Sophos Cloud Optix
Two big flight organizations and two avionics manufacturers have released statements refuting last week’s claims by a security researcher that planes can be hacked with an Android app he created.
Hugo Teso, who is both a security consultant at n.runs AG and a trained commercial pilot, gave a talk about his research and subsequent creation of an exploit framework and “PlaneSploit” app at the Hack in the Box conference in Amsterdam last week.
Teso tested the app on aircraft hardware and software he acquired from eBay and other sources.
He maintained that the app could be used to potentially gain information about an aircraft’s onboard computer, to change a flight’s intended destination, to flash interior lights, to deliver spoofed malicious messages that affect the behavior of the plane, and, just maybe, if pilots don’t manage to turn off autopilot and/or have difficulty with manual flight operation, to crash a plane.
The Federal Aviation Administration (FAA) says it’s all rot.
The statement:
The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer.
The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware.
The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain “full control of an aircraft” as the technology consultant has claimed.
And the European Aviation Safety Agency (EASA) pretty much says, “Yea, exactly, what they said”.
The EASA’s statement, as provided to Forbes’ Andy Greenberg:
For more than 30 years now, the development of certifiable embedded software has been following strict guidance and best practices that include in particular robustness that is not present on ground-based simulation software.
Two avionics equipment manufacturers, Honeywell and Rockwell Collins, have also dismissed Teso’s claims.
Rockwell Collins’ statement, again from Forbes:
Today’s certified avionics systems are designed and built with high levels of redundancy and security.
The research by Hugo Teso involves testing with virtual aircraft in a lab environment, which is not analogous to certified aircraft and systems operating in regulated airspace.
True, Teso only tested his hack on simulated flight software. Certified software well might not be open to tampering or disabling in the same way he demonstrated.
But as VentureBeat pointed out, Teso isn’t the first researcher to bring up vulnerabilities in avionics protocols.
Researcher and hacker Brad “Renderman” Haines knew airplanes could be hacked a year ago.
When he heard of his German counterpart’s research and the FAA’s subsequent naysaying, Renderman’s response was direct: If it’s all so safe, let’s put it to the test.
From Venture Beat:
Really, it’s put up or shut up. If they say it’s secure, there should be no harm in publicly giving access to a test lab. … Now, you don’t have to be a nation state in order to tinker with this stuff. You can be some bored guy on a couch.
Prove that your systems are safe, Renderman suggested to the FAA, and do the same with drones – which, he says, have similar security issues.
At this level of “they’re safe!” vs. “no they’re not!” squabbling, the issue has turned into security theater.
What else could it be, given that Teso, in his talk, spoke of how pleased he was to get such buy-in from the avionics companies and organizations?
Did Teso fictionalize that cooperation? Or did the avionics industry only start its naysaying when headlines about airplane hijacking started to – pardon the pun – fly?
Either way, somebody’s not playing it straight. Either Teso or the FAA and its ilk are playing PR games.
Opening up the FAA’s test labs might be the best way to get past this theater to get to the truth.
What do you think? Should the FAA and other avionics players play ball, or would that result in more potential danger to us all?
Image of cockpit and true-false courtesy of Shutterstock.
what makes you think the FAA has test labs?
Doesn't the FAA engage the services of 3rd-party trusted ethical hackers already?
I have to admit, when this story was first posted I definitely had my doubts as to whether or not this was really a concern. I've been interested in aviation for some time now, and the things the developer was talking about didn't quite add up. The more I hear the less I believe him.
It's so well known in the security community that "security through obscurity" is at best an extremely weak design strategy, so–whatever the back story–the current positions of the FAA and EASA do not give me warm fuzzies.
I fail to understand now pithy one-liners about how simulators are not certified in the same way that production aircraft are must necessarily mean that all exploits against simulators must not exist with real aircraft.
But wait a minute. Doesn't the FAA still require passengers to turn off mobile devices while the plane is taking off and landing, just in case of interference with the plane's systems. Isn't that sort of trying to have it both ways?
Safety and open security first: at the very least take the work of Teso, Renderman and others like them, test against certified systems and be candid about the results.
Please provide a link to the FAA Statement. Searches of the FAA website dot not provide any results.
They didn't post it online, Irwin. I requested a copy from them.
I'm a software engineer, former USAF Navigator, and hold an FAA commercial pilot certificate.
The Teso claim is ridiculous on its face, for exactly the reasons listed by the FAA.
Teso is making an extraordinary claim (that he could take control of an airplane from a smartphone), it is Teso who must provide extraordinary proof.
Honeywell has better things to do than to devote test resources to undocumented claims from someone unwilling to publish the details of this so-called 'hack'.
Many airlines and aircraft fleet operators using a private sector data link system called ACARS.
It's essentially an email and data transfer system. Pilots can receive messages from ATC and their dispatchers using it, and ACARS can automatically report arbitrary data from an aircraft to ground stations. ACARS messages can be transmitted in a number of ways, with VHF radios and satellites being the most common. ACARS is not directly connected to the flight controls in any way.
It appears that Tesco's 'hack' sends a fake ACARS message to simulation software running on a PC. This is like claiming that plugging a usb joystick into a PC running MS Flight Simulator is a 'hack'. To call Teso's little demo a 'hack' is to insult real hackers.
There are real security issues in aviation communications and traffic control systems. Teso didn't find any though.
If the so-called "researcher" knew anything about the embedded systems aspects of computer engineering he would know enough to know that the two operating systems he is considering to be equal is like comparing apples to grass. I am beginning to doubt his intelligence as well as his motives.