Android App Could Hijack Plane in Flight
The cockpit of a Hawker 4000 business jet. The flight-management-system control interfaces are the black screens with keyboards in the center console between the joysticks.
CREDIT: JetRequest.com/Creative Commons
For years, security researchers have warned about vulnerabilities in the navigation and communication systems of modern aircraft.
There's little or no security on many of these systems, and "white hat" hackers have shown how to hijack air-to-ground communications and even make "ghost" planes appear on air-traffic-control systems.
Yesterday (April 10) at the Hack in the Box security conference in Amsterdam, Spanish researcher Hugo Teso took the game one step further: He demonstrated how an Android smartphone app could take over and control a commercial aircraft in flight.
"You can use this system to modify approximately everything related to the navigation of the plane," Teso told Forbes' Andy Greenberg in a phone interview.
We'll talk to anybody
Teso, who holds a commercial pilot's license, exploited the lack of security on a 35-year-old air-to-ground-communications standard called the Aircraft Communications Addressing and Reporting System, or ACARS. (His presentation slides have been posted online.)
ACARS is used to transmit a lot of information between aircraft and control towers, including navigational data used by an aircraft's flight management system, or FMS.
Modern FMSs are computerized modules that are crammed into cockpits with many other computer boxes; latter-day FMSs are so sophisticated that many planes no longer need human navigators.
Despite their sophistication, FMSs don't verify the data that they receive through ACARS from control towers.
"ACARS has no security at all. The airplane has no means to know if the messages it receives are valid or not," Teso told Greenberg. "You can use them to upload data to the airplane that triggers these vulnerabilities. And then it's game over."
That's a big remote-controlled plane
Experimenting on used FMS modules he bought on eBay, Teso was able to craft a malicious piece of software that he called SIMON, which effectively took over the FMS software.
Tinkering with Android app-development software and software-defined-radio standards, Teso was also able to create an app he called PlaneSploit.
PlaneSploit can import data from the well-known FlightRadar24 app to locate flights within radio range and then use ACARS to upload SIMON to the targeted plane's FMS.
Once SIMON is onboard, PlaneSploit can control the plane remotely. Teso even built in an accelerometer feature so that tilting his smartphone would cause a plane to do the same.
Teso didn't elaborate on the vulnerabilities he found in ACARS and the FMS software; he's providing full details only to the manufacturers and air-safety agencies concerned.
Nor did Teso try out his creations on a real aircraft. Instead, he used PC-based flight-simulator software.
Contacted by Forbes and the BBC, both the European Aviation and Safety Agency and FMS manufacturer Honeywell stressed that there were major differences between PC flight simulators and real aircraft systems.
But Teso's boss at German security firm N.Runs, Roland Ehlies, told Greenberg the flaws were in the real FMS software, not the PC emulator, and that Teso's malicious software wouldn't need much tweaking to affect a real aircraft.
"From our perspective, it would work with a minimum a bit of adaptation," Ehlies said.