 Hello everyone and welcome to this virtual 747-400 walk-through. I guess one of the advantages of Defcon Safe Mode this year is that we're able to bring you things like this, but nothing beats being able to climb around and poke on a real airframe, so hopefully this gives you some insights into the avionics and some secret spaces on board this very recently retired aircraft. Ken and I work for PENTA's partners in the UK and we've been very fortunate to have access to end-of-life airframes at a breakers yard from which we've learned an awful lot and we look forward to sharing some of these things with you, especially if you've never seen the inside of avionics bay before. So here we are walking up the stairs to door B2, which is the second from the front on the starboard side and gives us a nice view back over the wing. The observant amongst you will probably notice that there are some engines missing. There should be four, but three have already been sold on as these tend to be the most expensive and sought after components. On board now and we're straight into one of the galley areas and this will be where the ground services teams load those trolleys full of your drinks and in-flight meals, but sadly no fine dining today as the aircraft is basically pretty empty of everything except the seats. Let's firstly walk through to the back of the aircraft past the stairs to the upper deck. The 747 is truly a monster at 71 meters long, that's 230 feet, so there's plenty of space on this aircraft for a full-class cabin layout. Down here right at the back is the first of our secret areas, which is in fact the crew rest area. One of two this is primarily for the cabin crew. Through this door at the back are some vaguely comfy seats and then a small spiral stair leading up to the crew bunk area. Back up to the pointy end now and first class and towards the back of this section is perhaps the lesser known floor access hatch down into the electrical engineering or avionics bay. You won't find this kind of access in smaller aircraft though. You can just see the outside hatch is open as well down below at the bottom of this ladder. Let's climb down into the avionics bay then. This is our main set of avionics all neatly racked up. Each black box carries out an individual function and are called line replaceable units or LRUs. For example here we have LRUs for cabin heating control, data management and at the bottom the three inertial reference units for navigation. Looking at the same rack from the other side now we can see big bundles of cabling running from the back of the racks to other areas mostly to the cockpit which is now two decks above us. Each individual LRU will have discrete cabling up to the switches or displays in the cockpit and if needed discrete cabling to any other LRUs it needs to talk to. Most of the cables carry data in the ARINC 429 protocol on the aircraft and this needs a pair for both transmits and receive. There is no network in the traditional sense to connect to. You can't just clip into a pair of wires at the back of the aircraft and gain access to all of these other LRUs. Perhaps fortunately it doesn't work like that on this older aircraft. One other little secret is that behind the LRU rack are doors leading to the forward cargo bay. The cargo and avionics bay are pressurized and although it would be pretty cold and noisy you could in theory use this area in flight I really wouldn't want to. This aircraft has huge tanks of water in here now and this is because with the engines removed it would be too tail heavy when actually fall backwards without the equivalent weight. Let's take a closer look at one of these LRUs. This particular one is for the para visual display and indicates which shows the pilots if they're aligned on the runway. They're held onto a standard size rack with a screw thread and rubber vibration mount. Some LRUs have more than one locking screw. If we pull these out we find a custom multi-pin connector on the back of the LRU for a cable breakout. This will then run off to where it needs to go in the cockpit. Here we have two of the units involved with ACARS which is the aircraft's data length system. The CMU acts like a router sending ACARS traffic between the various radios and the output devices like display units and printers which we'll see later. Okay let's follow those cables back upstairs via a fairly unique set of stairs to the upper deck bubble. There's a galley up here too if you remember that for later. Right at the front we find the cockpit behind the armoured doors. Here we are in the cockpit then. On the left is the captain's seat and to the right is the first offices. There are two jump seats as well and behind me is the flight crew rest area just a bunk bed again and a separate toilet that they can use without going back into the passenger area. On long flights there will be three pilots or more which they rotate through so someone is always getting some rest. The Dash 400 was the first 747 with a glass cockpit and the flight instruments are screens rather than what are termed steam-driven dials and gauges. It would have been a flight engineer too but their role is now computerised for the most part. Each pilot has their own control column or yoke which is directly connected to the control services by wires, pulleys and gears on a Boeing. The center console is mostly taken up with the multifunction control and display units, thruffles and controls for the radios. They also have