A pair of ANA pilots in the cockpit of a Boeing 787, and yes, they still have manual controls. Image: Boeing
A talk given by a security consultant at the Hack In The Box conference in Amsterdam has been making waves for a couple of days now, largely because it made bold claims: Hugo Teso, who's also a trained commercial pilot, said he'd found a way to hijack airplanes (as in take over their flight controls) by attacking the plane's systems wirelessly using an Android app he developed.
The ability to take control of an aircraft via an Android app is obviously a scary possibility. And it's true that a lot of aircraft systems–like many industrial networks–aren't as secure as they should be. But a guy crashing a plane with his phone? I wouldn't worry about that.
Zeljka Zorz and Berislav Kucan at Net Security wrote an in-depth explanation of Teso's demonstration and claims, which is worth the read if you haven't heard about the nuts and bolts yet. For everyone else, the notable point is that Teso set up a framework to gain access to two aircraft systems that broadcast wirelessly: the Automatic Dependent Surveillance-Broadcast (ADS-B), which communicates flight, traffic, and weather data back and forth with air traffic controllers; and the Aircraft Communications Addressing and Reporting System (ACARS), which essentially sends standardized messages back and forth between pilots and the ground, in some cases automatically so that pilots don't have to spend their time sending in standard reports.
Now, it's true that both systems are insecure, and that does have some worrisome implications–for one, perhaps someone could spoof a plane via ADS-B to warn pilots of a mid-air collision, which would likely cause some chaos on the flight deck. Regardless, the fact that airline systems are so susceptible to attack is certainly something that needs to be fixed.
But the claim that a plane could be remotely controlled–which Teso did simulate in his talk, although the doom hype blame also lies with some media outlets–is pretty much false, for a number of reasons.
First, let's say that Teso did indeed find a way to worm his way in from communications systems to taking over flight controls. As James Fallows notes for The Atlantic, even if a plane's autopilot was hijacked and sent the plane into a nosedive, pilots will always be able to take over manual controls. And if an attacker subtly recalibrated instruments and the autopilot to head a plane towards a mountain, jets cruise at 35,000 feet. Pilots will notice the plane has lost altitude before it ever gets near crashing into anything.
And even then, the claim that accessing an admittedly insecure pair of communications systems can then lead to accessing plane controls appears to be a leap beyond what's feasible. A couple of security consultants I emailed both said the specific flight hijacking claim seemed fairly ridiculous, and one of them pointed me towards a Hacker News thread with folks saying the same thing. As user eduardordm wrote:
I used to make avionics for a living and I don't even understand what this man is talking about. (I don't think he does either.) That seems to be just an ACARS sniffer.
ACARS and ADS-B have nothing to do with aircraft control systems. You don't need an Android app to intercept satellite communication and even if you 'root' the ACARS computer, it is not connected to the systems that could control the airplane.
Also: to pass DO-254 at level A you must have physical switches for flight/computer functionality, that said, no software can engage autopilot or change AP behavior, you need physical switches to do that. They are NOT similar to keyboard buttons, those switches actually interfere at the hardware level.
DO-254 is an FAA-recognized set of standards covering electronic systems onboard planes, and as eduardordm and others have noted, autopilot systems are physically separated from other onboard systems. So it's very unlikely that entry through communications systems could result in actual takeover of a plane's autopilot. And even if it happened, pilots switching into manual flight would nullify the problem, which is how things are designed; planes are designed to deal with catastrophic failures of autopilot systems, even if designers didn't have black hats in mind.
It's unfortunate that the discussion has revolved around "We're all gonna die!"-style headlines of hackers crashing planes with cell phones, because the exploits Teso demonstrated are worth examining on their own. Fooling around with ADS-B in particular seems like an area ripe for trouble.
Sending erroneous plane signatures to screw with traffic control, or even spreading false weather reports, would be a big problem. Even a few could be cause for distrust within the system, which would make it pretty much useless. That on its own may be realistic, but the holes are there. But will a hacker fly your jet into the ground like a remote control plane? I wouldn't worry about it.