“The Hack in the Box security conference in Amsterdam has a very interesting lineup of talks,” Darlene Storm reports for Computerworld. “One that jumped out was the Aircraft Hacking: Practical Aero Series presented by Hugo Teso, a security consultant at n.runs in Germany.”
Strom reports, “According to the abstract, ‘This presentation will be a practical demonstration on how to remotely attack and take full control of an aircraft, exposing some of the results of my three years research on the aviation security field. The attack performed will follow the classical methodology, divided in discovery, information gathering, exploitation and post-exploitation phases. The complete attack will be accomplished remotely, without needing physical access to the target aircraft at any time, and a testing laboratory will be used to attack virtual airplanes systems.'”
“Once he was into the airplane’s computer, he was able to manipulate the steering of a Boeing jet while the aircraft was in ‘autopilot’ mode. The only countermeasure available to pilots, if they even realized they were being hacked, would be to turn off autopilot. Yet many planes no longer have old analog instruments for manual flying. Teso said he could take control of most all airplane systems; he could even cause the plane to crash by setting it on a collision course with another plane. He could also give the passengers a serious adrenaline rush by making the oxygen masks drop down,” Strom reports. “Teso used his Samsung Galaxy and a specially crafted app called PlaneSploit to demonstrate how to hack an airplane’s computer. Crime Site also showed a quick clip of the hack. And no, PlaneSploit is not going to be available to the masses to hijack planes with their Android devices.”
Read more in the full article here.
[Thanks to MacDailyNews Readers “Fred Mertz” and “Lynn Weiler” for the heads up.]
MacDailyNews Take: No Fragmandroid Apple knockoff devices allowed past airport security checkpoints in 3… 2…
😉
from someone who travels a LOT by plane, this is utterly terrifying!
The news reports will say all smartphones not Android phones.
Time for a “rendition.”
Eff that. Pay this guy a huge amount of money and get him to help fix the airplane cpmputers. This is seriously worrying and needs to be sorted asap.
The bigger question is why the airplane computers are able to be accessed wirelessly.
I’m wondering if they’re accessible wirelessly so the airline companies can take over remotely?
um, because they are powered by Microsoft?
An example of a genuine threat to aviation security while TSA is busy putting their hands down your pants. Nice work, pervs.
YOUR American Gestapo at work:
Gestapo? Disappearances, death camps, poison gas, and torture? Is that what the TSA’s involved in? Whoa, I had no idea.
you’re right, you have no idea.
Botvinnik is a sensationalist. Casually tossing around incendiary terms like “Gestapo” undermines any merits that his posts may contain.
Melvin, are you familiar with The Fourth Amendment (Amendment IV) to the United States Constitution, the part of the Bill of Rights which guards against unreasonable searches and seizures, along with requiring any warrant to be judicially sanctioned and supported by probable cause?
…perhaps being illegally groped by the TSA is the highlight of your social life.
For a lot of folks, that is the ONLY way they are going to get gropped…
I am deeply concerned about our nation and where it is headed. Based on my concerns, some would call me a “gun nut”, a conspiracy theorist, a radical Liberal, a radical Conservative, or maybe just a nut. What I truly am is a radical Constitutionalist, and I’m afraid we could be in the process of losing this nation, its freedoms, and its future.
First let us examine in a holistic way what is going on in this nation at the moment. We have been carrying on a war on terrorism for over 10 years now at a cost of $80B per year. That war effort has resulted in the creation of the DHS and TSA, the Patriot Act, the NDAA, and the recent purchase of enough ammunition by DHS to shoot every person in America 5 times. We now have warrantless searches and interception of American citizen’s private communications, and secretly approved searches and interception of private communications of American citizen’s. The President has been granted the power to assassinate American citizens overseas on his own authorization, while the same aerial drones used in those assassinations overseas have been authorized for “reconnaissance” purposes within the United States. Bid specifications for drones to be used within the United States include a requirement for “weapons delivery capability”. DHS, in addition to billions of rounds of ammunition, has ordered thousands of “personal protection” weapons, better known when in civilian hands not as “personal protection” weapons, but as “assault” weapons, while at the same time the most powerful attempts in history are being made to disarm the populace, and militarize the domestic police forces.
