Airplane security revolves around preventing hijackers from commandeering planes with weapons or explosives. But a recent presentation from the Hack in the Box conference in Amsterdam makes us wonder if another type of hijacking altogether poses a threat to airplane security. At the conference, security consultant Hugo Teso claimed to be able to hack into the Flight Management System computers of certain aircraft with two tools he's written. Teso demonstrated being able to take control of virtual aircraft with his exploit framework SIMON and Android app PlaneSploit.
Here's a disturbing image, if ever there was one: someone casually pulls out their Android phone on a flight, takes control of the plane with a simple app, and sends it crashing to the ground with a few taps.
Photo credit: Flickr user sebastiansuk via Creative Commons. Now for the obvious question: Is this even possible? Is Teso completely exaggerating the real-world applications of hacking Flight Management Systems? The Android app PlaneSploit is only an easy-to-use front end for SIMON, Teso's exploit. It's hard to know exactly how something in the virtual world applies to the physical.
Net-Security.org writes "Teso developed the SIMON framework that is deliberately made only to work in a virtual environment and cannot be used on real-life aircrafts. His testing laboratory consists of a series of software and hardware products, but the connection and communication methods, as well as ways of exploitation, are absolutely the same as they would be in an actual real-world scenario.
Since it's nearly impossible to detect the framework once deployed on the Flight Management System, there is no need to disguise it like a rootkit. By using SIMON, the attacker can upload a specific payload to the remote FMS, upload flight plans, detailed commands or even custom plugins that could be developed for the framework."
Image credit: Hugo Teso The slides from Teso's presentation are available online. The presentation includes a couple worrisome statements--specifically, that ADS-B, the automatic dependent surveillance broadcast system, and ACARS, the Aircraft Communications Addressing and Reporting System, have no security. Hacking into those systems could grant someone access to flight report data, interfere with communication between air traffic control and the airplane, or spoofing plane instruments.
And this isn't the first time someone has written about exploiting ADS-B.
It can be used to track airplanes relatively easily. A thread on Metafilter about Planesploit casts some doubt on the real danger of Teso's SIMON. While many commenters agree that these communication systems are likely poorly guarded and exploitable, just like most computer software, that doesn't mean someone could actually use them to control an airplane. Here's a healthy dose of skepticism:
There is, in general, not one single computer running the whole show on a large aircraft - for safety reasons there are multiply redundant, distributed systems. Autopilot does not control the fly-by-wire, for example. From what I can tell, he is talking about taking over the Flight Management System (FMS), which he is then using to direct commands to other aircraft systems. There are at least two FMSs per aircraft, so a "full takeover" would probably require commandeering both (or all three) FMSs, all of the air data computers, and all of the autopilots (Category III landing capabilities require three independent autopilots)...
The airplane is designed to remain safe and functional even if the FMSs fail. Again, multiply redundant systems. Multiple MFDs can fail, multiple autopilots can fail, you could have a total electrical failure and still fly the airplane. Even the Dreamliner, the most electric airplane in the world, is designed to fly with a total electrical failure...
So this guy is claiming he can somehow get a message through ACARS which will inject malicious code into an FMS unit, which he can then use to control the aircraft. I do agree this is a serious security problem, but the fact that there are multiply redundant systems means a competent flight crew should be able to maintain control of the aircraft. If he's spoofing messages, traffic, or whatever else, there are other independent systems available on board that will contradict the bad information and will not be affected by his hack. Shutting down compromised FMS units, autopilots, or whatever else is possible and the aircraft will still fly. You could shut down basically the whole flight deck and still fly the airplane safely...
Long story short--interesting presentation, but there are several differences between his simulation and "real world" implementation that keeps this from becoming the giant security hole it looks like offhand.
Most likely, Teso's research points to some security holes that do need fixing in ADS-B and ACARS--but in the real world, that image of a hacker crashing a plane with an Android phone isn't likely to come true.