Disturbing app could let hackers take control, crash planes
Chinese ground crew pumps fuel into a Chinese jetliner in this file photo. (AP Photo/Ng Han Guan)
Published Friday, April 12, 2013 11:19AM EDT
Last Updated Friday, April 12, 2013 11:54AM EDT
A commercial pilot and security researcher has created what he says is a smartphone app that makes it possible to hack the operating system of a plane -- potentially giving hackers the ability to crash the aircraft or send it off to a different destination.
Hugo Teso, a security consultant at a German firm, raised plenty of eyebrows when he unveiled his findings at the Hack in the Box conference in Amsterdam this week.
Teso demonstrated his ability to glean information from an airplane's onboard computer, change the intended destination, play around with the interior lights in the cabin and even cause the plane to "visit ground," or crash, if pilots fail to shut down the autopilot.
He has created an Android app called PlaneSploit, which delivers hostile messages to the plane's flight management systems (FMS), and an exploit framework called SIMON. Together, the two pieces of software theoretically allow a hacker to get inside the brain of a plane, using just a smart phone.
Teso hasn't tested his discoveries on an actual plane, however. Instead, he has conducted tests on aircraft hardware and software acquired in bits and pieces, and on a simulation tool that uses actual aircraft code and an FMS and communications system which he purchased on eBay.
And Teso's intention isn't to provide new tools to terrorists. He created the app in order to demonstrate to the airline industry the major holes that exist in aircraft security, so they can be plugged before any damage is done.
Help Net Security, which attended the conference and wrote about the presentation on their website, described Teso's app as follows:
"The attacker can click on any active airplane and receive its identification, current location and final destination. In case a nearby airplane system is exploitable, the application alerts the user via an in-application alert or a push message. The payload can be uploaded with a tap of a button and from that point on, the flight management system is remotely controlled by an attacker. There are a number of other systems connected to FMS, so further exploitation is possible."
Help Net said the app offers the following functions:
- Please go here: This option allows the user to change the plane's destination simply by tapping on a location on a map.
- Define area: Allows the user to set up detailed filters for the plane. Theoretically, this could allow an action to be triggered when the plane reaches a certain area or altitude.
- Visit ground: Crash
- Kiss off: This has the effect of removing the plane from the system.
- Be Punckish: Triggers flashing lights and alarms to alert the pilot that something is wrong with the plane.