Hugo Teso, a security researcher from German consultancy agency N.Runs, claims he can hijack an airplane's navigation systems using a smartphone app, radio transmitter, and flight software he purchased off eBay.
Speaking at this week's Hack in the Box conference in Amsterdam, Tesso "employed a Samsung Galaxy smartphone to demonstrate how he could adjust the heading, altitude, and speed of a virtual airplane by sending it false navigation data," reports InformationWeek.
"You can use this system to modify approximately everything related to the navigation of the plane," Teso tells Forbes. "That includes a lot of nasty things."
The smartphone app he developed, nicknamed PlaneSploit, takes advantage of a plane's Aircraft Communications Addressing and Report System (ACARS), which uses short transmissions to beam data between aircraft and satellites. The problem, says Teso, is that "ACARS has no security at all." Anyone can transmit fake data to alter an aircraft's trajectory.
The airplane has no means to know if the messages it receives are valid or not. So they accept them and you can use them to upload data to the airplane that triggers these vulnerabilities. And then it's game over. [Forbes]
Once he was into the airplane's computer, he was able to manipulate the steering of a Boeing jet while the aircraft was in "autopilot" mode. The only countermeasure available to pilots, if they even realized they were being hacked, would be to turn off autopilot. Yet many planes no longer have old analog instruments for manual flying. Teso said he could take control of most all airplane systems; he could even cause the plane to crash by setting it on a collision course with another plane. He could also give the passengers a serious adrenaline rush by making the oxygen masks drop down.[Computerworld]
Honeywell, one of the aerospace companies behind the ACARS system, says that it is taking the alleged exploit very seriously, and confirmed that it's been in talks with N.Runs to review Teso's research. However, a Honeywell spokesperson says Teso's ability to commandeer an aircraft remotely may be overblown.
The software is "normally available as an online pilot training aid," a Honeywell rep tells InformationWeek. "In other words, what Teso did was hack a PC-based training version of [the flight management system] that's used to simulate the flight environment, not the actual certified flight software installed on an aircraft."
Teso says his firm has alerted the Federal Aviation Administration (FAA) and the European Aviation Safety Administration (EASA), and is working with them to fix the vulnerabilities.
THE WEEK'S AUDIOPHILE PODCASTS: LISTEN SMARTER
- 43 TV shows to watch in 2014
- The U.S. is about to sell weapons to Vietnam. That's bad news for China.
- Why is the Pentagon stuffing caves in Norway full of tanks?
- 3 horrific inaccuracies in Homeland's depiction of Islamabad
- How to be the most productive person in your office — and still get home by 5:30 p.m.
- Gamergate has backfired spectacularly on its nincompoop perpetrators
- What the Middle Ages can tell us about the GOP's big charity myth
- 10 soldiers welcomed home by very happy dogs
- The simple trick to making better decisions in every aspect of life
- What would a U.S.-Russia war look like?
Subscribe to the Week