Vulnerabilities / Threats
4/11/2013
01:10 PM

Airplane Takeover Demonstrated Via Android App

Software hack allows security researcher to take control of aircraft navigation and other systems; avionics manufacturers emphasize that the presentation exploited training software.

The avionics systems used in some commercial aircraft are vulnerable to being fed bogus data, which would allow an attacker to take control of navigation systems, relay fake information to pilots' displays and adjust other systems, such as deploying oxygen masks for passengers.

That warning was delivered by Hugo Teso, a researcher at security consultancy N.Runs in Germany who's also a commercial airline pilot, at this week's Hack In The Box conference in Amsterdam.

Using an Android application he developed, dubbed PlaneSploit, Teso employed a Samsung Galaxy smartphone to demonstrate how he could adjust the heading, altitude and speed of a virtual airplane by sending it false navigation data. "You can use this system to modify approximately everything related to the navigation of the plane," Teso told Forbes. "That includes a lot of nasty things."

But Teso added that even if a plane did receive and act on spoofed navigation data, a pilot would be able to override the automated controls and take direct control of the aircraft.

According to Teso's Hack In The Box presentation, his research goal has been to successfully exploit an aircraft's flight management system (FMS), which is the computer-human interface in a plane that is used for navigation, flight planning, performance computations and related activities. So for the past three years, he's been auditing code and testing for FMS vulnerabilities using hardware and software from Honeywell, Rockwell Collins and Thales, procured largely via eBay.

The vulnerabilities he exploited in his presentation relate to ACARS (Aircraft Communications Addressing and Reporting System), which is used for exchanging text messages between aircraft and ground stations via radio (VHF) or satellite, he said in a blog post previewing his presentation. Notably, ACARS messages aren't authenticated, and thus could be spoofed. "ACARS has no security at all. The airplane has no means to know if the messages it receives are valid or not," Teso said. "So they accept them and you can use them to upload data to the airplane that triggers these vulnerabilities. And then it's game over."

Teso hasn't publicly detailed the precise vulnerabilities he used to craft his attack code, which he dubbed SIMON, but said he's disclosed the flaws to the Federal Aviation Administration and the European Aviation Safety Administration (EASA), as well as to businesses in the aerospace industry that may be affected.

Honeywell spokesman Scott Sayres said that his company is already working with N.Runs to review Teso's research, but downplayed the real-world implications. "If we talk very generically -- not just about Honeywell software -- PC FMS software is normally available as an online pilot training aid," Sayres said via phone. "In other words, what Teso did was hack a PC-based training version of FMS that's used to simulate the flight environment, not the actual certified flight software installed on an aircraft."

EASA said that it's been in contact with Teso, but likewise emphasized that training software isn't the same as certified flight software. "This presentation was based on a PC training simulator and did not reveal potential vulnerabilities on actual flying systems," said spokesman Jeremie Teahan via email. "There are major differences between PC-based training FMS software and embedded FMS software. In particular, the FMS simulation software does not have the same overwriting protection and redundancies that are included in the certified flight software."

"For more than 30 years now, the development of certifiable embedded software has been following strict guidance and best practices that include in particular robustness that is not present on ground-based simulation software," he said.

An FAA official said the agency plans to release a related statement later today.

Comments
Mathew,
User Rank: Apprentice
4/12/2013 | 4:30:30 PM
re: Airplane Takeover Demonstrated Via Android App
Thanks for your comment. What wasn't clear, based on Teso's published research, was whether the FMS could be spoofed to alter data to which the autopilot system might react, or if it would just mess with information that the pilot might be reading and then acting on.

Teso hasn't released publicly full details of the vulnerabilities he said he discovered. So it might take a little while for avionics firms to work through the information, test systems, and report back.

But you raise an excellent point: a text messaging system (unencrypted to boot) shouldn't be allowed to interface or alter in any way an FMS, and hopefully this is an open and shut case, and the bugs identified by Teso -- who studied secondhand FMS hardware and software -- don't exist in certified flight systems.
rcsteiner,
User Rank: Apprentice
4/12/2013 | 4:20:42 PM
re: Airplane Takeover Demonstrated Via Android App
I'm a little confused by this article. I worked on ACARS processing in a Flight Ops context at a major airline for over a decade, mainly on the software on the ground side which both generated and received/processed ACARS requests of various types, and ACARS (at least 10 years ago) simply did not have that level of integration with the avionics.

