Collins Aerospace: Sending text messages to the cockpit with test:test
22 comments · October 29, 2025
tantalor
tjr
Unfortunately, RTX did not respond to our vulnerability report. The account was disabled.
Some sort of acknowledgement of the report certainly would have been good here, but at least they did disable the account. I presume the reported vulnerability no longer exists.
deepsun
They will respond after a year or two with a lawsuit and SWAT busting doors.
0_____0
They're not in the US. I'm not familiar with German law enforcement practices but I wouldn't be surprised if they had a process that was a little less door-kicky.
stronglikedan
According to my German friends, it's worse over there.
BoredPositron
Cybercrime is pretty door-kicky in Germany and they usually keep all your gear for two years even if you are found not guilty...
rwmj
Collins Aerospace, the same company responsible for days of outages at airport check-in kiosks https://www.bbc.co.uk/news/articles/c3drpgv33pxo
cactacea
Interesting choice of tail number and date... https://www.faa.gov/lessons_learned/transport_airplane/accid...
netsharc
Looks like the PDF is just to show what the messaging interface looks like, and what they've found as a publicly available screenshot is from the crash report involving that plane.
If they logged in, took a screenshot, and published that (even if lots of things are blurred), there's probably more attack surface for some three-letter-agency to bust down their doors and disappear them...
psunavy03
I'll take "things that happen in movies a lot more than in real life" for $600 please.
avs733
I would guess it limits their ability to be accused of anything to pick a plane, flight, and time that meets at least three criteria:
1) no passengers on board - you can't be accused of endangering passengers
2) long past - you can't be accused of anything that happened recently
3) the plane literally no longer exists - you can't be accused of damaging a plane
constantcrying
Well, this is just standard Aerospace grade software. I would be surprised if you could find a single controller in an airplane without some trivial login credentials.
Exposing software like that to the internet is of course a completely insane step.
sumnole
> Well, this is just standard Aerospace grade software
Can't be further from the truth. DOD software is given huge budgets where it's not surprising to see 3 separate teams performing QA for one software milestone. It's one of the few sectors that still plan software upfront waterfall style and implement strict procedures for traceability, change management, etc. Who else is using formal methods or safety critical stacks like ADA/Spark?
Jtsummers
> Who else is using formal methods or safety critical stacks like ADA/Spark?
This is not actually as common as many people seem to believe. The mandate died almost two decades ago. DOD aircraft fly on Fortran, JOVIAL, C, and C++ more than Ada. And DOD IT systems are a clusterfuck.
> It's one of the few sectors that still plan software upfront waterfall style
That's not the good thing you seem to think it is.
Also, why do you call it ADA? It's not an acronym. Amusingly, SPARK is, or was, and you write it as "Spark". It originally stood for "SPADE Ada Kernel" and the language continues to be stylized as SPARK.
ghc
LOL
constantcrying
You have to be kidding! Have you worked on any of these projects?
I wrote DO-178 software; literally every single project I ever worked on has trivial login credentials.
> DOD software is given huge budgets where it's not surprising to see 3 separate teams performing QA for one software milestone. It's one of the few sectors that still plan software upfront waterfall style and implement strict procedures for traceability, change management, etc. Who else is using formal methods or safety critical stacks like ADA/Spark?
None of this matters or contradicts what I said. You will be able to get into it with user:root password:root or some variation. In all likelihood you will even find a requirement for this, which is of course verified.
If you apply the methodology practiced to a web application, the OP is exactly what you will get.
Jtsummers
> Well, this is just standard Aerospace grade software.
This is a groundside problem, and perhaps it is insane to have it exposed to the open internet but it's not on the aircraft. It needs to be exposed to some network because the intent is that fleet controllers (airlines, or in this case Navy) use it to reach out to their aircraft wherever they may be.
That said, it absolutely fits the quality I've come to expect from IT systems developed by aerospace and defense companies.
2OEH8eoCRo0
It meets all requirements! /s
zppln
Aerospace has been dealing with /safety/ for a long time, /security/ is another matter...
deepsun
Nowadays it's actually hard to not connect anything to internet. Better (and easier) to assume it's connected.
downrightmike
root:root
> RTX did not respond to our vulnerability report
I guess they mean you should sell the vulnerability to highest bidder instead of reporting? Weird choice.