How to crash an airplane by cheating at Tetris
February 11, 2007 2:19 PM

This simple hack actually only crashes the in-flight entertainment system (perhaps this one?), but that's already enough to cause concern with the kind of people who comment anonymously on a blog for "security executives."

I'm certain that this vulnerability (like this vulnerability) will be taken seriously.
posted by jdfalk (44 comments total) 2 users marked this as a favorite

 
yikes. and yikes. Swissair111.org.
posted by nickyskye at 2:43 PM on February 11, 2007


Always cut the red wire. NEVER the blue (though you can hover over it with the wire cutters to first build tension). When the large LED numbers count down to 1 second and the strings section is loudest, cut quickly. Try and do this from an aisle seat (coach, of course) to give everyone a better view. Including the relieved air marshals who will, no doubt, buy you a drink.
posted by hal9k at 2:46 PM on February 11, 2007


Maybe that's why it took them 2 hours to get the inflight movies working on my last flight. Stupid hackers!
posted by graventy at 2:46 PM on February 11, 2007


This was also discussed by the author at the RSA conference in San Francisco last week.
posted by aberrant at 3:08 PM on February 11, 2007


cool
posted by caddis at 3:24 PM on February 11, 2007


This is awesome, although ya, I'm glad this didn't impact the navigation system.
posted by serazin at 3:29 PM on February 11, 2007


I think it goes without saying that the inflight entertainment server is usually a simple linux box stuffed into one of the forward or aft overhead baggage compartments next to some other mundane equipment and is not wired into any system related to the actual flight of the aircraft. You knew that, right?
posted by Burhanistan at 3:37 PM on February 11, 2007


I think it goes without saying that the inflight entertainment server is usually a simple linux box stuffed into one of the forward or aft overhead baggage compartments next to some other mundane equipment and is not wired into any system related to the actual flight of the aircraft. You knew that, right?

Except for the animated map channel. Which will kill us all.
posted by cillit bang at 3:50 PM on February 11, 2007


Ah, yes, I forgot about the map channel. A properly motivated deviant could very well hack into that and steer the plane with the old Nintendo style entertainment system controller to Cuba or something. Viva la revolution.
posted by Burhanistan at 3:53 PM on February 11, 2007


Of course. Everyone knows that the entire avionics system on a modern aircraft is triply-redundant.

What they don't know is that the third redundant layer of electronic control is that Linux box in the overhead baggage compartment. That guy was messing with shit he had no business messing with. I hope they hang him in a public square.
posted by mr_crash_davis at 3:54 PM on February 11, 2007


I don't fully understand the appeal of breaking something just because you can spot the vulnerability - it's akin to smashing a vase with a baseball bat and then proclaiming "Wow, they never thought I'd do that! I'm smart!"
posted by jimmythefish at 4:16 PM on February 11, 2007 [1 favorite]


Well, you could probably freak the fuck out of the other passengers by messing with the flight path on the map channel. A good solid air riot, that's where it's at.
posted by graventy at 4:42 PM on February 11, 2007


A vase isn't supposed to be "secure", jimmy. A vase is a delicate object that requires care. And more important, a broken vase is just that: a broken vase. No other harm except for the broken vase is incurred. OTOH, the electronic systems controlling an airplane, or an operating system, or an ATM, etc etc ARE supposed to be secured, because these three items, when compromised, can cause serious damage to anyone who comes in contact with them.
posted by SeizeTheDay at 4:43 PM on February 11, 2007


A vase isn't supposed to be "secure", jimmy. A vase is a delicate object that requires care. And more important, a broken vase is just that: a broken vase. No other harm except for the broken vase is incurred. OTOH, the electronic systems controlling an airplane, or an operating system, or an ATM, etc etc ARE supposed to be secured, because these three items, when compromised, can cause serious damage to anyone who comes in contact with them.

...and isn't this further reason not to fuck with it?
posted by jimmythefish at 4:47 PM on February 11, 2007


...and the security has nothing to do with it. It boils down to this person, who can see the vulnerability of the system, breaking it because he can. It's not a beta-testing situation. It's a plane in flight. In that regard it's entirely similar to a vase in that it doesn't get treated as it was designed for no other reason than you can.

Oh, and I also don't really agree that a vase isn't designed to be secure in its surroundings. It has a base which is flat, and therefore designed to prevent it from falling over, etc. Some important vases have glass surrounding them, too.

/pedantry.
posted by jimmythefish at 4:53 PM on February 11, 2007


I hope they hang him in a public square.

And would that solve the problem? No, it's just a mentality that's hard to get rid of.

Yes, he was slightly mad. Trying anything on a flying plane is idiotic unless there is a compelling reason, and there was none. But I seriously doubt that ANY control available to the crewmembers or passenger is even _connected_ to the redundant flying systems.

IF it is, then it's not only a mistake, it's begging for trouble, it's criminal endangerment and I wouldn't have faulted him for bringing down the plane, I would have faulted the company. By analogy one would say that I would fault the company for building a door that doesn't lock out terrorists all the time from the cabin; I would not as I think there probably are compelling reasons for keeping an access door connecting cabin to passengers.

Yet if there isn't one, a separated pilot hatch would be more secure than a door. Similarly, I am not aware of any strict need to connect a redundant flying system to other easily accessible electronics.
posted by elpapacito at 5:54 PM on February 11, 2007


jimmy, the system is 100% separated from the flight control. It's like worrying that if your laptop crashes, the plane will lose control. Chill.
posted by tehloki at 6:03 PM on February 11, 2007


Jesus. Talk about flapping over nothing.

It's an entertainment system. It just happens to be on a plane (without snakes). Think of it as a Playstation wired to the seats. When you are playing Tekken and beating the crap out of the control pad (no-one actually *knows* the special moves, do they?), you don't flap that the cooker might suddenly explode and join the meltdown that the washing machine is undergoing and blast the house into the following week, do you?

The entertainment system is utterly, utterly isolated from anything important - safety or otherwise. It has a power feed, but that's it. You lot (of all people) should know that crashing software doesn't produce massive power surges that will suddenly ignite the insides of a plane.

What utter knee jerking in the articles. I was astonished to find it continuing here. Or do you all perhaps flush aeroplane toilets carefully and try not to crap too hard (not necessarily in that order) in case the movement suddenly unsettles the control surfaces and the plane flips on its back?
posted by Brockles at 6:22 PM on February 11, 2007 [3 favorites]


Or do you all perhaps flush aeroplane toilets carefully and try not to crap too hard (not necessarily in that order) in case the movement suddenly unsettles the control surfaces and the plane flips on its back?

Not before, but thanks to you I'm going to be extra paranoid the next time I have to occupy the lavatory. Thanks a lot.
posted by Burhanistan at 6:29 PM on February 11, 2007


Frankly, I'd feel like my plane deserved to crash if it turned out the flight controls had any interaction whatsoever with the entertainment system.
posted by maxwelton at 6:54 PM on February 11, 2007 [1 favorite]


As an aviation consultant, you've piqued my curiosity as to how a map/nav display is tied into the entertainment system. I'm assuming the map display is purely a video output from the navigation system with complete isolation, but hey - you never know. Thanks for the post!
posted by matty at 7:01 PM on February 11, 2007


matty, I'm guessing here, but the feed for the "map channel" is probably a dump from one of the nav systems. Then it is further finessed by its own dedicated box (probably a small one) that gives it the cycling screens such as eta, distance traveled, etc. This newly created feed is then piped into the server that all the headrest consoles are networked into. So, in this scenario the possibility, however remote, of hacking from one box to the other to get into one of the navigation computers is open. Hmm.
posted by Burhanistan at 7:10 PM on February 11, 2007


But on second thought, if the nav computer is just sending data via an analog video signal, then it's highly unlikely one could hack through that. Guessing leads to more of the same.
posted by Burhanistan at 7:14 PM on February 11, 2007


I don't fully understand the appeal of breaking something just because you can spot the vulnerability - it's akin to smashing a vase with a baseball bat and then proclaiming "Wow, they never thought I'd do that! I'm smart!"

Because attempting to break security systems is exactly how you strengthen them. It's exactly how you find bugs and vulnerabilities like the one in this in-flight entertainment center.

You really should be extremely grateful that there are hackers in the world that try to break shit, otherwise your browser/bank/ATM/flight systems would be even more vulnerable to attack or system errors through bugs and the world would be a vastly more messy place.

Not only could people steal easier, but systems would be buggier the world over, records would get lost or destroyed more often and computer science in general would be much worse to deal with. It's not simply about "people who behave" vs. "people who don't behave".

When it comes to computer science, there's a direct relation between "hacking" systems, "troubleshooting" for bugs and "engineering" for reliability - they're all exactly the same procedures, with different goals and intents in mind.


Finally, the difference between your fragile vase and computer science and security is this: That vase is a physical object with a form and function.

Computer security is nothing but clever puzzles and symbology and math in the form of code. It exists in a realm apart from physical objects, in a realm of pure mathematics and thought exercises.

While your vase does not benefit from being "smashed", computer security does benefit from scientifically applied stress, in attempts to replicate as many real-world attack scenarios as possible. It is the only way.

Instead of a vase, a better analogy would be forging metal. How you hit, fold, forge and temper the metal alters the end product and result, and the particular qualities of the metal - like hardness or flexibility.

And that's why nerds are always trying to break things. It is only by breaking systems that we can learn their limits and learn how to make them stronger.
posted by loquacious at 8:09 PM on February 11, 2007 [1 favorite]


And that's why nerds are always trying to break things.

Well. That and the fact that girls won't let them play with them and they have nothing to do with their hands otherwise that won't damage their eyesight.
posted by Brockles at 8:11 PM on February 11, 2007


matty, I'm guessing here, but the feed for the "map channel" is probably a dump from one of the nav systems. Then it is further finessed by its own dedicated box (probably a small one) that gives it the cycling screens such as eta, distance traveled, etc.

It's probably none of these things. It's probably raw NMEA or other GPS data being dumped from an on-board or dedicated GPS receiver and decoder. These datatypes are widely variable, from plaintext to Garmin's protocol to RTCM and more.

This type of data from a GPS decoder is usually serial, one-way, and nothing more than a simple 8 or 16 bit serial datastream.

Even if they were dumping the GPS datastream directly from the plane's primary navigation computers to the linux media server box, it wouldn't be easy or likely to hack.

In such a scenario it's possible you could physically locate the cable providing the data and zap it with some voltage to damage stuff up-stream, but you could do that with a number of other cables available in the airframe, and I strongly hope that if you began dis-assembling bulkheads on a flying plane that someone would knock your stupid ass out.

It may also be possible to hack into the linux server and get it to do all manner of nasty stuff to the serial input or whatever physical connection, but again, it's not likely that this GPS datastream is anything more than a standardized one-way datastream. And you'd still have to actually crack the linux box and gain root or sudo, and it's not even known if there's any console access at all outside of the applications it is serving. (Remember, you can drastically restrict the access levels of any program or script in linux.)

And finally, the most likely scenario: considering what little FAA and international avionics laws and rules I do know - I am not a pilot or aerospace engineer, the linux media server probably just has its own, dedicated GPS antennae and receiver/decoder. That shit is dirt cheap, and it's a hell of a lot easier than trying to secure it and isolate it from the flight systems and avionics. It'd hardly weigh anything on a jetliner, and it would make all kinds of sense considering the media server system is a total retrofit and aftermarket install.

In either case, the media server probably simply takes the raw GPS data and does the mapping and updating stuff for the passenger in-flight maps - not the plane's avionics. There's no reason to tie them together. Hell, my 8mhz Palm OS device can handle graphical maps and a GPS datastream, it'd be nothing at all for a dedicated multi-CPU linux server.
posted by loquacious at 8:26 PM on February 11, 2007 [1 favorite]


Well. That and the fact that girls won't let them play with them and they have nothing to do with their hands otherwise that won't damage their eyesight.

Shush, you. Hie thyself gonelike, or I'll replace you with a single-line Perl script that resembles modem linenoise.
posted by loquacious at 8:28 PM on February 11, 2007


/grows a long beak

Wha? Oh. Not gonzo-like. Right.
posted by Brockles at 8:46 PM on February 11, 2007


Dude, if you can turn into Gonzo and love a chicken the way a chicken deserves to be loved - which is fully, without reservation, and with every last spark of your soul - I'll replace myself with a single-line Perl script.
posted by loquacious at 8:49 PM on February 11, 2007 [1 favorite]


Perhaps not in all cases, but I'm fairly sure in at least one case (where my international flight was stuck in a holding pattern for nearly an hour before landing) that the animated map thingy is nothing more than a video playback or equally non-interactive display.

Mostly, I think this, because I watched my plane land at the appointed time while a glance out the window confirmed we were still very much airborne.

This was in the mid 90's, and I'm more confident it has some sort of reality behind it since then, however.
posted by abulafa at 8:55 PM on February 11, 2007


Hmmm. I have no soul, so where does that leave us? Do we replace the rest of the world? You may need to write the Perl stuff, as I have no idea at all what it is (other than 'code').

because I watched my plane land at the appointed time while a glance out the window confirmed we were still very much airborne.

"But! I saw it on the TV! It MUST be true!"

Someone actually used that sentence, out loud, in front of me the other day... The look I gave them was, to say the least, 'withering'.
posted by Brockles at 9:03 PM on February 11, 2007


Obsessed with Tetris in 1998? That's one behind-the-times nerd.
posted by staggernation at 10:03 PM on February 11, 2007


those are textbook examples of things not to do. put code like that on the internet and it'd be hacked within weeks.

what boggles my mind isn't that the guy broke it, it's that it was so easy to break -- and yet all the reaction is about the guy, not about the code.
posted by jdfalk at 10:30 PM on February 11, 2007


One safe way to get data from the mission critical nav system to the entertainment map display is via something like an EAL7-level certified "data diode". I don't know if that's how it's done in practice, but I'd trust my life to that level of isolation (as long as other aspects of isolation were similarly-well enforced).
posted by dylanjames at 10:40 PM on February 11, 2007


Burhanistan and Loquacious - thanks for the info. One of my current clients (insert a 3-letter acronym here) would be very interested in stuff like this - so I appreciate the breakdown of possibilities.

This will give me a neat side-project of researching the various systems out there in use by the airlines. I'm guessing there's a slew of systems used by foreign carriers and only a handful used by US carriers.
posted by matty at 4:39 AM on February 12, 2007


I've always assumed that the in-flight map screen was totally bogus.
posted by Faint of Butt at 6:50 AM on February 12, 2007


"But! I saw it on the TV! It MUST be true!"
Someone actually used that sentence, out loud, in front of me the other day... The look I gave them was, to say the least, 'withering'.


Maybe it's just me, but I swear that no one tells their kids "Don't believe everything you see on television" anymore.
posted by PsychoKick at 10:56 AM on February 12, 2007


An off by one error that wasn't tested for, an equivalency bounds check where nothing would be lost for using a greater-than, and catastrophic failure enough to crash a Linux system for overflowing a signed char. Did the guy get hired right out of C 101?
posted by JHarris at 12:40 PM on February 12, 2007
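The three defects named in the comment above, as an added C illustration (not the entertainment system's code, which this thread does not show): an unvalidated keyed-in value, an equality-only bounds check, and a signed char that wraps, set beside a version that validates input and clamps with a greater-than comparison. The setting, its limit `PREVIEW_MAX` and all function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

#define PREVIEW_MAX 4   /* hypothetical upper limit of a game setting */

/* Flawed pattern: value stored in a signed char, direct entry not
 * range-checked, increment guarded only by an equality test. */
typedef struct { signed char value; } weak_setting;

void weak_set(weak_setting *s, int keyed) {
    s->value = (signed char)keyed;      /* keyed input is never validated */
}

void weak_increment(weak_setting *s) {
    if (s->value == PREVIEW_MAX)        /* only stops at exactly the limit */
        return;
    /* 127 + 1 does not fit: the conversion is implementation-defined in
     * ISO C, and gcc/clang wrap it to SCHAR_MIN (-128). */
    s->value = (signed char)(s->value + 1);
}

/* Hardened pattern: plain int, validated entry, ">=" clamp on increment. */
typedef struct { int value; } safe_setting;

int safe_set(safe_setting *s, int keyed) {
    if (keyed < 0 || keyed > PREVIEW_MAX)
        return -1;                      /* reject, keep the old value */
    s->value = keyed;
    return 0;
}

void safe_increment(safe_setting *s) {
    if (s->value >= PREVIEW_MAX) {      /* also catches values past the limit */
        s->value = PREVIEW_MAX;
        return;
    }
    s->value++;
}

/* Drivers: key in a value, press "+" a number of times, report the result. */
int weak_after_presses(int keyed, int presses) {
    weak_setting s = { 0 };
    weak_set(&s, keyed);
    for (int i = 0; i < presses; i++)
        weak_increment(&s);
    return s.value;
}

int safe_after_presses(int keyed, int presses) {
    safe_setting s = { 0 };
    (void)safe_set(&s, keyed);          /* a rejected entry leaves 0 in place */
    for (int i = 0; i < presses; i++)
        safe_increment(&s);
    return s.value;
}

int main(void) {
    /* Constructed inputs: 5 is one past the limit, so "==" never fires. */
    printf("weak, keyed 3, 10 presses:  %d\n", weak_after_presses(3, 10));
    printf("weak, keyed 5, 122 presses: %d\n", weak_after_presses(5, 122));
    printf("weak, keyed 5, 123 presses: %d\n", weak_after_presses(5, 123));
    printf("safe, keyed 5, 123 presses: %d\n", safe_after_presses(5, 123));
    return 0;
}
```

Any code that later treats the weak value as a count or an array index receives a negative number it was never written to handle; the hardened version cannot leave the range 0 to `PREVIEW_MAX`.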


Actually, matty and locq, thinking further about the interaction between the entertainment server and map channel, I think my original assessment is more accurate. I've only been on United, Continental, and EVA Air for international flights, but each one the basic concept worked the same. The map channel would be available during both takeoff and landing, at which times the media server was powered off (I tend to watch the flight crew and note when they press buttons). So, I think the map information screens are piped to the consoles via a shared coaxial cable and its designated channel slot is simply a bypass of the server feeds. Again, mostly speculation, but somewhat informed speculation.

matty, if your side project into researching this bears fruit, it would be nice to read about it via mefi projects or something. I find these sorts of intricacies fascinating also.
posted by Burhanistan at 8:09 PM on February 12, 2007


Burhanistan - will do on the Projects angle.

Did you mean to say that you found the map channel would NOT be available during takeoff and landing? Those are the times when I usually found the system unavailable.
posted by matty at 4:35 AM on February 13, 2007


Matty, if memory serves correctly, the map channel is the only thing available during takeoff and landing. The rest of the entertainment server is offline or otherwise unavailable.
posted by Burhanistan at 6:18 AM on February 13, 2007


Thanks! It's been a while since I was on an international flight...
posted by matty at 6:20 AM on February 13, 2007


Oh, sure, you all think those systems are isolated, but let me tell you a story about one of my friends in the mid-80s.

He's got this system, right, kind of rigged together. Big weird floppies going into something looking like an Altair, some kind of homemade synth, whatever. We spent most of our free afternoons smoking joints and watching his system obsessively look for computer systems down in the Valley. Every so often we find a BBS -- mostly crap but sometimes we get some war3z board or some good ASCII pr0n. I mean, what better to do, right?

Well this one day he sees this ad for a game company -- game is coming out for Christmas and he calls bullshit on that. He's going to way zero-day this shit. Oh, foolishness of youth. So, like, he starts his crazy dialer app and up comes this term program.

The term welcomes him and asks if he'd like to play a game. I mean, that's what he's here for right? That and porn. Anyways, he dicks around with the chess game and tic-tac-toe -- it's all pretty cool considering this is the mid 80s and it's all ASCII and shit.

Anyhow, he tries this one called "Global Thermonuclear War" and goddamn if that game isn't a hoot. Only problem is apparently -- perhaps like today's modern flight avionics designers -- John Hacker on the other end didn't think about isolating the system and it turns out we're uplinked into goddamned Norad playing this fucker.

Next thing you know we've got the federales on our tail and we're pulling a Mitnick, shotgun rounds through the hard drive all that but we're totally hosed.

App keeps running.

Turns out that the whole "isolation" thing wasn't that hot back then 'cause the damned game terminal is crosswired into the silos and guess what -- only his nukes are real and he's playing for keeps.

Fortunately my buddy finds a hax in the tic-tac-toe which is almost exactly like this SMALLINT overflow this joey is talking about, he zero-players it and overflows the box, crashing the stack on both that game and the thermonuke one, thank God.

I mean, it would have prevented 9/11, but we'd all be dead so whatever.

So, like, just be careful. Maybe you think "sure, it's just the entertainment system" but dude, everything's networked these days.

tho, really -- crashed the -entire- system with an overflow? WTF?
posted by Ogre Lawless at 3:54 PM on February 14, 2007


Ogre Lawless, that story needs a lot more blinking lights on computer panels, beeping keystrokes and text before I will believe you.
posted by Burhanistan at 11:12 PM on February 14, 2007

