Cyber Criminals, Smartphones and the Plane You Might be On


With cyber terrorism, hacking, “breaking in digitally” and whatever other names we give these activities, there is one thing underlying all of them. It takes a certain kind of smarts – an almost idiot savant kind of smarts – to become a truly outstanding hacker. And it requires an enormous amount of tenacity and stick-to-itiveness. Those of us on the other side of the fence may have more laudable goals than these individuals, but to work against them, one necessarily needs to be among them – some of the same traits that define hackers also define the good guys.

Take, for example, Hugo Teso, a security researcher for the German IT consultancy N.Runs. He has spent the last three years painstakingly and tenaciously taking apart and reverse engineering flight navigation software that receives ACARS signals. Why? He’s been looking for flaws, security holes and software anomalies that similarly tenacious hackers and cybercriminals could exploit to get the software to accept invalid and fake commands.

These commands can be sent through a hacked airline system, but the scary alternative is that they can also be sent through an on-board, software-defined radio that can be tuned to use ACARS if one happens to know ACARS inside and out.

What exactly is ACARS? It’s an acronym for Aircraft Communications Addressing and Reporting System, a fairly old suite of protocols used for the transmission of short, relatively simple messages between aircraft and ground stations via radio or satellite. ACARS was originally deployed in 1978. When it was designed, the world was a different place, and what Teso has discovered – perhaps to no one’s surprise – is that the system has absolutely no security built into it. None whatsoever.

No one worried about such security issues back then, and apparently nobody has thought about them since 1978 either.

What this means is that an airplane has no means of knowing whether any of the many messages it receives via the system are actually valid…or not. ACARS lacks even basic authentication features, so it cannot distinguish between real and fake commands.

About that Flight Management System…

The implications of this are potentially enormous. It means that a rogue set of commands could – aside from causing general mayhem of the safe but scary sort (airbags deploying, crazy things happening to video systems, etc.) – also conceivably tie into an airplane’s flight management system (FMS).

The former might prove scary but harmless; the latter might prove deadly.

At the recently held “Hack in the Box” security conference in Amsterdam, Teso divulged both his general findings, as we’ve noted above, and a demonstration that he could hack into an FMS simply using his Android smartphone! Of course the demo was a staged event involving software running on a PC and a virtual airplane environment, but this should not be cause for comfort. It should be cause for enormous discomfort.

Companies such as Thales, Honeywell and Rockwell Collins, among others, make flight management systems. As much as we inherently trust that such systems will be secure, how can we really know? The fact that Chinese hackers – and not even elite Chinese hackers – can easily break into U.S. networks at all levels of business and government needs to give us serious pause. We ourselves have never seriously doubted, for example, the ability of government, utilities or big business to prevent intrusions at the deepest layers of either hardware or software infrastructure – but that ability is clearly not there.

Nor can we really believe real-world FMS platforms are secure and safe from cyber attacks – no matter how much the manufacturers assure us this is the case.

There is no need to break down the pilots’ door. There is no need to threaten passengers. Simply take out your Android device and send out the appropriate signals. Is it a stretch to picture, say, 30 cyber terrorists on board 30 planes, each of them having easily moved through TSA security, pulling out their Android smartphones and coordinating a doomsday plane attack? As the TSA considers allowing passengers to take pen knives on board, will we need to begin dropping our smartphones off at the boarding gate? Now that thought is indeed a scary one.

Fortunately, Teso has not been of a mind to reveal what he has actually learned about the vulnerabilities he has uncovered. Rather, true to his good guy persona, he’s taken his findings to the Federal Aviation Administration and its European equivalent, the European Aviation Safety Administration.

We hope they take the potential threats seriously.

Edited by Braden Becker

TechZone360 Senior Editor
