Researcher hacks aircraft controls with Android smartphone

A presentation at the Hack In The Box security summit in Amsterdam has demonstrated that it's possible to take control of aircraft flight systems and communications using an Android smartphone and some specialized attack code. Hugo Teso, a security researcher at N.Runs and a commercial airline pilot, spent three years developing …

COMMENTS

This topic is closed for new posts.

Silver badge
Meh

Knew It Was Coming

This sort of thing has been discussed in military conferences in the past but considered low risk mainly because:

A) It was assumed that technology to interfere/control civilian aircraft systems could not be obtained by civilians.

B) State entities that could exploit civilian aircraft systems vulnerabilities would not because they are civilian aircraft and not considered military targets.

Guess that's all out the window now.

19
0
Bronze badge
Childcatcher

Re: Knew It Was Coming

To paraphrase T. H. White, if it is not completely bulletproof, it will be exploited. Just because I cannot think of a reason that someone might want to exploit a particular flaw does not mean that someone else will not come up with one, even if it amounts to sheer bloodymindedness. To take the given reasons apart

A) Where there is money, there is a way.

B) Because no state entity has ever gone after non-military targets or used civilian tech to go after the same?

C) Left off: non-state actors. There may be a few of these out there.

15
0
Devil

Re: Knew It Was Coming

I'd love to be in a plane where this was done...

With a back door, a parachute and plenty of altitude....

Just in case.... or as a matter of course.

Don't fancy a lap-top landing.

2
1
Silver badge
Coffee/keyboard

Re: lap-top landing

hahaha!

But then again, I bet it happens all the time with Predator Drones!

2
0
Bronze badge
Thumb Up

Re: Knew It Was Coming

Jetliners are notoriously bad to jump out of. What you would need is an old 727 with the staircase in the tail. I believe a hijacker once used that to escape said plane.

3
1
Joke

Re: Knew It Was Coming

Wasn't it obvious when they put an "airplane mode" into your phone?

I just never knew what it was really for.

Who needs MS flight sim now!

19
0
Bronze badge
Thumb Up

Re: Knew It Was Coming

@Pepper - See 'D.B Cooper'.

Also that Channel 4 programme a few months ago where they intentionally crashed a 727 a) for TV ratings and b) sheets and giggles. Oh, and some science too.

2
0
FAIL

Re: Knew It Was Coming

"A) It was assumed that technology to interfere/control civilian aircraft systems could not be obtained by civilians."

what? a smartphone?

Captain Crunch interfered with the telephone system by whistling at it!

4
0
Boffin

Re: Knew It Was Coming

@ Pepper You're referring to the infamous DB Cooper case and several others who tried to copy his escape, and while some of the money was found I believe the case is still open and there is some speculation around if he survived the experience. The 727s now have an interlock called the Cooper vane to prevent the rear stair from opening if the plane is not on the ground wheels down, specifically to prevent this from happening again.

3
0
Gold badge
Unhappy

Re: Knew It Was Coming

"This sort of thing has been discussed in military conferences in the past but considered low risk mainly because:

A) It was assumed that technology to interfere/control civilian aircraft systems could not be obtained by civilians.

B) State entities that could exploit civilian aircraft systems vulnerabilities would not because they are civilian aircraft and not considered military targets."

So the first, last and only line of defense has turned out to be the assumption that "smart people who want to do this cannot get hold of the tech to do so".

Remember the video feeds from drones in Afghanistan which also were thought "secure" because a) They can't do this and b) What use would insurgents have with seeing themselves? Answer: by seeing what you see they can know where you are not looking.

3
1
Boffin

Re: Knew It Was Coming

"With a back door, a parachute and plenty of altitude...." Really?

At 33,000 ft (10,000m), the usual airliner cruising height, the temperature is around -50 C! If you didn't suffocate from hypoxia you'd freeze before you hit the ground. Stick to buses.

0
0
Meh

kinda fitting...

http://i.imgur.com/Z6008g0.jpg

19
0
Pint

Re: kinda fitting...

Thanks! I've been looking for that one for years :)

0
0
Megaphone

Sky's the limit

I'm afraid this hits my limit on public disclosure and it is plain irresponsible to do this. Always assume there are people out there much cleverer than you are. This jerk's work of 3 years might just be reproducible in 3 weeks by someone else. Once realizing that small fact he'll be rather sleepless too. Nothing like having your name publicly associated with "how could that disaster happen?" Ahh, fame at last.

