[Infowarrior] - FAA: 747s may be vulnerable to external hacks

Richard Forno rforno at infowarrior.org
Mon Jan 18 17:26:50 UTC 2010 

(This is not very reassuring. -rf)

http://www.gpo.gov/fdsys/pkg/FR-2009-10-02/html/E9-23753.htm
SUMMARY: This action proposes special conditions for the Boeing Model  
747-8/-8F airplane. This airplane will have novel or unusual design  
features associated with the architecture and connectivity  
capabilities of the airplane's computer systems and networks, which  
may allow access to external computer systems and networks.  
Connectivity to external systems and networks may result in security  
vulnerabilities to the airplane's systems. The applicable  
airworthiness regulations do not contain adequate or appropriate  
safety standards for these design features. These proposed special  
conditions contain the additional safety standards that the  
Administrator.
< - >
The Boeing Model 747-8/-8F airplane will incorporate the following
novel or unusual design features: Digital systems architecture composed
of several connected networks. The proposed architecture and network
configuration may be used for, or interfaced with, a diverse set of
functions, including:
     1. Flight-safety related control, communication, and navigation
systems (aircraft control domain),
     2. Airline business and administrative support (airline information
domain),
     3. Passenger information and entertainment systems (passenger
entertainment domain), and
     4. The capability to allow access to or by external network
sources.

Discussion

     The proposed Model 747-8/-8F architecture and network configuration
may allow increased connectivity to and access from external network
sources and airline operations and maintenance networks to the aircraft
control domain and airline information domain. The aircraft control
domain and airline information domain perform functions required for
the safe operation and maintenance of the airplane. Previously these
domains had very limited connectivity with external network sources.

     The architecture and network configuration may allow the
exploitation of network security vulnerabilities resulting in
intentional or unintentional destruction, disruption, degradation, or
exploitation of data, systems, and networks critical to the safety and
maintenance of the airplane.

     The existing regulations and guidance material did not anticipate
these types of airplane system architectures. Furthermore, 14 CFR
regulations and current system safety assessment policy and techniques
do not address potential security vulnerabilities, which could be
exploited by unauthorized access to airplane networks, data buses, and
servers. Therefore, these special conditions and a means of compliance
are proposed to ensure that the security (i.e., confidentiality,
integrity, and availability) of airplane systems is not compromised by
unauthorized wired or wireless electronic connections.
< - >

More information about the Infowarrior mailing list