FAA and security researchers at odds over airplane hack security

Airplane. Image from Shutterstock

Cock pit. Image from ShutterstockTwo big flight organizations and two avionics manufacturers have released statements refuting last week’s claims by a security researcher that planes can be hacked with an Android app he created.

Hugo Teso, who is both a security consultant at n.runs AG and a trained commercial pilot, gave a talk about his research and subsequent creation of an exploit framework and “PlaneSploit” app at the Hack in the Box conference in Amsterdam last week.

Teso tested the app on aircraft hardware and software he acquired from eBay and other sources.

He maintained that the app could be used to potentially gain information about an aircraft’s onboard computer, to change a flight’s intended destination, to flash interior lights, to deliver spoofed malicious messages that affect the behavior of the plane, and, just maybe, if pilots don’t manage to turn off autopilot and/or have difficulty with manual flight operation, to crash a plane.

The Federal Aviation Administration (FAA) says it’s all rot.

The statement:

The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer.

FAAThe FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware.

The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain “full control of an aircraft” as the technology consultant has claimed.

And the European Aviation Safety Agency (EASA) pretty much says, “Yea, exactly, what they said”.

The EASA’s statement, as provided to Forbes’ Andy Greenberg:

For more than 30 years now, the development of certifiable embedded software has been following strict guidance and best practices that include in particular robustness that is not present on ground-based simulation software.

Two avionics equipment manufacturers, Honeywell and Rockwell Collins, have also dismissed Teso’s claims.

Rockwell Collins’ statement, again from Forbes:

Today’s certified avionics systems are designed and built with high levels of redundancy and security.

The research by Hugo Teso involves testing with virtual aircraft in a lab environment, which is not analogous to certified aircraft and systems operating in regulated airspace.

True, Teso only tested his hack on simulated flight software. Certified software well might not be open to tampering or disabling in the same way he demonstrated.

But as VentureBeat pointed out, Teso isn’t the first researcher to bring up vulnerabilities in avionics protocols.

Researcher and hacker Brad “Renderman” Haines knew airplanes could be hacked a year ago.

When he heard of his German counterpart’s research and the FAA’s subsequent naysaying, Renderman’s response was direct: If it’s all so safe, let’s put it to the test.

From Venture Beat:

Really, it’s put up or shut up. If they say it’s secure, there should be no harm in publicly giving access to a test lab. … Now, you don’t have to be a nation state in order to tinker with this stuff. You can be some bored guy on a couch.

Prove that your systems are safe, Renderman suggested to the FAA, and do the same with drones – which, he says, have similar security issues.

True false chatter. Image from ShutterstockAt this level of “they’re safe!” vs. “no they’re not!” squabbling, the issue has turned into security theater.

What else could it be, given that Teso, in his talk, spoke of how pleased he was to get such buy-in from the avionics companies and organizations?

Did Teso fictionalize that cooperation? Or did the avionics industry only start its naysaying when headlines about airplane hijacking started to – pardon the pun – fly?

Either way, somebody’s not playing it straight. Either Teso or the FAA and its ilk are playing PR games.

Opening up the FAA’s test labs might be the best way to get past this theater to get to the truth.

What do you think? Should the FAA and other avionics players play ball, or would that result in more potential danger to us all?

Image of cockpit and true-false courtesy of Shutterstock.