
FAA: 'No, you can't hijack a plane with an Android app' - sambeau
http://www.theregister.co.uk/2013/04/13/faa_debunks_android_hijack_claim/
======
rurounijones
It would be nice to get an actual technical rebuttal describing _why_ his
stuff doesn't work rather than the sleight-of-hand English and PR responses in
that article (The whole "industry standard robustness yada" bit makes my
cringe).

Based on their responses it sounds like "Yes, these _systems_ are vulnerable
but a good pilot will ignore the bad data so the _plane_ is not vulnerable."
which does not exactly give me the warm fuzzies.

(Good point here at the bottom:
[http://arstechnica.com/security/2013/04/hacking-
commercial-a...](http://arstechnica.com/security/2013/04/hacking-commercial-
aircraft-with-an-android-app-some-conditions-apply/) )

All his hack needs to be able to do is cause problems for the pilot (bad
information etc.) for this to be a problem.

I mean, if there is no issue then surely he is now justified in publishing his
work and them publishing in detail why it is not a risk.

~~~
lsh123
Brief technical explanation.

The "attack" consists of the following steps:

1) Modify the desktop simulator FMS code to support commands in the data
protocols (e.g. ADS-B). 2) Send commands through data link to utilize the
newly created control channel.

What FAA is saying that

1) It is hard if not impossible to actually inject un-authorized code into an
embedded airplane system (FMS, GPS, ...) due to strict quality controls in
place. 2) Even if one succeeds with 1) then you still have limits of what FMS
can actually do with the plane because it is a separate unit from other
systems with well defined protocols (e.g. FMS doesn't control the lights in
the plane).

IMHO, the whole "hack" sounds like a BS/PR action. Yes, you can "fake" GPS,
ADS-B, and other communication protocols. However, there are other sources of
information for pilots (e.g. the old and true magnetic compass) that can and
should be used to validate and cross-reference the data. From a pilot's
perspective, a "fake" GPS is no different from a "failed" GPS (yes, this
happens). One should be ready to deal with this to qualify as a pilot.

~~~
antmldr
Yep, hit the nail on the head.

Thing is, if you're able to inject un-authorised code into the FMS, chances
are you have bigger concerns than a single aircraft getting hijacked.

It's the equivalent of saying "If I had access to a bank's mainframe and
network infrastructure, I could steal millions of dollars with an Android
App." Sure you could, but is the problem the fact you can do it with an
Android App, or the fact you were able to inject the code in the first place?

~~~
malkarouri
Exactly. If I have that much capabilities I would buy the airline. It seems
neater.

------
bigiain
I've been (perhaps foolishly) trying to work out what the actual attack here
is.

I have strong suspicions... I saw a fascinating presentation a couple of years
back* by the guy who built this: <http://maps.spench.net/aviation/> (requires
the Google Earth browser plugin). He's using the Universal SDR (software
defined radio) to listen to various bits of telemetry coming down from
commercial airliners (including, amusingly, automated reports from toilet
failures!) and plotting in real time all the planes he's detecting data from.
He's using ~$800 worth of radio hardware to recieve those transmissions, but
you can listen in on those bands for a lot less using something like this:
<http://www.funcubedongle.com/> \- and I've heard talk about re-purposed USB
cableTV dongles being useable down in the ~$30 price range.

What the USDR can do that the cheaper receivers can't though, is _transmit_ on
those bands. Hearing how readily Balint decoded the ModeS data, I'm 100% sure
that a technically competent but not-very-sophisticated attacker could very
easily transmit their own data on those channels using a USDR with the
appropriate TX daughterboard (and, in the context of the original article,
could easily control the USDR transmitter with an Android app).

(I do vaguely wonder whether any of the radio hardware in a typical Android
device is "universal" enough to be convinced to transmit on the bands required
here - I'm not quite enough of a radio-geek to know and/or go looking right
now. I _strongly_ suspect not, and that if the original article has kernels of
truth in it, it's referring to external transmitters controlled by an Android
app)

* <http://spench.net/drupal/video/mode-s-dorkbot>

~~~
adestefan
I'm not going to comment on the first part since all of that data is readily
available, in real-time, on various Internet sites already. No need for a
radio.

As to the question about the radios in cell phones the answer is yes and no.
Yes a lot of modern baseband are nothing more than an SDR, but that's only
part if the issue. The other issue is getting appropriate signal levels into
and out of that device. For that you need specific filters and antennas for
the frequencies you want to receive and transmit. For example, an LTE baseband
can work on any of the LTE frequencies (and then some) but specific handsets
will have filters for the appropriate region the handset is sold in. While you
can change these it's just easier and cheaper to use something like a USRP.

