An airplane’s flight controls can be hijacked by simply using an Android smartphone, a presentation at a security conference in Amsterdam on Wednesday demonstrated.
Hugo Teso — a security consultant at the German information technology firm n.runs — demonstrated that he could remotely take over an aircraft’s flight controls using an Android smartphone app, a radio transmitter and flight management software he purchased on eBay.
Teso, reported Help Net Security, was able to access various systems on the aircraft that talk to air traffic controllers via radio and satellite. Those systems are insecure, he noted.
Then, through the Android app that Teso built, called PlaneSploit, a hijacker can alter the course of the plane’s flight, crash the plane, or set off alarms and lights in the cockpit to harass the pilot.
Because taking over a physical plane would be “too dangerous and unethical”, said Teso to the Hack in the Box conference attendees in Amsterdam, he built a virtual lab where he could test the hypothesis, which he demonstrated at the conference.
Teso also noted on his website that since this is a “very sensitive study,” he “will not release exploits or vulnerabilities that can be used against aircraft irresponsibly.”
“That is not the goal of this series, it is intended to illustrate the process to study an unusual system, display the status of its safety and learn as much as possible in the process,” said Teso.
Teso, who is also a commercial pilot, presented his findings at the conference as the culmination of four years of research. He wrote on his website that at the time he began his research, he had been studying SCADA (supervisory control and data acquisition) system security.
SCADA systems are industrial computer systems that control industrial processes like manufacturing, power and water treatment.
Manned aircraft aren’t the only flying system whose controls can be hacked.
A research team at University of Texas at Austin hacked a drone in June 2012 in response to a dare by DHS. The research team managed to hack the drone’s GPS system with a GPS spoofing device that cost $1,000.