Last month, technology news sites and blogs breathlessly reported on a Federal Aviation Administration document suggesting that Boeing's new 787 Dreamliner passenger jet may be vulnerable to computer hackers.
Boeing now says that the problem was fixed even before the FAA issued its warning. But there may be yet another way bad guys could get into the plane's control system, one that neither the company nor the FAA may have noticed.
The FAA was specifically concerned that a passenger could use the on-board entertainment network, which personal laptops can plug into, to access the plane's navigation system and disable or take over the plane.
"The proposed architecture of the 787," the FAA stated, "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane."
One trail leads to another
All three variants of the jetliner — the medium-range 787-8, going into service next year, the short-range 787-3 and long-range 787-9, expected in 2010 — have three on-board computer networks.
One network is for flight safety and navigation, a second is for administrative functions and the third handles passenger entertainment and Internet access.
The problem is that all three are linked.
"Any time you have a physical connection (between computer networks), there is a possibility someone could bridge from one to the other," says Jonathan Ezor, an assistant professor at the Touro College Institute for Business, Law & Technology in Central Islip, N.Y.
As security experts know, any link between systems is exploitable. That's why you pay for Internet protection software — and why government defense and intelligence agencies keep some of their computers completely off-line.
The FAA's document, called a "special condition," goes on to say: "The proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."
In other words, it's possible this plane could be hacked.
"Special conditions" are issued by the FAA when it finds problems with technologies so new that they're not yet covered by existing regulations.
In such cases, manufacturers must meet the new criteria before aircraft can be certified as safe to carry passengers. Ten special conditions have been issued for the 787-8.
Boeing denies that a computer-security problem exists, and says further that if it does, it's already been corrected.
"There is a limited amount of information between networks [on the 787]," said company spokeswoman Lori Gunter. "The least amount is between passenger and flight control."
She added that Boeing is not working on a solution to the security problem — because the company has already resolved it, having known the FAA was drafting the special condition months in advance.
"All aspects of the condition are addressed in the airplane," said Gunter.
Multiple onboard servers operate the three networks, which do not run commercial operating systems, she said.
Instead, they use a non-proprietary operating system "written to aerospace standards" by multiple contractors, and Boeing will be testing every line of code to the FAA's satisfaction, tracing each decision branch along the way.
Within each network, Gunter assured, there are multiple layers of network security involving both hardware and software.
As an example, she described how an input panel in the main cabin lets flight attendants type in how many passengers are aboard each flight.
The data is passed to the administrative servers, which automatically adjust the humidity level in the passenger cabin according to capacity.
"There is no return path," said Gunter about the connection.
In other words, even if a hacker could access the humidity function, he'd be unable to get any further without a returning stream of data.
But don't all network interactions require some kind of acknowledgement — a "handshake" — between computers?
"The answer really depends by what Boeing means by 'no return path,'" says Ezor. "Do they mean there's no physical connection, or do they mean the software doesn't solicit info coming back? If it's software making it only go one way, then a hacker may be able to compromise it with more software."
Glenn Fleishman, a tech columnist with the Seattle Times and the editor of the blog Wi-Fi Networking News, thinks Boeing might be able to build a foolproof system, even with physical connections.
"You can design secure systems so that there are limited paths for one-way information," Fleishman says. "With encryption and digital certificates, you can create a message that, when it arrives at an intermediate system, cannot be forged. You can't simply send bad data to a gateway and have it pass it through."
"You can design a system that accepts, but never returns information in that fashion," he adds.
Gunter says initial deliveries of the 787-8 will be only "Internet tech enabled."
Ethernet ports will be built into seat handles, and wiring will be in place to support those ports, but they'll be dead links.
Exactly what kind of Internet access each airplane offers, and how it is delivered, will be left to the airlines.
But what happens if a cost-cutting or clueless airline installs security software that doesn't work very well?
Gunter wouldn't comment, saying only that since the technology for in-flight Internet access hasn't been developed yet, it's impossible to know how it would work and how its security could be defeated.
Still vulnerable to Wi-Fi attack?
There may also be another vulnerability, one the FAA did not seem to address.
Gunter, the Boeing spokeswoman, mentioned that maintenance technicians with laptops will be able to wirelessly access and download information from the 787's administrative network while the plane is on the ground.
Likewise, gate personnel in the terminal can upload flight plans and passenger information via Wi-Fi to the cabin crew's onboard intranet.
Gunter noted that actual maintenance requires physical access to the plane, and that Wi-Fi's short range prevents hackers on the ground from accessing a plane in flight.
But it doesn't take a Tom Clancy to imagine an anonymous bad guy wirelessly hacking into a plane's flight systems while he's sitting at the gate, tapping away at his laptop while waiting to board with all the other passengers.
Ezor cited a 2003 case in which two young men got into the central network of the Lowe's home-improvement chain, located in Charlotte, N.C., via a Wi-Fi connection accessible outside a Lowe's store in Southfield, Mich.
Once inside, they installed a program to capture customers' credit-card information, though they netted few numbers before being caught. The men pleaded guilty to wire fraud and conspiracy, with one receiving a 9-year federal prison sentence.
The Wi-Fi danger to the 787 doesn't end on the ground.
If a plane's Wi-Fi access isn't turned off after takeoff, wouldn't it be possible for a malicious in-flight passenger to bypass the Ethernet network entirely — and just wirelessly access the admin or passenger-cabin systems from his laptop or iPhone?
"There are ways to build entirely secure Wi-Fi networks that are absolutely separated logically from other networks," counters Fleishman. "This is the basic principle behind how corporate Wi-Fi has evolved: using government-grade security and often using 'two-factor' logins, where a user name and password has to be paired with a number read off a hardware key that you have to have on you and which changes every minute."
Fleishman's referring to public-key cryptography, which many corporate virtual private networks rely upon.
It's not entirely secure, but so far has only been broken by computers doing brute-force number-crunching for years at a stretch.
"You [now] have the kind of security only dreamed of a few years ago," Fleishman adds.
Boeing intends to flight-test the 787 in June or July, a process which will continue for six to seven months. The FAA must then certify the plane before it can enter commercial service.
"It is important to note that special conditions are written for novel technologies having potential vulnerabilities not accounted for in the current regulations," states an FAA fact sheet on the issue. "The fact that special conditions are written does not mean a specific design is vulnerable."
Still, that doesn't explain why Boeing thought it was necessary to hook the passenger entertainment and information network to the rest of the plane, or whether such an integrated system can ever really be secure.
"The best firewall is six inches of air," says Ezor. "If you don't physically connect, you don't have to worry about someone defeating your security."