"The hacked aircraft could even be controlled using a smartphone's accelerometer to vary its course and speed by moving the handset about."

Assuming the handset would need to be in proximity to said aircraft, as in inside, this would be the classic mad scientist's belated education in unintended consequences, as having moved the handset and induced a reaction, the reaction would induce a further reaction in the now flailing handset, culminating in the now doomed passengers telling said sad sack "we could have told you that would happen - don't you ever watch movies?"

4
48
Silver badge
FAIL

Re: Sky's the limit

"Always assume there are people out there much cleverer than you are."

I think you just invalidated your own argument. You are none too clever.

26
3
Anonymous Coward

Re: Sky's the limit

My independent non-governmental lab did similar private security research and submitted the draft report to the security authorities. The security authorities gave me a short interview (with coffee) in 2008.

Fast forward 5 years.....and Nothing in the way of security/authentication/verification/repudiation technology has yet seemed to change - with the orchestrated industry/regulatory momentum favoring upgrading SSR to an unencrypted unauthenticated megabit/sec data link as part of the interesting NextGen push. This can now be played with using an eleven dollar (US$11) software defined DVB-T receiver dongle (http://www.reddit.com/r/RTLSDR/comments/s6ddo/rtlsdr_compatibility_list_v2_work_in_progress/)

Many researchers have independently discovered these vulns. Shirley something should be done?

27
0
Bronze badge

Re: Sky's the limit

"we could have told you that would happen - don't you ever watch movies?"

I probably will do when it comes out. Someone's probably drafting up a script based around the idea even as we speak.

1
0
FAIL

Re: Sky's the limit @Notas Badoff

"Always assume there are people out there much cleverer than you are"

And in your case it should read "Always assume that all people out there are much cleverer than me"

2
0
Anonymous Coward

Re: Sky's the limit

> I'm afraid this hits my limit on public disclosure and it is plain irresponsible to do this.

Well as the AC says

> my independent non-governmental lab did similar private security research and submitted the draft report ... Fast forward 5 years.....and Nothing....

Sometimes being responsible just means that nothing gets done.

I remember many years back working in support for a big company. A customer reported a security vulnerability to me. I confirmed it and fed it back to the developers. Their management said, we're halfway through cutting tapes for the next release, it's too expensive to fix now, it can wait for the next release after that.

One of my friends hit the roof when he read this response.

So he went onto the internal forum and posted something along the lines of

"Hey guys try this

type .....

Then .....

count to 5

now do ....

and ....

now see who you are

have a nice day!"

The shit hit the fan

Our manager stormed round to see what the F*&^ we'd done

We explained

Our manager said, "OK, that's now my shit" and went on the war path.

Two days later the company had procedures in place to handle urgent security cockups.

There are times when you scream till you're blue in the face and get nowhere

And if you really want things to happen you just have to put your balls on the chopping block and make a big enough scene no one can brush it under the carpet.

Hats off to guys with bigger balls than I had.

33
0
Silver badge

Re: Sky's the limit

This jerk's work of 3 years might just be reproducible in 3 weeks by someone else.

Sigh.

Repeat after me;

Security by obscurity is no security.

What this 'jerk' has done is to demonstrate that the systems that are in place have been built without proper consideration to security, which should have been built into it from the start. If your PC can securely communicate with your bank over the public internet using SSL, then there is absolutely no reason the communications between an aeroplane and a ground control station cannot be encrypted and authenticated in exactly the same way.

The fact that they haven't shows that the system has either:

a) been deliberately designed this way so that the information being broadcast CAN be eavesdropped and/or overridden (possibly at the behest of governments/military),

b) been designed in a hurry without any thought about security, or

c) designed by a committee of idiots with no knowledge of basic security principles.

I'm cynical enough to consider any or all of these a strong possibility.

17
2

Re: Sky's the limit

I think we all agree that something should be done. Very typical for this sort of thing to be ignored.

And, don't call me Shirley.

1
0

Re: Sky's the limit

"Assuming the handset would need to be in proximity to said aircraft"

I read nothing that said the handset had to be in the aircraft. It looks like this is being done over the internet. Banning devices on the plane would do nothing to stop this if it gets in the field.

