Hacker demonstrates how to hijack an airplane using an Android app

By on April 11, 2013, 11:00 AM

A security consultant by the name of Hugo Teso claims he has created an Android app called PlaneSploit that would allow him to remotely attack and hijack commercial aircraft. He recently presented his findings at the Hack in the Box security conference in Amsterdam where, among other things, he exposed the fact that a number of aviation and aircraft systems have no security in place.

>> See our follow-up to this story: FAA shoots down hijacking demonstration via Android app

Teso, a trained commercial pilot for 12 years, reiterated that the Automated Dependent Surveillance-Broadcast (ADS-B) is unencrypted and unauthenticated which can lead to passive attacks like eavesdropping or active attacks such as message jamming and injection. Furthermore, the Aircraft Communications Addressing and Reporting System (ACARS) – a service used to send text-based messages between aircraft and ground stations - also has no security.

With these vulnerabilities in mind, he used virtual planes in a lab to demonstrate his ability to hijack a plane rather than attempting to take over a real flight as that was “too dangerous and unethical.” He used ACARS to gain access to the plane’s onboard computer system and uploaded Flight Management System data.

Once in, he demonstrated how it was possible to manipulate the steering of a Boeing jet while it was in autopilot mode. The security consultant said he could cause a crash by setting the aircraft on a collision course with another jet or even give passengers a scare by dropping down the emergency oxygen masks without warning.

A pilot could thwart an attack by taking the plane out of autopilot although he pointed out that several newer systems no longer include manual controls. Some systems could be updated to patch the vulnerabilities but many legacy systems would be difficult, if not impossible, to update.




User Comments: 54

Got something to say? Post a comment
Ravik Ravik said:

Say bye-bye to using phones on planes.

Tygerstrike said:

And now I understand why they tell you to turn off your phone when flying!! I wont be flying anytime in the near future lol

Prosercunus said:

And now I understand why they tell you to turn off your phone when flying!! I wont be flying anytime in the near future lol

Actually they tell you to turn off your phones because of the potential for unproven interruption with older flight equipment. Although it is largely a joke as it has been shown that the very pilots themselves keep their Tablets and Smartphones on to read flight plans and passengers rarely actually shut their phones off.

2 people like this | Guest said:

I would use this to reroute my boss's plane to North Korea.

Guest said:

Newer systems no longer contain manual controls?

If that's referring to fly-by-wire instead of the older-style flight controls, that's still not something that could be taken over by someone with a computer or a phone. There's no way that someone outside the cockpit could actually take the control of flight away from two pilots sitting behind a yoke.

Guest said:

Consider it done.

Guest said:

Wow that's scary. I bet the folks at TSA are gonna want to either confiscate your phone or "Inspect it"

Guest said:

I saw that mister, don't think I don't monitor you. I think you can kiss your job goodbye.

Guest said:

". There's no way that someone outside the cockpit could actually take the control of flight away from two pilots sitting behind a yoke."

If the controls are fly by wire, the yokes simply provide electronic (position sense) inputs to a flight control system. If that system has been hacked and the inputs bypassed, the pilots could flail around all they wanted, their actions will simply not be recognized.

1 person liked this | Lurker101 said:

Terrorism! There's an app for that!

Captain Pat said:

Terrorism! There's an app for that!

FYI -- On Boeing aircraft, the pilots can take manual control away from the flight director. On Airbuses, the pilots are only ?voting members? and the three onboard computers comprise a ?majority? vote.

TFlorida TFlorida said:

And now I understand why they tell you to turn off your phone when flying!! I wont be flying anytime in the near future lol

Actually they tell you to turn off your phones because of the potential for unproven interruption with older flight equipment. Although it is largely a joke as it has been shown that the very pilots themselves keep their Tablets and Smartphones on to read flight plans and passengers rarely actually shut their phones off.

It's actually not a joke. My friend is a pilot with a large airlines and he told me that you can tell when people try using their phones when they aren't supposed to. In the cockpit they will hear buzzing noises in their headphones.

Guest said:

Ignorance of the average individual about airplanes and technology in general.

