Cyber Criminals, Smartphones and the Plane You Might be On

By

With cyber terrorism, hacking, “breaking in digitally” and all the many other things we can add to these or other names we can refer to them by – there is one underlying thing to all of them. It takes a certain kind of smarts – an almost idiot savant kind of smarts – to become a truly outstanding hacker. And it requires an enormous amount of tenacity and stick-to-itiveness. Those of us on the other side of the fence may have more laudable goals than these individuals, but to work against them, one necessarily needs to among them – some of the same traits that define hackers also define the good guys.

Take, for example, Hugo Teso, a security researcher for the German IT consultancy N.Runs. He has spent the last three years painstakingly and tenaciously taking apart and reverse engineering flight navigation software that receives ACARS signals. Why? He’s been looking for flaws, security holes and software anomalies that can be exploited by similarly tenacious hackers and cybercriminals to recognize invalid and fake commands.

These commands can be sent through a hacked airline system, but the scary alternative is that they can also be sent through an on-board, software-defined radio that can be tuned to use ACARS if one happens to know ACARS inside and out.

What exactly is ACARS? It’s an acronym for Aircraft Communications Addressing and Reporting System – which is a fairly old suite of protocols used for the transmission of short, relatively simple messages between aircraft and ground stations via radio or satellite. ACARS was originally deployed in 1978. When it was designed the world was a different place, and what Teso has discovered – perhaps to no one’s surprise – is that the system has absolutely no security built into it. None whatsoever.

No one worried about such security issues back then, and apparently nobody has thought about them since 1978 either.

What this means is that an airplane actually has no means of knowing, among the many legitimate messages it receives via the system, if any of them are actually valid…or not. ACARS even lacks basic authentication features so that it cannot distinguish between real or otherwise fake commands.

About that Flight Management System…

The implications of this are potentially enormous. It means that a rogue set of commands could – aside from causing general mayhem of the safe but scary sort (airbags deploying, crazy things happening to video systems, etc. - also conceivably tie into an airplane’s flight management system (FMS).

The former might prove scary but harmless; the latter might prove deadly.

At the recently held “Hack in the Box” security conference that took place in Amsterdam, Teso divulged both his general findings – as we’ve noted above, and a demonstration that he could hack into an FMS simply using his Android smartphone! Of course the demo was a staged event involving software running on a PC and a virtual airplane environment, but this should not be cause for comfort. It should be cause for enormous discomfort.

Companies such as Thales, Honeywell and Rockwell Collins, among others, make FMS systems. As much as we inherently trust that such systems will be secure, how can we really know? The fact that Chinese hackers – and not even elite Chinese hackers – can easily break into U.S. networks at all levels of business and government needs to give us serious pause. We ourselves have never seriously doubted, for example, government, utility or big business abilities to prevent intrusions at the deepest layers of either hardware or software infrastructure – but this is clearly not the case.

Nor can we really believe real-world FMS platforms are secure and safe from cyber attacks – no matter how much the manufacturers assure us this is the case.

There is no need to break down the pilots’ door. There is no need to threaten passengers. Simply take out your Android device and send out the appropriate signals. Is it a stretch to picture, say, 30 cyber terrorists on board 30 planes, each of them having easily moved through TSA security, pulling out their Android smartphones and coordinating a doomsday plane attack? As the TSA considers allowing passengers to take pen knives on board, will we need to begin dropping our smartphones off at the boarding gate? Now that thought is indeed a scary one.

Fortunately, Teso has not been of a mind to reveal what he has actually learned about the vulnerabilities he has uncovered. Rather, true to his good guy persona, he’s taken his findings to the Federal Aviation Administration and its European equivalent, the European Aviation Safety Administration.

We hope they take the potential threats seriously.




Edited by Braden Becker
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

TechZone360 Senior Editor

SHARE THIS ARTICLE
Related Articles

Choosing the right dedicated server: A crucial guide for website hosting

By: Contributing Writer    9/5/2024

Deciding how to host your website can be daunting, especially when considering a dedicated server. This type of hosting solution offers many benefits,…

Read More

How Web Application Firewalls Protect Against Common Threats

By: Contributing Writer    8/29/2024

Despite organizations' best efforts, cyberthreats are more prevalent than ever. The most common threats are becoming more dangerous for your data and …

Read More

Paying Attention to the User Experience: Nureva's New App Simplifies Workspace Audio Management

By: Alex Passett    8/27/2024

After launching its Nureva App in beta earlier this summer, Nureva has announced that this companion app is now fully available to HDL310 and HDL410 a…

Read More

Emerging AI Trends Set to Revolutionize Crypto Trading

By: Contributing Writer    8/26/2024

Anyone who wants to achieve success in crypto trading is well-aware that they need to keep up with the trends. The digital currency market moves fast …

Read More

The technology behind online video poker: welcome to the future

By: Contributing Writer    8/12/2024

Long gone are the days when the most we could do with our cell phones was call and play Snake (If you were born before 2000, you probably remember thi…

Read More