A security researcher and trained commercial pilot combined his interests and cooked up an exploit framework and Android app that can be used, at least theoretically, to hack a plane.
That includes potentially gaining information about an aircraft’s onboard computer, changing the intended destination, flashing interior lights, delivering spoofed malicious messages that affect the behavior of the plane, and, just maybe, if pilots don’t manage to turn off autopilot and/or have difficulty with manual flight operation, crashing the plane.
These are theoretical exploits demonstrated by Hugo Teso, a security consultant at n.runs AG in Germany, who gave a talk about his research at the Hack in the Box conference in Amsterdam on Wednesday.
Of course, Teso hasn’t tried any of this out on real planes, given that there aren’t many planes lying around waiting for people/plane/landscape annihilation, which would, at any rate, be illegal and amoral.
Rather, he conducted his research on aircraft hardware and software he acquired from various places.
That includes equipment from vendors offering simulation tools that use actual aircraft code and from eBay, where he found a flight management system (FMS) manufactured by Honeywell and a Teledyne Aircraft Communications Addressing and Reporting System (ACARS) aircraft management unit, according to Network World.
According to Help Net Security’s Zeljka Zorz and Berislav Kucan, Teso’s demonstration shed light on “the sorry state of security of aviation computer systems and communication protocols.”
Teso created these two tools to exploit vulnerabilities in new aircraft management and communication technologies:
- An exploit framework named SIMON, and
- An Android app named, appropriately enough, PlaneSploit, which delivers attack messages to the airplanes’ FMSes.
The two vulnerable technologies Teso exploited with these tools:
- The Automatic Dependent Surveillance-Broadcast (ADS-B) (this surveillance technology, used for tracking aircraft, will be required by the majority of aircraft operating in US airspace by Jan. 1, 2020), and
- The Aircraft Communications Addressing and Reporting System (ACARS), a protocol for exchange of short, relatively simple messages between aircraft and ground stations via radio or satellite that also automatically delivers information about each flight phase to air traffic controllers.
According to Help Net Security, Teso abused these “massively insecure” technologies, using the ADS-B to select targets.
He used ACARS to siphon data about the onboard computer and to exploit its weaknesses by delivering spoofed messages that tweak the plane’s behavior.
Using the Flightradar24 flight tracker – a publicly available tool that shows air traffic in real time – Teso’s PlaneSploit Android app allows the user to tap on any plane found within range – range that would be limited, outside of a virtual testing environment, to antenna use, among other things.
The application has four functions: discovery, information gathering, exploitation and post exploitation.
According to Help Net Security, these are some of the functions Teso showed to the conference audience:
- Please go here: Allows user to change the targeted plane’s course by tapping locations on the map.
- Define area: Set detailed filters related to the airplane, such as activating something when a plane is in the area of X kilometers or when it starts flying on a predefined altitude.
- Visit ground: Crash.
- Kiss off: Remove plane from the system.
- Be puckish: Trigger flashing lights and buzzing alarms to alert the pilots that something is seriously wrong.
Teso has, thankfully, responsibly, refrained from disclosing details about the attack tools, given that the vulnerabilities have yet to be fixed.
In fact, he told his listeners that he’s been pleasantly surprised by the receptivity he’s received by the industry, with companies vowing to aid his research.
Given Teso’s belief in responsible disclosure, the industry can take steps to patch the security holes before someone with more malicious intent has an opportunity to exploit them.
From the sound of things, this researcher has garnered plenty of media attention but still values aircraft and passenger safety well over fame and glory.
Kudos, Mr. Teso, and thanks.