  • The reason you turn off your equipment in flight is because while one or two phones may not interfere with electronics, 100 or 200 on at the same time could. Don't do it.
  • Flight controls and engine management systems have overides and backups. Good (professional) pilots train to handle things when the equipment fails or malfunctions. It's why they are in the seat. A hacker might make the flight temporarily more interesting but nothing is going to "crash". It's why analog stuff is still there to backup all the displays and pretty colors.
  • Don't these "app developers" have anything better to do - like tagging water tanks in east Texas?
AlmostThere AlmostThere said:

As much as I love tech.... Was anyone else bothered by the line that said, "A pilot could thwart an attack by taking the plane out of autopilot although he pointed out that several newer systems no longer include manual controls." Seriously, no manual controls. errr......

Guest said:

Actually, it is the volume of users on mobile and wireless devices that can cause interference. Singular use such as pilots have no effect. It is on the newer aircraft such as the Airbus later models that are more effected than the older Boeing versions. Airbus uses all radio signal controls for flaps, thrust, etc.. while Boeing uses all hydraulic and hardwire configurations on their older models. Only the wireless planes would have any issues. Boeing today, uses radio wireless formats on their planes, but backs up with hydraulics and hardwire as well.

Twenty five pilots on a tarmac will have no effect. Two thousand folks streaming and using wireless however will have an impact.

Guest said:

Hey, unjustified or not, if it gets people to STFU for the time I'm on a plane, fine by me. Now if only we could find a similar way to shut babies up....

Young0716 Young0716 said:

I would use this to reroute my boss's plane to North Korea.

That is awesome idea haha

Guest said:

The entire point of security conferences is to expose security flaws publicly and allow the companies a chance to close them. The alternative is that they find out about a flaw after it is exploited by a criminal or another person with bad intentions (or they ignore it until it becomes a problem).

Publicly announcing a problem like this forces organizations to admit that they have problems and repair them before there is an actual tragedy.

Munch Munch said:

Hmm, seems like kind of big deal. Why isn't this the headline story on CNN?

Guest said:

There is no way, you can upload a FMS when it in flight, there are provisions to prevent that for any electronics. I wouldnt worry so much

cliffordcooley cliffordcooley, TechSpot Paladin, said:

I'm sure everyone also realizes this would give someone access of control from the ground. A cell phone anywhere on the plane is a potential risk and can be controlled remotely. The solution is to tighten security on the plane, not disabling cell phones which would be impossible.

Guest said:

How soon can we download this app from the app store?

Stuxnet for the Airbus anyone?

1 person liked this | VitalyT VitalyT said:

So you get your ass on a rocket and try to hack it while flying it, that's smart. Where did I see it though,...oh yeah, the coyote - that's what they should call the program!

JC713 JC713 said:

I am actually pretty scared to go on a plane now lol.

Guest said:

In past, terrorist needs to bring several guns and/or bombs inside the plane without being detected to hijack an airplane.. now we only need a smartphone to hijack a plane remotely..

Razer said:

"mommy, mommy, look I got new radio control plane, it's Boeing 747!!"

Guest said:

ACTUALLY, they tell you to turn off your devices as the times before/during take off and before/during landing are the most critical to paying attention to instructions and your surroundings in the event of an emergency landing/crash. Kind of hard to be 100% alert if you're listening to music, etc.

Guest said:

Are you retarded they have to let you have your phone, if they didn't you would land in a foreign country with no phone

Guest said:

That idea crazy. Plane reroute golden land potato. All rejoice.

2 people like this | The Droog said:

Say bye-bye to using phones on planes.

You mean Assault Phones whose only purpose is mass murder?

Guest said:

Well!, if you can think it then it's possible. I understand what Hugo wanted to achieve by asking - What if?.

madboyv1, TechSpot Paladin, said:

Are you retarded they have to let you have your phone, if they didn't you would land in a foreign country with no phone

The capacity for communication is more or less a right nowadays, but a cell phone is merely one of many mechanisms to facilitate it, and privilege to own and operate.

But yes, a scary possibility indeed, to think I just had a round trip flight a few days ago, and it was on time both times no less. =o

Guest said:

This app is now in the Google Store. Can't wait to try it out.

pmshah said:

And now I understand why they tell you to turn off your phone when flying!! I wont be flying anytime in the near future lol

Actually they tell you to turn off your phones because of the potential for unproven interruption with older flight equipment. Although it is largely a joke as it has been shown that the very pilots themselves keep their Tablets and Smartphones on to read flight plans and passengers rarely actually shut their phones off.

