenger network is directly connected to the network that all of the plane's control, navigation and communications systems are on. Holy lack of firewall batman!!
Sometimes it amazes me that today folks still make network design errors of this magnitude. Thankfully they caught it before the plane is in production (can you imagine the terrorism potential?) and will hopefully do something effective to remedy this. I have to admit though; I'm less than impressed by Boeings vague comments of "there are protections in place". I'd like to think that for something as critical as keeping a plane in the air that a more open approach to security (I've never been a fan of security through obscurity) would be adhered to.
Wes Noonan
The plane is supposed to be hacked, BY THE FEDS
But the whole point was so the feds could take control of the plane from the ground if it were hi jacked. If you look on the internet there are articles about the feds wanted to be able to take control of an aircraft from the ground if its reported its been hi jacked by terrorists, so its the FAA who is putting national security at risk by making this information public. Why would you tell the public the technical specification of an aircraft, is that not tipping off the bad guys? The good guys the feds have been trying to get aircraft like this for a long time, but it was supposed to be secret that the feds are able to take over an aircraft from the ground to stop terrorists from doing another 9/11. Sure we need to address this issue so un authorised folks can't take control of the aircraft, but I don't think any of this should of been made public for security reasons, this could of all of been sorted out behind closed doors.
I'm not sure about feds
I'm not sure about feds wanting to take control from the ground, but I will say this. Being able to take control from the ground, and being able to take contral from the passenger compartment are two totally different things in my mind. You can implement the prior without implementing the latter.
On the subject of secrecy, I think that history has proven these kinds of things don't stay secret, so if secrecy was the defense against hacking, it was a very ineffective security measure.
Either way, it would appear the story has been picked up by the AP/Fox News - http://www.foxnews.com/story/0,2933,321326,00.html
Thanks for the response!
Wes
http://www.netiq.com
Your bit of hysteria is
Your bit of hysteria is based on an article posted on 'Wired', and that item was based on a lame understanding of the system. Take a chill pill.
Quoting the FAA document found in The Federal Register, as filed by Boeing:
Separate networks on the same data bus is nothing new nor is it particularly prone to hacking. How do you suppose TimeWarner is able to deliver TV, phone and Internet access, all on the same cable?
An excellent post by the
An excellent post by the previous anonymous. Fortunately, your perspective on security by obscurity isn't shared by everyone. If that perspective were followed you'd have large passenger jets running Linux. Can you say "I'll drive, thanks"!
I think you have confused
I think you have confused security through obscurity with open source software development. The two have nothing to do with each other, especially in this context.
Security through obscurity is nothing more than the belief that the security of something can be kept through secrecy. For example, by not telling someone what cryptography is being used, that the data is being kept more secure than if it was known.
I'll freely admit it, I don't buy into that process. I think that security is delivered by ensuring that the security precautions being undertaken are open. This allows more folks to review the security precautions, and increases the likelihood that deficiencies can be discovered before they can be exploited.
Let's take this discussion to what some might say is a silly end. What if one of the security measures is to run a system with Vista with ICS and Windows firewall to provide one of the "other technical solutions". Is that acceptable, or is there a better technical solution that could and should be used?
Without open security discussions, we have to trust that Boeing (or anyone else for that matter) is doing the most appropriate thing when they implement "other technical solutions". With open security, we can all* review it and either validate or invalidate the solution, which ultimately creates a better solution IMO.
*in this context, I'd qualify all to be any kind of independent audit. I don't expect Boeing or anyone else to run their security measures past the internet community at large.
Hopefully I have clarified some of my position here. Thanks for the response!
Wes
http://www.netiq.com
I like the discussion this
I like the discussion this has generated. Most excellent, and what I was hoping for.
I think you are missing my point. I've never been an adherent of the belief that because someone or some company says something is secure, that it actually is. I've spent too much time working with R&D shops to believe that. I do believe that in cases where peoples lives can be on the line, it’s important to have open security to do the best to ensure that as much as can be done has been done.
1) There is no question there were some concerns about security. The FAA document makes that clear. It not only makes it clear, it makes it clear that current regulations are not adequate.
That’s not a bad thing. That’s a good thing that they recognize this. It means that they are looking to improve.
2) Boeing claims to be addressing those concerns
What technical solutions aren’t appropriate to discuss in public? Public scrutiny of security precautions, especially in this context, is a good thing.
3) Let’s looks at the FAA document and your quote. What are those “special conditions”?
That seems like a terribly vague statement to me. It is more of a generic guideline than anything of substance. Airbus seems to agree that the special conditions “leave too much room for interpretation, and related guidance and acceptable means of compliance should be developed in an advisory circular for use by future applicants”.
4) I can't speak for anyone else, but when it comes to things like what keep planes in the air, I'd be much more comfortable with full disclosure and an open audit, especially for new systems. I haven't seen anything to indicate that Boeing is doing that. And that is the real concern IMO.
5) If someone manages to interrupt my phone or cable service because they compromise my data service, I think the impact is far less than a situation with flight control systems. Granted, I can get kind of ornery when football gets interrupted…
Thanks for the response!!
Wes
http://www.netiq.com