Boeing 787 « Special Conditions »

Date : February 01, 2008

In the beginning of this year, press talks a lot of the fact that on-board information systems on Boeing 787 (plane named "Dreamliner" by Boeing and scheduled for 2008) would have security flaws. These flaws could allow hackers present on board to hyjack plane fly systems.

It seems that the media have exaggerated the problem, which is what we are going to present in this article.

At the origin of these publications there is a FAA ("Federal Aviation Administration") document named "Special Conditions: Boeing Model 787-8 Airplane; Systems and Data Networks Security--Isolation or Protection From Unauthorized Passenger Domain Systems Access". This document, as other "Special Conditions" released by the FAA, aims at demonstrating that a new feature does not introduce a security risk.

In this document, the FAA insists on the fact that Boeing 787 use a new architecture framework in which the passenger computer network (PIED - "Passenger Information and Entertainment Domain") can have connections with the aircraft network (ACD - "Aircraft Control Domain") and/or the airline network (AID - "Airline Information Domain"). This phenomenon, new in the aeronautic area, corresponds to a trend that had been observed in entreprises some years ago. We went from a model with disconnected networks (physically separated) to a model enabling network l'interconnection (logically separated).

The FAA says that this new feature, which is insured by the standard certification process, may present specific threats and should therefore be dealt in a "Special Condition" in order to prove that this new architecture does not introduce security risks.

Today, there is no reason to state that Boeing 787 on-board systems are vulnerable to attacks. There was indeed a media rush regarding possible hyjacking of these planes : the first article published by the FAA called "FAA Cautions on Airliner Electronic Hazards", we went to more mediatic titles such as "787 could be vulnerable to hackers" to end up with really provocative titles like "787 vulnerable to hackers"… We wanted to clarify this point.

For more information :

First Wired article (alarmiste) : http://www.wired.com/politics/security/news/2008/01/dreamliner_security (4 janvier 2008 )
Secon Wired article (spekaing of the FAA response) : http://blog.wired.com/27bstroke6/2008/01/faa-responds-to.html (9 janvier 2008 )
Analysis published by Cédric Blancher : http://sid.rstack.org/blog/index.php/245-y-a-t-il-un-pirate-dans-l-avion