Hugo Teso, a security researcher for the German IT consultancy firm N.Runs – he is a trained commercial pilot as well – explained at the Hack in the Box security conference that a protocol used to transmit data to commercial airplanes can be hacked, turning the hacker into a full-fledged hijacker.
The flawed protocol is a data exchange system called Aircraft Communications Addressing and Report System, or ACARS. Exploiting its flaws, as well as the bugs found in flight management software made by companies like Honeywell, Thales, and Rockwell Collins, Teso maintains he can take over a plane by sending it his own malicious radio signals. To do that, he has created an exploit framework, codenamed SIMON, and an Android app called PlaneSploit that can communicate with the airplanes’ Flight Management Systems (FMS).
“You can use this system to modify approximately everything related to the navigation of the plane,” Teso told Forbes’ Andy Greenberg in an interview. “That includes a lot of nasty things.”
The key to Teso’s hack is that ACARS doesn’t have any encryption or authentication features, so the plane can’t distinguish between signals that are coming from a hacker or an airport’s ground station. That way, he or she could potentially send spoofed malicious signals to affect the behavior of the plane. In the presentation (see the slides here), Teso showed how he could control a virtual plane using the Android app he developed, and explained that he experimented on hardware purchased on eBay along with FMS training simulation software.
Authorities like the Federal Aviation Administration (FAA), as well as Honeywell, however, don’t believe his hack could be reproduced in real life.
In a statement sent to Mashable, the FAA said it is aware of Teso’s presentation on Wednesday, but noted that the “hacking technique” he described “does not pose a flight safety concern because it does not work on certified flight hardware.”
In fact, “the described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot,” the statement continues. “Therefore, a hacker cannot obtain ‘full control of an aircraft’ as the technology consultant has claimed.”
Honeywell, on its part, has expressed the same view. “As Teso readily admits, the version he used of our flight management system is a publicly available PC simulation, and that doesn’t have the same protections against overwriting or corrupting as our certified flight software,” Honeywell spokesperson Scott Sayres told Forbes. Teso’s fellow security researcher and supervisor Roland Ehlies counters that the hack “would work with at minimum a bit of adaptation” on real planes and software.
Either way, both Teso and Sayres agree that whatever a hacker might do, the pilots could be able to override the malicious commands on board. In any case, instead of hijacking the plane, the hacker might still be able to make the cockpit’s lights blink wildly or the passenger’s pressurized air masks drop.
Even if Teso’s hack proves not to be reproducible on real planes, some of the flaws he exposed could still cause issues. And this is not the first time security researchers and hackers have exposed serious flaws in modern aviation systems.
Last year, at the famed Black Hat security conference in Las Vegas, another researcher showed the vulnerabilities of the next generation air traffic control system, the Automatic Dependent Surveillance-Broadcast (ADS-B). In his presentation, Andrei Costin, a doctoral candidate in France, showed that it was possible to send and inject spoofed messages into the systems, making imaginary planes appear on the screens of air traffic controllers.
Update, 6:47 p.m.: The European Aviation Safety Agency (EASA) is in accordance with its American counterpart and Honeywell in downplaying the hack. In an email statement to Mashable Jeremie Teahan, an EASA spokesperson, said that “this presentation was based on a PC training simulator and did not reveal potential vulnerabilities on actual flying systems,” and “in particular, the FMS simulation software does not have the same overwriting protection and redundancies that is included in the certified flight software.”
( via mashable.com )