a primary flight display right ahead of them and an navigational display. Both are independent. In the center are the ICAS engine indicating and crew alerting system displays which show the status of all the major systems like engines, fuel, electrics, hydraulics and also comes up with a log style set of messages in yellow or red depending on severity. So let's power up. We have a single ground power unit available. We should have two really for a 747 so we need to be a bit careful on power use. By pressing the overhead button to tie in ground power one most things come alive. You'll notice there's definitely no key. After a few minutes the primary flight display showing the artificial horizon and flight director bars and the navigational display come up. Here I'm setting the first officer seat on the right so the primary flight display is on the right and the navigational display on the left. My lower ICAS display shows the electrical buses, one free engine but as you can see from the upper display we have three engines missing. The aircraft will think has a fire as the detection loops aren't connected but obviously we're not really on fire. I can also use my MCDU to access the ACAR system that we saw downstairs in the Avionics Bay. There are lots of things I can do through ACARs but that's the topic for another of my talks. Also in the cockpit are some other interesting bits of Avionics like this navigation database loader that still uses three and a half inch floppy disks. This database has to be updated every 28 days so you can see how much of a chore this must be for an engineer to visit each one. There is also a quick access recorder which is used for gathering lots of data about the aircraft's health. At the end of each flight, more near enough, an engineer will remove the PC card although this one actually has a CF to PC card converter and download the data which helps with predicted maintenance or detecting if there's been a heavy landing or tail strike for example. More and more aircraft are starting to become E enabled which means this data is streamed in near real-time back to the airlines and engine makers over SAC on so they can have replacement parts ready and waiting for when the aircraft next lands. Now then, in-flight entertainment. There's no Wi-Fi on this 747 but under the stairs, down from the upper deck, the cabin services director has a small office and this is where the 747's IFE is driven from. There is a small touchscreen PC here which is actually running in T4. This can be used to change aspects of the system, add the day's news broadcast video, reboot seat boxes and even turn individual seat lights on and off. Above this are the digital media servers themselves which contain all the movies and so on, ready to stream to each seat. There's also the boarding music and safety announcement controller which just plays off digital audio tape. There's even a little printer in here which is linked to the ACAR system so the cabin services director can print things off if they need to. And lastly, I want to leave you with a little secret. Remember the upper galley? Well, there's a lift to take catering cars between the main and the upper deck which is pretty cool. Thank you for the tour of the 747. Absolutely fascinating. Now, why didn't you do this interview in the 747 itself? Well, yeah, we should have done but it was a bit, you know, kind of confined in there and in the current Covid environment. Doing it with masks and things would have been a bit weird. So yeah, we've come back to do it in the same. So it's our simulator rather than the cockpit of the 747, that's fine. Great. Yeah. Safety first, right? Quite right too. Now, one of the things that I think is a bit of a game changer is the fact that so many airframes are being retired right now. What difference does that make for us as researchers? Aircraft themselves are really expensive piece, you know, and even if you had the all the will in the world, airlines and airframe manufacturers won't just let you go and pen test an aircraft because you don't really know what state you're going to leave in. It's not like an office network where you can go and reinstall and clean things up. Re-certifying avionics and whole airframes is ludicrously expensive. And even if you were able to have some assurance that you've cleaned up the mess, the pen tester is left. So being able to sort of do more adversarial testing of an aircraft in a flying state is not something that we really get to be able to do. So, you know, it's not a silver lining, I have to say, but one of the results of the COVID crisis and is that airlines are bringing forward a lot of their scrapping programs, particularly of these larger types, like the 747 and 380s. And as a result, they're going to salvage yards. They're not really going to fly again in their current state. No one really wants 747s anymore. So yes, the avionics make a second lease of life, but the actual aircraft themselves are unlikely to be able to fly again. And that gives us a really good opportunity to go and have a poke around. Yeah, so in the past, we've looked at airframes. I think probably the oldest one we got to have a play with was a 10-year-old A320 or so. But even then, it doesn't really represent what's coming off the production line right now, does it? So, you know, last year for DEF CON for the village, we went and bought some LRUs. But even those were upwards of 20 years old. So do you think it's the game changer, the