It seems very strange to me that the very same people who worry that their personal safety is threatened by their next door neighbor owning guns are seemingly unconcerned about these much greater dangers.
Each and every safeguard afforded us by the Bill of Rights is being quickly limited, eroded, and negated:
The 1st Amendment is being limited through efforts at criminalizing “terrorist” and “hate” speech. The 2nd Amendment is being dismantled through the banning of certain weapons and accessory types from civilian possession. In both cases the same tactic is used, a special class of speech or weapon is carved out and then sliced off.
The NDAA and the Patriot Act negate the protections in the 4th , 5th, 6th, and 7th Amendments, allowing such clear violations of the Constitution as indefinite detainment without charges, warrantless searches, secret warrants and indictments, denial of a fair and speedy trial by jury, and the right to confront accusers and refute evidence.
The federal government continues to use the commerce clause disingenuously to bypass the 10th amendment and usurp powers reserved by the Constitution for the individual states.
Those of us who look around and make note of all of these things recognize that all of the tools are rapidly falling into place that would enable a despotic administration to declare a national emergency and effectively suspend the Constitution, and with it our rights as citizens indefinitely. But if we voice our fears along these lines we are then declared to be speaking from the lunatic fringe. We are marginalized, discredited, and ridiculed by people who ought to know better, but have a pathological need to believe that all is well and that there is nothing to fear. They would have us believe that the world is a benign place, where none of these protections would ever be needed anyway. Their need to do so arises from a deep, unarticulated fear that if they admit to the possibility that these protections are necessary, they might have to actually think about possible unpleasant outcomes, and the possibility that they might have to stand up and defend these rights. They prefer to irrationally believe that America is different, and will continue to be different from all the other great empires, which have eventually fallen into ruin and despotism. They prefer not to contemplate the depth of evil to which powerful politicians, bureaucrats, and military officers are prone to sink without strong prohibitions concerning the exercise of raw power.
I am afraid for this nation. You can call me paranoid if it makes you feel better. But it doesn’t negate the facts. Look around you. Wake up!
Excellent. Zeke is payin’ attention..however, reality is pretty much wasted on most of the touchy-feely dunderheads who post here.
Yep. TL;DR
eh, your time isn’t that valuable. Zeke pretty much nails it and his thoughtful post is certainly appreciated by me.
Thank you George w. Bush, but then what should we expect from te grandson of war profiteer who gave aid to the actual nazi’s?
My thoughts exactly. How many of you voted GWB into power and then voted for him again?
fortunately, Canadians are not allowed to vote in American elections…so STFU and stay out of our business.
We all suffer for the mistakes of the US. On his first election, GWB opted to travel outside of the US for the second time in his life to visit Mexico (“The United States ‘biggest’ trading partner”) without even knowing that the US trade with Canada far exceeds that of Mexico.
GWB lead the US into becoming a further bully in the world with an attack on Iraq for “Weapons of mass destruction” which never were there.
what part of SHUT.THE.FUCK.UP.and.stay.out.of.our.business do you not understand?
Sorry, I didn’t realize that I hit a sore point that you personally voted for George W. Bush TWO TIMES. Maybe if you get some rest you can type out something meaningful with your index fingers.
wrong again, foreigner.
3l3c7ro is Canadian. Embarrassing, isn’t it.
@botvinnik What’s disappointing is your behavior and choice of words towards someone you don’t know irregardless of which country they come from.
Signed,
~ A proud Canadian
irregardless isn’t word, even in Canada.
Sometimes “foreigners” have a better perspective on U.S. actions than do U.S. citizens. It does no harm to give them fair consideration, at any rate. Besides, all our ancestors were “foreigners” to North America at some point. Even the Native Americans migrated from Asia, if the history that I was taught is still valid.
If I am forced to listen to the drivel of citizen botvinnik, then I don’t see why inputs from anyone else should be suppressed on this forum.
oh hush Melvin, grown folks are talkin’.
