The great Boeing Dreamliner false-positive hack of 2019

IOActive security researcher Ruben Santamarta dropped a bombshell at Black Hat 2019: the Boeing Dreamliner is susceptible to hacking. Cause for concern or false alarm?

Ben Rothke
Aug 26, 2019


Introduction

It’s only August, and 2019 is undoubtedly a terrible year for Boeing. The problems with the 737 MAX are perhaps the biggest crisis the legendary firm has ever faced. In addition, several major airlines, including Etihad and KLM, have complained to Boeing about poor quality control in new deliveries of the 787-10 Dreamliner, claiming the airplanes were delivered well below acceptable standards. Also, just last week, Boeing pushed back the entry into service of an ultra-long-range version of its forthcoming 777X widebody.

As misery loves company, Boeing again finds itself in the crosshairs of yet another crisis with the recently released report of serious software flaws within its flagship airplane, the 787 Dreamliner. On August 7, well-respected information security researcher Ruben Santamarta of IOActive released his report, “Arm IDA and Cross Check: Reversing the 787’s Core Network.” The report details supposed software security flaws within some of the systems on the Boeing 787 Dreamliner.

In describing the findings, the report states that the researchers have found the first plausible, detailed public attack paths to effectively reach the avionics network on a commercial airplane from either non-critical domains such as passenger information and entertainment services, or even external systems.

In “Black Hat 2019: The Craziest, Most Terrifying Things We Saw,” Neil Rubenking and Max Eddy write of “The Great Boeing 787 Hack Fight of 2019.” They note that Santamarta unveiled his potential attacks on the Boeing 787 network and believes it’s possible to reach sensitive systems through a variety of entry points, to which Boeing says it’s all bogus.

A nerdy joke says that “there are two types of people in this world — those that can extrapolate from incomplete data sets.” As I’d like to show, Santamarta has an incomplete data set. His initial findings are indeed cause for very, very serious concern. However, when…


Ben Rothke

I work in information security at Tapad, write book reviews for the RSA blog, and am a founding member of the Cloud Security Alliance and Cybersecurity Canon.