White-hat hacker cracks communications system used between planes and the air traffic control in 5 minutes

Oct 9, 2015 20:32 GMT  ·  By
Airplanes more vulnerable than ever, says director of European Aviation Safety Agency
   Airplanes more vulnerable than ever, says director of European Aviation Safety Agency

Ahead of the launch of the new SESAR (Single European Sky ATM Research) air traffic control system, Patrick Ky, Director of the European Aviation Safety Agency, is warning that airplane hacking is a present-day threat.

His revelations were shared with French journalists from the Les Echoes newspaper, to whom he revealed that the previous air traffic control system (ACARS) used for the exchange of short messages between airplanes and traffic control towers was hacked by a white-hat hacker in about 5 minutes.

The so-called hacker was a consultant the agency hired, one who is also a commercial pilot as well, meaning he knew exactly what to target and how.

The ACARS (Aircraft Communications Addressing and Reporting System) had also previously been hacked in 2013 at a Hack In The Box conference by security researcher Huge Teso, so the agency had already known it was faulty, to say the least.

Considering that ACARS features a communications protocol designed way back in the '70s, many could find it surprising that it hasn't been hacked by now.

The new air traffic control system can give hackers relative control of the plane

"Tomorrow, with the introduction of SESAR and the possibility that air traffic control give direct instructions to the aircraft control system, this risk will be multiplied," said Patrick Ky for Les Echoes (translated).  "We need to start putting in place a structure for alerting airlines of cyber attacks."

The questions are why this system isn't already put in place, and why Mr. Ky is blabbing to the press about it.

If what Mr. Ky said is true, and if air traffic control systems is able to send some instructions to airplanes, then the new SESAR system used for communications between in-flight planes and traffic towers had better be more robust than the older ACARS, otherwise Al-Qaeda will be better served by a hacking squad instead of terrorists with explosives strapped to their chests.

Disclaimer: We haven't studied the SESAR system in depth, but technically, you don't need to control the airplane via SESAR instructions. A hacker would only need a way to spoof the communications and send wrong messages to the flight crew, like landing instructions, which can have serious or catastrophic consequences. We have contacted SESAR for further details and we'll update this post when they become available.