A presentation at the Hack In The Box security conference in Amsterdam demonstrated just how easy it is to hijack an airplane with an Android.
First things first: “Easy” is a relative term, and people aren’t about to start swatting airliners out of the sky with a 99 cent app. But with the growing reliance on computers and wireless connectivity in just about everything, Hugo Teso’s presentation at the recent Hack in the Box conference may well be cause for, if not alarm, then at least some concern.
The details will be prohibitively arcane for anyone not familiar with aircraft systems but the “Baby’s First Avionics” version is that some rather important surface-to-air communications channels are completely insecure, and people with the right kind of knowledge and equipment can read and send messages along those systems.
Teso searched for exploitable vulnerabilities in real aircraft code but opted to use virtual planes in a lab setting to demonstrate his technique, since hijacking real planes in flight is “too dangerous and unethical.” He used ACARS [Aircraft Communications Addressing and Reporting System] to break into the craft’s onboard computer and upload Flight Management System data; he was then able to steer the craft while it was in autopilot mode.
Pilots can counteract that attack by switching off autopilot, but the greater problem is that many planes no longer have analog flight instruments and are thus susceptible to other kinds of manipulation. Teso said he could control most aircraft systems, put planes on collision courses and even give passengers a fun and exciting surprise by forcing the oxygen masks to drop.
Again, for emphasis: People aren’t about to start using their HTCs to turn Dreamliners into RC toys. But Teso made it clear that current systems aren’t exactly safe, either, and it will be a long time before that situation improves: The successor to ACARS, which will be encrypted, will take 20 years to be fully deployed.
Hugo Teso’s “Aircraft Hacking: Practical Aero Series” slideshow presentation can be seen in full at Hack In The Box.
Source: Computerworld