If that's the case, I'd assert that it's even less likely he was able to hack in.
I've written more than my share of ARINC 429 drivers and code that uses them. Hacking into a box at one end of a 429 connection so you can pass the data you want is significantly harder, especially in older aircraft which use more primitive operating systems (if they use an operating system at all). It's not like they're running off-the-shelf Linux with everything enabled. If they have a full operating system it will be something like VxWorks or Green Hills Integrity. Beyond that, you're not using the full RTOS, you're using the ARINC 653 compliant subset that has some pretty robust partitioning. And when you set them up for your system, you take out the parts you aren't planning on using so you have less to certify. There are no service ports left open on the IP stack. There are no terminals or file transfer services to hack into. Hell, many (most?) of those types of systems don't even have a file system at all. And if you're trying to hack a pre-RTOS era box, you have an IP stack that was customized specifically for the box to provide only the services required for that box and every other port will be closed. They were pretty adamant that the ports we were going to use were the only ones you could use when I had to run my IP stack through the testing gauntlet in the pre-RTOS days, not to mention that every single packet had to be screened for validity before it was accepted. They did quite a bit of testing to make sure we didn't have any "undefined behavior" resulting from corrupted or incorrectly formatted packets.
If you manage to get hacked packets to the box, you still have to find your way through the very custom software to get anything specific out of the 429 port at the other side. Which in most cases is virtually impossible because it's specifically designed to pass only the data it expects to pass. Then you have to deal with how to get the data you want through the 429 network. That's a network which has very specific message handling built into it and each computer using it configures their software to route the 32-bit packets very specifically. Keep in mind that 8 bits out of those 32 bits is the routing label that determines what the packet is used for. If the receiver isn't expecting a specific label, it will drop the packet. Beyond that, 429 is a single point to single point connection. The protocol has no provision for routing packets past that. You have to specifically design a computer to forward the data between two connections. And when you do that, you only route just the very specific data you want to route. You don't design it to accept any data from anywhere and pass it on to everywhere else. That's a huge safety hazard. Engine control data coming from the GPS interface simply doesn't get passed through the data concentrator because that's not where it's designed to come from.
If that weren't enough, you have to add in the fact that out of the 32-bit packet, you really only have 21 bits for payload, broken up in a couple of different ways depending on what you're sending. Every given routing label identifies what data is being sent. And for a lot of it, they only ever send one packet on a periodic basis for status update. It's a lot less common to send multi-word packet sequences. Even then, they're very specifically formatted and there's heavy range checking and so forth on expected vs received values for safety reasons. So it's not like there's a lot of room to pack in anything to hack with.
The more I read about this the less I believe he could actually hack a real plane.
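As an added illustration of the 429 word handling described a few comments up (written for this thread, not the poster's driver code): the label sits in the first 8 bits, only 21 bits (SDI plus data) remain for payload, and a receiver drops anything with bad parity, a label it was not configured to expect, or a data value outside its configured range. The label table and range limits are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* ARINC 429 word layout (standard bit 1, sent first, is bit 0 here):
 *   bits 1-8 label, 9-10 SDI, 11-29 data (19 bits), 30-31 SSM, 32 odd parity.
 * So only 21 bits (SDI + data) are available as payload, as the post says. */
typedef struct { uint8_t label; uint32_t data_max; } a429_filter_t; /* expected label + range limit */
/* Odd parity: a valid word has an odd number of 1 bits across all 32. */
static bool a429_parity_ok(uint32_t w)
{
    unsigned ones = 0;
    for (int i = 0; i < 32; i++) ones += (w >> i) & 1;
    return (ones & 1) == 1;
}

/* The label is sent MSB first, so bit 1 carries the label's top bit: the
 * 8 label bits are bit-reversed on encode and reversed back on decode. */
static uint8_t a429_label(uint32_t w)
{
    uint8_t lbl = 0;
    for (int i = 0; i < 8; i++) lbl = (uint8_t)((lbl << 1) | ((w >> i) & 1));
    return lbl;
}
uint32_t a429_encode(uint8_t label, uint8_t sdi, uint32_t data, uint8_t ssm)
{
    uint32_t w = 0;
    for (int i = 0; i < 8; i++) w |= (uint32_t)((label >> (7 - i)) & 1) << i;
    w |= (uint32_t)(sdi & 3) << 8 | (data & 0x7FFFF) << 10 | (uint32_t)(ssm & 3) << 29;
    if (!a429_parity_ok(w)) w |= 1u << 31;  /* bit 32 makes the 1-count odd */
    return w;
}

/* Receiver check: drop on bad parity, on a label this channel was not
 * configured to expect, or on a data value outside the configured range.
 * On accept, the 19-bit data field is returned through *data_out. */
bool a429_accept(uint32_t w, const a429_filter_t *tbl, size_t n, uint32_t *data_out)
{
    if (!a429_parity_ok(w)) return false;
    uint8_t lbl = a429_label(w);
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].label != lbl) continue;
        uint32_t data = (w >> 10) & 0x7FFFF;
        if (data > tbl[i].data_max) return false;
        *data_out = data;
        return true;
    }
    return false;  /* unexpected label: dropped, as the post describes */
}
```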
The reason they have multiple engines on a plane is to eliminate a single-point failure that would make the plane have "premature contact with the ground". And on trans-Pacific flights, having 3 or 4 engines gives you a significant safety margin for you to reach dry land. As engines have gotten better and more reliable, the requirement for 4 engines has been reduced to 2, starting with the Boeing 777 and going forward.
You can still make it to your destination after you lose your single GPS. Try making it to your destination after losing your single engine and let me know how it works out for you.
Perhaps he set up a test system in his basement with normal Ethernet switches and was able to do something interesting that would not have worked in the air with real AFDX switches?
That's where the uncertainty comes in. Near as I can tell, it's "very unlikely" that what he built could hack an actual plane. But I can't say with 100% certainty that he hasn't found a weakness that can be exploited. I doubt he has. But it is theoretically possible.
Logical? Yes. Physical? No.
Speaking as someone who worked for a Boeing subcontractor who designed their on board computers, I can tell you that there is a physical connection. There's only one set of SATCOM radios on board. The avionics systems use it for some of their communications and have for a long time. The airlines wanted to monetize the extra bandwidth by selling access to the passengers for a price. I am told they didn't add a second set of radios to provide bandwidth to the passengers.
So at the very least, there is a switch that connects the avionics network, the in-flight entertainment network, and the SATCOM radios. And while this is a physical connection, there is a fair amount of confidence that it's still a logical separation. The AFDX/ARINC 664 standard is pretty extensive and allows for very strict connection management. While Roberts may have been able to get a packet out of the IFE network and have it look like an engine control message, there's very little chance that packet would make it anywhere close to the engine control computer. Of course, that assumes that the avionics network was set up correctly. And that's a pretty good assumption given the safety requirements in place for avionics design. Still, there's that one in a million shot that there is an exploitable flaw. It's probably less chance than that, but it's not guaranteed to be zero.
The systems are completely, physically separate.
Considering that both the avionics systems and the in-flight entertainment systems are able to reach the SATCOM radios, I'm not sure this assertion is true.
I've spent a great deal of my career working on avionics systems and did work on early Ethernet implementations in the late '90s, well before ARINC came up with AFDX/664 standards. Back then we restricted Ethernet to single point to single point dedicated channels with no switching or routing of any kind. The first vague ideas of having an in-flight entertainment network were starting to form. But at the time, it was just high level R&D.
From what I've been able to piece together, Chris Roberts bought an under-seat device and hooked up something in his basement for proof-of-concept attacks into the avionics network. But without all of the rest of the equipment, he had to build up his system with commercial grade equipment. And that's where his "hacking the engine controls" story falls apart. Sure, he may have been able to get a specifically formatted packet through the IFE network and send it out the port that connects to the rest of the plane. And with his generic Ethernet switches, he may have been able to get that packet through to where he thought the engine control computer was. But his model is flawed.
AFDX/ARINC 664 is an entire structure built on top of the physical layer of Ethernet. While it may use Ethernet frames to pass the data, there's a ton of bandwidth management and strict routing management built on top of it. Assuming for the sake of argument that the avionics network was indeed set up correctly, there's no way an engine control packet coming from the IFE network would be routed. The filters would see that the IFE port isn't authorized to send that data and it would be dropped, perhaps with an error log of some kind. The only thing the IFE network should be able to talk to is the SATCOM radio and only within very specific parameters. There's no way a properly set up avionics network is vulnerable to an attack like this.
Of course, that begs the question. Did they set up their avionics network correctly? It's highly likely that they did, but I'm not going to say with 100% certainty that there are absolutely zero vulnerabilities. Suffice it to say, I'm extremely skeptical of Roberts' claims. But I will stop short of saying that he is, without question, full of it.
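As an added illustration of the filtering the post above describes, this is a simplified model written for this thread, not Boeing's or any vendor's switch code: an AFDX switch forwards only on statically configured virtual links, and the configuration (not the sender) fixes which ingress port may source each VL, its maximum frame size and its bandwidth allocation gap. A frame for the engine-data VL that arrives on the IFE port is dropped at the first check. VL numbers, ports and timings in the table are constructed values; real switches also apply jitter tolerance, which is omitted here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* Simplified model (added here, not real switch code) of the per-virtual-link
 * ingress filtering and traffic policing an AFDX/ARINC 664 switch performs.
 * Real switches also apply a jitter tolerance to the BAG check. */
typedef struct {
    uint16_t vl_id;        /* VL number, carried in the low 16 bits of the dst MAC */
    uint8_t  ingress_port; /* the single physical port allowed to source this VL */
    uint16_t lmax;         /* maximum frame size configured for the VL */
    uint32_t bag_us;       /* bandwidth allocation gap: minimum spacing between frames */
    uint32_t last_us;      /* arrival time of the last accepted frame */
    bool     seen;
} afdx_vl_t;

typedef struct {
    uint8_t  ingress_port;
    uint8_t  dst_mac[6];   /* AFDX VL frames use the multicast form 03:00:00:00:VL:VL */
    uint16_t length;
    uint32_t arrival_us;
} afdx_frame_t;

typedef enum { AFDX_ACCEPT, AFDX_DROP_NOT_VL, AFDX_DROP_UNKNOWN_VL,
               AFDX_DROP_WRONG_PORT, AFDX_DROP_TOO_LONG, AFDX_DROP_BAG } afdx_verdict_t;

afdx_verdict_t afdx_filter(afdx_vl_t *tbl, size_t n, const afdx_frame_t *f)
{
    /* Anything that is not an AFDX VL destination is dropped outright. */
    if (f->dst_mac[0] != 0x03 || f->dst_mac[1] || f->dst_mac[2] || f->dst_mac[3])
        return AFDX_DROP_NOT_VL;
    uint16_t vl = (uint16_t)(f->dst_mac[4] << 8 | f->dst_mac[5]);
    for (size_t i = 0; i < n; i++) {
        afdx_vl_t *v = &tbl[i];
        if (v->vl_id != vl) continue;
        /* The static configuration, not the sender, decides who may use a VL:
         * a frame for the engine-data VL arriving on the IFE port is dropped. */
        if (v->ingress_port != f->ingress_port) return AFDX_DROP_WRONG_PORT;
        if (f->length > v->lmax) return AFDX_DROP_TOO_LONG;
        /* Policing: at most one frame per BAG, so a flood cannot starve others. */
        if (v->seen && f->arrival_us - v->last_us < v->bag_us) return AFDX_DROP_BAG;
        v->seen = true;
        v->last_us = f->arrival_us;
        return AFDX_ACCEPT;
    }
    return AFDX_DROP_UNKNOWN_VL;  /* no VL configured: nowhere to forward it */
}
```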