On Thursday, a man named Hugo Tesco demonstrated at the Hack in a Box security conference a way to hijack an airplane using an Android device – and nothing else. Obviously, such a claim drew quite a bit of attention, including from the Federal Aviation Administration and European Aviation Safety Administration, both of which have come forward with statements that it simply isn’t possible.
According to Tesco, an airplane could be hijacked because two aviation systems, the Automated Dependent Surveillance-Broadcast and the Aircraft Communications Addressing and Reporting System, are unauthenticated and unencrypted. He acquired flight code software off eBay and a radio transmitter, and got to work with creating his plane hijacking method.
Tesco used the code to find vulnerabilities in virtual aircraft, and via these problems he used his Android app called PlaneSploit to take control of a Boeing jet in autopilot mode. Rockwell Collins, which is a company that make the systems that were hijacked, says the problem is that Tesco is using a virtual plane, and that such a method wouldn’t work with a real aircraft. The FAA agrees, publishing a statement that says:
“The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer … The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain ‘full control of an aircraft’ as the technology consultant has claimed.”
[via The Register]