Planes can be hacked remotely with Android app, researcher claims

Filed Under: Android, Featured, Vulnerability

Airplane. Image from ShutterstockA security researcher and trained commercial pilot combined his interests and cooked up an exploit framework and Android app that can be used, at least theoretically, to hack a plane.

That includes potentially gaining information about an aircraft's onboard computer, changing the intended destination, flashing interior lights, delivering spoofed malicious messages that affect the behavior of the plane, and, just maybe, if pilots don't manage to turn off autopilot and/or have difficulty with manual flight operation, crashing the plane.

These are theoretical exploits demonstrated by Hugo Teso, a security consultant at n.runs AG in Germany, who gave a talk about his research at the Hack in the Box conference in Amsterdam on Wednesday.

Of course, Teso hasn't tried any of this out on real planes, given that there aren't many planes lying around waiting for people/plane/landscape annihilation, which would, at any rate, be illegal and amoral.

Rather, he conducted his research on aircraft hardware and software he acquired from various places.

That includes equipment from vendors offering simulation tools that use actual aircraft code and from eBay, where he found a flight management system (FMS) manufactured by Honeywell and a Teledyne Aircraft Communications Addressing and Reporting System (ACARS) aircraft management unit, according to Network World.

According to Help Net Security's Zeljka Zorz and Berislav Kucan, Teso's demonstration shed light on "the sorry state of security of aviation computer systems and communication protocols."

Teso created these two tools to exploit vulnerabilities in new aircraft management and communication technologies:

  • An exploit framework named SIMON, and
  • An Android app named, appropriately enough, PlaneSploit, which delivers attack messages to the airplanes' FMSes.

The two vulnerable technologies Teso exploited with these tools:

  • The Automatic Dependent Surveillance-Broadcast (ADS-B) (this surveillance technology, used for tracking aircraft, will be required by the majority of aircraft operating in US airspace by Jan. 1, 2020), and
  • The Aircraft Communications Addressing and Reporting System (ACARS), a protocol for exchange of short, relatively simple messages between aircraft and ground stations via radio or satellite that also automatically delivers information about each flight phase to air traffic controllers.

According to Help Net Security, Teso abused these "massively insecure" technologies, using the ADS-B to select targets.

He used ACARS to siphon data about the onboard computer and to exploit its weaknesses by delivering spoofed messages that tweak the plane's behavior.

Using the Flightradar24 flight tracker - a publicly available tool that shows air traffic in real time - Teso's PlaneSploit Android app allows the user to tap on any plane found within range - range that would be limited, outside of a virtual testing environment, to antenna use, among other things.

Flight Radar 24The application has four functions: discovery, information gathering, exploitation and post exploitation.

According to Help Net Security, these are some of the functions Teso showed to the conference audience:

  • Please go here: Allows user to change the targeted plane's course by tapping locations on the map.
  • Define area: Set detailed filters related to the airplane, such as activating something when a plane is in the area of X kilometers or when it starts flying on a predefined altitude.
  • Visit ground: Crash.
  • Kiss off: Remove plane from the system.
  • Be puckish: Trigger flashing lights and buzzing alarms to alert the pilots that something is seriously wrong.

Teso has, thankfully, responsibly, refrained from disclosing details about the attack tools, given that the vulnerabilities have yet to be fixed.

In fact, he told his listeners that he's been pleasantly surprised by the receptivity he's received by the industry, with companies vowing to aid his research.

Given Teso's belief in responsible disclosure, the industry can take steps to patch the security holes before someone with more malicious intent has an opportunity to exploit them.

From the sound of things, this researcher has garnered plenty of media attention but still values aircraft and passenger safety well over fame and glory.

Kudos, Mr. Teso, and thanks.


Image of plane courtesy of Shutterstock.

, , , , , , ,

You might like

7 Responses to Planes can be hacked remotely with Android app, researcher claims

  1. njorl · 508 days ago

    Puckish? Or does Teso make a safety-pin materialise through the nose of the aeroplane?

  2. Amoral? Hacking and crashing a plane would be amoral?

    • Ambianca · 507 days ago

      No, it would be immoral...but the moral relativist cannot admit that anything is immoral. That would open the door to the possibility of an absolute standard of right and wrong. Can't have that.

    • Robert · 505 days ago

      I think you are confusing amoral with nonmoral?

      However, I agree that amoral was not the best word. A person committing an atrocity may or may not be amoral, but their behavior is certainly immoral

  3. Frank · 508 days ago

    I know y'all down south of the frozen chosen up here in Canada, enjoy a gauranteed freedom of speach and press. But this is a great example of responsible reporting. CSIS, CIA, Homeland securiy and avaiatioon need this information. Even tho theoretical, it is proof of concept, the Germans' had only theoretical Nuclear knowledge, look where that went. Dunno and apologies if offensive, but this just seem neligent on your part to report.

  4. Machin Shin · 508 days ago

    Of course...... Just as they start looking at dropping that annoying "please turn off all your electronic devices" someone comes along with something to make them think of banning all electronic devices.

    It is good though that these flaws have been pointed out and are going to get fixed. This is going to be an issue more and more though. Computers are going into everything these days and a lot of companies do not realize what that means. Car companies have been good examples, where $20 at radioshack builds a device that can steal a luxury car.

  5. AvSec Dude · 507 days ago

    Fud, fud, fud and more fud! Great example of where a little knowledge about something is a dangerous thing. *sigh*

    This was a great PC computer based PoC (proof of concept), but a real attack of this class is impractical and the severity is over-hyped, there are some important bits of information that seem to have been lost in the sensationalism of the story.

    He did not test the attack on a real aircraft with real aircraft systems. The system used to validate the exploit is a simulation version of the FMS code, this code is not the same as the code used in primary avionics systems and does not meet the DO-178 certification for software, the personal computer used does not meet the DO-254 certification for hardware. The “full control” claim is not valid, there is no way to engage the autopilot from the FMS. Of course, when engaged in “managed mode” the aircraft will follow the FMS, but getting the invalid instruction on the FMS is unlikely without the pilots knowledge.

    The aviation industry has known about this particular presentation for a while now.

    Other things left out of consideration are the multiple layers of the human factor that are involved in flying an airplane, such as the pilots quickly realizing something is a miss, since their printed flight plan would not match what is in the FMS. ATC would be squawking all over the place trying to determine why is the airplane deviating for its flight plan, etc.

    All in all this makes for some great headlines and talking point for bobbing heads and arm chair experts and generating more business opportunities for Hugo, but that’s about all. :rollseyes:

    That being said, both ADS-B and ACARS could use some protocol strengthening up for other reasons though.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.