Code leak in a Boeing 787 Dreamliner reveals security flaw which could allow hackers to access flight controls, expert claims
- Security researcher Ruben Santamarta reportedly discovered a code leak in a Dreamliner that would allow hackers access to the in-flight entertainment system
- He said a hacker could exploit the plane's systems, beginning with the aircraft's entertainment system and reaching critical systems like flight controls
- If his claim is confirmed, it could prompt a serious review of aircraft security
- But Boeing denies that such an attack is possible, saying in a statement that the 'scenarios cannot affect any critical or essential airplane system'
A security researcher has reportedly discovered a code leak in a Boeing 787 Dreamliner that would allow hackers access to the in-flight entertainment system and possibly critical systems like flight controls.
Ruben Santamarta, a consultant with cyber security firm IOActive, is scheduled to explain his method at this week's Black Hat hacking conference in Las Vegas.
If his claim is confirmed, it could prompt a serious review of aircraft security.
Santamarta said he initially made the discovery of publicly accessible code for the company's 737 and 787 passenger jets on an unprotected server on Boeing's network in September 2018.
According to Wired, Santamarta is now claiming that the code has led him to uncover a security flaw in one of the 787 Dreamliners.
He said that a hacker could exploit the plane's systems beginning with the aircraft's entertainment system and reaching to the critical systems like flight controls and sensors that could pose a much greater risk to safety.
Despite his findings, Santamarta did say that he doesn't have a full enough picture of the aircraft or access to one of the jets to confirm his theory.
But he and others who have reviewed his findings believe that the flaws uncovered in the code represent a lack of attention to cybersecurity from Boeing, according to Wired.
Santamarta also plans to present other findings at the Black Hat conference, such as a code flaw in the Crew Information Service/Maintenance System, which controls applications like maintenance systems.
In that code, Santamarta claims he found memory corruption vulnerabilities in the CIS/MS, and he claims that a hacker could use those flaws to get inside a restricted part of a plane's network.
Boeing has denied that such an attack is possible, saying in a statement to Wired that 'IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system'.
The aircraft company then went on to accuse IOActive of choosing to 'ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system'.
'While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation,' the statement added.
Black Hat, which was founded in 1997, has often been a venue for hackers to present breakthrough research.
In 2009, Charlie Miller and Collin Mulliner demonstrated a method for attacking iPhones with malicious text messages, prompting Apple Inc to release a patch.
In 2011, Jay Radcliffe demonstrated methods for attacking Medtronic Inc's insulin pumps, which helped prompt an industry review of security.
The news of the code flaw comes just a day after Boeing's chief executive, Dennis Muilenburg, reaffirmed that he expects the 737 MAX to be cleared to return to the skies this year, but reiterated the company could further cut production in case of regulatory delays.
Muilenburg said Boeing planned to submit its certification package to the Federal Aviation Administration around September, with expected approval around a month later.
The planes have been grounded since mid-March following two crashes that claimed 346 lives.
But Boeing could cut or even halt production on the MAX if the approval process with civil regulatory authorities drags out much longer.
'Those are not decisions we would make lightly,' he said at a New York investment conference.
A halt to the MAX would affect '600-some suppliers, hundreds of thousands of jobs,' he added.
While the company is 'very focused' on the aircraft returning to service 'early in the fourth quarter,' Muilenburg said, 'I think it also behooves us to make sure we are doing disciplined contingency management and trying to be transparent on this.'
Boeing has been working closely with the FAA and other bodies on a software fix to address a problem with a flight handling system tied to both the Lion Air and Ethiopian Airlines crashes.
But the FAA in June identified problems with a microprocessor, which extended the timeframe.
Muilenburg warned during an earnings conference call last month that 'there's always some risk of new items' until the process is complete.
The company and the US regulator have faced stiff criticism from pilots and others over the way the MAX was approved to fly, which seemed to allow Boeing to self-certify many of the systems, as well as the response to the deadly crashes.
In addition, the FAA did not ground the plane after the first crash in October 2018.
Muilenburg said the company was in close contact with airlines about compensation for canceled flights and delayed aircraft deliveries and over strategies to reassure the public once the planes are given the green light to fly.
'We know that it will take some time to rebuild public confidence,' he said.