The Hack in the Box (#HITB2013AMS) security conference in Amsterdam has a very interesting lineup of talks [pdf]. One that jumped out was the Aircraft Hacking: Practical Aero Series presented by Hugo Teso, a security consultant at n.runs in Germany. According to the abstract, “This presentation will be a practical demonstration on how to remotely attack and take full control of an aircraft, exposing some of the results of my three years research on the aviation security field. The attack performed will follow the classical methodology, divided in discovery, information gathering, exploitation and post-exploitation phases. The complete attack will be accomplished remotely, without needing physical access to the target aircraft at any time, and a testing laboratory will be used to attack virtual airplanes systems.
While keeping an eye on Twitter #HITB2013AMS, greatly interesting tweets started to appear as hackers who attended were excited. I will add some of those throughout this article.
Before his presentation, Teso recommended that people should have a little background knowledge on aviation and aircraft systems to better understand what he was going to explain. Here’s a few important facts: Automated Dependent Surveillance-Broadcast (ADS-B) has no security as was pointed out at Def Con 20 shortly before a hacker was able to inject ghost planes into radar. It is unencrypted and unauthenticated. Teso said, “Attacks range from passive attacks (eavesdropping) to active attacks (message jamming, replaying, injection.” The Aircraft Communications Addressing and Reporting System (ACARS) also has no security; it “is used for exchanging text messages between aircraft and ground stations via radio (VHF) or satellite.” Although his talk did not focus on the vulnerabilities in those two protocols, he used them to find targets.
Anyone with the right tools and a little know-how can read and send these ACARS messages. Teso purchased hardware from eBay that provided “actual flight code software” for “training” such as Flight Management System made by Rockwell. He also needed a radio transmitter and explained about software radio systems before the talk. He audited real aircraft code, searching for vulnerabilities to exploit, but used a lab with virtual airplanes as opposed to hijacking an actual jet in flight. Hijacking a real plane during a flight was “too dangerous and unethical.”
Help Net Security was present at the demo and explained:
By taking advantage of two new technologies for the discovery, information gathering and exploitation phases of the attack, and by creating an exploit framework (SIMON) and an Android app (PlaneSploit) that delivers attack messages to the airplanes' Flight Management Systems (computer unit + control display unit), he demonstrated the terrifying ability to take complete control of aircrafts by making virtual planes "dance to his tune."
According to Teso’s presentation slides [pdf], the ACARS datalink allowed for “real-time data transmission” and all communications between planes and airports are sent unencrypted. Teso used ACARS to exploit and break into the airplane’s onboard computer system and then upload Flight Management System (FMS) data. FMS could be uploaded by software defined radio and ground service providers.
Once he was into the airplane’s computer, he was able to manipulate the steering of a Boeing jet while the aircraft was in “autopilot” mode. The only countermeasure available to pilots, if they even realized they were being hacked, would be to turn off autopilot. Yet many planes no longer have old analog instruments for manual flying. Teso said he could take control of most all airplane systems; he could even cause the plane to crash by setting it on a collision course with another plane. He could also give the passengers a serious adrenaline rush by making the oxygen masks drop down.
Teso used his Samsung Galaxy and a specially crafted app called PlaneSploit to demonstrate how to hack an airplane’s computer. (Thank you for tweeting the image @isa56k!) Crime Site also showed a quick clip of the hack. And no, PlaneSploit is not going to be available to the masses to hijack planes with their Android devices.
Help Net Security said that some of the functions that Teso showed off were:
- Please go here: A way of interacting with the plane where the user can dynamically tap locations on the map and change the plane's course.
- Define area: Set detailed filters related to the airplane, for example activate something when a plane is in the area of X kilometers or when it starts flying on a predefined altitude.
- Visit ground: Crash the airplane.
- Kiss off: Remove itself from the system.
- Be punckish: A theatric way of alerting the pilots that something is seriously wrong - lights start flashing and alarms start buzzing.
Another not-too-comforting thought by Teso was that many aircraft onboard computers are running outdated software and fail to meet modern safety requirements. While all airplanes are not doomed, they are not exactly safe either. Teso said he’s woorking on the next version of ACARS which will be encrypted. The ACARS successor will roll out over the next 20 years.
Hack in the Box Amsterdam was quick and has posted the presentation slides for all of today's talks.
Another Hack in the Box security conference presentation is also about airplane insecurity, but it is more focused on airport insecurity. Beyond TSA checkpoints: Weaponizing everyday items sold in airports.