An interesting discussion has popped up on my LinkedIn feed over a picture showing an ancient version of Linux used in an In-Flight Entertainment (IFE) system. The question was raised yet again (as it is over and over): can a passenger issue safety-critical commands, or access cockpit functions, from the IFE?
IFEs are typically certified to Design Assurance Level (DAL) E under the FAA’s DO-178B software guidance for airborne systems. Level E is the least stringent level of rigour put into design, verification and testing, as a fault is expected to have no effect on the safe operation of the aircraft. By contrast, radios are certified as Level D and avionics as Level C.
Security researcher Chris Roberts jokingly speculated last year about “issuing a ‘climb’ command” from the IFE to the cockpit and causing the aircraft to fly sideways. While this caused quite a stir and led to questioning by the FBI (see also the search warrant), there was not much in the media other than rumours and some neutrally worded statements by Boeing and Airbus.
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? 🙂
— Chris Roberts (@Sidragon1) April 15, 2015
I got curious after Wired claimed it had found a document that seemed to contradict the official safety claims of Airbus:
“But WIRED was able to find a document online (.pdf), which indicates that Boeing’s line of 777 planes use ARINC 629 buses. These buses are designed for two-way communication.”
This sounds like Wired either hasn’t fully understood the concept of Virtual Links (VL) within AFDX networks, or conveniently ignored it for the purpose of making headlines. Here is how IEEE802.org explains AFDX Virtual Links, with an example of two independent networks A and B:
AFDX Virtual Links, security benefits:
- Full duplication of network
- Separate power & different routing of cables
- End-Devices handle redundancy
- Packets duplicated on device only
- Network unaware of duplication / redundancy
Both the cockpit and the IFE receive coordinates, speed and other data through the same comms link; however, the networks cannot see each other. The cockpit uses a different network, and hence a malicious passenger won’t see it after breaking into the IFE.
Both Boeing and Airbus use AFDX. It is designed according to ARINC, which is the underlying industry standard for safety-critical comms.
What causes confusion in public discussion and media is that:
- There are different versions of the ARINC standards that apply for different types of aircraft.
- People misunderstand the concept of Virtual Links.
- People read “full duplex” and see old versions of Linux on an IFE and automatically assume that the data link layer is a simple Ethernet like they’re familiar with.
The AFDX IP core is bespoke Ethernet technology for safety-critical systems. Instead of a full-duplex channel, a VL is a logical one-way data path. The hardware does not allow you to break out of that path. Here is a good video that explains ARINC 664 as used in the Boeing 787 (the Virtual Link (VL) concept is explained at 04:45):
A possible attack vector on the AFDX core would be sending bogus ICMP or SNMP packets after gaining root privileges on the IFE and control of its network interface. It would, however, be impossible to send commands such as “climb” to the cockpit, as Chris Roberts joked last year. Certainly one could break one’s own IFE terminal; after all, these are COTS-based hardware and probably the cheapest components on the AFDX network.
None of this would affect safety-critical comms or the sensors and actuators on the CAN bus though.
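To make the Virtual Link argument concrete, here is an added example that is not code from this post nor from any avionics vendor or switch product. It is a small Python model of the static VL configuration table an AFDX (ARINC 664 Part 7) switch enforces: each VL has exactly one source end-system, a fixed receiver set, a Bandwidth Allocation Gap (BAG) and a maximum frame size (Lmax). The port names, VL numbers and the frame sequence are constructed for the illustration; the BAG check is simplified to a plain minimum gap without the jitter tolerance a real switch allows. The scenario shows why frames injected from a compromised IFE end-system never reach a cockpit receiver: there is no configured path, and the switch does not learn addresses.

```python
"""Toy model of AFDX virtual-link policing at a switch (illustrative only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualLink:
    vl_id: int              # 16-bit VL identifier carried in the destination MAC
    source_port: str        # the only switch port allowed to emit this VL
    dest_ports: frozenset   # statically configured receivers
    bag_ms: int             # minimum gap between consecutive frames on the VL
    lmax: int               # maximum frame length in bytes


@dataclass(frozen=True)
class Frame:
    ingress_port: str       # switch port the frame arrived on
    vl_id: int              # VL the frame claims to belong to
    length: int             # bytes
    t_ms: float             # arrival time in milliseconds


class AfdxSwitch:
    """Forwards only what the static configuration table allows."""

    def __init__(self, vls):
        self.table = {vl.vl_id: vl for vl in vls}
        self.last_seen = {}  # vl_id -> arrival time of last accepted frame

    def forward(self, frame):
        """Return (verdict, egress_ports); drops carry a reason string."""
        vl = self.table.get(frame.vl_id)
        if vl is None:
            return ("drop: unknown VL", frozenset())
        if frame.ingress_port != vl.source_port:
            # A VL is bound to one source port; spoofing the VL ID from
            # another port is detected without any address learning.
            return ("drop: VL not configured on ingress port", frozenset())
        if frame.length > vl.lmax:
            return ("drop: exceeds Lmax", frozenset())
        last = self.last_seen.get(frame.vl_id)
        if last is not None and frame.t_ms - last < vl.bag_ms:
            # Simplified BAG policing: flooding one's own VL is rate-limited.
            return ("drop: BAG violated", frozenset())
        self.last_seen[frame.vl_id] = frame.t_ms
        return ("forward", vl.dest_ports)


def run_scenario():
    """Constructed configuration and traffic; returns the per-frame verdicts."""
    switch = AfdxSwitch([
        # Navigation data: one source, two receivers (cockpit display and IFE).
        VirtualLink(100, "nav_source",
                    frozenset({"cockpit_display", "ife_server"}), 32, 200),
        # IFE content: IFE server to the seat units only.
        VirtualLink(200, "ife_server", frozenset({"seat_units"}), 64, 1518),
    ])
    frames = [
        Frame("nav_source", 100, 120, 0.0),   # legitimate nav data
        Frame("ife_server", 200, 900, 1.0),   # legitimate IFE content
        Frame("ife_server", 100, 120, 2.0),   # compromised IFE spoofs the nav VL
        Frame("ife_server", 300, 64, 3.0),    # VL that exists nowhere in the table
        Frame("ife_server", 200, 900, 4.0),   # IFE flooding its own VL inside the BAG
        Frame("nav_source", 100, 120, 32.0),  # next nav frame, on schedule
    ]
    return [switch.forward(f) for f in frames]


if __name__ == "__main__":
    for verdict, ports in run_scenario():
        print(f"{verdict:45s} -> {sorted(ports)}")
```

Note that no VL in the table has a cockpit system as a receiver of anything the IFE port emits, so even a frame that passed every policing check would only ever reach the seat units. That static, one-way binding is what "full duplex" at the physical layer does not change.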
One interesting question to which I haven’t yet found any answer is: are individual IFE terminals protected from each other? If this is possible, then a serious attacker such as a terrorist might choose to take over the IFE terminals in order to amplify the fear and terror factor during an attack, e.g.:
- to publish information to all IFEs for the purpose of instilling fear and terror, or
- to create the impression among the passengers that the cockpit is actually no longer in charge of the plane, or
- to alter the passengers’ perception of what is going on.
Intrusion Detection on the IFE:
What features are in place within the IFE to track the activities of the user and to alert the cockpit if malicious activity is detected? Information about this is hard to find and contradictory. The ARINC standard doesn’t seem to enforce such additional measures on the IFE. It is also undisputed that the IFE is the cheapest system on the aircraft and that no consideration is given to its security, since it’s not safety-critical for the journey. Therefore I’d personally doubt that any such alert mechanisms are in place. If they are in place, I’d doubt they can be relied upon without false positives (the issue with every IDS). Also, by the time such an alert is triggered, airline staff on board might not be qualified to decide whether the person in seat XYZ is a tech-savvy terrorist, a bored security researcher gone rogue, or the IFE simply acting up again for no reason (remember these components are cheap, so staff might even be used to seeing problems and dismiss an ongoing attack until it’s too late).
A variety of different technologies come into play during different parts of the journey. An aircraft at the gate might have an additional wireless gatelink, for example, to help transfer large amounts of data before takeoff. Hence there may be additional attack vectors nobody has considered yet.
It would be great if professionals could share their views on whether the scenario above is at all possible.
The industry’s claim that AFDX is “unhackable” makes it an attractive platform for attackers to prove the contrary. Even if we assume that the AFDX design is as solid as a fortress, having the cheapest possible solution in front of the passenger’s face will most likely raise questions about whether the rest of the plane is built on such shoddy systems, and prompt a bored tech-savvy passenger to probe further. Once an individual penetrates the first layer of the IFE and sees the data traffic (incorrectly assuming there is a lack of compartmentalisation), they might get the wrong impression and conclude the worst based on how they think the system might work.
- ARINC 629 is a data bus standard used on aircraft (Boeing 777): http://www.wseas.us/e-library/conferences/2010/Vouliagmeni/CSECS/CSECS-34.pdf
- Security & Availability of ARINC 629 Avionic Data Bus (Boeing 777): http://web.univ-pau.fr/~gallon/publis/jnw2007.pdf
- Challenges of security and trust in avionics wireless networks: http://personal.strath.ac.uk/robert.c.atkinson/papers/dasc2015.pdf
- The FBI search warrant for Chris Roberts equipment: http://aptn.ca/news/wp-content/uploads/sites/4/2015/05/warrant-for-Roberts-electronics.pdf
- AFDX Protocol Tutorial: http://www.cems.uwe.ac.uk/~a2-lenz/n-gunton/afdx_detailed.pdf
- What hackers can actually do with modern aircraft? https://blog.kaspersky.com/hack-it-in-the-air/8504/
- Aircraft Hacking Practical Aero Series https://conference.hitb.org/hitbsecconf2013ams/materials/D1T1%20-%20Hugo%20Teso%20-%20Aircraft%20Hacking%20-%20Practical%20Aero%20Series.pdf
- DefCon Talk “Cyber-hijacking Airplanes: Truth or Fiction?” https://defcon.org/images/defcon-22/dc-22-presentations/Polstra/DEFCON-22-Phil-Polstra-Cyber-hijacking-Airplanes-Truth-or-Fiction-Updated.pdf
- More on ARINC: Can you hack a modern airliner? https://eforensicsmag.com/can-you-hack-a-modern-airliner/
Valbonne Consulting provides Research & Consulting for emerging technologies in Internet/Web of Things (WoT/IoT/M2M) and Emerging-Tech. We specialise in decentralisation, security and privacy. We work across a variety of traditional industry verticals (Telecommunications, Automotive, Energy, ...). We support Open Source and technologies built on open standards.