A bad-intentioned individual can potentially take control of an airplane's navigation using nothing but an Android phone. According to security researcher Hugo Teso, who has previous experience as a commercial airline pilot, with the right tools and under specific conditions, hackers could exploit bugs in flight management software. This is very, very worrying.
Presenting at the Hack In The Box security conference, Teso detailed the hackable flaws in software created by companies such as Honeywell, Thales and Rockwell Collins. The attack works by sending radio signals to a plane's navigation systems, which can then be manipulated to control where the plane goes. "That includes a lot of nasty things," Teso said.
Teso said the vulnerability is exploited through the Aircraft Communications Addressing and Reporting System (ACARS), which displays weather data and airline schedules, among other things. Right now, Teso claims ACARS has "virtually no authentication features to prevent spoofed commands."
From a custom-built Android app on his Samsung Galaxy device, Teso demonstrated how someone can gain control and redirect a plane: simply tap a location on a map and that's where the plane will go. It sounds frighteningly simple. The plane does need to be on autopilot, however, and remain that way for the exploit to work. It sounds like once a pilot engages manual controls, things should be OK.
Still, knowing such a hack exists is huge, and Teso understands what's at stake. For his part, Teso has apparently contacted the Federal Aviation Administration (FAA) and the European Aviation Safety Administration (EASA) to help fix the problems. Hopefully that means better measures are introduced into the navigation software soon.
Teso explained that he discovered the issue by reverse engineering flight management system hardware he bought off eBay, which had the same code planes use today. Not something everyone can do, but considering the gravity of the exploit, it sounds almost too easy. Let's hope such open access doesn't lead to a bigger issue down the road.