When the software for most of today’s aircraft was in development, its creators went to painstaking extremes to make sure planes were as safe as possible. Redundancy was the name of the game: if one system failed, there would be a backup, and if the backup system failed, there was another failsafe mechanism.
What they didn’t do was consider that the software they developed might fall into the hands of an attacker.
That is where Spanish security researcher Hugo Teso, of n.runs AG in Germany, comes in. He said it is possible to hack into aircraft controls.
The problem is fixable, but the changes will be costly and difficult, he said at the Hack in the Box conference in Amsterdam. However, the organizations he and his company contacted appear interested in learning more about these problems.
Everyone knows today’s aircraft rely on computers. Automatic Dependent Surveillance-Broadcast (ADS-B) is a sort of radar that represents the primary surveillance method for aircraft control.
The Aircraft Communications Addressing and Reporting System (ACARS) is used to exchange messages between aircraft and ground stations via radio (VHF) or satellite.
The flight management system (FMS) is also highly important to modern aviation, handling a wide range of tasks designed to reduce the workload of the flight crew, including navigation, flight planning, trajectory prediction, performance computations and guidance.
While these systems are highly efficient, they’re also highly vulnerable, Teso said.
The attack method developed by Teso has four phases: discovery, information gathering, exploitation and post-exploitation.
By utilizing publicly available equipment, obtained for fairly small prices from places such as eBay, he has managed to simulate airplane systems.
In his Hack in the Box presentation, Teso showed how, in theory, he could take complete control of an aircraft. The attacker could perform a wide range of tasks depending on what systems are active on the plane.
For instance, for the attacker to modify the aircraft’s trajectory and altitude, the autopilot would have to be on. The attack method he developed focused on commercial aircraft.
During the presentation, he utilized an Android app to simulate the hijacking of an airplane. However, he said the application was only meant to simplify the presentation.
Some might have believed an attacker could hijack an aircraft from a smartphone, but that is not the case.
For a real-life equipment hijack, an attacker would need quite a few more resources. But it could be possible in the future, Teso said.