By Sam Grobart
April 12, 2013 6:00 AM EDT
Facebook Twitter LinkedIn
So it looks like someone could hack a jetliner. With an Android smartphone. Awesome.
At the Hack In The Box conference in Amsterdam, security consultant Hugo Teso demonstrated PlaneSploit, an app he developed that can take control of certain systems aboard an airplane and cause it to change direction or just crash itself into the ground.
Hugo’s no terrorist, mind you. He developed the app to point out the glaring, frightening, insane security holes in most planes’ onboard flight systems. His demonstration was done in a simulated environment, but the methods and effects, he says, are exactly the same as what could happen with a real plane.
“The complete attack will be accomplished remotely, without needing physical access to the target aircraft at any time,” wrote Teso in his presentation abstract for the conference. The hack exploits the plane’s autopilot, transferring control to the hacker, who (in theory) could command the plane from an app running on Android.
The site Help Net Security describes the process in bland, chilling detail:
“The attacker can click on any active airplane and it receives its identification, current location and final destination. In case a nearby airplane system is exploitable (a number of vulnerability vectors mentioned, not much details provided), the application alerts the user via an in-application alert or a push message. The payload can be uploaded with a tap of a button and from that point on, the flight management system is remotely controlled by an attacker.”
Teso says he has been in contact with several members of the airline/aircraft industry and that they are working on addressing these deficiencies. One should hope so.
mother of god. i mean, i already expect corporate and federal networks to be losing more battles against hackers in the coming years, but airplanes? motherf--kin airplanes
? we're talkin bout airplanes now?
how shitty would it be to lose your life due to terrorist plane hijack, and the guy didn't even need to commit suicide to do so. AND the 'guy' could be some 11yr old scrub who was having a bad day in starcrack and decided to make someone pay with a fun new app his buddy hooked him up with. or something like that.
i guess if you're dead then you're not caring too much about consolation... but friends and relatives could still use something to soothe them a bit. petty vindication of the terrorist's death was better than nothing. i mean, geez.