back to article Researcher hacks aircraft controls with Android smartphone

A presentation at the Hack In The Box security summit in Amsterdam has demonstrated that it's possible to take control of aircraft flight systems and communications using an Android smartphone and some specialized attack code. Hugo Teso, a security researcher at N.Runs and a commercial airline pilot, spent three years …

COMMENTS

This topic is closed for new posts.

Page:

  1. ecofeco Silver badge
    Facepalm

    Idiocrary

    Yer livin' in it.

  2. Lamont Cranston

    It's called SIMON,

    and it can reset a plane's navigation coordinates? That's Die Hard 2 and 3 covered, then. Does it "schieß dem Fenster", for the hat-trick?

    1. JeffyPooh
      Pint

      Re: It's called SIMON,

      In 'Die Hard', everyone was on the same channel. Police. Fire. Aircraft. Even the CB'ers. Everyone was fully interoperable without respect to channel frequency nor modulation mode. The DoD was impressed. They could've used this technology during the invasion of Grenada.

  3. ma1010
    Trollface

    This is nothing new. The BOFH did this years ago.

    http://tigay.net/rafi/bofh/1998/bofh_1998_024_152.php

  4. Anonymous Coward
    Anonymous Coward

    This should make a point

    One more very good reason to not allow electronic toys to be used in-flight.

    1. Intractable Potsherd

      Re: This should make a point

      What are the others? I've not seen one yet.

  5. JeffyPooh
    Pint

    He found - LOL

    "...Automatic Dependent Surveillance-Broadcast (ADS-B) system ...has no security at all, he found..."

    Really??!!?? Say it isn't so!!

    D-oh! That explains all those ADS-B dongles being sold on the Interweb, and all the aircraft 'radar' apps that rely on 5-minute delayed FAA data and real time crowd-sourced ADS-B data. Wow - this explains it all. I wonder if anyone else knew this before this researcher found out this amazing tidbit. Like, for example, the perhaps-Chinese vendor that designed, built and sold him the ADS-B dongle that he undoubtedly used.

    1. Anonymous Coward
      Anonymous Coward

      Re: He found - LOL

      Jeffy, I think the journo who wrote the piece is to blame for that bit of extrapolation.

      I assume Mr. Teso knew full well ADS-B is not encrypted, as neither is ACARS or any of the other radio data links we use in civil aviation.

      Those of us involved in civil aviation (like Mr. Teso, I am also a commercial pilot) have known all this all along, but what Mr. Teso did which is interesting is that he built a (presumably) working proof of concept.

      His is a nice PR coup and it might perhaps have an impact in systems design, especially on the CHI (Computer Human Interaction) side of things. On the other hand he did not *discover* anything as such, neither does he claim to have, to my knowledge. Without getting into details (only because I do not have the details fresh in my memory and neither have any references handy), for this kind of "exploit" to cause any real problems you would also need a clever bit of social engineering to go with it, since at least two humans in the cockpit are part of the loop, plus usually a bunch more of them in the ground and in other cockpits around you.

      In other words, the system when considered as a whole rather than looking at its parts in isolation, is fairly resilient to intentional or unintentional data corruption.

      And BTW, phones have nothing to do with any of this. He just used them, instead of any other computer, for PR effect.

  6. Reg. Blank
    Facepalm

    It's worse than we thought

    Those incompetent fools in civil aviation don't even encrypt voice communications!!1 I mean, _anybody_ could wave an accelerometer equipped mobe around and also use an air band transciever like an icom ic-a24 bought off ebay to impersonate ATC and cause just about any radio equipped aircraft to land away from their desired destination by saying it's closed or the weather's bad. They might as well be directly manipulating the controls... as if by remote control! They even use AM mudulation just like an AM RADIO!!!! and everyone can listen to an AM radio!!! even terrierists.

    1. JeffyPooh
      Pint

      Re: It's worse than we thought

      I was about to correct "transcEIver", but then I saw "mudulation and "terrierists".

      Well done. This beer is for you.

    2. Anonymous Coward
      Anonymous Coward

      Re: It's worse than we thought

      « and everyone can listen to an AM radio!!! even terrierists. »

      I would have thought they would be busy walking their dogs.

  7. Anonymous Coward
    Anonymous Coward

    Who the hell makes an FMS that accepts ANY code via ACARS? I hope it is none of the major players, it really makes no sense that the capability would even be there. Or it is misunderstood and he can really just update flight plans and such without pilot interaction, using flaws in their system? I have my doubts about the veracity of this part of the story.

    Spoofing location data to control a plane has always been possible if you have a powerful enough transmitter, I'm surprised that no one has actually tried it before. Everyone in the industry knows about it, your system is only as good as the data it is receiving. This part is very real, although I do wonder about the feasibility in the real world.

  8. Alan Thompson
    Flame

    The next step will be to criminalize the purchase of commercial aviation parts from "non authorized" resellers by "non authorized" buyers.