1
0
Headmaster

Re: Sky's the limit

"Always assume there are people out there much cleverer than you are."

I think you just invalidated your own argument. You are none too clever.

Well, then he validated his argument.

0
0
Holmes

In the plane... In the field...

0
0
Bronze badge

Re: Sky's the limit

AC 9:28, not every company doesn't listen, some do, just no one ever hears about it.

I started working for Gateway as a service tech back in 2000, and my first day on the job my co-worker was showing me their awesome program that the company was bundling with all their computers called "Cybermedia First Aid 98". He was showing me how it could "show" customers how to install things like printers or remove programs, and by show I mean take control of the mouse and use it as a person to interact with objects on the screen. I was like, "Cool, I wonder what else it can do and how it works." So I figured out how to use it to control and open everything, then I wondered how much security it had in it because it was using web-page based help documents (I thought, it has to check that the webpage is local), so I wrote a "Format the A: drive" web-page, and uploaded it to a Geocities site I had, and sure enough, the instant I viewed the webpage with the embedded commands, my mouse pointer was off clicking and right clicking. I sent an email to my district manager detailing what I had done, and a link to the Geocities site with the now more benign "Install a printer webpage", I never heard anything back, ever. But 3 weeks later I noticed that we stopped bundling that First Aid software with every new computer. They had been installing it on EVERY computer they had made for the past 3 years. No one ever thought to question how their magic little program was taking control of the mouse, except the new guy. They never even thanked me, can you imagine if CNN had gotten a hold of that story? "Every Gateway computer can be hijacked by visiting webpages." I never told anyone until now, I figure 13 years is long enough.

3
0
Black Helicopters

There goes the use of in-flight devices....

7
0
Bod
Bronze badge

RE: There goes the use of in-flight devices....

Not just having to turn off your phone or stick them in flight mode, they'll be confiscated entirely or have to go in the hold luggage where they'll never be seen again when they go through Thiefrow and the like. Even then in the hold they could be programmed to wake up and attack the plane in flight.

Faraday cage in the cabin perhaps.

7
0
JDX
Gold badge

Re: RE: There goes the use of in-flight devices....

And just as they were starting to see sense and I would've been able to use my Kindle during take-off..

2
0
Bronze badge
WTF?

Re: RE: There goes the use of in-flight devices....

I always use my kindle during take off, and landing.

Most of the time it's an idle device - when I hit a physical button it reads a little data from memory and pushes it to the e-ink screen.

I'm normally somewhat distracted at the moment of take off (into the clouds at any rate) and from the clouds to touchdown, since I enjoy looking out of the windows - but I've never had a flight attendant say anything to me about the kindle...

1
0
Unhappy

We won't even be allowed to play snakes on a plane.

6
0
Silver badge
Holmes

Now I know how these Russian dudes managed to crash an airliner in Die Hard II by just moving the ground's representation on a CRT.

No wait, planes weren't as computerized back then...

Anyway, this all seems rather far-fetched and complicated to pull off when it's easier to blow up a 4x4 at a mall.

2
8
Bronze badge
Paris Hilton

Blow up a 4x4?

And I'll huff, and I'll puff

And I'll bloooooowwwww your mall down

<- I'm sure she's been adequately blown.

0
1
Coat

Die Hard

They were Americans, not Russians...

1
0

Re: Die Hard

Had this been an article about Die Hard 6.0 where terrorists take over a plane using an iPad, I have no doubt a lot of critical commentards will have been droning on how this could never happen, and surely aeroplane systems will have been thoroughly tested and segregated and anyone suggesting otherwise, well is plainly stupid. A bit like they did with the GCHQ screw ups :p

3
1
Joke

Re: Die Hard

Well, to be fair, it CAN'T happen with an iPad. You barely get access to the bloody thing itself, let alone any other devices it could connect to. Plus of course, we'd have to wait for Apple to release drivers for the plane you happen to be in, and that could take months.

Unless you jailbreak it, which is what you'll be needing to do yourself when the nice men with tasers appear after the unscheduled emergency landing...

