Hugo Teso is a security researcher at N.Runs, a Germany-based IT consultancy firm. He is also a licensed commercial pilot. So he did what any other regular person would do with two seemingly unrelated interests: use one to exploit the other. In the Hack In The Box security conference being held in Amsterdam, Teso has revealed that he has been working on a hack for the past three years that allows him to remotely hijack commercial airplanes with the use of an Android app.
According to Teso, the Aircraft Communications Addressing and Report System (ARCARS) used by commercial airlines is extremely insecure; it uses no type of authentication to differentiate between valid and illegitimate commands. As such, Teso says he was able to develop an Android app, dubbed PlaneSploit, that is able to send commands to the ARCARS which then passes the commands to the flight management system (FMS). This essentially lets Teso “modify approximately everything related to the navigation of the plane”.
The caveat here is the exploit allows Teso to take control of a plane’s autopilot, which allows Teso to do dangerous things like re-navigate the plan to annoying things like flicker lights inside the cockpit; pilots can easily manually override the commands. Still, that requires a pilot to be aware of the situation and what is happening. One can only imagine what would happen if a pilot was clueless about the whole ordeal.
Teso says he tested this hack on FMS hardware he purchased off eBay and FMS simulation software, but the exploit is applicable to real commercial airplanes. However, companies that make flight management systems — such as Honeywell, Thales, and Rockwell Collinsmakers — have come out and publicly rebuked Teso’s claims, saying real airplanes are vastly different than the simulations Teso tested on and real airplanes have protections against this. The United States Federal Aviation Administration (FAA) and European Aviation Safety Administration (EASA) have also said Teso’s hack works only in a lab and won’t work on real airplanes. However, no one is taking chances; Teso and N.Runs are said to be in contact with not only FAA and EASA but also Honeywell to see if there is any real-life truth behind the hack.
For what it is worth, Teso has not publicly revealed the fine details of the exploit. And he says he specifically limited the app to only work on simulations and not real airplanes because hijacking a real plane would be “too dangerous and unethical”. So you don’t have to worry about an Android app hijacking your next flight. Yet.