No doubt about it.
Iraq had weapons off mass destruction, they had already used chemical weapons on their own people, their troops had large amounts of biohazard suits when we went in there. They were actively pursuing nuclear which Iran is close to now.
You can argue whether we should have dealt with the issue differently and make a decent case but to claim they did not have them is pure lunacy, and I frankly don’t understand that line of reasoning.
You talk about it like it was a technicality.
How do you rationalize the hundreds of thousand of lives that were lost over…a technicality???
Maybe if you realized that one if your dear family could have been amongst the victims you might realize that this is not a mere partisan point.
If you believe Iraq had WMDs, you are living in a different reality.
He chose to go to Mexico because he speaks Spanish. They speak English in Canada and he didn’t want to seem like a foreigner.
That gave me my day’s chuckle. Thanks.
Sometimes I get lucky and my attempts at humor make sense.
(botvinnik displays the attitude that every arrogant empire displayed on the verge of its rapid downfall).
fuck you.
@botvinnik
“wrong again, foreigner.”
Unless your name is “Flies with Eagles” or something similar, you are a foreigner. A couple of generations doesn’t change that. Thus making your poisonous bigotry not only ugly but irrationally stupid.
“stay.out.of.our.business do you not understand?”
That’s laughable! The US is in the whole world’s business, whether invited or not. Which gives the whole world the right to be concerned about “your business”.
and fuck you too.
#1) Ironic, considering many states in the US actually try to prevent Americans voting in American elections by creating obstructions to voter registration, introducing voter ID laws, playing around with voting locations, etc.
#2) There are around 1000 US bases abroad in dozens of countries; maybe – before asking other people to STFU and stay out of US business – you should ensure your own country follows that piece of advice. Think of the money you’ll save.
and fuck you three.
Y’ gotta wonder about someone who posts like this.
What’s his purpose?
– To persuade us to his viewpoint? Obviously not.
– To engage in some kind of positive and interesting dialog? Obviously not.
– To think about the ideas of others? Maybe even to learn something, occasionally? Obviously not.
Why would someone bother saying anything at all to a bunch of people who he regards as morons? I have no idea. That, alone, is bizarre. (But it must be wonderful to so vehemently KNOW you have the 100% correct view on EVERYTHING.)
It really is quite an interesting pathology.
Nice work, pervs.
YOUR American Gestapo at work:
you have no idea.
STFU and stay out of our business.
what part of SHUT.THE.FUCK.UP.and.stay.out.of.our.business do you not understand?
wrong again, foreigner.
fuck you.
and fuck you too.
and fuck you three.
can you not perform basic mathematics?
you misspelled immigrant
you are an idiot,
you are also a blatant liar
fuck you x infinity +1, jackass.
Botvinnik, you really are a vile little prick, aren’t you.
And neither are us Brits, but that didn’t stop our armed forces being dragged into an illegal war by your dimwit President, resulting in a great many needless deaths and mutilations of our servicemen and women, and even more among civilian non-combatants.
But I guess you’re ok with that…
Tony did seem to have quite the man crush on W, it apparently clouded his judgement.
Don’t worry Rorschach, we bailed your Limey asses outta WWI and WWII, and we probably will in WWIII, but I guess “you’re ok with that” you goddamned spoiled ingrate.
Just over 50%.
Very disturbing to see a total lack of personal and professional discretion.
we need to take a lesson from European and Israeli airport security proceedure and practice, which is implemented with courtesy discretion, intelligence and unobtrusive professionalism by professionally trained and qualified personel.
Why doesn’t intelligent professional security discretion require like and kind peronel in the US? Probably because the bottom line here is money and TSA buffons get paid minimum wage or close…you don’t buy intelligent pros for minimum wage.
It doesn’t help that airlines are getting hammered by oil prices…they’re cutting corners wherever they can.
