A Security Researcher Discovers A Fully Unprotected Server On An Aerospace Company’s Network

A security researcher for security firm IOActive, discovered a completely unprotected server on an aerospace company’s network, apparently loaded with code designed in a way to keep running on the company's giant 737 and 787 passenger jets, left openly available and accessible to any individual who found it.

After a year Ruben Santamarta, the security researcher guarantees that the said leaked code has led him to further discover security flaws in one of the 787 Dreamliner's segments, somewhere down in the plane's multi-tiered system. Which he recommends that for a hacker, abusing those bugs could 'represent' one stage in a multi­stage attack that begins in the plane's in-flight entertainment system and stretches out to the highly protected, safe-critical systems like flight controls and sensors.

Despite the fact that the aerospace company Boeing, straight out denies that such an attack is even conceivable, it even rejects Santamarta's claims of having found a potential way to pull it off. Despite the fact that Santamarta himself concedes that he doesn't the possess the right evidence to affirm his claims, yet he along with the various avionics cybersecurity researchers who have inspected and reviewed his discoveries argue that while an all-out cyberattack on a plane's most sensitive frameworks 'remains a long way' from a material threat, the flaws revealed in the 787's code regardless speak to a rather troubled lacking of attention regarding cybersecurity from Boeing.

We don't have a 787 to test, so we can't assess the impact, we’re not saying it’s doomsday, or that we can take a plane down. But we can say: This shouldn’t happen," says Santamarta at the Black Hat security conference on the 8th of August in Las Vegas.

When Boeing investigated IOActive's claims they reasoned that there doesn't exist any genuine danger of a cyberattack and issued an announcement with respect to the issue ,” IOActive’s scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads.

"IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we’re disappointed in IOActive’s irresponsible presentation."

The company spokesperson even said that while investigating IOActive's claims, Boeing had even put an actual Boeing 787 in "flight mode" for testing, and after that had its security engineers attempt to misuse the vulnerabilities that Santamarta had uncovered.

Boeing says it likewise counselled with the  Federal Aviation Administration and the Department of Homeland Security about Santamarta's attack. While the DHS didn't react to a solicitation for input, a FAA spokesperson wrote in a statement that it's  "satisfied with the manufac­turer’s assessment of the issue."

However there are quite a few security researchers who accept that, in light of Santamarta's discoveries alone, a hacker could make any impending threat to an aircraft or its passengers, other than that Santamarta's research, in spite of Boeing's dissents and affirmations, as indicated by them ought to be a reminder to everybody that aircraft security is a long way from a 'solved area of cybersecurity research.'