There’s now another reason to be aerophobic after a German hacker demonstrated how to remotely hijack and bring down an airplane using an app for the Android phone.
The presentation called ‘Aircraft Hacking: Practical Aero Series' by Hugo Teso has become the highlight of the Hack In The Box security conference in Amsterdam on April 10-11, terrifying most of those, who attended it.
Teso, who currently works as a security consultant at the German
n.runs IT-company, has used his experience of being a commercial
pilot to create the software, which grants him full control of a
It took the researcher three years to come up with the PlaneSploit app for Android based on his SIMON code, which proved that – despite the tightened security in airports and on-board – air carriers are completely defenceless when it comes cyber-attacks.
Teso’s presentation revealed that the Automated Dependent Surveillance-Broadcast (ADS-B), which is a surveillance technology for tracking planes, is unencrypted and unauthenticated.
He said that the possible attacks on this system can “range from passive attacks (eavesdropping) to active attacks (message jamming, replaying, injection)”.
Meanwhile, the US government demands all aircrafts to be equipped with ADS-B by the 2020.
It turned out that the Aircraft Communications Addressing and Reporting System (ACARS), which is used for exchanging messages between aircraft and stations via radio or satellite, is also extremely vulnerable.
"ACARS has no security at all.
The airplane has no means to know if the messages it receives are
valid or not. So they accept them, and you can use them to upload
data to the airplane that triggers these vulnerabilities. And then
it's game over," Teso is cited as saying by The
The hacker added that just a little knowledge is required to read and send ACARS messages as it’s sometimes as easy as ordering goods from an online store.
Teso has demonstrated how to upload Flight Management System (FMS) data through ACARS, using a lab of virtual airplanes, which are based on real aircraft codes.
Once he got into the system, he was able to manipulate the steering of a Boeing jet in autopilot mode, saying he could also change the plane's course, crash it, make oxygen masks fall out and etc.
"You can use this system to modify approximately everything related to the navigation of the plane. That includes a lot of nasty things," the hacker told Forbes.
Another problem, which Teso pointed out during his presentation, is that lots of aircraft computers run outdated software, which doesn’t meet modern safety requirements.
The hacker said that during his research he only experimented
with second-hand flight system software and hardware as hijacking a
real plane during a flight was “too dangerous and
Thankfully, the PlaneSploit is proof-of-concept software, which will not be making its way to the app stores.