Boeing’s insecure networks threaten security and safety

November 8, 2019 posted by


hey everyone welcome back to Tech Talk
I’m Julia Beauchamp I am here with CSO senior writer JM Porup as well as
Chris Kubecka the CEO and founder of hypo sec which is located in netherlands
JM just launched a story earlier today about security issues at Boeing so we’re
gonna be diving into that what that means for national security as well as
passenger safety so stick around JM Chris thank you so much for calling
in really really appreciate it always a pleasure Julia thank you so
much for having me Julia so can we talk a little bit just what you got into in
your story JM this is obviously Boeing has had a rash of pretty large issues I
mean obviously the 737 max crash has come to mind and they’re currently under
there’s tests there have executives testified in front of Congress about
those security concerns but this is something different this is information
security so can you tell us a little bit about what you uncovered in your article
Jam and Chris what you uncovered independently as a researcher sure so
the gist of the article then went live if you haven’t seen it is that Chris
discovered numerous security issues in Boeing’s internet facing networks that
could and may already have been exploited so yeah so Chris would you
like to tell us more about your research yes starting in April when I just
finally got out of a hospital and Weill chapter a bunch of awfulness I got
curious about Boeing to see if there might be any particular correlation
between poor coding quality if it was evident sorry
to be seen externally on any of the Boeing assets using open-source
intelligence and to see if I could find anything of significance
after the Ethiopian Airlines crash when Boeing did not take immediate
responsibilities I just wanted to look see around and using a variety of
different tools census net craft Rob text duck go is an alternate search
engine Foca which is a software from Spain
which looks at metadata of documents page source itself which is just right
click and see a page source of HTML code and some of the things that I found were
very interesting starting with the live aviation ID system that particular
website that system is the one where once you’re authorized you are given
access to flight control software for any plane type that you have permission
for and i right-clicked saw the page source and noticed towards the bottom a
developer had left in a comment which stated I have no way I have no idea what
this line of code is supposed to do it just prints null now that would signify
that the developer did not escape something called special characters for
programming code which is very important and ampersand does not always mean an
ampersand and it can allow for an injection risk and this is one of the
things on a top 10 top security risks out of a group called a wasp and then I
started looking further where I could go due to various other vulnerabilities or
weak configurations on but the live aviation ID system finding 6 cross-site
scripting exploitable vulnerabilities and some of the code of Boeing in
addition to the fact that Boeing wasn’t even encrypted they they Boeing comm is
just HTTP clear text there are bevy of issues and that
concern me about it because it doesn’t seem like overall Boeing has
the greatest level of basic security externally and that worries me about
anything else internally especially the systems that
they handle the fact that flight control software they were broken into could be
tainted they had some issues with how they were Thunder getting back into the
systems so that was a very very concerning matter so I found some things
that I would wish I had not actually found but unfortunately I did
it’s obviously concerning if you have any sort of company that has a risk of
being hacked due to what seems like in some situations common sense I mean the
fact that their website is not doesn’t is just HTTP HTTP I feel like it’s
almost commonplace to have a more secure connection there so it’s concerning when
you have any sort of enterprise any sort of business anything but I would imagine
it’s especially concerning when you have something a company like Boeing which is
obviously in charge of aircrafts helicopters for not only consumers
across the globe but also defense organizations exactly exactly
so how JME did you sort of go and go back over
to see these flaws because so Chris you discovered this in April yes I began
discovering it in April and then it started trying to find contact within
Boeing to report these things in a coordinated and responsible manner using
coordinated disclosure and unfortunately I didn’t find any method of securely
getting doing information to Boeing have you tried to use their new PGP key I was
reading that today which was quite curious because that isn’t how you’re
supposed to set up these programs you need that PGP key because the email
address that they’re using would be something that a lot of very
interesting parties would want to monitor for all the traffic as much as
possible and any chance that it is sent unencrypted leaves possibly a very
dangerous exploits or vulnerabilities being reported to Boeing at risk of
somebody else who’s not very friendly picking up on that traffic and sniffing
it because you can just sniff and read all HTTP traffic or an email sent that
is not an ascension a secure manner of course encrypted manner so of course
when do you think boeing became aware of these vulnerabilities disclosed by you i
was a bit frustrated with nothing able to get a hold of boeing i had even tried
several friends who are pilots and we’re having difficulty so i ended up sending
a suite which says basically i’m wearing a face sheet mask already found six
cross-site scripting vulnerabilities does anybody know anyone in boeing type
of tweet mmm-hmm so let’s say that boeing was perhaps aware of these
vulnerabilities after some point that you had disclosed them at this point
semi publicly jam how did you go and sort of double check those
vulnerabilities and what did you find when you were doing your research had
any of these been fixed do you think boeing took chris’s information and then
