With cyber terrorism, hacking, “breaking in digitally” and all the many other things we can add to these or other names we can refer to them by – there is one underlying thing to all of them. It takes a certain kind of smarts – an almost idiot savant kind of smarts – to become a truly outstanding hacker. And it requires an enormous amount of tenacity and stick-to-itiveness. Those of us on the other side of the fence may have more laudable goals than these individuals, but to work against them, one necessarily needs to among them – some of the same traits that define hackers also define the good guys.

Take, for example, Hugo Teso, a security researcher for the German IT consultancy N.Runs. He has spent the last three years painstakingly and tenaciously taking apart and reverse engineering flight navigation software that receives ACARS signals. Why? He’s been looking for flaws, security holes and software anomalies that can be exploited by similarly tenacious hackers and cybercriminals to recognize invalid and fake commands.

These commands can be sent through a hacked airline system, but the scary alternative is that they can also be sent through an on-board, software-defined radio that can be tuned to use ACARS if one happens to know ACARS inside and out.

What exactly is ACARS? It’s an acronym for Aircraft Communications Addressing and Reporting System – which is a fairly old suite of protocols used for the transmission of short, relatively simple messages between aircraft and ground stations via radio or satellite. ACARS was originally deployed in 1978. When it was designed the world was a different place, and what Teso has discovered – perhaps to no one’s surprise – is that the system has absolutely no security built into it. None whatsoever.

No one worried about such security issues back then, and apparently nobody has thought about them since 1978 either.

What this means is that an airplane actually has no means of knowing, among the many legitimate messages it receives via the system, if any of them are actually valid…or not. ACARS even lacks basic authentication features so that it cannot distinguish between real or otherwise fake commands.

About that Flight Management System…

The implications of this are potentially enormous. It means that a rogue set of commands could – aside from causing general mayhem of the safe but scary sort (airbags deploying, crazy things happening to video systems, etc. - also conceivably tie into an airplane’s flight management system (FMS).

The former might prove scary but harmless; the latter might prove deadly.

At the recently held “Hack in the Box” security conference that took place in Amsterdam, Teso divulged both his general findings – as we’ve noted above, and a demonstration that he could hack into an FMS simply using his Android smartphone! Of course the demo was a staged event involving software running on a PC and a virtual airplane environment, but this should not be cause for comfort. It should be cause for enormous discomfort.

Companies such as Thales, Honeywell and Rockwell Collins, among others, make FMS systems. As much as we inherently trust that such systems will be secure, how can we really know? The fact that Chinese hackers – and not even elite Chinese hackers – can easily break into U.S. networks at all levels of business and government needs to give us serious pause. We ourselves have never seriously doubted, for example, government, utility or big business abilities to prevent intrusions at the deepest layers of either hardware or software infrastructure – but this is clearly not the case.

Nor can we really believe real-world FMS platforms are secure and safe from cyber attacks – no matter how much the manufacturers assure us this is the case.

There is no need to break down the pilots’ door. There is no need to threaten passengers. Simply take out your Android device and send out the appropriate signals. Is it a stretch to picture, say, 30 cyber terrorists on board 30 planes, each of them having easily moved through TSA security, pulling out their Android smartphones and coordinating a doomsday plane attack? As the TSA considers allowing passengers to take pen knives on board, will we need to begin dropping our smartphones off at the boarding gate? Now that thought is indeed a scary one.

Fortunately, Teso has not been of a mind to reveal what he has actually learned about the vulnerabilities he has uncovered. Rather, true to his good guy persona, he’s taken his findings to the Federal Aviation Administration and its European equivalent, the European Aviation Safety Administration.

We hope they take the potential threats seriously.