fact that we're seeing some slightly more recent kit being scrapped or decommissioned? Yeah, for sure. I mean, the 747 that we just did the video to around was 23 years old. But remember, the design lifecycle of these things is 30 years. There's a decade or more design work that goes into an aircraft before it even goes into production and then 20 odd years of service. So what people are designing today will still be in service in 30 years time. And it's really difficult to anticipate all of sort of future security needs and requirements. So, yeah, what we've seen today is obviously not state of the art. And there are differences between 747 that we looked at and more modern aircraft like A380 that are flying today. Big differences in the way that their avionics are set up and how the networking is done on board. Yeah, so it's important to remember that particular plane was still flying just over two and a half months ago. And I think actually flew in that very plane as a passenger last year. So it is representative. It's just the scrappage programs are being accelerated. And I also went through the avionics bay actually dating the install dates from many of the components. And there's a lot of kit in there that it's only five to 10 years old in some cases. So it's not all 23 years out of date. No, no, and a lot of it is reused. So the ground proximity warning system, for example, those LRUs are pretty much interchangeable between any aircraft. I mean, I've seen the same exact LRU maker model on the 74 as I did an Airbus A320. And they go for $20,000. I mean, it's like a tiny little box and it's $20,000. So it shows you, you know, yes, stuff is coming off things that have been scrapped, but it is still current and flying. And it is mega box if you want to go bugger. So obviously 49 carries a lot of heavy wiring as a result of it. Now I know that the triple seven used an inductively coupled bus called our 629 but that was really only used in the triple seven itself. Well, recently we've seen a move towards FTX or our 664. How does that change the risk profile of the plane to you? So 664 and aviation loves its acronyms and numbers and stuff. So but 664 is basically based on Ethernet. It is Ethernet with some extra quality of service layers on top to make sure that flight critical things can almost talk to each other. So there is basically a fiber network around more recent aircraft like the triple seven acts, the 787 and the A380. So there is a fiber network and everything plugs into that fiber network. And instead of these discrete black boxes that we saw on the 747 and this whole rack of individual black boxes for one of a better word. Then there is basically a single computer crate where there's a pair for redundancy. But there's an A side and a B side computer. And things just run a software. So there's typically a real time and operating system like VX works that handles the flight critical stuff and then tends to be a Linux side for less important things and things are just run as applications on these computational nodes. So that does mean it starts to look a bit more like a traditional IT network, albeit one that's kind of hardened and more resilient in that regard. But yeah, if you don't get things right, and I'm sure we will see it on office networks and traditional office firewalling, if you don't get IP tables right, then that potentially means that traffic can move from one segmented zone to another. And that that is true on aircraft. But obviously, you're still going to need physical access and things that I think I think we noticed from looking at some navigational databases we recovered from from airplanes, particularly those on floppies is there wasn't any code signing. There wasn't any any cryptographic validity. So again, less of a problem where you're physically having to visit the plane and there's physical security in place. But as we move towards the idea of updating remotely over the air, do you think that's more of a problem? Well, where manufacturers have moved to this over the deployment model, they have implemented some code signing, which has brought it for its own problems actually recently because that code validity certificate is also only valid for a month. So if you're trying to do updates on to an Airbus at the moment, you actually have to update the certificate verification list in the certificate chain before you can do anything else. So they have thought about this as they've started to make these E&A aircraft, for example. And on the Boeing side, there are so much physical data interlocks on the aircraft. So although you can stage software updates and navigational updates, for example, onto the aircraft, they are held in an area until either a pilot or a maintenance engineer physically operates a key switch and selects where that software update should go. And there are other physical interlocks. So the aircraft actually has to have its weight on wheels switch closed as well. So the aircraft has to be on the ground, it can't be flying. And someone has to physically operate a mechanical switch in order to update that particular part. So there are some safeguards. But yeah, you're right. There are still a great reliance on CRCs and that kind of thing floating around in the aviation industry. And if you speak to people that there does seem to be a bit of a misunderstanding between integrity in that there is some sort of CRC magic number type thing to make sure the message or update hasn't been