Researcher shows how to hack (and crash) a passenger aircraft with an Android phone...

 

If you're nervous about flying, this won't allay your fears about hopping on a plane, so you might want to look away now. The Hack In The Box security conference taking place in Amsterdam this week has thrown up some interesting talks - but none so concerning as 'Aircraft Hacking: Practical Aero Series' by Hugo Teso.

Teso works as a security consultant at n.runs in Germany, and his Aircraft Hacking talk promised a practical demonstration of how to remotely attack and take full control of an aircraft. His talk was the product of three years of developing code and tinkering with second-hand flight system software and hardware. It comes a fortnight after the Federal Aviation Administration (FAA) expressed hopes that they would be able to relax rules for reading devices during take-off and landing - and with this research, they may want to reconsider their position.

The results of Teso's hard work are terrifying. Firstly, the Automated Dependent Surveillance-Broadcast (ADS-B), which is a surveillance technology for tracking aircraft, has no security. The United States government will require all aircraft to be equipped with ADS-B by the year 2020 - however, the system has been proven to be unencrypted and unauthenticated. Teso's presentation stated that the attacks on this system "range from passive attacks (eavesdropping) to active attacks (message jamming, replaying, injection)".

Secondly, the Aircraft Communications Addressing and Reporting System (ACARS) - which is used for exchanging messages between aircraft and stations via radio or satellite - also has no security. Teso pointed out that anyone with a little knowledge can read and send ACARS messages - and it may be as simple as purchasing some hardware from eBay.

Using a lab of virtual planes based on real aircraft codes, Teso gave a practical demonstration of how to use ACARS to upload Flight Management System (FMS) data. Once in, he was able to manipulate the steering of a Boeing jet in 'autopilot' mode, and said he could make oxygen masks drop down, and even cause the plane to crash by setting it on a collision course with another plane.

Teso explained to Forbes: "ACARS has no security at all. The plane has no means to know if the messages it receives are valid or not. So they accept them, and you can use them to upload data to the plane that triggers these vulnerabilities. And then it's game over."

The hijack was all carried out using Teso's code, SIMON, and a specially-made Android app called PlaneSploit (fortunately, it's not available for the masses) which enable the user to: change the plane's course; crash the plane; set lights flashing in the cockpit; activate something when the plane is in a certain area.

As well as ACARS and ADS-B having serious security failings, Teso also pointed out that lots of aircraft computers run outdated software that doesn't meet modern safety requirements.

Teso told Forbes: "You can use this system to modify approximately everything related to the navigation of the plane. That includes a lot of nasty things."

Although this makes for uncomfortable reading for those of us who love to jet off on holidays, rest assured that the Federal Aviation Administration and the European Aviation Safety Administration have been informed and are working to patch up these security flaws.
