• Researcher Says He’s Found Hackable Flaws In Airplanes’ Navigation Systems
    http://www.forbes.com/sites/andygreenberg/2013/04/10/researcher-says-hes-found-hackable-flaws-in-airplanes-navigation-systems

    By hijacking a protocol used to send data to commercial aircraft and exploiting bugs in flight management software built by companies including Honeywell, Thales and Rockwell Collins, Teso told the crowd that he could send radio signals to planes that would cause them to execute arbitrary commands such as changes in direction, altitude, speed, and the pilots’ displays.

    “You can use this system to modify approximately everything related to the navigation of the plane,” Teso told me in a phone interview following his talk. “That includes a lot of nasty things.”

    Update: Several companies and aviation safety organizations now claim that Teso’s research wouldn’t work on actual airplanes. See their comments below.

    Hackers and security researchers have warned for years of vulnerabilities in next-generation air traffic control protocols. But Teso focused on a different protocol called Aircraft Communications Addressing and Report System (ACARS), a simple data exchange system that has evolved over decades to now include everything from weather data to airline schedules to changes to the plane’s flight management system (FMS).

    Teso says that ACARS still has virtually no authentication features to prevent spoofed commands. But he spent three years reverse engineering the flight navigation software that receives ACARS signals to find bugs that allowed him to send his own commands to the systems, either from a software-defined radio that can be tuned to use ACARS or from a compromised airline system. In his talk, Teso demonstrated an Android application he built that allowed him to redirect a virtual plane with just a tap on a map application running on his Samsung Galaxy phone. “ACARS has no security at all. The airplane has no means to know if the messages it receives are valid or not,” he says. “So they accept them and you can use them to upload data to the airplane that triggers these vulnerabilities. And then it’s game over.”

    In his presentation, Teso explained that he experimented on used FMS hardware he bought from eBay and FMS training simulation software that was advertised as containing some or all of the same code as the systems in real planes. In our interview he declined to specify exactly what vulnerabilities he discovered in that code, saying that he has instead contacted the Federal Aviation Administration (FAA) and the European Aviation Safety Administration (EASA), and is working with the affected aerospace companies to fix the problems.