    1. Idocrase

      That will REALLY upset the Mythbusters

  9. Idocrase

    It's a fake name, and they misnamed the phone.

    It was actually Tony Stark.

  10. This post has been deleted by its author

  11. Alan Firminger

    11 September 2001

    I have already posted on The Register that no civil airliner as large as a Boeing 757 hit the Pentagon.

    The rest is speculation.

    Shortly after the atrocity happened among the doubters people were asking whether an airliner could be controlled from the ground. I knew about the beacon which transmitted and received between the ground station and the a/c flight control computer, which also provided the autopilot flying through gps co-ordinates. I was shocked then, clearly a conspiracy could provide a vulnerable rom as an update. So I was wrong, every a/c is vulnerable.

    Vulnerabilities are even easier to utilise when the attacker has the code of the target system.

    In researching this well before 2003 I found several pages that proposed that to beat hijacking every airliner should be subject to an overriding control from the ground. A link from 2001 is below. I was troubled because hijacking is still a threat and ground control of the system through the existing radio channels was always possible if it was coded in.

    http://everything2.com/title/How+to+build+a+hijack-proof+airplane

    At the time a forum post reported that Lufthansa when they took a delivery of Boeing airliners refused the standard control code and wrote their own. Fly Lufthansa.

    When did Boeing system managers know that they were equipping their a/c with an OS as vulnerable as Windows ?

  12. Herby
    Joke

    Feedback?

    "The hacked aircraft could even be controlled using a smartphone's accelerometer to vary its course and speed by moving the handset about."

    Feedback loop, It'll only end one way.

    Of course, this is why LOT airlines only fills part of the plane. Everyone knows that you can't have poles in the right half of the plane, as it leads to instability of the control system.

    Sorry, I couldn't resist!

  13. John Smith 19 Gold badge
    Joke

    On the up side. *Lots* more mobiles available at *very* reasonable prices on eBay

    Courtesy of the "hard" working men and women of the Thieves Support Association.

    Hurrah!

  14. Anonymous Coward
    Anonymous Coward

    Validity?

    Yes, all very interesting, however while trying this you would generate an exception in the FMS - basically your ACARS message properly crafted may be able to influence aircraft movement - the ADS-B would be broadcasting the new position to ground, and the GPS would be indicating "true" position as an input.

    Result - autopilot disengages as one of the alternate flight modes is engaged.

    This hack ignores the redundancy of multiple inputs.

  15. AvSec Dude
    WTF?

    fud, fud, fud and more fud.

    This was a great PoC (proof of concept), but there are some important bits of information that seem to have been lost in the sensationalism of the story. They did not test the attack on a real aircraft with real aircraft systems. The system used to validate the exploit is a simulation version of the FMS code, this code is not the same as the code used in primary avionics systems and does not meet the DO-178 certification and the PC does not meet the DO-254 certification. The “full control” claim is not valid, there is no way to engage the autopilot from the FMS. Of course, when engaged in “managed mode” the A/C will follow the FMS.

    The aviation industry has known about this particular presentation for a while now.

    Other things left out of consideration are the multiple layers of the human factor that are involved in flying an airplane, such as the pilots quickly realizing something is a miss, since their printed flight plan would not match what is in the FMS. ATC would be squawking all over the place trying to determine why is the airplane deviating for its flight plan, etc.

    All in all this makes for some great headlines and talking point for bobbing heads and arm chair experts and generating more business opportunities for Hugo, but that's about all

    That being said, both ADS-B and ACARS could use some protocol strengthening up though.

  16. Boris S.

    Now we know...

    ...that the FAA was wrong again to allow electronic devices to be use on board.

  17. Anonymous Coward
    Anonymous Coward

    Remote Control

    EgyptAir Flight 990 anyone?

  18. Ex-fed
    Stop

    Thirty years later?

    This type of crime is often refered to as "Phantom Controlling". I ran a federal task force that resulted in the first and only arrest of an individual for issuing false air traffic control commands to passenger aircraft thirty years ago. The incident was briefed to the White House with several solutions to stop future occurrences. Once again, it looks like the FAA is waiting for people to die before doing their job. If you want to read about the crime, read the novel "Phantom Controller".

  19. Alan Firminger

    We need to know.

    Quite often military aircraft have to join civil traffic streams, so their systems have to be compatible.

    Does the military fly with vulnerable systems ?

    That question puts a civil servant on the spot. If the answer is no then it it another betrayal of aircrew and implies that nuclear weapons could be brought down on city centres to disintegrate; and if yes then how dare they knowingly deny civil aircraft the same security.

    1. Vic

      Re: We need to know.

      > Does the military fly with vulnerable systems ?

      That would be the wrong question, and give rise to very misleading statements.

      The proper question would be "Does the military *rely on* vulnerable systems?"

      Just because you have a vulnerable unit for compatability, it doesn't mean it's your only manner of obtaining that information...

      Vic.

Page:

This topic is closed for new posts.

Other stories you might like