On Wednesday, Hugo Teso, a security researcher for a German consultancy company named N. Runs, spoke at the “Hack In The Box” security conference in Amsterdam. In his presentation, he demonstrated how he could use his Android smartphone to hijack an airplane. Using the phone, he would be able to control the steering of the plane without even being in the aircraft itself. What makes aircraft vulnerable to this type of security breach is the protocol used to deliver data to them, the Aircraft Communications Addressing and Reporting System (ACARS).
Teso exploited the flaws of the protocol, maintaining that he could control the actions and directions of the plane with a few simple taps of his finger on his Droid. The program that would allow him to do this is an app he designed, named “Planesploit”. The app allows the user to communicate with the plane’s Flight Management System (FMS), thus giving them control over the aircraft. In an interview with Forbes, Teso is quoted as claiming, “You can use this system to modify approximately everything related to the navigation of the plane… That includes a lot of nasty things.”
The major problem with ACARS is that it does not have any sort of protection or security software that allows a plane to distinguish between what is coming from authorized sources and what is coming from other, unofficial sources. Teso demonstrated, with a digital plane simulation, how he would be able to hijack the plane using his Droid. However, there are some who do not believe that what he is claiming is entirely true, such as the Federal Aviation Administration. After hearing about Teso’s presentation, the FAA stated:
“[Teso’s technique] does not pose a flight safety concern because it does not work on certified flight hardware… The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot… Therefore, a hacker cannot obtain ‘full control of an aircraft’ as the technology consultant has claimed.”
Teso confirmed that the pilot might indeed be able to override anything that the app is used to do on board, but that does not mean there are no other things one could do to throw off the pilot. The software would allow people to do things such as set off lights on the panel of the plane and make the emergency air masks drop.
Personally, I was shocked by this article and that Teso even thought to make this type of technology in the first place. Why make an App that allows people to gain partial control of an aircraft? To me, the App was a foolish idea to begin with, because who, other than people looking to do harm, is going to want that App? Why even make that type of power available, especially when the only requirement for gaining access to it is owning a smart phone, which nowadays is extremely common to have? Even though Teso’s claims may not be 100% accurate, they did manage to expose flaws in aircraft control security, which should be corrected immediately, especially at a time when people are already scared to fly because of the physical threat of terrorists, let alone the electronic threat.
For more tech updates, follow me on Twitter! @shawnmcniff
Link to original article: http://www.theage.com.au/technology/technology-news/hijacking-planes-with-an-android-phone-20130412-2hp59.html