
Thursday, April 11, 2013

Hijacking a plane: There's an app for that


Security consultant and trained commercial pilot Hugo Teso has had aviation agencies on his trail since developing an Android app that can remotely attack and take full control of an aircraft.

Using the application, dubbed PlaneSploit, Teso demonstrated how to virtually hijack flight desk computers and feed false navigation information to change the course of a simulated jet, according to Help Net Security, which sat in on Teso's presentation at the Hack in the Box security conference in Amsterdam.

Teso, who spent three years researching the aviation security field, gathered hardware and software he purchased from eBay, Computerworld reported, and set to work searching for vulnerabilities in aircraft code. What he found was a terrifying ability to make flying machines "dance to his tune," as Help Net Security noted.

The hack targets two technologies: Automatic Dependent Surveillance-Broadcast (ADS-B) and Aircraft Communications Addressing and Reporting System (ACARS).

ADS-B, according to Teso's cheat sheet, sends information (current position, altitude, velocity) about aircraft through an on-board transmitter to air traffic controllers, who then provide pilots with details about other planes in their vicinity. Meanwhile, ACARS is used to exchange messages between pilots and air traffic controllers via radio or satellite.

By manipulating the ADS-B, Teso was able to select targets, then gather information from the ACARS, exploiting its vulnerabilities by delivering what Help Net Security said were "spoofed malicious messages that affect the 'behavior' of the plane."

Teso's discoveries have not gone unnoticed by global aviation organizations, though. The European Aviation Safety Agency (EASA) confirmed to PCMag that it is aware of Teso's presentation.

"This presentation was based on a PC training simulator and did not reveal potential vulnerabilities on actual flying systems," an EASA statement said. "There are major differences between a PC based training FMS [flight management system] software and an embedded FMS software."

The version Teso used does not include the same overwriting protection and redundancies that certified flight software does, the agency said.

The Federal Aviation Administration did not immediately respond to a request for comment.