did anything about it to the best of my knowledge boeing has not fixed anything
that chris reported to them ninety plus days ago some of these things may be
harder than others to fix but some seem to me trivial and well within reason for
a billion multi-billion dollar company to achieve we did not publish all of the
details that we have there’s no beyond we’ve already published there’s no need
to deliberately lay out red carpet for people who want to attack
Boeing of course like that would be irresponsible for us as well however
many things are easily verifiable is there a TLS cert on their website type
in boeing.com in your web browser there is not secure I try that is Demark
deployed there are half a dozen websites that are free online or just read the
raw DNS records is Demark deployed no this is a 5-minute web search you know
it is is the PGP key you’ve published valid PGP public key no try an important
a GPG it’s not a valid public key you know many of these things can be easily
verified by our readers with with you know less than half an hour of work I
mean I I’ve been able to end map bowing test production servers that are still
clearly attached to the Internet you know I have read the same web site
source code that Chris has it’s still there or was two days ago
you know I that that’s stupid comment and in the source code has not been
remembered and there’s no there’s no reason to think that I mean like if you
were going to fix it you would presumably you know remove the
embarrassing developer comment that Chris highlighted in her report so as
far as I can tell boeing has been fully aware of more than
just what we’ve reported because we haven’t published everything and that
boeing has fixed none of these things not even one so far as I’m aware if I’m
wrong Boeing yo send me an email so what is at stake here if they’re if Boeing
continues to have unsecured networks over to you Chris well one of the
concerns is the high threat profile that boeing has they aren’t just at risk for
low-hanging fruit script kitties to say your regular cybercrime they’re actually
at risk for nation-state corporate espionage
insider threat nation i think i think i already mention nation-state and so
forth so they’ve been a very high threat profile but that needs to be aware
and if we can find these things fairly easily and so can the viewers within
about 30 minutes so can an adversary or frenemy or someone who wants to steal IP
in a similar manner that the Lockheed Martin f-35 a plans for drifted away and
somehow because you have China felt a plane that looked very much like it
mm-hmm so what’s the solution here I mean this is for the most part publicly
available knowledge what is Boeing’s fix what how are they how do you think they
should attack this issue and how soon Chris what do you think well anything
that involves the aviation ID system is quite concerning because what if like
control software for planes and satellites and so forth were tainted and
then gotten by the avionics person and then uploaded into that plane what would
happen then so it’s very concerning and now I’ve been paying attention to sort
of the other big Boeing security issue with the 737 max and what I’ve seen is
that they’re sort of this the FAA is responsible boeing is responsible so who
in this situation is responsible for securing those networks Boeing yeah
their Boeing’s networks so of course it should be noted that Boeing offers
external cyber security services also not encrypted that’s not a good look No
so as far as I’m just thinking now in terms of regulation what do you think
that the FAA is going to get involved are they sort of saying this is Boeing’s
problem this doesn’t have to necessarily do with a physical aircraft no III think
that you know there was a major expose in The New York Times just two weeks ago
that basically said Boeing has achieved regulatory capture over the FAA and the
FAA does kidding and Congress needs to get
involved and say you know when people when planes start falling out of the sky
and killing people you’re sorry that’s not okay you know you know you the graft
corruption million-dollar bonuses friend competence whatever people start to die
Congress is going to get involved and we’re already seeing that with the
hearings in the 737 max and it would be nice for us to solve information
security issues now before planes start falling out of the skies because of this
so before I let you guys go and you sort of closing thoughts what do you expect
but I mean anything besides fixing these vulnerabilities is there anything you
can expect to see hope to see out of Boeing in the next I don’t know coming
days weeks months how long do you think this is going to take to fix well we’ll
take longer for example there’s a Boeing third-party supplier who happens to be a
supplier for UK and US government’s militaries and so forth that coded up a
lot of the aviation ID system they sent me a very interesting email and when
you’re dealing with the third-party supplier Boeing doesn’t seem to have
basic cybersecurity they probably don’t have contracts written to make their
third parties perform secure software development lifecycle and issue patches
updates and things in a very timely manner for these types of issues occur
and vulnerabilities are reported so that’s going to take probably the
longest mm-hmm well thank you guys so much for calling in I really really
appreciate it a really interesting if not disturbing story jam and Chris thank
you for your research and for being willing to talk to Jam about it I mean
I’ll thank you on his behalf I’m sure he already has thank you so much thanks
Julia thanks and thank you all for watching this episode of tech talk if
you liked this video be sure to give it a thumbs up and subscribe to our Channel
let me know in the comments what you think of all of this it’s obviously
not great for Boeing in turn with everything going on with the 737 max so
if you have any thoughts about it any solutions I guess let me know in the
comments thanks so much and I’ll see you next time

1 Comment

One Reply to “Boeing’s insecure networks threaten security and safety”

  1. Joe Meyer says:

    Third party: CATIA? 🤣

Leave a Comment

Your email address will not be published. Required fields are marked *