garbled in transmission versus actual message signing so that you know that that software update or message has actually come from the person that says it's come from. There's a lot of connectivity being established on planes and a particular technology I'm quite interested in is gate link, which is used to upload and download, for example, pasture and manifest information, but also things like movies and stuff. So someone physically doesn't have to put a CD or floppy crikey into the IFE. What other things are we seeing connected to planes on the ground? Primarily, it's the health and maintenance data of the aircraft that there's this big drive from the path the manufacturers to have literally cloud offerings so that you as an operator can see the status of your aircraft in real time. I mean, some of it is really cool in that, you know, they can even see, you know, how long it takes an individual valve to open or close that if this particular valve is now taking a fraction of a second longer to open or close than it was, then maybe we need to arrange maintenance to come out and change that valve before, you know, it becomes a problem and the aircraft requires more maintenance and more downtime. And remember that every time the aircraft is sitting on the tarmac, it's losing money for the airline. So to keep our fares down, we want to maximize how often these things are flying, but in a safe way. That picks up an interesting piece from a couple of years ago, a security researcher claimed to have accessed the thrush management computer from the Empire Entertainment System. What's what's your view on that? Do you think that was that was a real issue? Or do you think perhaps the media got a bit excited about it? I think it was it was thoroughly investigated by everyone and knowing the airframe manufacturers, they do genuinely take reports of this nature pretty seriously. Most of them have avionics labs where they have everything in pieces on the bench and they often have a dedicated cyber security team that can take reports of this nature and actually go and replay them on the bench and even on real airframes if they want to. So I know it was thoroughly investigated and kind of debunked at the time. I think it was perhaps a media jumping on the story rather than the individual in that particular case. But as we briefly spoke about earlier, then there is a Harank 49 flying around between the fly management system and the inflight entertainment for, you know, telling you where you are. That's just part of how it works. But that is a worn by system and we have found that in in our research. I also can't speak as to the exact operator and aircraft involved in that previous instance. But, you know, where we've gone and deliberately looking, we've not found at this point any two way communication between passenger domain systems like IFE and the control domain. And there is actually the sort of DMZ almost of the information services domain that sits between the two. So to jump between essentially two laser segregation will be tricky in my opinion. Yeah, from everything I think we've looked at, it doesn't substantiate some of the claims that we've seen. Certainly we haven't found a way to compromise aircraft control from the IFE. It strikes me that sometimes we're looking in the wrong place. Everyone gets very excited about airplanes because they're new and unusual technologies and it's great for us inquisitive researchers. But frankly, probably the most likely area to cause disruption is going to be the ground system. So if a plane can't dispatch because the ground systems are down or the maintenance systems are down, it doesn't go anywhere. So I often think that planes get really interesting and lots of fun and I think it's great that we can help assure their security. But really you need to watch out for those ground systems, right? Yeah, definitely. I mean, it just reminds me of flying out to Defcon almost a year ago and a particular airline that pretty much all of us were travelling with to Vegas had a massive outage of its passenger information system. So none of the checking crew at the airports could scan your boarding pass and get you on to the aircraft. They were having to do it like literally pen and paper all by hand. Thousands of people at this one airport of the queues or out of the terminal around the carpark. Yeah, and this was global. That's a huge amount of disruption and cost and it didn't really still a job of getting us on to the aircraft in time pretty much. But you can see just how little things like this can have a real snowball effect. So certainly before the lockdown I used to fly pretty much every single week. And I don't know about your eyes. I feel very comfortable with flying and being a passenger, even fully in the knowledge of how aviation systems work. I'm very confident in their security. How do you feel about it? Yeah, I mean, I think it's really important that we're not here to scan a bunker. Like any industry, there are areas of improvement. And I'm pretty sure they would be the first to admit that. But do any of these deficiencies mean that it's unsafe for people to fly? No. And I'm a pilot. I want to carry on flying for work. You know, I'm friends and family flying around. So I don't wish them any harm either. So no, I don't think there are any any risks. Great. Alex, thank you very much. Cheers again. So thanks for watching. I hope it was useful to you. If you have any comments or questions, let us know.