Cyber Criminals, Smartphones and the Plane You Might be On

By Tony Rizzo April 11, 2013

Cyber terrorism, hacking, “breaking in digitally” and whatever other names we give these activities all share one underlying thing. It takes a certain kind of smarts – an almost idiot savant kind of smarts – to become a truly outstanding hacker. And it requires an enormous amount of tenacity and stick-to-itiveness. Those of us on the other side of the fence may have more laudable goals than these individuals, but to work against them, one necessarily needs to be among them – some of the same traits that define hackers also define the good guys.

Take, for example, Hugo Teso, a security researcher for the German IT consultancy N.Runs. He has spent the last three years painstakingly and tenaciously taking apart and reverse engineering flight navigation software that receives ACARS signals. Why? He’s been looking for flaws, security holes and software anomalies that similarly tenacious hackers and cybercriminals could exploit to get that software to recognize invalid and fake commands.

These commands can be sent through a hacked airline system, but the scary alternative is that they can also be sent through an on-board, software-defined radio that can be tuned to use ACARS if one happens to know ACARS inside and out.

What exactly is ACARS? It’s an acronym for Aircraft Communications Addressing and Reporting System – which is a fairly old suite of protocols used for the transmission of short, relatively simple messages between aircraft and ground stations via radio or satellite. ACARS was originally deployed in 1978. When it was designed the world was a different place, and what Teso has discovered – perhaps to no one’s surprise – is that the system has absolutely no security built into it. None whatsoever.

No one worried about such security issues back then, and apparently nobody has thought about them since 1978 either.

What this means is that an airplane actually has no means of knowing, among the many messages it receives via the system, which of them are actually valid and which are not. ACARS lacks even basic authentication features, so it cannot distinguish between real and fake commands.

About that Flight Management System…

The implications of this are potentially enormous. It means that a rogue set of commands could, aside from causing general mayhem of the safe but scary sort (airbags deploying, crazy things happening to video systems, etc.), also conceivably tie into an airplane’s flight management system (FMS).

The former might prove scary but harmless; the latter might prove deadly.

At the recently held “Hack in the Box” security conference in Amsterdam, Teso divulged both his general findings, as we’ve noted above, and a demonstration that he could hack into an FMS simply using his Android smartphone! Of course the demo was a staged event involving software running on a PC and a virtual airplane environment, but this should not be cause for comfort. It should be cause for enormous discomfort.

Companies such as Thales, Honeywell and Rockwell Collins, among others, make FMS systems. As much as we inherently trust that such systems will be secure, how can we really know? The fact that Chinese hackers – and not even elite Chinese hackers – can easily break into U.S. networks at all levels of business and government needs to give us serious pause. We ourselves have never seriously doubted, for example, the ability of government, utilities or big business to prevent intrusions at the deepest layers of either hardware or software infrastructure – but this is clearly not the case.

Nor can we really believe real-world FMS platforms are secure and safe from cyber attacks – no matter how much the manufacturers assure us this is the case.

There is no need to break down the pilots’ door. There is no need to threaten passengers. Simply take out your Android device and send out the appropriate signals. Is it a stretch to picture, say, 30 cyber terrorists on board 30 planes, each of them having easily moved through TSA security, pulling out their Android smartphones and coordinating a doomsday plane attack? As the TSA considers allowing passengers to take pen knives on board, will we need to begin dropping our smartphones off at the boarding gate? Now that thought is indeed a scary one.

Fortunately, Teso has not been of a mind to reveal what he has actually learned about the vulnerabilities he has uncovered. Rather, true to his good guy persona, he’s taken his findings to the Federal Aviation Administration and its European equivalent, the European Aviation Safety Administration.

We hope they take the potential threats seriously.




Edited by Braden Becker

TechZone360 Senior Editor