You could send all sorts of specialized text messages up and down from an ACARS terminal in the cockpit, and you could do a few interactive things on A3xx ships like trigger enroute reports about engine conditions, receive Fuel On Board reports and OOOI events, etc., but at least in our case the ACARS system wasn't involved in any way, shape, or form with the changing of anything at all on the aircraft.

We sent wx updates, takeoff and landing performance numbers, and a lot of other technical information relevant for the flight crew, but those were simply read by the flight crew and then acted upon as any other input would be acted upon. There was no direct interface to the flight controls, only a human interface, and I can't really fathom why one would possibly want to take that any further.
Drew Conry-Murray,
User Rank: Ninja
4/12/2013 | 2:30:21 AM
re: Airplane Takeover Demonstrated Via Android App
Now I understand why they want people to turn off their phones.

Drew Conry-Murray
Editor, Network Computing
rallen927,
User Rank: Apprentice
4/11/2013 | 11:30:38 PM
re: Airplane Takeover Demonstrated Via Android App
Yup.

As with most of these types of blog attacks, a real attack of the class is impractical and the severity is over-hyped. As all of us who work in safety critical systems know, risk is defined as probability * severity and this attack is both low probability and low severity, therefore low risk.
AvSec Dude,
User Rank: Apprentice
4/11/2013 | 9:26:55 PM
re: Airplane Takeover Demonstrated Via Android App
He hasn't told anyone anything dangerous other than making for some great sensationalist news headlines, this is nowhere near a repeat of 9/11 - that statement is more sensationalism.

The German BSI have met with him - there's not too much to worry about. If there were, he would not have been able to give the presentation. ;)
AvSec Dude,
User Rank: Apprentice
4/11/2013 | 9:24:32 PM
re: Airplane Takeover Demonstrated Via Android App
Ya, I can not believe the Internet is not secure either - oh wait both were created decades ago when closed systems were the norm.
AvSec Dude,
User Rank: Apprentice
4/11/2013 | 9:20:46 PM
re: Airplane Takeover Demonstrated Via Android App
This was a great PoC (proof of concept), but the amount of work required to actually perform this in real life on a real aircraft is a lot more complex than Hugo has led people to believe.

Some important bits of information; they did not test the attack on a real aircraft with real systems. The system used to validate the exploit is a simulation version of the FMS code (similarity to the embedded one has to be investigated). The "full control" claim is not valid, there is no way to engage the autopilot from the FMS. Of course, when engaged in "managed mode" the A/C will follow the FMS.

The aviation industry has known about this particular presentation for a while now.

Other things to consider are that the pilots would quickly realize something is wrong, since their printed flight plan would not match what is in the FMS. ATC would be squawking all over the place trying to determine why is the airplane deviating from its flight plan, etc.

All in all this makes for some great headlines and talking point for bobbing heads and arm chair experts, that's about all.

That being said, both ADS-B and ACARS could use some protocol strengthening up though.
Tom Mariner,
User Rank: Apprentice
4/11/2013 | 8:30:34 PM
re: Airplane Takeover Demonstrated Via Android App
So in addition to telling every terrorist in the world that he knows how to take over an airplane and fly it into a world trade center from a seat, Hugo Teso now names the app. I am guessing that he will next auction off the thing to the highest bidder from the Mid East!

This guy should be treated just as if he had worked in Oak Ridge and for kicks decided to use the knowledge gained from his job to build a nuclear bomb in his garage. Somebody had better know where this fellow is at all times, who he has talked to and where every piece of information is stored. This is not just embarrassing Wikileaks -- If he is not just bragging, he can repeat 9/11! Why is he still walking the streets?
AAL773ER,
User Rank: Apprentice
4/11/2013 | 6:46:58 PM
re: Airplane Takeover Demonstrated Via Android App
Actually pilots often crosscheck their instruments during flight so any changes would be caught rather quickly and pilots can fly without navigation data with the help of air traffic control along with the use of VOR's if worst comes to worst.
ANON1235579669135,
User Rank: Apprentice
4/11/2013 | 5:50:49 PM
re: Airplane Takeover Demonstrated Via Android App
The remark about the pilot being able to disengage and fly the plane manually is not very reassuring. The pilot can fly the plane manually, but what about the navigation data? What if a spoofer just quietly adjusts the actual altitude by 100 feet here and 100 feet there. Would the pilot even notice? He could easily be flying 1000 ft or 2000 ft lower than he thinks he is.

I cannot believe that these messages are not encrypted. Yikes. We encrypt home WiFi networks to keep our info private, but not aircraft communication?