FAA shoots down hijacking demonstration via Android app

By on April 12, 2013, 5:00 PM

Those preparing to fly the friendly skies can breathe a sigh of relief today as the Federal Aviation Administration has shot down widely-reported claims that a security researcher could theoretically hack into an airplane’s computer system and effectively hijack it using an Android app.

A recently-issued statement from the agency said they were aware that an IT consultant alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System. Upon further investigation the FAA concluded that the described technique does not work on certified flight hardware.

During a recent security conference in Amsterdam, Hugo Teso used virtual planes in a lab to demonstrate how the app would allow him to remotely hijack an airliner. The problem with the demonstration, according to the FAA, is that Teso utilized a PC-based training version of the Aircraft Communications Addressing and Reporting System (ACARS) software found in airplanes.

This validates similar claims from the European Aviation Safety Administration (EASA) which said the presentation was based on a PC training simulator and did not highlight potential vulnerabilities on real flight systems. That’s because the simulator doesn’t have the same overwriting protection and redundancies found in certified flight software, the EASA said.

Furthermore, Honeywell spokesperson Scott Sayres said their flight management system includes security and safety measures designed to prevent data overwriting and data corruption. Part of Teso’s demonstration involved gaining access to the flight management system and uploading new data via software defined radio and ground service providers.




User Comments: 15

Got something to say? Post a comment
1 person liked this | Lurker101 said:

I'm not exactly convinced. Partly because I have no way to validate their claims (on account of not having a spare aeroplane on hand) and partly because this has the whiff of damage control about it.

spydercanopus spydercanopus said:

And Capt'n Crunch whistles didn't really hack the phone systems. >.>

JC713 JC713 said:

Yeah, they didnt validate any claims. There could be more versions they dont know about that does the same, harmful thing.

PinothyJ said:

So, are they saying this because he was right and they do not want it to it the fan while they fix the problem or is he just wrong...

Guest said:

Just wondering what the airplain manifacturers have to say on the subject.

Tygerstrike said:

Ok this article clarifies the previous article. So this guy hasnt ACTUALLY tested this on a REAL planes command and control systems. Good to know!! But it does beg the question, How secure is a real planes C&C system? With enough computing power can someone actually gain entrance into a planes flight controls? Is a planes recieving equiptment protected from a cyber attack? Wow so many questions, and literally no answers.

@Lurker

Smells less like damage control and more like "lets get the story straight before it goes mushroom". I personally view the press release as a good thing. It means that they saw what this guys was claiming he could do, realized that the information he was spewing was incorrect, a moved to give the correct information. With all we have to worry about due to flying this gentlemans statement just added to a already tense and stressful activity. I mean besides air marshals, crazy ppl who want to crash or blow up, stressed out and crazy flight attendants/pilots, luggage issues, now we would have the added worry about some idjit trying to take over the plane with their smartphone. Im glad they did do damage control. Atleast some of that concern and fear can be laid to rest.

Guest said:

From the previous article:

"With these vulnerabilities in mind, he used virtual planes in a lab to demonstrate his ability to hijack a plane rather than attempting to take over a real flight as that was "too dangerous and unethical." He used ACARS to gain access to the plane's onboard computer system and uploaded Flight Management System data."

How was it unclear what he did? I don't feel like the initial report said anything misleading, they stated plainly that it was done with virtual planes - the fact that it was possible even in that scenario should raise questions. I'm not sure that this new press release satisfies that this is not possible on real aircraft because it doesn't cite enough of the measures in place that prevent this from happening. I'm not really sure I like the idea of 'buying time to fix the problem either'. I'll take what has been said with a grain of salt and continue to wonder why even on the simulation this was allowable.

Guest said:

Is he Iranian or North Korean?

Credibility lacking and all.....

veLa veLa said:

"Shoots down" haha.

Guest said:

Hahahaha

they dont want to panic anybody but they are trying to close the security gap.

Good One ! (FAA and Honeywell) Liars

ghasmanjr ghasmanjr said:

"Upon further investigation the FAA concluded that the described technique does not work on certified flight hardware."

Yes...I'm sure that airlines keep every single plane up to date with the brand new certified flight hardware because that's cost-effective and all...

I still don't think people should be reporting about things like this though because as I said in a comment on the previous article: someone, somewhere is stupid enough to try this.

Guest said:

Yep, pretty soon we'll have to check our smartphones. You wanna see crazy people? Take away their Pudding Monsters...

wiyosaya said:

As I see it, this article says that real, commercial airplanes have redundant backup systems. It does not sound like the FAA is saying that it could not be hacked.

The most obvious of the redundant systems is the engines. On commercial airplanes, you will always see at least two engines. The reason is that if one fails, the plane is more than capable of flying with only one engine operable.

In this case, the FAA is saying that commercial airplanes have more than one computer system. If one is found to be malfunctioning, a secondary computer system can be used in place of the malfunctioning one. So, the scenario is this:

Flight crew notices primary computer system is malfunctioning. Flight crew switches to backup computer system.

As I see it, it is not all that likely that a secondary computer system would also be hacked because in order to be truly redundant, they should be isolated from each other.

Simulators often do not accurately reflect the real system.

ReederOnTheRun ReederOnTheRun said:

Am I the only one that had to take a double take at that title before realizing they didn't actually shoot down a hijacked plane? X-D

Field McConnell Field McConnell said:

The FAA and the Air Line Pilots Association were informed of illegally installed hardware on U S airlines on 10 December, 2006. FAA Administrators Babbitt and Huerta are both aware of Civil Case 1:08-1600 (RMC) which exposed the existence of the BUAP ( Boeing uninterruptible auto pilot ). Much detail can be searched for in the search window at abeldanger DOT net and it is abel not able. Civil Case 1:08-1600 was against ALPA after a previous lawsuit Civil Case 3:07-cv-24 had been filed against Boeing and ALPA however Boeing admitted the existence of the BUAP and as of this date, 20 April, 2013, the Air Line Pilots Association which professes to be concerned with airline safety, has not. Colgan 3407, Air France 447 and the Sukhoi Superjet have all been destroyed AFTER the exposure of Civil Case 1:08-1600.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.