Need a new reason to be terrified of air travel?
German security consultant Hugo Teso exposed massive holes in aircraft security when he showed at the "Hack in the Box" conference in Amsterdam on Wednesday evening how to completely take over – and even crash – a commercial airplane. All you need is an Android phone, a radio transmitter and some knowledge about flight-management software.
Perhaps the most frightening part is that you don’t even have to be on the airplane when you hijack it. The entire attack can be done remotely from the ground, so not even full-body scans at the airport can prevent it.
Turns out that Automatic Dependent Surveillance-Broadcast (ADS-B), the technology used to track aircraft, is unencrypted and unauthenticated. This lack of security was exposed in 2012 when hackers inserted ghost airplanes into radar.
The Aircraft Communications Addressing and Reporting System (ACARS), the digital system for sending short messages between aircraft and ground stations via radio, also lacks security. Teso exploited these vulnerabilities for his attack.
After purchasing a flight-management system from eBay to study flight code, Teso learned how to read and send Aircraft Communications Addressing and Reporting System messages. He then used a radio transmitter to audit actual aircraft code, and built an Android app that delivers attack messages to an airplane’s computer.
Teso could use the app to completely commandeer the steering of a Boeing jet once it goes on autopilot. The only countermeasure would be for pilots to turn off autopilot. The problem, as a Computerworld blog post pointed out, is that even if the pilots realized the steering had been hijacked, many airplanes no longer have the equipment necessary for manual flying.
The app, which Teso named PlaneSploit, could take control of almost all of an airplane’s systems. He could manipulate the pilots’ lights and alarms, trigger the oxygen masks to drop, and even make the airplane crash.
Using a Samsung Galaxy smartphone and some virtual airplanes, Teso demonstrated live how to hack an airplane’s computer. The slides from the presentation can be found here.
Thankfully, Teso has no plans to release PlaneSploit to the Google Play Store, not that it would be accepted. However, his presentation showed that airlines need to take immediate steps to protect their networks before a more malevolent hacker makes plans.