An extremely well attended talk by Hugo Teso, a security consultant at n.runs AG in Germany, about the completely realistic scenario of plane hijacking via a simple Android app has galvanized the crowd attending the Hack In The Box Conference in Amsterdam today.

Teso, who has been working in IT for the last eleven years and has been a trained commercial pilot for a year longer than that, has combined his two interests in order to bring to light the sorry state of security of aviation computer systems and communication protocols.

By taking advantage of two new technologies for the discovery, information gathering and exploitation phases of the attack, and by creating an exploit framework (SIMON) and an Android app (PlaneSploit) that delivers attack messages to the airplanes’ Flight Management Systems (computer unit + control display unit), he demonstrated the terrifying ability to take complete control of aircraft by making virtual planes “dance to his tune.”

One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast (ADS-B), which sends information about each aircraft (identification, current position, altitude, and so on) through an on-board transmitter to air traffic controllers, and allows aircraft equipped with the technology to receive flight, traffic and weather information about other aircraft currently in the air in their vicinity.

The other one is the Aircraft Communications Addressing and Reporting System (ACARS), which is used to exchange messages between aircraft and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter.

Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the “behavior” of the plane.

Based on his own research, Teso developed the SIMON framework that is deliberately made only to work in a virtual environment and cannot be used on real-life aircraft. His testing laboratory consists of a series of software and hardware products, but the connection and communication methods, as well as ways of exploitation, are absolutely the same as they would be in an actual real-world scenario.

Since it’s nearly impossible to detect the framework once deployed on the Flight Management System, there is no need to disguise it like a rootkit. By using SIMON, the attacker can upload a specific payload to the remote FMS, upload flight plans, detailed commands or even custom plugins that could be developed for the framework.

To make things even more interesting – or easier – Teso showcased an Android application that uses SIMON’s powers to remotely control airplanes on the move. The application, fittingly named PlaneSploit, sports a clean and simple interface, but is packed full of features. This is a remarkable example of technology evolution – ten years ago we barely had phones with a color screen, today we can use them to hack aircraft.

PlaneSploit uses the Flightradar24 live flight tracker and you can tap on any airplane found in range. When talking about the range, please keep in mind that we are talking about a proof-of-concept application used in a virtual environment. In real life, the range would be limited depending on the antennas used (if going directly for the plane), or global (if misusing one of the two big ACARS players such as SITA or ARINC).

The user interface is divided by its main functions, which are self-explanatory: discovery, information gathering, exploitation and post exploitation. The attacker can click on any active airplane and receives its identification, current location and final destination. In case a nearby airplane system is exploitable (a number of vulnerability vectors were mentioned, but not many details were provided), the application alerts the user via an in-application alert or a push message. The payload can be uploaded with a tap of a button and from that point on, the flight management system is remotely controlled by an attacker. There are a number of other systems connected to the FMS, so further exploitation is possible.

Here are some of the functions Teso showed to the HITBSecConf Amsterdam audience:

Please go here: A way of interacting with the plane where the user can dynamically tap locations on the map and change the plane’s course.

Define area: Set detailed filters related to the airplane, for example activate something when a plane is in the area of X kilometers or when it starts flying on a predefined altitude.

Visit ground: Crash the airplane.

Kiss off: Remove itself from the system.

Be punckish: A theatric way of alerting the pilots that something is seriously wrong – lights start flashing and alarms start buzzing.

While showing a sample scenario of a drunk pilot flying over Berlin, Teso mentioned that the Android application also makes use of the accelerometer, so a remote attacker can translate the motion of the smartphone into physical changes in the plane’s movement.

It’s amazing to discover that aviation – an industry where safety is of vital importance and every physical element has one or even two fail-safe mechanisms – is failing to secure the onboard computer, the heart and brain of the plane.

Teso has not shared too many details about the tools he used to effect the attack, as the vulnerabilities have yet to be fixed. He says that he was pleasantly surprised by the reaction of the industry to his research and discoveries, as the companies didn’t try to deny the existence of the problems and have vowed to aid him in his research.

He says that older, legacy systems harking back to the 1970s will be difficult, if not impossible, to fix, but that modern ones will easily be updated with patched and modified firmware and software.

The vulnerabilities, of course, differ from system to system and from plane to plane, but it’s easy to discover just which ones are present once the attacker identifies the type, model of the plane, and the airline for which it flies.

There is a way for pilots to regain control of the plane and land it safely, he says. Attacks of this kind work only when the auto-pilot is on, so the trick is to switch it off, then fly the plane by using analog instruments.

The bad news is that there aren’t that many analog instruments on modern planes, and that the pilots have to detect that the plane’s computer is being hacked in order to effect these maneuvers, which is no easy feat.

Update: Monday, 15 April 2013 – FAA and EASA say hijacking planes using an app is not possible.

Co-authored by Zeljka Zorz.