The app does its dirty work by sending radio signals to the targeted plane that change the pilot's displays or even the plane's direction and altitude, according to Forbes.
A security researcher in Germany has found a simple way to hijack such a plane using nothing more than an Android smartphone.
Developed by Hugo Teso, a security researcher at a German IT consultancy, and presented at the Hack In The Box security conference yesterday in Amsterdam, the app exploits bugs in both a protocol that sends data to planes and the flight management software used on many commercial flights.
“You can use this system to modify approximately everything related to the navigation of the plane,” Teso said.
The main security hole that Teso found and exploited was in the Aircraft Communications Addressing and Reporting System (ACARS), a system that handles everything from weather data to changes in a plane's flight management software.
Over three years, Teso toyed with the software that planes use to receive data and messages from ACARS and realized that "the airplane has no means to know if the messages it receives are valid or not."
“So they accept them and you can use them to upload data to the airplane that triggers these vulnerabilities. And then it’s game over.”
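The property Teso describes is the absence of any authenticity check on received messages. The following is an added illustration, not code from the article, from Teso, or from any avionics vendor, and it does not use the real ACARS wire format: it uses a constructed "seq|payload|tag" framing and a shared key, both assumptions, to contrast a receiver that accepts every well-formed message with one that verifies an HMAC and a sequence counter before acting on anything.

```python
import hashlib
import hmac

# Constructed demo framing (assumption, NOT the real ACARS format): "<seq>|<payload>|<hex tag>"


def make_frame(key: bytes, seq: int, payload: str) -> str:
    """Build a frame whose tag is an HMAC-SHA256 over the sequence number and payload."""
    body = f"{seq}|{payload}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def unauthenticated_receiver(frame: str) -> dict:
    """Models the behaviour the article describes: any parseable message is accepted,
    regardless of who sent it or whether it was altered in transit."""
    seq, payload, _tag = frame.split("|", 2)
    return {"accepted": True, "seq": int(seq), "payload": payload}


class AuthenticatedReceiver:
    """Receiver that rejects forged, tampered and replayed frames.

    Only frames whose tag verifies under the shared key (assumed to be provisioned
    out of band) and whose sequence number is strictly increasing are accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def receive(self, frame: str) -> dict:
        try:
            seq_s, payload, tag = frame.split("|", 2)
            seq = int(seq_s)
        except ValueError:
            return {"accepted": False, "reason": "malformed"}

        expected = hmac.new(self.key, f"{seq}|{payload}".encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(expected, tag):
            return {"accepted": False, "reason": "bad tag"}
        if seq <= self.last_seq:
            return {"accepted": False, "reason": "replay"}

        self.last_seq = seq
        return {"accepted": True, "seq": seq, "payload": payload}


if __name__ == "__main__":
    key = b"demo-shared-key"  # constructed value for the demo
    genuine = make_frame(key, 1, "WX:WIND 270/15")  # constructed weather uplink
    tampered = genuine.replace("270/15", "090/60")  # payload altered, tag unchanged
    rx = AuthenticatedReceiver(key)
    print("unauthenticated, tampered:", unauthenticated_receiver(tampered))
    print("authenticated, genuine:   ", rx.receive(genuine))
    print("authenticated, tampered:  ", rx.receive(tampered))
    print("authenticated, replayed:  ", rx.receive(genuine))
```

The unauthenticated receiver happily returns the altered wind data; the authenticated one rejects the tampered frame with "bad tag", rejects a replay of the genuine frame with "replay", and rejects a frame built under a different key. The point is the check at the receiving end, which is exactly what the quoted statement says is missing.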
Exploiting this vulnerability, Teso created an app that he ran on his Samsung Galaxy smartphone and used to take control of a virtual airplane.
Honeywell, one of the companies that makes flight management software that Teso was able to exploit, says that the vulnerabilities found by the researcher aren't as perilous as they sound because the software that was exploited by Teso is the PC version, not the full version found on planes.
"The version [Teso] used of our flight management system is a publicly available PC simulation, and that doesn’t have the same protections against overwriting or corrupting as our certified flight software,” a spokesman for Honeywell said.
However, the firm that employs Teso, N. Runs, contends that making the leap from the PC version to the full version wouldn't be very difficult.
“From our perspective it would work with at minimum a bit of adaptation,” Teso's supervisor Roland Ehlies said.