14 DAY TRIAL // Many of the presentations held here at this edition of the Hack in the Box conference in Amsterdam show that we live in a world where almost anything can be hacked. Spanish security researcher Hugo Teso, of n.runs AG in Germany, has shown that aircraft are no exception.
The expert highlighted that when the software for most of today’s aircraft was developed, its creators mostly focused on making it safe. They wanted to make sure that in case one system failed, there would be a backup, and in case the backup system failed, there was another failsafe mechanism.
However, they haven’t taken into consideration that the software they’ve developed might be targeted by cybercriminals. Hopefully, that will change soon because, according to the expert, the aviation industry appears to be taking his findings seriously.
The process to address the issues discovered by Teso is costly and difficult, but he says the organizations he and his company have contacted appear to be interested in learning more about these problems.
So what has he actually found?
Modern aircraft relies heavily on computers. Automatic Dependent Surveillance-Broadcast (ADS-B) is a sort of radar which represents the primary surveillance method for aircraft control.
Aircraft Communications Addressing and Reporting System (ACARS) is used for exchanging messages between aircrafts and ground stations via radio (VHF) or satellite.
The flight management system (FMS) is also highly important for modern aviation, being utilized for a wide range of tasks that are designed to reduce the workload of the flight crew, including navigation, flight planning, trajectory prediction, performance computations and guidance.
While these systems are highly efficient, they’re also highly vulnerable.
The attack method developed by Teso has four phases: discovery, information gathering, exploitation and post-exploitation.
By utilizing publicly available equipment, which he obtained for fairly small prices from places such as eBay, he has managed to simulate airplane systems.
In his Hack in the Box presentation, Teso has shown how, in theory, he could take complete control of an aircraft. The attacker could perform a wide range of tasks depending on what systems are active on the plane.
For instance, for the attacker to modify the aircraft’s trajectory and altitude, the autopilot would have to be activated.
In an interview we had with him after the presentation, the researcher explained that the attack method he developed focused on commercial aircraft.
During the presentation, he utilized an Android app to simulate the hijacking of an airplane. However, he told Softpedia that the application had only been used to simplify the presentation.
Some might have believed that an aircraft could be hijacked from a smartphone but, in reality, a lot more equipment is needed.
So should we fear that our flight might be taken over by cybercriminals next time we get on board?
According to Teso, not yet. A lot of resources are needed for a real-life attack.
On the other hand, while such attacks are not imminent in the near future, the expert believes they could become a possibility in the mid-future.
You can check out his HITB 2013 Amsterdam presentation here.
