Just when we were getting flight attendants to relax the electronic device restrictions on flights, a German security consultant has demonstrated a real-world hack and takeover of an airplane’s critical guidance and control systems using an app he built that runs on an Android smartphone. Hugo Teso of n.runs, who is also a trained commercial pilot, demonstrated the exploit at the Hack in the Box conference in Amsterdam, and has developed a framework and app as a means to illustrate just how poor the current state of aviation security actually is. Teso designed the framework to be unusable outside his simulation environment, but he maintains that his environment mirrors technology that is currently in use throughout the aviation industry. On top of being able to completely own the Flight Management System (sometimes referred to as the “Autopilot”) of an aircraft, Teso’s app, named “PlaneSploit”, demonstrated how, once complete control of the aircraft’s control systems was obtained, the actual operation of a flying aircraft could be remotely controlled from a smartphone.
Teso has carefully kept his research private, and has been working closely with the aircraft industry to help them close the gap on the many security vulnerabilities that exist in the thousands of aircraft in use today. Even so, it’s possible that other security analysts could uncover the same exploitable weaknesses in avionics platforms, and perhaps behave less altruistically than Teso. Also keep in mind that the autopilot systems can be manually overridden and the aircraft flown “by hand” using backup analog instrumentation. The trick, Teso reminds us, is that unless the pilot knows the plane has been hacked, he won’t know to take over control until the damage has already been done.
What this means for you:
Unless you are a commercial pilot, or someone of influence in the airline industry, I’m afraid there’s not much you can do about this except continue to raise awareness with everyone around you about technology security. Even though I sincerely doubt we’ll see any real-world plane hijackings via smartphone any time soon, now that this Pandora’s Box has been opened, it may never be shut again.