Is an App the New Box Cutter Terrorist Tool?


“You can use this system to modify approximately everything related to the navigation of the plane,” says a security specialist in aircraft computer hacking. “That includes a lot of nasty things.”

Attendees at Hack in the Box, a security conference being held in Amsterdam, were told yesterday that it was possible to “send radio signals to planes that would cause them to execute arbitrary commands such as changes in direction, altitude, speed, and the pilots’ displays.”

And it could be done with an Android app.

Apparently radio signals managed by the app take control of the cockpit computer screens and planes’ flight control systems.

“You can use this system to modify approximately everything related to the navigation of the plane,” Hugo Teso, a security researcher for a German IT consulting firm specializing in aircraft computer systems, told Forbes.

Apparently the app exploits weaknesses in commands that send data to planes as well as the flight management software used in many commercial flights.

Teso spent three years figuring out that “the airplane has no means to know if the messages it receives are valid or not.”

With a Samsung Galaxy smartphone Teso took control of a virtual airplane.

But Honeywell, one of the companies that make flight management software, says that a PC virtual plane does not have the same protections found on commercial aircraft.

Security specialists say it wouldn’t take much to “adapt” the app to target commercial aircraft.

“It’s amazing to discover that aviation—an industry where safety is of vital importance and every physical element has one or even two fail-safe mechanisms—is failing to secure the onboard computer, the heart and brain of the plane,” reports net-security.org.

The app is not yet available for iPhone.


Comments (Showing 5 of 5)

  • fedup flyer at 12:16am April 12, 2013

    You can claim a lot of things but it doesn’t necessarily mean that it is true.

  • PHL at 1:50am April 12, 2013

    So lemme get this straight…someone was able to foil a simulator with a smartphone app?

    “With a Samsung Galaxy smartphone Teso took control of a virtual airplane.”

  • HDQDD at 2:05am April 12, 2013

    If you actually read the article, you see how failed this “hacker’s” logic is. He’s confusing ACARS with ADS-B, neither of which run in a frequency the phone would innately be able to receive/transmit without an external transceiver (read: how does that get through TSA). Also, all FMS changes must be approved by the pilots. Not to mention they must have a proper checksum to be accepted in the first place (which this “app” won’t be able to simulate).

    This dude is looking for his 15 minutes of fame. Congrats FT et al. on giving it to him.

  • UAL1200 at 12:47pm April 12, 2013

    ADS-B and ACARS only convey information between the ground and the aircraft. However, ADS-B can also be used to issue ATC clearances, but like HDQDD mentioned it must be accepted by the pilot AND the dispatcher.

  • jaysona at 5:51pm April 12, 2013

    Fud, fud, fud and more fud!

    This was a great PC computer based PoC (proof of concept), but a real attack of this class is impractical and the severity is over-hyped, there are some important bits of information that seem to have been lost in the sensationalism of the story.

    He did not test the attack on a real aircraft with real aircraft systems. The system used to validate the exploit is a simulation version of the FMS code, this code is not the same as the code used in primary avionics systems and does not meet the DO-178 certification for software, the personal computer used does not meet the DO-254 certification for hardware. The “full control” claim is not valid, there is no way to engage the autopilot from the FMS. Of course, when engaged in “managed mode” the aircraft will follow the FMS, but getting the invalid instruction on the FMS is unlikely without the pilots’ knowledge.

    The aviation industry has known about this particular presentation for a while now.

    Other things left out of consideration are the multiple layers of the human factor that are involved in flying an airplane, such as the pilots quickly realizing something is amiss, since their printed flight plan would not match what is in the FMS. ATC would be squawking all over the place trying to determine why the airplane is deviating from its flight plan, etc.

    All in all this makes for some great headlines and talking points for bobbing heads and armchair experts and generating more business opportunities for Hugo, but that’s about all. :rollseyes:

    That being said, both ADS-B and ACARS could use some protocol strengthening up for other reasons though.