If your interested in radio at all I suggest you start liking into ameture
radio. There's still a ton of interning tinkering with everything from Morse
code to data communications from 3MHz all the way into the hundreds of GHz
frequencies.

------
ams6110
_"The described technique cannot engage or control the aircraft's autopilot
system using the FMS or prevent a pilot from overriding the autopilot," the
FAA's statement explained. "Therefore, a hacker cannot obtain 'full control of
an aircraft' as the technology consultant has claimed."_

That may be true, but this does not not seem to address the other claim that
an attacker could inject false information into the FMS or cause it in some
way to give misleading information to the flight deck, which could be nearly
as bad.

~~~
ubernostrum
So, apparently the full thing going on here is that if you have some other way
to basically get root on one of the plane's systems (required in advance, not
provided by this "exploit"), then you can cause a message to be displayed
telling the pilot he's flying too close to some other aircraft.

The pilot will probably maneuver a bit to make room, and then will A) tell ATC
about this, get a "what other aircraft" response, and B) look out the window,
see there isn't another aircraft, and C) decide something's buggy with the
system that's displaying the message.

Before this all went public, it would have been followed with D) maintenance
crew looks into it after the plane lands.

Now that it's public, it will be followed with D) the plane lands ASAP and
everyone on board has a nice chat with guys who have uniforms, guns and
absolutely no sense of humor.

~~~
ivix
Perhaps that was the aim of this exercise?

------
dsl
This guy has all the right pieces, but sadly nobody is going to believe him
until he demonstrates it on a functional plane.

I saw this talk at Blackhat on vulnerabilities in ADS-B, which scared the shit
out of me. The paper is a good read [http://media.blackhat.com/bh-
us-12/Briefings/Costin/BH_US_12...](http://media.blackhat.com/bh-
us-12/Briefings/Costin/BH_US_12_Costin_Ghosts_In_Air_WP.pdf)

tl;dr: once a second every commercial plane transmits its location, heading,
and speed over an unencrypted unauthenticated protocol, and other planes and
air traffic control take it for truth.

~~~
mikeash
The lack of security in ADS-B is bad, but how much of a problem could you
really cause with it? The best I can come up with is tripping some collision
alarms. Even then, you won't be able to do too much before pilots and
controllers in the area decide that ADS-B is messed up and ignore it in
preference to radar.

~~~
bisrig
Serious question: what do you think about the lack of security in Mode A/C
then?

~~~
mikeash
Those are far less spoofable because so much of the information comes in the
form of un-spoofable things like echo delays and directional information.

You could spoof Mode C altitude, of course. You could spoof a distance from
the radar that's more than what your actual distance is by delaying your
response to the interrogation. But that's about it. You can't spoof direction,
and you can't pretend to be closer than you really are. I'm sure you could
still make a minor nuisance of yourself, but it's not going to be a very big
deal, I'd think.

I think you'd have to either be very close to the radar or airborne to pull
any of this off, too, which means that you likely get to play games only once,
then the large men in black suits will come ask you to please stop.

~~~
jacquesm
They may even omit the 'please'.

------
Xanza
When dealing with Technology, the very moment you irrevocably rebuke something
as an impossibility is the very moment it becomes possible.

The simple fact that no one has been able to accomplish it yet should not mean
in the slightest 'No, you can\'t'.

------
revelation
_Whatever data finds its way into the FMS, and regardless of where it's coming
from, it still needs to make sense to the crew. If it doesn't, we're not going
to allow the plane, or ourselves, to follow it._

The dude solved the halting problem? I really don't trust in people that think
they control complex computers running turbofan engines through sticks and
displays.

~~~
kenrikm
If it's possible to trick the FMS as it seems they are not denying. Then in
bad weather the pilot could easily be given false information to say that he's
flying straight and level when he's actually in a dive or inverted. If you
depend on your instruments and they are giving you bad data then in the right
conditions it could certainly cause a crash. There have been planes that have
gone down over the ocean because they could not tell the difference between
the water and the sky and they did not trust their instruments and are in an
inverted dive when they think they are climbing. Imagine if their instruments
said they we're climbing and they thought they we climbing but were really in
an inverted dive!

~~~
deckar01
The FMS does not override those types of sensors. It is more about signaling
the path of other aircraft. Broadcast a false danger and a pilot/autopilot
will alter the course.