With the earlier non-smartphones one could not do anything with an installed sim. Could not even access the contact list. The current smartphones allow full accessibility with / without a sim card installed. This is to allow "Aircraft" mode where it suspends ALL wireless communication. I am pretty sure the tablets and the phones used by the pilots while flying would be in this mode.

pmshah said:

As much as I love tech.... Was anyone else bothered by the line that said, "A pilot could thwart an attack by taking the plane out of autopilot although he pointed out that several newer systems no longer include manual controls." Seriously, no manual controls. errr......

This is nothing new. When Airbus A300 was introduced some 25 years ago it too had no pilot overriding control. An incident has been rumored to have occurred at Kolkotta (Calcutta) where the Pilot of a flight felt that the plane had not reached the required speed to takeoff and wanted to abort but had no control. The plane went into auto mode and took off on its own. The crash at Bangalore some time in 1988/89 could also be attributed to this when the pilot could not override the automatic landing procedure. I was booked on that flight and was saved by preponing my schedule by 3 days,

cliffordcooley cliffordcooley, TechSpot Paladin, said:

I was booked on that flight and was saved by preponing my schedule by 3 days,
O.O

Ohhh My!!

Guest said:

Will this work on rockets? Have somebody with an I-phone turn the North Korean rocket right around and have it head back to where it came from.

ghasmanjr ghasmanjr said:

I really don't think websites or conferences should post findings such as these because someone, somewhere out there is actually stupid enough to give this a shot.

1 person liked this | Tanstar said:

There is no way, you can upload a FMS when it in flight, there are provisions to prevent that for any electronics. I wouldnt worry so much

Except the entire point of this article is that there is NOT any such security on modern planes.

1 person liked this | Tanstar said:

Are you retarded they have to let you have your phone, if they didn't you would land in a foreign country with no phone

15 years ago cell phones were still pretty rare. 5 years ago international phones were rare. Most phones still have very limited options overseas. I'm not saying they should disallow smart phones on planes, just saying that people got fine without international phones not long ago at all.

Guest said:

This is BS.. "he used virtual planes in a lab to demonstrate his ability to hijack a plane",

so he did not hijack anything really....

Guest said:

So many problems with this article. Somebody doesn't know how aircraft/aviation works. There would have to be so much insider knowledge to make this type of effort work and even then it is highly doubtful.

1 person liked this | Guest said:

I'm an airline pilot and air travel writer/blogger. This story is mostly garbage -- just wild technological extrapolation, and not very realistic.

Here's a rebuttal that I published on my home page....

www.askthepilot.com

- PS

cliffordcooley cliffordcooley, TechSpot Paladin, said:

Here's a rebuttal that I published on my home page....

www.askthepilot.com

Thanks for the link and explanation of this topic.

Guest said:

This would also affect the new Boeing dreamliner but that's nor really in use yet.

Pmshah, A whole post just to get in the word "preponing" .. LOL. I bet you've been scouring the web for days for that chance. *I* thank god your still alive.

Guest said:

Because it's mostly inaccurate or downright wrong. Makes good clickbait though.

cliffordcooley cliffordcooley, TechSpot Paladin, said:

Pmshah, A whole post just to get in the word "preponing" .. LOL. I bet you've been scouring the web for days for that chance. *I* thank god your still alive.
What is your problem? Seriously! Why did you say that? Talk about contributing to the webs bad attitude.

tmcarr tmcarr said:

Newer systems no longer contain manual controls?

If that's referring to fly-by-wire instead of the older-style flight controls, that's still not something that could be taken over by someone with a computer or a phone. There's no way that someone outside the cockpit could actually take the control of flight away from two pilots sitting behind a yoke.

If he has access to the computer that relays the yokes commands "over the wire" to the actuators... then he has control of the plane. He just intercepts the signals and changes what they say... simple as that. Basic BASIC man in the middle attack.

Guest said:

Nope, they use iPads primarily, which doesn't have a means of removing a sim.

The app most use is called ForeFlight, to a lesser extent an app called WingX or one from Garmin that I believe is just called Garmin Pilot, they all have a 30 day free trial in iTunes feel free to play with them, they work on a phone too. If on android the options are the Garmin app and one called Naviator. Probably won't get a GPS lock in an airliner, though, you'd need to be in the cockpit. GPS signals won't go through metal, but work fine for pilots through the windshield.

The iPad is the more popular option due to the android apps having sketchy video acceleration in the apps themselves and ForeFlight being around the longest of these apps and being iPad only.

Source: I fly, own a small airplane, and use an iPad mini for maps, charts, and as a backup GPS in the air in case the panel mounted NAV/COMM unit in my plane fails.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.