June 1, 2012

> If it can be built, it can be taken down.

I think (and it scares me) that this is true. Somebody (somebod-ies) will always find a way to get into something. Especially if that person(s) has an understanding of how that system works. With enough pressure and time, anything can be broken/overcome. <~~~isn't that basically one of the ending lines of "Shawshank Redemption"? Crap, I love that movie...... But the statement is true regardless.

Dave Wegner - Don't be afraid of common sense or the search function.

June 1, 2012

> What if this sort of technology was integrated with the virtual FMC in say the NGX so that I could program my flight management computer without having to boot up the PC?

There are add-ons that will allow you to create a route file that can be loaded by the NGX FMC, right? Just run one of those on a different computer.

John-Alan Pascoe

June 1, 2012

> There are add-ons that will allow you to create a route file that can be loaded by the NGX FMC, right? Just run one of those on a different computer.

Was thinking of something more practical like an iPhone or iPad. Just imagine getting your flight ready during breakfast! At the moment I find FS2 Kneeboard of good use, but it has nothing to do with the FMC.

Oliver Cooksey
Owner of the PMDG 737, 747 and Majestic Q400.

June 1, 2012
Commercial Member

> I think (and it scares me) that this is true. Somebody (somebod-ies) will always find a way to get into something. Especially if that person(s) has an understanding of how that system works. With enough pressure and time, anything can be broken/overcome. <~~~isn't that basically one of the ending lines of "Shawshank Redemption"? Crap, I love that movie...... But the statement is true regardless.

Good movie, for sure, but there's no need to get agoraphobic about life because of the potential for attack (I'm not saying you are, I'm just saying life isn't all as scary as tech news makes it out to be). Cyber security is a bit like life in general:

How do I not get hurt/robbed (personally)?
- Don't provoke people to do harm.
- Don't walk into the bad sections of town.
- Don't put valuables in plain sight.
- Put measures in place as deterrents (doors, locks, fences, blinds - as appropriate).

How do I not get attacked/compromised (computing)?
- Don't provoke people to attack.
- Don't browse to sites that look sketchy.
- Don't put valuable information in plain sight (on public networks).
- Put measurements in place as deterrents (firewalls, passwords, hide network infrastructure - as appropriate).

Like I said before. Hacking isn't all about being a genius with great computing power. It's knowing most people don't secure themselves. Hacking isn't like running up against Fort Knox all day. Hacking is more like the thief on the streets that knows where to find the tourists, what they look like, and knowing generally where they keep their wallet. That is to say, people make it easy because they use "password" as a password, use default firewall and network settings, and hardly put up a fight.

Sure, some hackers are geniuses with awesome computing power at their fingertips. By and large, though, the issue is that people are essentially still leaving their "doors" unlocked.

Kyle Rodgers

June 1, 2012

Captain: "Do you have our Flightplan???"
1st: "Yes, I got it on my iPad and a security Backup on my Blackberry. Just let me start Bluetooth"

:LMAO: :LMAO: :LMAO:

June 3, 2012

Once again, I'm not saying it's probable, I'm just saying it's possible with enough time and knowledge. The systems of a modern tubeliner consist of millions of lines of code. The chances of not having a single fault in there are zero (not even nearly zero). Is it likely those systems will ever be hacked? Nope, not at all, because it's not nearly the most effective way to bring an aircraft down (or make it do what you want). The weakest link is not in the systems, not even close.

BUT, the way everything is interconnected these days means that more possible ways of entry become available. You seem to know quite a bit about ICT too, so I don't have to tell you this means there will be more unexpected behavior. This in turn means more debugging needs to take place. Protocols like CPDLC or even ACARS are an ideal way for hackers to gain entry to the systems.

Airgapping systems was surely used on older aircraft, but is becoming less and less common on newer models. Especially since it's a lot easier for maintenance, dispatching (troubleshooting in the air, sending flightplans straight to the aircraft, ...) and of course it will save a lot of fuel over the lifespan of the aircraft (databus systems like FBW are becoming common in other places too), which is still one of the main goals of the customers.

Of course these systems are going to be secured, but as with everything, there's a limit to the funding. Also, there's a limit to how extensive the security has to be. The maximum someone with bad intentions is going to be on the plane will be about 20 hours. (Passengers on a 777-200LR, with a couple of hours delay.) If you can make sure you can keep somebody out for about 30 hours, you're going to be safe. In this case, it's going to be highly improbable anyone will ever gain unauthorized access to the system.

BUT, let's say a hacker thinks about a point of entry and a way nobody considered before, and he can reduce the time to access the systems from 30 hours to 15 or even 10... Now you've got yourself a problem.

You say your computer will not be able to print... It will not. But if one can access your computer, they can also make it send commands to the printer which is attached to it. This is how real hacking works. You don't try to take down the reinforced gate, you try to find a door which is less secure and gives access to the gate's control panel. What you were explaining is pure guesswork and trial and error. (The second is involved in decent hacking, the first is frowned upon.)