Ridiculous. Fuel prices are a known variable in the aircraft business, but its not like the costs have suddenly spiked in the past couple of months. And the airlines have more than made up for it by increasing other fees, like baggage fees (which has reduced the number and weight of bags, thus saving fuel), charging for drinks and food, and adding fees for window or aisle seats, etc. etc.
Must be a different “minimum wage” for TSA pervs..
Transportation Security Officer – Hourly Average: $14.74/hr
Transportation Security Officer – Average Salary: $34,952
General Manager – Average Salary: $106,626
source: http://www.glassdoor.com/Salary/TSA-Salaries-E41347.htm
Yeah, but they have to put up with the task of putting their hands down your pants. That surely requires some kind of premium.
In the United States, workers are generally entitled to be paid no less than the statutory minimum wage. The federal government mandates a nationwide minimum wage level of $7.25 per hour.
And republikkans refuse to raise it.
Point is that professional trained and qualified security personel need appropriate qualification that cannot be expected for any minimum wage ( or there abouts) salary.
bah, it isn’t about money and you know it.
Y’all need to switch to decaf. No need for Apple fans to be hating on each other. Life is too short to be angry at another person over their point of view or opinion.
can you not perform basic mathematics? The federally mandated minimum salary is $7.25/hr…the average hourly wage of a TSA screener is $14.74/hr…come on, Breeze, crunch those big ol’ numbers for me, I know you can do it.
What about : “Point is that professional trained and qualified security personel need appropriate qualification that cannot be expected for any minimum wage ( or there abouts) salary.” Don’t you comprehend?
Professional security agents cost real money.
you are an idiot, this is the last time I will respond to you regarding this:
What It Takes to be a Transportation Security Officer
Once hired, officers:
– Participate in more than 120 hours of classroom and on-the-job training before they ever screen a person or a bag;
– Undergo a series of tests before receiving a work assignment;
– Complete even more training if they are going to screen both passengers and baggage (More than half of our officers do this); and
– Complete an annual certification process that includes more written tests, image interpretation tests, and a third party evaluation.
Just like Apple’s there are high standards and a high bar to aspire to, which is what separates the men from the boys…
Samsung also claims to have innovation and high professional standards and quality…but we all know that is a joke and couldn’t be further from the truth.
When you have double standards and different measuring sticks, you have a market that compromises quality and caters to a dumbed down ignorant demographic. Sometimes it even gets away with the farce.
PS: Have a little russian vodka while your’e having your little temper tantrum mr imigrant.
you misspelled immigrant.
In this case, deliberately ….but the shoe fits.
not only can you not perform basic math skills, you have no grasp of English spelling fundamentals..”In this case, deliberately …” you are also a blatant liar.
Stupid argument. Raising the minimum wage results in the costs of goods, services and food increasing. So any increase is offset by inflation.
You know, it’s not even noon yet. You should try to cut back a little.
oh, it IS noon, no wonder you’re finally outta bed.
Thought I’d log in just to say, “fuck you too!” to botvinnik.
Your conservative troll shtick has no place on a computer blog. As an American, I am embarrassed by your behavior. As a human being, I can only say your continued vitriol and ad hominem attacks completely undermine any logical argument you try to make.
oooh! oooh! you’re embarrassed! call 1-800-GIV-ASHT. I am not a “conservative” you jackass, there is absolutely no difference between the policies of Obama Messiah and Dubya Dumbass…none.
Keep in mind this kind of exploit might also be possible with a jailbroken iPhone.
Or he could just be making the whole thing up to get attention.
This is my initial reaction.
Yes, both cell phones and aircraft have signals in the UHF and L-bands. However, the bandwidths, modulations, interleaving, and forward error correction codes for those signals are completely different from each other. AND for cell phones all those aspects of the signals are hardwired into the communications chips in them.
Changing the cell phone to be 100% interoperable with the wireless communications of commercial aircraft would, at the very least, require a completely programmable comms chip in the cell phone or a complete replacement of the comms chip in the cell phone with one that is 100% compatible with at least one RF waveform of the aircraft. (Currently no such chips exist that can fit within a cell phone.)
