Flaws in airline communication systems could lead to plane hijacks carried out just by software, a researcher has claimed, showing how this could be done using just an Android phone.
Whilst the findings appear initially terrifying, the researcher behind the findings, Hugo Teso, took four years to uncover the flaws in aircraft systems he needed to hijack a virtual plane, not a real one. And his work could and should get software developers to improve aircraft security.
Teso, who works at German IT consultancy N.Runs and used to test systems running critical infrastructure, found a range of different flaws that let him hijack a flight simulator session to send the jet in different directions and adjust its speed.
He showed off his work at the Hack In A Box conference in Amsterdam, hijacking two protocols called Automatic Dependent Surveillance-Broadcast (ADS-B) and Aircraft Communications Addressing and Report System (ACARS). The first is a replacement for radar and used to send location and altitude information to the ground, whilst ACARS is used for exchanging a variety of messages in text, via radio or satellite.
His attack also used flaws in flight management software dealing with ACARS interactions run by a number of firms, including French company Thales, which builds plenty of security systems itself, according to Forbes. Thales had not responded to a TechWeek request for comment at the time of publication.
Teso found there was very little security in ADS-B and ACARS, which was exploited to easily spoof messages to affect the behaviour of the plane, as noted in Teso’s presentation slides. However, Teso is understood to be talking with a number of the affected organisations and is not revealing any specifics on the vulnerabilities, due to their sensitive nature.
He built an Android app to easily execute his exploits and ran it on a Samsung Galaxy device, showing how he could set up an ACARS session and just tap on the map within the application to change the direction of the virtual plane. That plane was created using hardware bought from eBay and simulation software he believed contained the same code as found on real planes.
The Federal Aviation Administration and the European Aviation Safety Administration have been contacted about the findings.
Teso, a qualified commercial pilot as well as security researcher, and others have noted pilots should be able to override any dangerous commands manually.
What do you know about Internet security? Find out with our quiz!
German foreign minister warns Russia will face consequences for “absolutely intolerable” cyberattack on ruling party,…
Google is reportedly laying off at least 200 staff from its “Core” organisation, including key…
Investor appeasement? Apple unveils huge $110 billion share buyback program, as sales of iPhone decline…
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…