Holy airgap, Batman!

Check out this Wired article and the FAA Report on which it is based about how the Boeing 787 control network is connected to the in-cabin entertainment network, which is probably not the design your average security guy would have chosen:
These special conditions are issued for the Boeing Model 787-8 airplane. This airplane will have novel or unusual design features when compared to the state of technology envisioned in the airworthiness standards for transport category airplanes. These novel or unusual design features are associated with connectivity of the passenger domain computer systems to the airplane critical systems and data networks. For these design features, the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing standards.

The FAA imposes the following requirement:

The design shall prevent all inadvertent or malicious changes to, and all adverse impacts upon, all systems, networks, hardware, software, and data in the Aircraft Control Domain and in the Airline Information Domain from all points within the Passenger Information and Entertainment Domain.

Obviously, this specifies a goal rather than a design, but it's pretty hard to see how this goal could be met without, at minimum, an airgap between the ACD/AID (Aircraft Control Domain and Airline Information Domain) and the PIED (Passenger Information and Entertainment Domain). I'm unaware of any networking technology which allows you to connect two networking domains together while also guaranteeing that computers in the untrusted domain can't negatively impact computers in the trusted domain. The classic solution that falls short of an airgap is of course a firewall, but then you have to worry about vulnerabilities in the firewall itself, so this certainly doesn't prevent all attacks.

The more interesting question is whether an airgap is enough. An airgap provides good protection against logical attacks from the PIED network, but not against physical ones. Even if the ACD/AID cables are physically separate from the PIED cables, do they run through areas which are potentially accessible from the passenger cabin (especially the lavs!)? Do they use cryptography so that an attacker who accessed the cables couldn't directly talk to the ACD/AID network? Note that cryptography isn't perfect protection here, but it could substantially lower the attack surface.

Two other things worth noting here:

  • The Air Line Pilots Association (ALPA) comments suggest that: "a backup means must also be provided for the flightcrew to disable passengers' ability to connect to these specific systems." This is enough to protect against some attacks (e.g., traffic flooding) but obviously doesn't help against subversion of the flight control systems, since it's not clear that once they have been subverted any plausible in-flight mechanism will allow you to regain control.
  • Airbus also provided several comments which seem mostly oriented towards covering their own future designs. For instance:
    AIRBUS Comment (b): Airbus stated that in the sentence "The design shall prevent all inadvertent or malicious changes to, and all adverse impacts * * *", the wording "shall prevent ALL" can be interpreted as a zero allowance. According to the commenter, demonstration of compliance with such a requirement during the entire life cycle of the aircraft is quite impossible because security threats evolve very rapidly. The only possible solution to such a requirement would be to physically segregate the Passenger Information and Entertainment Domain from the other domains. This would mean, for example, no shared resources like SATCOM (satellite communications), and no network connections. Airbus maintained that such a solution is not technically and operationally viable, saying that a minimum of communications is always necessary. Airbus preferred a less categorical requirement which allows more flexibility and does not prevent possible residual vulnerabilities if they are assessed as acceptable from a safety point of view. Airbus said this security assessment could be based on a security risk analysis process during the design, validation, and verification of the systems architecture that assesses risks as either acceptable or requiring mitigations even through operational procedures if necessary. Airbus noted that this process, based on similarities with the SAE ARP 4754 safety process, is already proposed by the European Organization for Civil Aviation Equipment (EUROCAE) Working Group 72 for consideration of safety risks posed by security threats or by the FAA through the document "National Airspace System Communication System Safety Hazard Analysis and Security Threat Analysis," version v1.0, dated Feb. 21, 2006. Airbus said such a security risk analysis process could be used as an acceptable means of compliance addressed by an advisory circular.

I don't know that much about how this kind of in-flight network is usually designed or how much security analysis usually goes into it, but to the extent that we're concerned about passenger subversion of flight control systems, this seems like an unusually hostile threat environment. In particular, if the plane is completely fly-by-wire, does that mean that someone who controlled the computers could potentially fly the plane where (or into) anything they wanted? What features are provided for regaining manual control in the case of such subversion?


Dude, I think you've got a great idea here for a cyberthriller movie! I can see it now. When the crew realizes that they're no longer in control and cut off from ground communications, the flight attendant announces, "Is there an information security expert on the plane?"

Clearly, a design like this should start with an airgap, and then add limited bridges where and if necessary. For example, say you want to feed GPS data to the passengers, or maybe you want them to be able to listen in on the pilot's radio communications. You could easily build one-way signaling for this sort of data with fiber optical cables that have a transmitter on one side and a receiver on the other.

The only example of true "sharing" that's in your quotations is some kind of shared satellite communications system. To the extent that pilots need to be using the same communications system as passengers, they certainly don't need that communication system interconnected with the airplane's control system. If you want to share the same pilot's headset with both airplane-critical stuff and non-critical stuff, you could always fork the output of the microphone in the analog domain, before you ever even digitize the speech. Likewise, you could use relays or some other basic analog technology to switch the output to the headset. If somebody is jamming garbage into the pilot's ears, it should be straightforward to switch that part off.

I assume that once I get access to the wires of the plane, I can mess it up in seriously harmful ways.

The entertainment system provides an interesting access path, though, because I could put in, say, a hostile DVD with my code on it, without needing to open panels. Just need to distract the crew for a minute.

Or I could compromise the entertainment system before it ever gets onto the plane.

Like Dan Wallach said, you need to start with an airgap, and then make a few explicit one-way routines into the entertainment system. The crew needs to be able to turn off the sound or just kill the power entirely. Your control system shouldn't even process ACK's from the entertainment system; if something goes wrong, you pull its plug and the passengers have to read books until the plane lands.

It's been a long time since I was up on this stuff but my understanding is that if the full ARINC 629 bus totally froze, it's not like the plane is going to crash or the pilots can't fly it. They just lose some of the tools. They can still navigate, communicate, and fly. Of course, that said, I still agree with the comments above.
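The one-way bridge that the comments above describe (a transmit-only feed from the control side into the entertainment system, with the control side never processing ACKs) and the post's question about cryptography on the ACD/AID cabling point at the same design: the trusted side emits authenticated frames over a link that has no return path, and the untrusted side verifies and drops anything it cannot authenticate. The following is an added example in Python, written for this page; it is not code from the post, from any commenter, or from Boeing's, Airbus's or the FAA's material. The frame layout, the pre-shared key, the position strings and the class names are all constructed for illustration.

```python
"""Diode-style feed from the aircraft control side to the passenger side,
with a per-frame HMAC so that someone who reaches the cable cannot inject
or replay traffic.  Added example; layout and values are constructed."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

MAGIC = b"\xad\x1d"            # constructed frame marker
TAG_LEN = 32                    # HMAC-SHA256 output length
HDR = struct.Struct("!2sIH")    # magic, sequence number, payload length

# Constructed sample key.  In a real deployment it would be provisioned to
# both ends at maintenance time and never be reachable from the cabin.
LINK_KEY = hashlib.sha256(b"constructed-demo-link-key").digest()


def _tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Authenticate header and payload together so neither can be swapped."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()


class OneWaySender:
    """Control-domain end.  It only produces frames: there is deliberately
    no method that reads anything coming back from the other side."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seq = 0

    def send(self, payload: bytes) -> bytes:
        self._seq += 1
        header = HDR.pack(MAGIC, self._seq, len(payload))
        return header + payload + _tag(self._key, header, payload)


class OneWayReceiver:
    """Entertainment-domain end.  Verifies each frame and never answers."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq = 0
        self.dropped: List[Tuple[str, Optional[int]]] = []  # for monitoring

    def receive(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < HDR.size + TAG_LEN:
            self.dropped.append(("short", None))
            return None
        header = frame[:HDR.size]
        magic, seq, plen = HDR.unpack(header)
        if magic != MAGIC or len(frame) != HDR.size + plen + TAG_LEN:
            self.dropped.append(("malformed", seq))
            return None
        payload = frame[HDR.size:HDR.size + plen]
        tag = frame[HDR.size + plen:]
        # Check the MAC before acting on any field; constant-time compare.
        if not hmac.compare_digest(tag, _tag(self._key, header, payload)):
            self.dropped.append(("bad-mac", seq))
            return None
        # Sequence numbers must strictly increase: rejects replays.
        if seq <= self._last_seq:
            self.dropped.append(("replay", seq))
            return None
        self._last_seq = seq
        return payload


def demo() -> dict:
    """Run good frames, a replay, a forgery and a bit flip through the link."""
    tx = OneWaySender(LINK_KEY)
    rx = OneWayReceiver(LINK_KEY)
    # Constructed sample position reports fed to the cabin display.
    f1 = tx.send(b"POS,37.6190,-122.3750,FL350")
    f2 = tx.send(b"POS,37.6301,-122.4012,FL350")
    good = [rx.receive(f1), rx.receive(f2)]
    replay = rx.receive(f1)                     # old sequence number
    forged = rx.receive(OneWaySender(b"guess").send(b"POS,0,0,FL000"))
    flipped = bytearray(f2)
    flipped[HDR.size] ^= 0x01                   # corrupt first payload byte
    tampered = rx.receive(bytes(flipped))
    return {"good": good, "replay": replay, "forged": forged,
            "tampered": tampered, "dropped": [r for r, _ in rx.dropped]}


if __name__ == "__main__":
    print(demo())
```

The point of the shape is that the receiver's verdict never travels back: the sender class has no receive path at all, so a compromised entertainment box has nothing to talk to, and the MAC plus monotonic sequence number mean that even someone with the physical cable in hand can only cut the feed, not impersonate or replay it. The `dropped` list is what a crew-side monitor would watch; a burst of `bad-mac` entries is the signal to pull the plug, as the comment above suggests.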