AND this guy claims he did it with a “app” on the Android phone — strongly implying absolutely no physical changes to the cell phone.
However, here is ONE option:
Many commercial aircraft today have WiFi on them. IF (an extremely huge IF) the implementers of that WiFi system tied it into the network of computers on the aircraft itself (an unbelievably stupid thing to do) then it *might* be possible to use the on-board WiFi system to hack into the aircraft’s systems. While systems designers and implementers often do pretty stupid things, I find it difficult to believe that the implementers of the WiFi systems went through the added expense to integrate it into the on-board computer systems or that the aircraft owners would either pay for that additional integration or accept the risk of an access point opening up.
Well stated and thought out. I can’t imagine any aircraft manufacturer tying the entertainment systems into the control systems. It just isn’t done.
I sure hope that you are right.
I can see where remote wireless access to the aircraft would be beneficial – many reasons- maintenance data forwarding, remote control in emergencies. But you’d think encryption and passwords would be involved. I’m not sure this story is true. Sounds like a late April fool’s prank
Not to understate the possibility of an attack, but there are usually two pilots on board and part of their job is to monitor the “health” of the system. If the pilots encounter what could be construed as aberrant behaviour, they will cut system functions until they regain control. They would also contact the nearest air traffic controller and report on the situation. I don’t think it would take too long to suss out the signature of the hackers and triangulate on their position. They might get away with it for a couple of times but God help them when they get caught.
But, despite my faith in pilots, they are only human and my observations of most meatware systems is that they are generally only predictable in the aggregate – most people will do the expected. But as individuals, all bets are off. If one of these attacks does take place in real time, the press should have a field day with it.
Err
“No Fragmandroid Apple knockoff devices allowed past airport security checkpoints in 3… 2 ”
What part of remote don’t you get? Th problem isn’t the phone but the aircraft systems if this story is to be believed. I suspect it might be like the water bomb BS that the insecurity folks like to tout to their Republican buddies.
I can see this setting back the whole Phones on an aircraft thing.
This article is pure fantasy. You can’t just hook up to an airplanes computer wirelessly, they use dedicated network lines for fly by wire (A664, A429, Ect..). The airplane has several computers with multiple processesors performing the same calculations and comparing results in lock step as a safety measure. If by a miracle someone faked a signal or gave instructions to a plane it would cause a fault and the autopilot would shut off automaticly. This guy is a liar!
…But it’s on the Internet. They can’t put anything on the Internet that isn’t true.
Bon jour…
Another Onion article making it into so called legitimate news. Someone did not understand that it is April 11 not April 1. I say shenanigans!
…
The article makes the outrageous claim: “Yet many planes no longer have old analog instruments for manual flying.”
This is completely untrue, as a simple look at EASA or FAA regulations will show, not to mention the schematics of any commercial airplane ever built.
Furthermore, the idea that there is no electronic security on airplanes or in airports is absurd. ARINC technology is not consumer-grade. The idea that a hacker could infiltrate a system is not outlandish. The idea that he could do it and not be detected immediately by the multiple layers of data checking is far-fetched.
Anyone who has any familiarity with aviation knows that architecturally and procedurally, airplanes are monitored not only with automated systems but also by real humans — always at least two on the flight deck and, for commercial aviation, several more people on the ground in controlled airspace.
In almost all cases, erroneous operation/navigation/behavior of any kind [e.g., “Flight 123, this is YYZ Air Traffic Control. Why are you not maintaining your altitude?] will prompt the operator to take manual control, which typically means using a completely independent secondary or tertiary set of resources, often isolated and completely different in architecture so that common mode failures are not possible.
Increased airplane automation has not removed ATC, flight crew, and manufacturers from practicing and continuing to use safe procedures and constant communication by professional trained staff. And that is why commercial airliners aren’t being hacked, and they remain amongst the safest means of travel.
There is no Traffic Control over the Atlantic, Pacific, Arctic, Indian and any other Ocean you can think of.
correct — in non-controlled airspace, it is typically the airline (or contractor thereof) that monitors airplane position, health, and so forth to feed its schedule and maintenance systems.
