FAA shoots down hijacking demonstration via Android app

Those preparing to fly the friendly skies can breathe a sigh of relief today as the Federal Aviation Administration has shot down widely-reported claims that a security researcher could theoretically hack into an airplane's computer system and effectively hijack it using an Android app.

A recently-issued statement from the agency said they were aware that an IT consultant alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System. Upon further investigation the FAA concluded that the described technique does not work on certified flight hardware.

During a recent security conference in Amsterdam, Hugo Teso used virtual planes in a lab to demonstrate how the app would allow him to remotely hijack an airliner. The problem with the demonstration, according to the FAA, is that Teso utilized a PC-based training version of the Aircraft Communications Addressing and Reporting System (ACARS) software found in airplanes.

This validates similar claims from the European Aviation Safety Administration (EASA) which said the presentation was based on a PC training simulator and did not highlight potential vulnerabilities on real flight systems. That's because the simulator doesn't have the same overwriting protection and redundancies found in certified flight software, the EASA said.

Furthermore, Honeywell spokesperson Scott Sayres said their flight management system includes security and safety measures designed to prevent data overwriting and data corruption. Part of Teso's demonstration involved gaining access to the flight management system and uploading new data via software defined radio and ground service providers.