Android app hacks virtual aeroplanes
The researcher's lab setup
Source: Hugo Teso
Hugo Teso is a security expert as well as a trained pilot. At the Hack in the Box security conference in Amsterdam, Teso demonstrated what happens when someone combines these two fields and does three years of research. When analysing the communication systems that are typically used in air traffic control, the researcher identified several vulnerabilities that allowed him to take control of virtual planes
in a lab setup. Teso says that he used his findings to develop a framework, complete with Android app, that allows users to hack and take control of planes.
The researcher examined implementations such as that of the Aircraft Communications Addressing and Report Systems (ACARSs) that are used in various manufacturers' Flight Management Systems (FMSs). ACARSs are used to feed cockpit FMSs with information such as weather data or flight plan alterations. Apparently, the protocol's security mechanisms are inadequate. FMSs help pilots navigate and supply data to the autopilot.
For his proof of concept, Teso assembled a system of hardware and software components that allowed him to create realistic simulations of the communication between planes and ground control systems. The researcher said that he bought the required genuine aeroplane hardware components from outlets such as eBay and from scrap yards. The identified vulnerabilities enabled Teso to inject his specially developed SIMON attack framework into the FMS. The researcher explained that the injected code allows him to send control instructions to the on-board computer at any time, although commands are only executed while the autopilot is enabled.
The attack is currently only successful in lab conditions but can, in theory, also be used to hack actual planes. Teso says that the ACARS communication with a plane can be implemented locally via a software-defined radio system or globally via one of the two major ACARS providers, ARINC and SITA. The researcher added that a vulnerability would need to be found with the providers.
The "PlaneSploit" app offers various features that are as playful as they are dangerous: for example, FlightRadar allows attackers to select a nearby plane as their target. Teso said that the smartphone movements are detected via the phone's gyroscope and are then converted into control signals. Apparently, the app also allows attackers to define new waypoints and even crash the plane using the "Visit ground" feature.
In a statement, FMS manufacturer Honeywell pointed out that the identified security issues in its products refer to PC software versions, and that these versions differ from the hardware implementations that are used on planes. To what extent the problems could potentially apply to the hardware implementations is currently being investigated, added the vendor.
Teso said that the software in modern planes can be fixed with a relatively simple software update. With older devices that have been in use since the 1970s, however, an update would be difficult or altogether impossible, said the researcher.
(Marc Heuse / fab)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