MDN — Please exercise at lease SOME minimalist level of monitoring of your site. I’m not suggested an onerous task. It would be only for the most vitriolic and valueless posters, whose large of amount of harshly negative drivel makes them easily stand out. Such as ON THIS ONE PAGE, we have from botvinnik…
Nice work, pervs.
YOUR American Gestapo at work:
you have no idea.
STFU and stay out of our business.
what part of SHUT.THE.FUCK.UP.and.stay.out.of.our.business do you not understand?
wrong again, foreigner.
fuck you.
and fuck you too.
and fuck you three.
fuck you x infinity +1, jackass.
can you not perform basic mathematics?
you misspelled immigrant
you are an idiot,
you are also a blatant liar
and more.
get the fuck out, you’re a goddamned tattle-tell little girl.
Ouch! That razor-sharp thinking! A incredible wit that Mark Twain would be jealous of.
Don’t part with your illusions. When they are gone you may still exist, but you have ceased to live.
When you make a semi-coherent comment like that, without saying “fuck”, you seem like merely an arrogant jerk — rather than what most of your comments portray… a poisonous, violent, arrogant jerk.
When angry count four; when very angry, swear…fuck you, jackass.
So much anger. So little ability to articulate anything.
You’re going to give yourself a heart attack by the time you’re 40. Which, no doubt, seems like a very long time from your current age of 14. But it really isn’t.
You just called Mark Twain inarticulate. Seamus, again, you are an idiot.
Seamus, in between your daily pablum of regurgitated CNN that drools all the way from your bib into this forum, you might consider obtaining a library card and actually reading a book. You are an amazingly stupid individual, even by 21st century “standards.”
You just called Mark Twain “an arrogant jerk.” Seamus, you are an idiot.
@botvijerk
All over the Internet, people are concerned about and fed up with poisonous negative jerks. I’m sure you know that. Well – it’s not some abstract “them” that they are all talking about. YOU are exactly the kind of person that most people don’t want online.
and YOU are exactly the kind of empty-headed jackass that is the subject of the following quote: “If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be.”
I second the motion!
botvinnik, you truly need to seek professional psychological help. Your vile behavior is not normal.
This article is complete and utter horseshit. What is it April 1st?
Lift your game MDN. I know I come here to laugh at the idiotic comments and paranoid “takes” but to see this posted as news makes me just shake my head.
Before blithely dismissing Teso as a crank, take a look at his slides. He may be a nut, may be wrong, but he may also be right. And he does appear to have done the footwork for his analysis. The demo will tell.
His work seems solid, but the article is pure sensationalism.
Even if he could inject bogus way points into the FMS, this needs to be verified and pushed to the AP after validation. Even then if he could get two planes on a collision course as soon as there is an TCAS resolution the autopilot is going to be switched off.
He’s gotten through just one layer of security of many present. This poses literally no danger to any commercial aircraft.
This software is unencrypted. ACARS & the like were written back in the 80s, before most people realized we all would be carrying the equivalent (in computing power) to IBM mainframes around in our pockets. And the connectivity! Not even a pipe dream then.
Basically, if you can get an Android phone to interface with a radio transmitter, you can hack an airliner & get it to do whatever … run into planes, the ground, other buildings …
I think that person you said “9/11” may have been on to something.
I did read the whole article and all the slides. I then sat in a meeting in an airline ops control office while the safety committee discussed all of this in detail with avionics engineers and senior pilots.
I stand by my statement. This poses no danger to anyone. Even if the autopilot could be mislead with false waypoints – which in itself is very difficult and requires a lot of luck in terms of hardware and software options – there are still independent systems like TCAS and GPWS that will alert the pilots to any danger. For this hack to work those systems would be inoperable (in itself would be an emergency situation and in violation of MELs) and both pilots would have to be either incompetent or incapacitated.
No airline in the world is altering their SOPs because of this.
http://www.informationweek.com/security/application-security/faa-dismisses-android-app-airplane-takeo/240152838?cid=RSSfeed_IWK_News