Name available upon request

June 4, 2012
Commercial Member

> You say your computer will not be able to print... It will not. But if one can access your computer, they can also make it send commands to the printer which is attached to it. This is how real hacking works. You don't try to take down the reinforced gate, you try to find a door which is less secure and gives access to the gate's control panel. What you were explaining is pure guesswork and trial and error. (The second is involved in decent hacking, the first is frowned upon.)

Right, but my point was the exact opposite, in order to mirror your radio argument. Of course I can make my computer print. Heck, I can make my computer at home print from my office, but that's not the point. My point is the inverse: that I can't gain access to my printer and take over my computer (or even the network). I'm sure if I were clever, I could use the networked printer as part of a bot in a DDoS, but that's not gaining control; that's preventing access. Similarly, I can't gain access to an aircraft's radios (from the radio frequency side, not through the physical radio unit), and have access to the entire aircraft (unless whoever made the radio is a complete idiot).

Sure, any time a computer is made to communicate, it becomes more susceptible to attack. The difference is in how the computer is set up to communicate. As I pointed out, the new 787 had issues pointed out to it where the systems were not as gapped as people would have liked. Nobody actually knows how the network is set up (external to Boeing or their NDA'd contractors anyway) and what parts are not gapped that, in theory, should be. That being said, yes, in theory, it's easier to attack seeing that more components are becoming networked, but none of us know any security that's likely being implemented in parallel.

I'm not sure what hacker class you took, but I'm not sure you have an accurate view of what hacking is. Sure, part of hacking is knowing the weak points of systems (as in my example earlier where I asked someone to find open wireless and enter that way, and then prevent access by reaching the wireless config page using the default passwords, which, given the default SSID, the router password is likely still at the default). Knowing weak aspects of systems is hacking 101, but advanced hacking is where you go in blind. In order to execute an attack that even you used the terms "nobody considered before," you have to operate on pure guesswork and trial and error.

If you look in any textbook on the matter, or take a class on it, part of the process is footprinting and scanning. This first phase is not about gaining access, it's about finding weak spots in an act of trial. From there, you know open ports, or weak spots, but exploiting them may still be unknown. For the record, cracking passwords is truly guesswork and trial and error. Even most password cracking software runs it against "most used" passwords and hashes, which is still guessing.

I see your point that there's concern, but what I don't agree with is that there needs to be more concern simply because there may be less gapping. Just because the diagnostics may be on the same network as ACARS for maintenance purposes, it doesn't mean that this is tied into the FBW. Look at a car: OBD-II allows reporting on the engine diagnostics, but in most cars today, the ECU is still airgapped. The same goes for aircraft in that the FADEC is still primarily gapped.

Kyle Rodgers

June 4, 2012

I'm not saying there needs to be more concern, simply because there are a dozen easier methods to gain control of an aircraft. I'm just saying that chances of a cyber attack are increasing exponentially. Also, the more systems become interlaced, the more parameters influence each other. This calls for unexpected behaviour, especially since it's going to be harder and harder to test for each possible scenario.

Think of it like this, to expand on our little computer-printer scenario. Let's say your printer is connected through USB with your computer, but is also a WiFi printer. (Your computer could be the FMC, the printer the radio and the USB would be the databus.) While this specific system was designed to receive files and print them, and has been tested to make sure it is secure, chances are not every single scenario (packets and frames, but even hardware combinations make a lot of differences) was tested.

Of course a plane will be a lot more secure, but that doesn't completely rule out every single chance of a cyber attack, which is what you're getting at. The chances of winning every single lottery at the same time, in every country worldwide, are probably higher than finding that one little gap, but that doesn't mean the gap isn't there. The number one mistake you can make in security is thinking you're safe.

I may have wrongly explained myself in saying that hacking isn't just guesswork. Of course it is, but that's not the initial phase of it. At first you just sit, watch and inspect. If my point came over differently, I guess I'll have to blame English not being my native language.

To expand on your car theory... I can't seem to find the source, but a couple of months ago a group of students made a proof of concept where they could actually take over a car by using the FM radio, and nothing more. A car isn't a plane, that much is obvious, but the same principle applies.

Once again, I'm not saying this is probable, just that it's probably possible (note the difference here) with enough time and brainpower.

Name available upon request

June 4, 2012
Commercial Member

Makes sense. As far as the car thing goes, I think that it may still be that the ECU is airgapped, but that doesn't mean that someone can't take advantage of it through a side-channel attack. If you can hack the channel for a remote start and get the car going, you've got that much. After that, if it has park assist, you'd have to find a way into that channel, but from there you have steering and throttle. With that, you've gotten the car started, and you have throttle and steering control. So, you never really attacked the ECU, but you're taking advantage of it because despite the air gap, it's meant to respond to throttle input, which you attacked through another channel.

Kyle Rodgers