13
0
Anonymous Coward

Die Hard II

Actually planes were computerised back then with sophisticated autopilot systems. The system the American terrorists used to crash the plane was ILS (Instrument Landing System) which guides a plane down to the runway and is based on land. Commercial aircraft have been able to land themselves since the seventies (Autoland was introduced on the Hawker Siddeley Trident) using ILS. All commercial pilots use ILS as a guidance when landing to ensure they are on the correct glide path and heading for the runway.

The ILS Glide Path antennas transmit 2 signals one 0.7 degrees above the glide slope and one 0.7 below, with the glide slope of about 3 degrees.

Still, hacking ILS to readjust sea level is a bit far fetched and to achieve their goal they would need to change the defined glide slope (not sure how easy that would be), and there are also the inner, middle and outer beacons which are defined for the approach, giving altitudes required if on an ILS approach, so the pilots can confirm if they are on the correct glide path.

So it is possibly doable (even then), but requires a lot more work than in Die Hard.

4
0
Bronze badge
Joke

Re: Die Hard II

You mean that wasn't real! And you can't do it by pulling a line down a screen!

My world has just been torn apart

:''(

1
1
Silver badge

Re: Blow up a 4x4?

You will just burn your lips on the tail pipe.

1
0
Childcatcher

Re: Die Hard II

All they needed to do was give out an incorrect atmospheric pressure for the location.

Remember a documentary on a company that flew cargo (mostly) for the oil exploration - Lion Air. Pilot coming into land at a Nigerian field - pointed out the wreckage at the side of the runway where the tower had given out incorrect pressure, pilot thought he was a few metres above the runway when he, errr, wasn't. Bang.

0
0
Bronze badge

Well, to be fair to the researcher...

Well, to be fair to the researcher, the article did state that authorities were apprised before the conference.

This is just yet another example of the airlines and the FAA to some extent putting profit or budgets above safety and security. Until and unless researchers do what that one did, the flying public is safe only as long as the security holes are not exploited.

As for the pilot being able to manually regain control, that all depends on whether the in-flight or on-ground manipulator did not in advance figure out how to command the circuits to short out or overrun equipment into an overheat and shutdown mode just prior to commanding a fatal dive or stall-inducing climb.

5
3
Silver badge

Pilot can regain control

Fly by wire anyone?

1
1
Alert

Re: Pilot can regain control

If the hacker can control what the cockpit display is showing, how does a pilot know he isn't flying in the wrong direction?

This assumes the pilot knows his aircraft has been hacked. I suppose he could navigate by the sun / stars, but if the hacker was smart he could put the heading out by a few degrees and you'd soon be way off course..

3
0
Bronze badge

Re: Pilot can regain control

Many planes still have a good old 'analogue' instrument backup. Of course an ILS approach might become difficult nor is VFR plausible under all conditions. So control is to be taken with a grain of salt I suppose.

2
1

Re: As for the pilot being able to manually regain control

It also depends on the pilot being able to maintain situational awareness if his instruments aren't telling him what he expects, and not, for example, continuing to pull the nose up when the plane is in a stall.

4
0
Gold badge

Re: Pilot can regain control

You probably don't need *much* of a deviation in some parts of the world to send a plane into restricted airspace, at which point someone else will do the shooting down bit.

3
1

Re: Pilot can regain control

Fly by wireless

2
0
Gold badge
Unhappy

Re: Pilot can regain control

"You probably don't need *much* of a deviation in some parts of the world to send a plane into restricted airspace, at which point someone else will do the shooting down bit."

How about a tricky landing somewhere the airport is inside a mountain range, a slight deviation off line (and the pilots trusting the computer) and before you know it.....

Of course that could never happen IRL.

0
0
Silver badge

Wouldn't it be reasonable to have some sort of security?

I mean like having strictly separated networks? I mean those systems probably don't run Windows so you don't need to connect them to the Internet for updates.

2
5
Silver badge

Re: Wouldn't it be reasonable to have some sort of security?

You'd think.

Security from the start. It applies to engineers as well as developers!

4
0
Anonymous Coward

Re: Wouldn't it be reasonable to have some sort of security?

You need to connect the aircraft to the Internet so it can download the latest in-flight entertainment content. Too many separate segregated networks cost too much money. Put it all on one network, use WiFi to connect to the ground for updates while on station at the airport, job done dirt cheap. What could possibly go wrong?

2
1
