
Hijacking airplanes with an Android phone - mikeknoop
http://net-security.org/secworld.php?id=14733
======
eduardordm
I used to make avionics for a living and I don't even understand what this man
is talking about. (I don't think he does either.) That seems to be just an ACARS
sniffer.

ACARS and ADS-B have nothing to do with aircraft control systems. You don't
need an Android app to intercept satellite communication, and even if you
'root' the ACARS computer, it is not connected to the systems that could
control the airplane.

Also: to pass DO-254 at level A you must have physical switches for
flight/computer functionality; that said, no software can engage autopilot or
change AP behavior, you need physical switches to do that. They are NOT
similar to keyboard buttons; those switches actually interfere at the hardware
level.

~~~
jamesseattle
I concur.

I used to work on interfaces to all the computers on the latest 747 and the
787 and there is no wireless way to talk to any of the computers or sensors
that have any input to controlling the airplane.

I am not making this up.

On the 747-400 I was on a group whose computer got input from all the 70+
computers on the airplane. It was all wired.

On the 787 I worked on a database during the development of the airplane that
tracked all the information that flowed between computers. Nothing came to any
computer that controlled the airplane that was not by wire or fiber optics.

I also dealt with ACARS. It is a read-only system on the airplane. It gets
information from other computers and transmits it via satellite to the ground.

~~~
Alex3917
"I used to work on interfaces to all the computers on the latest 747 and the
787 and there is no wireless way to talk to any of the computers or sensors
that have any input to controlling the airplane."

Don't they get weather data from somewhere? And if the pilot thought there was
a thunderstorm or heavy turbulence in some direction, wouldn't they fly the
plane through what appeared to be the clearest route on their own? (And does
the autopilot not take weather into account?)

~~~
rpmcb
"Don't they get weather data from somewhere?"

Yes, most (if not all) modern airliners have a radar dish in the nose of the
aircraft. If you wanted to mess with this, you'd have to spoof radar echoes.
Not something you can do from an Android phone, for sure.

"And does the autopilot not take weather into account?"

No, not in the slightest. Pilots adjust autopilot settings to account for
weather. It is not automatic.

------
swdunlop
Welcome to the security conference lifecycle.

Step 1) What's something important? (SCADA / Smart Grid / Air Traffic Control)

Step 2) How likely is someone to catch me on the details? (Low)

Step 3) How dramatic can I make this sound?

Step 4) Press Release / Slide Show / Simulation

Step 5) Enjoy sugar hit of popularity.

Step 6) Get asked about vuln / exploit / PoC

Step 7) Fffuuuuuuuuu... Look! Jazz hands!

Step 8) Go to Step 1.

If you work for a boutique security consultancy, interleave elements of
panhandling to various customers, clueless managers beating their chests and
claiming expertise, and the occasional Congresscritter / Talking Head
interview.

It is frustrating that this kind of noise drowns out the signal of actual,
thoughtful research or reasonable disclosure. It is the hacker equivalent of
security theater where Sensational New Discoveries (TM) distract from hard
work and serious issues.

~~~
tptacek
This is more true than not true (my friend Chris likes to call these talks
"look at this debug port debugging!"). Some caveats, though:

* Some of these talks are real. For instance, bodega ATMs could in fact be jackpotted. You really could open up most of the hotel room locks.

* Some of these talks involve genuinely interesting technical challenges. For instance, anything involving custom RF work. Or the tolling systems, which also had hardware cryptography. You can appreciate these talks just for technical walkthrough.

* In almost every instance, talks like these target industry verticals where there is little to no attention given to software security. A different kind of software developer works on the firmware for a utility smart meter. There is value in forcibly plugging them into software security.

As an owner/operator of an established boutique security company, I'd push
back a little on the panhandling dig. First, the giant security companies are
just as bad about that. Second, not every boutique firm traffics in "look at
this debug port debugging" talks. I don't see a lot of BS Stach and Liu talks
either. For that matter, n runs has a good reputation too.

~~~
swdunlop
"Look at this debug port" is spot on, and relevant in the case of the bodega
ATM. It's a WinCE single board computer behind a pathetic lock. Pointing out
the silliness of the design is relevant. The theatrics that followed? Not so
much.

I think it is fair to say not all boutiques play the sensationalist card. The
ones that actually refuse to do this presentation clown cycle suffer some
damage and have to work harder, because the showy ones grab mindshare while.

I also agree, the big ones do it, too, but it is harder to pick out against
the slow lumbering noises as they rumble from one puppy mill PCIDSS gig to the
next.

~~~
tptacek
I liked Barnaby Jack's presentation, but I have a bias for people who came up
at eEye.

I think there's room every year for 1-2 theatrical security presentations ---
not that I want to give them! --- and that demonstrating that it's easy to
jackpot an ATM or pop open a hotel room door is a perfectly valid bit of
theater.

I also think some topics become theatrical without sacrificing technical
value. For instance, Nate Lawson, Peter Ferrie and I picked a fight with
Joanna Rutkowska a few years ago. There was a lot of drama. But the drama was
about the accuracy of HPET timers, the AGP GART, and whether we could probe
the branch translation buffers to detect hypercalls. I don't think it should
have mattered if we got on stage in clown suits and shot nerf guns at the
audience; if you're giving a talk about address remapping chipsets, I think
it's all fair game. (In fairness: Rutkowska did not agree about the value of
the drama.)

I agree that the theater gets tiresome, and, in particular, I think if you're
going to shoot for theater, you'd better be right. Your exploit should work.
It should work in the real world. It should be repeatable. The problem with
the hype cycle here isn't that "taking an airplane down with an Android app"
is a bogus topic. It's that you don't believe it's actually possible.

------
TheAnimus
It's an interesting concept, but.

ADS-B is just automating a couple of things: firstly, the classic Mode C
transponder; secondly, things like weather information and such, which is
often read out on good old analogue radio such as AWOS.

Messing around with that wouldn't be any different from people just SQUAWKing
fake data.

I suppose there could be opportunity for security exploits on the digital
device listening, but the airline industry is very legally enforced at
applying updates.

With regards to ACARS I have no idea, as a PPL my rust bucket has nothing that
fancy. I suppose there could be buffer overflow type things, or a flaw in the
encryption.

However, I still feel that this is a little bit sensationalist; as it stands
you could create chaos as it is just VHF radio and voices.

~~~
mikeash
There's a huge difference between an old-style transponder and ADS-B in terms
of spoofability. To make a transponder position show up on radar, you need to
actually put a transponder there. You can spoof altitude to an extent, and you
can potentially spoof being farther away by delaying your echo, but you can't
spoof the radial at all. And you can't spoof being _closer_ than you really
are, which means you can't e.g. falsely trigger a TCAS system.

ADS-B is a simple broadcast of coordinates. Spoofing a position there is just
a matter of broadcasting coordinates that aren't where you actually are.

~~~
TheAnimus
True, but given the way the ATC or TCAS receivers work, they really care about
the history of the echoes.

They are looking for a vector. It would be theoretically possible to create a
ghost, give it a speed and heading to make people avoid it. But I'm not sure
what it would achieve. Maybe I'm not being creative enough.

Thing is though, why would that be any different to "FY holding London NDB UFY
60 descending 40." on the radio. If you then dropped off the radio completely
a massive poostorm would happen as ATC tried to figure out who that
transmission came from. Whilst ATC have to try and find the plane that thinks
it's got full service in class-a space (non pilots this is the busy bits of
sky where you have to get permission from guys on the ground) they would
divert away from that area.

I'm not aware of a TCAS system which doesn't alert the pilot to the fact it is
changing the autopilot heading. If this happened in busy controlled airspace,
it would have to be with acknowledgement from ATC, or the pilot would at worst
do a near miss to avoid a phantom that wasn't there; he certainly wouldn't hit
one that was there to avoid a ghost which ground wasn't warning him of.

If you're over the north atlantic and the TCAS wants to change heading or
attitude, it will alert the meatbag AFAIK.

~~~
mikeash
History is a good point, but does TCAS really care? I thought it was a fairly
simple device in that regard. It has only vague directional sensing.

As for twiddling the autopilot and acknowledgement with ATC, I'm not aware
that either is the case. TCAS simply informs the pilot, and current systems
never advise any horizontal maneuvers, only climb/descend, because their
ability to detect horizontal position is fairly crap. A TCAS advisory takes
precedence over ATC commands and is expected to be obeyed immediately unless
there's an obvious immediate danger to doing so. You never inform ATC of the
TCAS alert and ask what to do, you always obey the machine, then tell ATC
what's going on when you have time. If ATC notices the impending collision and
gives you instructions that contradict the TCAS's instructions, you follow
TCAS and ignore ATC.

------
eggoa
Predicted TSA response: ban Android phones. (I'm only being half sarcastic.)

~~~
sedev
Predicted TSA response: ban iPhones.

I have a very, _very_ low opinion of the TSA.

~~~
lubujackson
Unless you put it in a one quart ziplock baggie. Then it's cool.

~~~
umsm
And they'll sell you a "safer" iphone on the other side for $900!

~~~
piyush_soni
Jokes apart, does someone know if the same thing could be done by an iPhone?

------
steven777400
I'm doubtful. I believe you could easily spoof ADS-B and ACARS messages, but
I'm not sure how that gives you control. The best I can think of is that you
could spoof other airplanes nearby, and trigger TCAS (collision avoidance) to
automatically move in the opposite direction. There is no way the pilot's
would notice this, though.

The only other option is, as another commenter mentioned, a buffer overflow,
or similar, that would allow the ACARS receiver to load a program in the FMS.
In normal operation, FMS programs are not controllable remotely.

~~~
andrewcooke
"...would _not_ notice..." this? you're missing a "not"? (and have an extra
apostrophe!)

~~~
steven777400
You are right :)

------
__alexs
Slides are here
[http://conference.hitb.org/hitbsecconf2013ams/materials/D1T1...](http://conference.hitb.org/hitbsecconf2013ams/materials/D1T1%20-%20Hugo%20Teso%20-%20Aircraft%20Hacking%20-%20Practical%20Aero%20Series.pdf)

------
antirez
I'm not an expert, all my knowledge about ADS-B is what I gained while writing
dump1090[1].

The vulnerability of ADS-B, as I understand it, is the ability to mimic that
there is a collision with another aircraft, since it is _trivial_, as far as
I can tell, to send a message impersonating another aircraft. There is no
cryptography or authentication whatsoever in ADS-B; you just write the
aircraft ICAO address into a field.

So if I simulate aircraft on a collision course, I think the system will tell
the pilot to climb or the reverse, depending on the condition. Maybe this can
be used to create trouble...

[1] <http://github.com/antirez/dump1090>

~~~
eduardordm
You are correct, but modern receivers will actually use the transmitter like an
"NDB" and will detect that the incoming position is not the same as that stated
in those messages, ignoring them.

The same thing happens with sudden changes in GPS messages that are completely
out of alignment with the inertial system, they will be ignored. (unless you
somehow are capable of knowing exactly where the plane is and gradually hack
the GPS messages)

ILS systems are maybe the most dangerous and prone to hacking, but keep in
mind that those frequencies are under surveillance and police are dispatched
within seconds of a clandestine transmission on those frequencies. Again, here
the GPS and inertial systems are also used to guarantee nothing completely wrong is
accepted as a valid ILS source.
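
As an added illustration of the two points made in this exchange (antirez's, that the ICAO address is an unauthenticated field anyone can fill in, and eduardordm's, that a receiver can reject reports inconsistent with the address's track history or with the direction the signal actually came from), here is a small Python plausibility filter. It is example code written for this page, not dump1090's logic nor any avionics vendor's; the speed and rate thresholds, the receiver location, the direction-of-arrival tolerance and the sample reports are all constructed assumptions.

```python
"""Plausibility checks on ADS-B position reports.

Constructed example: an unauthenticated report is accepted only if it is
consistent with the same address's accepted track history and, when the
receiver can measure direction of arrival, with the bearing the claimed
position implies.  Thresholds and sample data are assumptions, not
values taken from any real receiver.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_NM = 3440.065          # nautical miles
MAX_GROUND_SPEED_KT = 700.0         # assumed ceiling; no airliner cruises faster
MAX_VERTICAL_RATE_FPM = 8000.0      # assumed ceiling for climb/descent rate
DOA_TOLERANCE_DEG = 15.0            # assumed direction-finding accuracy
RECEIVER_LAT_LON = (40.0, -74.0)    # constructed receiver site


@dataclass
class Report:
    icao: str            # 24-bit address exactly as written into the message
    t: float             # receive time, seconds
    lat: float
    lon: float
    alt_ft: float
    doa_deg: Optional[float] = None   # measured direction of arrival, if any


def haversine_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def initial_bearing_deg(lat1, lon1, lat2, lon2) -> float:
    """Bearing from point 1 to point 2, degrees clockwise from true north."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    x = math.sin(dlam) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlam)
    return (math.degrees(math.atan2(x, y)) + 360.0) % 360.0


def angle_diff_deg(a: float, b: float) -> float:
    """Smallest angle between two bearings."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def check_reports(reports: List[Report],
                  receiver=RECEIVER_LAT_LON) -> List[Tuple[Report, str]]:
    """Return (report, reason) for every report that fails a check.

    Rejected reports never update the track, so a single bad message
    cannot drag the accepted history along with it.
    """
    flagged = []
    last_ok = {}   # icao -> last accepted report for that address
    for r in sorted(reports, key=lambda x: x.t):
        reason = None
        prev = last_ok.get(r.icao)
        if prev is not None and r.t > prev.t:
            dt_s = r.t - prev.t
            gs_kt = haversine_nm(prev.lat, prev.lon, r.lat, r.lon) / (dt_s / 3600.0)
            vr_fpm = abs(r.alt_ft - prev.alt_ft) / (dt_s / 60.0)
            if gs_kt > MAX_GROUND_SPEED_KT:
                reason = f"implied ground speed {gs_kt:.0f} kt"
            elif vr_fpm > MAX_VERTICAL_RATE_FPM:
                reason = f"implied vertical rate {vr_fpm:.0f} fpm"
        if reason is None and r.doa_deg is not None:
            expected = initial_bearing_deg(receiver[0], receiver[1], r.lat, r.lon)
            if angle_diff_deg(expected, r.doa_deg) > DOA_TOLERANCE_DEG:
                reason = (f"claimed position bears {expected:.0f} deg, "
                          f"signal arrived from {r.doa_deg:.0f} deg")
        if reason is None:
            last_ok[r.icao] = r
        else:
            flagged.append((r, reason))
    return flagged


# Constructed sample: one consistent track, one impossible jump on the same
# address, and one report whose claimed position lies east of the receiver
# while the signal actually arrived from the west.
SAMPLE_REPORTS = [
    Report("A1B2C3", 0.0, 40.50, -74.0, 35000, doa_deg=2.0),
    Report("DEADBE", 5.0, 40.00, -73.5, 31000, doa_deg=270.0),
    Report("A1B2C3", 10.0, 40.52, -74.0, 35050),
    Report("A1B2C3", 20.0, 41.50, -74.0, 35050),   # about 60 nm in 10 s
    Report("A1B2C3", 30.0, 40.54, -74.0, 35100),
]

if __name__ == "__main__":
    for rep, why in check_reports(SAMPLE_REPORTS):
        print(f"{rep.icao} t={rep.t:>4}: rejected ({why})")
```

Running it rejects the DEADBE report on direction of arrival and the t=20 report on implied speed, while the surrounding legitimate reports for A1B2C3 continue to be accepted against the last good fix rather than the rejected one. The same structure extends to other consistency sources a receiver may have, such as the multilateration timing eduardordm alludes to.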

~~~
michael_miller
How are ILS frequencies policed? Does the airport have receivers in multiple
locations which automatically detect a failure, and notify someone in the
tower?

~~~
eduardordm
Exactly. Because the ILS range is short, it becomes easy to pinpoint the
location. Those protections are embedded in the ILS system itself.

------
jjwiseman
I find the skepticism here a little surprising. These are unencrypted,
trivially spoofable protocols that haven't been exposed to attack before--of
course there are going to be buffer overflow bugs and unexpected, exploitable
connections between vulnerable components and critical systems (if they're not
already the same machine).

Video of spoofing ADS-B:
[http://www.youtube.com/watch?feature=player_embedded&v=N...](http://www.youtube.com/watch?feature=player_embedded&v=NSLqRXyxiBo)

(I believe if you spoof ADS-B it means you can generate TCAS warnings, which
pilots are trained to prioritize over ATC commands due to earlier incidents
where TCAS was correct and ATC was wrong:
[http://en.wikipedia.org/wiki/%C3%9Cberlingen_mid-air_collisi...](http://en.wikipedia.org/wiki/%C3%9Cberlingen_mid-air_collision) )

~~~
yasth
The issue isn't whether they can be spoofed. It is whether you can crash a plane remotely, or
even force a plane to go somewhere. The answer to both is basically
no. You can confuse the heck out of the pilot, and possibly make them do some
maneuvering until they ignore the system (and send the police after you).

Realistically, the idea of putting encryption on ADS is one of the stupider
ideas ever. I mean, can you imagine a crash caused because someone didn't
update their CA list, and thus it rejected the signature of another plane?

Anyways, you could just jam the whole ADS-B system for your region. The system
is protected by aggressive action against rogue transmitters.

Also the "with an android phone" part is disingenuous, as you'll need a fair
amount of equipment.

------
zapistan
From the linked article and the slide deck, I've determined that the only
thing exploited was the simulator software, which was running on a machine
that the group already had full access to. There are no avionics being used in
this. They're 'simulating' a setup with commercial PCs and training software.
They're using the two communications standards, ADS-B and ACARS, to communicate
with a 'box' that they already had control over and had already hooked into.

There is no exploit here.

If you want more detail about why this would never land, I've written about it
here: [http://zapistan.net/blog/2013/4/11/fear-mongering-the-friend...](http://zapistan.net/blog/2013/4/11/fear-mongering-the-friendly-skies)

------
wklauss
"In real life, the range would be limited depending on the antennas used (if
going directly for the plane), or global (if misusing one of the two big ACARS
players such as SITA or ARINC)"

It seems to me that the article has a lot of "in real life" caveats. There are a
lot of elements that have to be in place in order for an attack like this to
work, beginning with the fact that the attacker would need a powerful, very
specific transmitter for the ACARS frequencies.

The way I see it, this looks more like a publicity stunt than anything else.

~~~
toomuchtodo
I have done long-haul 2.4 GHz wireless links before with directional antennas
(60+ miles).

36K feet is 6 NM vertical. I have an antenna in my car, and enough power with
the car running to reach a large aircraft audience. This doesn't even take
into account if I have the transmitter and a lithium ion battery in my luggage
(I've travelled across the world with Pelican cases loaded with AV and IT kit;
no one asks, and they've only been opened by the TSA twice).

TL;DR Unauthenticated, unencrypted radio protocols are vulnerable, that's all.

~~~
parimm
ADS-B works on 1080 MHz, which should further improve range.

Rough back-of-the-envelope calculations give a range of about 300 nm for an
aircraft at 37,000 ft.

~~~
toomuchtodo
Your radio horizon if you're a ground attacker will be limited by your antenna
height. Attacking with a powerful transmitter in Class B airspace at a busy
airport? You're gonna have a bad time.

------
dsr_
Can anyone point to knowledgeable commentary from a pilot with current
experience with these systems?

I'm rather doubtful that the actions presented in this article can be done in
that manner.

~~~
omegant
Airline pilot here, with experience with both systems, but not technical
knowledge of the inner parts or how capable they are. I have to leave
right now; I'll be expanding this comment a bit later.

For now I'll just tell you that both systems are capable of creating great trouble
if they can be accessed as easily as he claims (and I think they are).

------
RockyMcNuts
In the ATC system planes don't actually get routed electronically. Controllers
give verbal clearances and tell pilots where traffic is.

This sounds more like spoofing an SMS from the airline's dispatch.

Sort of makes sense that a simulator would have the ability to load scenarios without
pilot acknowledgement; it has no bearing on whether it would work in a Boeing or
Airbus.

The ATC system is pretty vulnerable to DOS though.

~~~
jjwiseman
TCAS is a completely automated system. When your TCAS issues a Resolution
Advisory, pilots are expected to do the following:

* Shall respond immediately and manoeuver as indicated, unless doing so would jeopardize the safety of the airplane

* Shall follow the RA even if there is a conflict between the RA and an Air Traffic Control (ATC) instruction to manoeuver

([http://www.eurocontrol.int/msa/gallery/content/public/docume...](http://www.eurocontrol.int/msa/gallery/content/public/documents/Doc9863_ACAS_Controller_Training_chp6_1.pdf))

~~~
jrockway
But TCAS is preempted by GPWS and stall warnings, so the damage is limited to
cases where you are flying at altitude directly under another airliner and you
can spoof an RA for the plane above to descend into the plane below. The
statistical likelihood of this configuration _and_ a malicious attacker that
can spoof TCAS is probably so low as to not cause much worry.

(Also, despite procedures, airline pilots are not automatons. They may be able
to insert their brain into the loop to avoid disaster, despite the opposite
happening from time to time.)

------
adamnemecek
Someone's about to be put on the no fly list.

------
pedromorgan
The ADSB is the "secondary radar" part, and radar reflection is the "primary".

To create a "fake aircraft", one would have to "fake the primary" also.

<http://en.wikipedia.org/wiki/Secondary_surveillance_radar>

~~~
neurotech1
No you wouldn't have to "fake" the primary radar return.

Civilian Air Traffic Controllers in the US, Australia and numerous other
countries only have Secondary Radar.

It used to be the running joke when I learnt to fly. "How is a Cessna 150 like
a Stealth Fighter?" "With the transponder turned off.. neither will show on
secondary radar"

The US Air Force, NORAD and NATO still maintain primary air defense radar.
Especially in the US, a business jet or airliner without a functioning and
active transponder is likely to get intercepted by an F-16 and escorted to land
at the nearest suitable airport.

------
zaroth
It probably fell off the list the first time around because the title seems
like it "must be linkbait," so many resisted clicking on it until it's high up
on the front page. Then you start reading and realize it's about as far from
linkbait as you can get! Amazing work by Hugo Teso, and also going the extra
mile to show the PoC on Android is exactly the right method to get this
problem noticed and increase the chances it will be worked on.

I think talks like these are the absolute best way to light a fire under
vendors (or an industry) to get these issues addressed. In this case we're no
doubt talking about a very expensive remediation process. It also makes you
wonder how bad the security will be for the next-gen GPS based systems.

I do worry the protections are not strong enough for researchers who give
these talks, especially in areas like national security. It's a brave thing
that Teso did going public with these vulnerabilities, and I sincerely hope we
aren't reading about harassment coming his way in the future.

------
dbuxton
Not entirely on topic, but I also remember seeing something a few years ago
about how you could actually telnet (sic) into some airliner flight control
computers if you were able to splice into the physical cables (which run under
the floors). Something about not using ssh because it messed up the prompts...
Will have to find it.

~~~
jamesseattle
You're mistaken.

I worked on the 787 and a derivative of the 747. They use protocols defined by
ARINC (google it) that are only used in the airplane industry. Stuff like
telnet need not apply.

------
pnathan
I do believe that the reaction to this will be to double down on the
banning/shutting off electronic devices.

------
tuxidomasx
Just thinking out loud...

How about a simple hardware device covertly attached to the plane's flaps and
rudders... Then using a smart phone to control that hardware device, thus
mechanically overriding the onboard aircraft control system and giving an
attacker a degree of control over the plane.

How hard is it to get access to a plane to install something like this? Is it
possible for a plane to pass an inspection with this device installed?

I imagine the motors that control the flaps are powerful, but even being able
to lock them up would be useful. Let's say the plane rolls 10 degrees. We can
then trigger the device that physically jams the motor, locking the flap in
that position.

This could be like some small gel that expands and hardens.

~~~
btgeekboy
Good luck getting onto a commercial apron and installing that with nobody -
not even the pilots who perform the preflight inspection or the before takeoff
checklist - noticing.

------
jrochkind1
Meanwhile, millions (billions?) of dollars, hours of time, and degradations of
privacy and dignity all go into trying to reduce the chance of someone being
able to sneak a Toothpaste Bomb (over 3oz!) onto a plane.

You are only as secure as your weakest point.

------
drakaal
The article fails to mention you would need a HUGE transmitter, not just your
phone. They wouldn't let you get enough transmitter onto the plane to do it.
And from the ground you would have to have a strong directional transmitter
with enough sighting capability to keep the plane in line of sight for hundreds
of miles.

That's not something most people have access to, and in most places someone
would notice that you put up a 30 foot parabolic with auto-aligning mounts on
your house.

~~~
jjwiseman
That's not true. [http://www.cumulus-soaring.com/newsletter/2008-05/Mitre-ADS-...](http://www.cumulus-soaring.com/newsletter/2008-05/Mitre-ADS-B-Transmitter.jpg)

You also don't need to be on the plane. A typical ADS-B transmitter can be
picked up pretty easily from over 100 miles away--I can broadcast to every
aircraft over Los Angeles from my backyard if I want.

I don't know about ACARS, but I would imagine it's similar.

~~~
drakaal
Your signal has to be stronger than the tower's. And you need enough
channels to talk to all those planes.

~~~
jjwiseman
Are you talking about ACARS? Because neither of those is true for ADS-B.

------
chenster
This reminds me of the movie "Independence Day", in which a scientist uploads a
"virus" to an alien spacecraft and disables communications between the mothership and
the alien spacecraft.

------
larrys
"Teso has not shared too many details about the tools he used to effect the
attack, as the vulnerabilities have yet to be fixed."

"has not shared" but then what is the security and methods by which he keeps
the info private within his own computing environment? A motivated attacker
could certainly take the initiative to get the info from him. Either by
physical break in, phishing or some other devious method.

------
jjwiseman
It looks like he's using my drone ground control software mavelous as a front-
end to control the simulated target aircraft:
<https://github.com/wiseman/mavelous>

------
dmiladinov
Between the TSA groping you at the terminal and now the scary possibility of
ne'er do wells initiating shenanigans from their smartphones in mid-air, it's
enough to make me never want to fly again.

------
NathanKP
Someday soon someone will make a similar app to hack self driving cars.

------
paraboul
Who cares? Mobile phones must be turned off during the flight.

~~~
carlisle_
Not on the flights I've been on recently. As long as it's in airplane mode
you're fine.

Also you think somebody doing something illegal like this is going to listen
to any rule that involves turning your phone off? If anything they'll just be
discreet about it.

~~~
paraboul
Man, sarcasm.

------
negativity
I love the polite, hoity-toity tone of the euphemisms used for some of the
more horrible functions: "Please go here", "Visit ground", "Kiss off", "Be
punckish"

------
smackfu
Is there anything that makes this unique to an Android phone vs a bog-standard
laptop with wireless?

------
matznerd
The irony here is that there may be a reason after all for people to turn off
their electronics!

------
SeanDav
Meanwhile, back at home, the TSA are doing a sterling job fondling someone's
privates....

------
sareon
Great, now an excuse for the TSA to not allow us to have electronics on board.

------
verygoodyear
So in reality this is just link bait? He can't crash a plane with his phone?

------
iansinke
My Nexus 4 arrives this week... :)

------
PlaneSploit
It's too late you guys, I already got the account name.

