Remote Airplane Hijack Threat Demoed: Simon Says 'Crash!'
Airplanes can be hijacked using an Android smartphone, security consultant and trained commercial pilot Hugo Teso told an audience at the Hack in the Box conference in Germany on Wednesday.
Teso, who works for N.runs, created an exploit framework he calls "SIMON," and crafted an Android app he named "PlaneSploit" that delivers attack messages to an aircraft's flight management system (FMS).
He gathered data from the Automatic Dependent Surveillance-Broadcast (ADS-B) technology used for tracking aircraft in flight. Teso also leveraged the Aircraft Communications Addressing and Reporting System (ACARS), which is a digital datalink system for transmitting short simple messages between aircraft and ground stations by radio or satellite.
"We do need to treat airlines and airline control like any other secure transmission system and give it a much needed upgrade," Ken Pickering, development manager, security intelligence at CORE Security, told TechNewsWorld. "Most of this airline technology is pretty old, and I doubt it's anywhere near as secure as it needs to be."
Modern aircraft are more susceptible to hacking than older ones, said Richard Westmoreland, Level III Security Analyst at SilverSky. On the newer Boeing 787, for example, the control systems and the media content for passengers were put on the same network in 2008, and one of the computer chips used in the system has a built-in backdoor that was easy to find and exploit.
How the Smartphone Hijack Was Created
Teso acquired aircraft hardware and software from various suppliers, including vendors of simulation tools that use actual aircraft code, and from eBay. The latter supplied him with an FMS and an ACARS aircraft management unit, both made by Honeywell.
He then reportedly created virtual aircraft and set up a station to send them specially crafted ACARS messages in order to exploit vulnerabilities in their FMSes. The FMS automates various in-flight tasks, including management of the flight plan. It uses various sensors, including GPS, to determine an aircraft's position and guide it along its flight plan path.
Teso apparently used ADS-B to identify potential targets and gather basic information about them from Flightradar24.com, a site that lets users track live flights in real time. Several similar sites exist, Teso said; a quick search on the Web turned up FlightAware, FlightView, and Planefinder, among others. All three offer mobile flight tracking apps.
ACARS provided Teso more information about potential targets. Combining this information with other open source data makes it possible to determine quite accurately what model of FMS a particular aircraft is using, he reportedly said.
Once it's known which version of FMS a particular aircraft is using, attackers can build their own software-defined radio systems, or hack into the systems of ground service providers and send rogue ACARS messages to the target plane. However, doing so would alert the authorities.
Teso then created SIMON to run on a compromised FMS that could be used to make flight plan changes or execute commands remotely. The PlaneSploit app automates the entire attack process.
Is Safety an Illusion?
SIMON reportedly runs only on x86 architecture and cannot be used against the FMSes on real aircraft, which use different architectures.
However, that's no consolation for either the airlines or their passengers. "Since he was able to show a working proof of concept, there is a chance somebody else has already created a similar attack toolset," Westmoreland told TechNewsWorld.
"This is quite a serious security flaw, particularly given that the attacker can conduct exploit activities from the ground," Joe Bonnell, CEO of Alchemy Security, told TechNewsWorld. Addressing it will require a revision of ACARS to introduce encryption into wireless communications between aircraft and service providers.
However, the possibility of such an attack has nothing to do with why passengers are required to turn off wireless and mobile devices during takeoff and landing. That's to reduce possible electromagnetic interference with sensitive systems, Westmoreland said.