Plane-In-Flight

Yesterday, at the Hack In The Box Conference in Amsterdam, Hugo Teso, security consultant form n.runs AG, made a report on a an easy, and totally real scenario of plane hijacking with help of a simple Android application. Hugo Teso works with IT-industry for the last 11 years and also, he is a commercial pilot with and made thousands of flights. That’s why he could combine his knowledge and experience from both his professions and analyze the security level of aircraft computers and communications protocols.

He was able to use two new aircraft communication systems to detect that vulnerability, gather information on it and finally exploiting it. He created a special SIMON framework and mobile Android application (PlaneSploit), which is able to send a malicious code to the Flight Management System, also at the conference mentioned above he has shown how the whole thing works and got the full control over the plane from an Android smartphone. But as long as Android OS is one of the most vulnerable to malware, literary any mobile phone with Android OS may be used for that.

The firs technology he has exploited was Automatic Dependent Surveillance-Broadcast (ADS-B). That system is used to send information about each plane (unique ID, current coordinates and height) with on-board transmitter to the aircraft movement dispatch. That lets other planes to get a full information about all the planes and the weather in the area.

Flight-Dispatcher

The second is Aircraft Communications Addressing and Reporting System (ACARS), which is used for two way communications with a dispatch with a VHF radio waves or with a satellite. Also it helps to transmit data about all the phases of the flight to the ground. Both of those systems are really vulnerable and are sensitive to a wide range of passive and active attacks.

Teso used ADS-B to locate and pick the target and ACARS to gather information about the onboard computer and exploiting its vulnerabilities by sending a malicious message. Hugo Teso used his previous reaserches to create a SIMON framework, that enables those hacking techniques. He intentionally made it working in virtual environment only, so nobody else would be able to use that in real life. But we at Jammer-Store Inc. have to mention that vulnerabilities and the whole principle of that hack is real, and may be used by evildoers.

The main feature of that framework is that it is undetectable, there is no need even to mask it as a rootkit. Attacker can use SIMON to upload a certain malicious code on the remote Flight Management System, upload fake flight plans, commands, etc. Also he has shown an Android app that uses SIMON framework to control a plane in motion remotely. PlaneSploit is really easy to use. It uses Flightradar24 tracker to locate nearby planes and you can tap any plane on the map.

Smart-Phones

The interface of PlaneSploit makes it easy to detect, gather info and hack the closest planes. We should mention that it won’t work without special high-gain antennas and a modulator, and the power of the signal must be really high to reach the plane. And have you noticed that smartphones are frequently used for hacking.

As you probably understand, Teso has not shared the details on how he was able to achieve that with third parties, but he admits that he was pleased with major plane’s manufacturers, because they are eager to fix those vulnerabilities and will help Hugo Teso with his further researches. He has also told that the old flight systems that were developed in mid 70s are the most vulnerable and they has to be fully replaced with a new hardware. And the new planes require better protected software.

But that hacking problem has a really simple solution, a combined 3G/4G jammer will block any smartphone and the plane will be safe. Also, the hack will work only if autopilot is online and it is necessary to turn it off, if the plane is under attack. The bad news are that pilot has to realize that the system is hacked, to do all the necessary manoeuvers manually.

  • Share/Bookmark