Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

A Mile-High Hack: An App That Could Remotely Hijack Planes

A German IT consultant's proof-of-concept software raises questions about efforts to secure global flight systems.
iStockphoto.com
A German IT consultant's proof-of-concept software raises questions about efforts to secure global flight systems.

The Federal Aviation Administration continues work on its multibillion-dollar upgrade to the nation's air traffic control system, but it may not be enough to stop hackers from taking control of airplanes with a smartphone.

That's the warning from pilot and IT consultant Hugo Teso, who demonstrated how easy it would be to exploit traffic control systems at the Hack In The Box security conference in Amsterdam this week. To the fascination of those in attendance and following on Twitter, Teso demonstrated a remote attack on a virtual air control system by using a radio transmitter, flight code software and an app he designed for his Android smartphone.

Help Net Security reports:

"The application, fittingly named PlaneSploit, sports a clean and simple interface, but is packed full with features. This is a remarkable example of technology evolution - ten years ago we barely had phones with a color screen, today we can use them to hack aircrafts.

"PlaneSploit uses the Flightradar24 live flight tracker and you can tap on any airplane found in range. When talking about the range, please keep in mind that we are talking about a proof-of-concept application used in a virtual environment."

Taso, who considered it too unethical to hack an actual jet in flight for his presentation, used the demo to sound the alarm to the FAA and others that even the agency's Next Generation Air Transportation System currently in development is vulnerable.

NextGen will keep tabs on every plane in U.S. airspace using GPS technology instead of a traditional radar, and comes with a price tag in the tens of billions of dollars. But Taso suggests even the new system could be compromised with the right expertise and software framework.

To find targets, Teso exploited an existing communications system that sends information about each aircraft with an onboard transmitter. Then, using the Aircraft Communications Addressing and Reporting System, ACARS, he broke into a virtual airplane's onboard computer system and uploaded spoofed, malicious messages that affected the "behavior" of the plane.

Pilots could regain control of their planes with analog instruments, since attacks of this kind only work when planes are in auto-pilot, reports Help Net. But few modern planes have analog instruments anymore, and, Teso said, pilots would have to notice the plane's computer was taken over to correct the problem.

Update at 11:28 a.m. ET, April 12: Federal and European aviation officials say not so fast — just because Taso can do this hack in a simulated environment does not mean he could hijack a real jet, in flight. The Atlantic reports:

"According to the Federal Aviation Administration (FAA), the European Aviation Safety Administration (EASA) and Honeywell, the [makers] of the cockpit software, it's not [true]. The FAA, for one, says, 'The described technique cannot engage or control the aircraft's autopilot system using the FMS or prevent a pilot from overriding the autopilot.' The agency assures America that this hack 'does not pose a flight safety concern because it does not work on certified flight hardware.' "

-- h/t Steve Henn

Copyright 2021 NPR. To see more, visit https://www.npr.org.

Tags
Elise Hu is a host-at-large based at NPR West in Culver City, Calif. Previously, she explored the future with her video series, Future You with Elise Hu, and served as the founding bureau chief and International Correspondent for NPR's Seoul office. She was based in Seoul for nearly four years, responsible for the network's coverage of both Koreas and Japan, and filed from a dozen countries across Asia.