Go Back  PPRuNe Forums > Flight Deck Forums > Tech Log
Reload this Page >

FMS vulnerabilities highlighed at Net Security conference

Tech Log The very best in practical technical discussion on the web

FMS vulnerabilities highlighed at Net Security conference

Old 11th Apr 2013, 04:28
  #1 (permalink)  
Thread Starter
Join Date: Dec 2008
Location: Sydney, Australia
Posts: 58
FMS vulnerabilities highlighed at Net Security conference

This article is obviously going for the shock factor (I tried to tone down the headline) but it seems like this guy has found some interesting vulnerabilities?

Hijacking airplanes with an Android phone

An extremely well attended talk by Hugo Teso, a security consultant at n.runs AG in Germany, about the completely realistic scenario of plane hijacking via a simple Android app has galvanized the crowd attending the Hack In The Box Conference in Amsterdam today.

It's still curious to me how he thinks he can "hack"an FMS via ACARS or ADS-B... I sincerely hope that's hyperbole.
jportzer is offline  
Old 11th Apr 2013, 06:09
  #2 (permalink)  
Join Date: Mar 2003
Location: BC
Age: 73
Posts: 2,460
I'm more curious about why people would attend such a presentation. Rationality has departed; credulity has no bounds in our wiki age and this article reflects the current depth and quality of investigative journalism. Frightening people has become an easy pastime.

There is no link between the described systems that will move the flight controls of the aircraft and that leaves the crew at the mercy of an Android phone.

Last edited by PJ2; 11th Apr 2013 at 06:15.
PJ2 is offline  
Old 11th Apr 2013, 07:26
  #3 (permalink)  
Join Date: Apr 2008
Location: back of beyond
Posts: 115
He's talking about a "payload" (think "virus") that could be deployed on the FMS computer. I've no idea how (or if) this can be done, but if it could then it should be relatively easy to modify the FMS's inputs so as to deliver the desired outputs.

While ACARS/ADSB normally have no connection with the flight controls, my understanding is that this connection is precisely what this "payload" provides. But it doesn't have to - it may just contain the instruction to fly into the ground on the 4th of July, for example. Of course, that wouldn't be as cool as controlling the plane through your Android phone.

The real challenge isn't in programming the payload, it's in delivering it (or preventing its delivery, depending on your point of view). One hopes that the security measures involved with program updates (and possibly also nav data) are up to the task.

It's been done with industrial control systems (stuxnet), no fundamental reason why it can't be done with an FMC.

Last edited by fizz57; 11th Apr 2013 at 07:30.
fizz57 is offline  
Old 11th Apr 2013, 09:16
  #4 (permalink)  
Join Date: Dec 2005
Location: Up there
Posts: 30
Researcher hacks aircraft controls with Android smartphone

Researcher hacks aircraft controls with Android smartphone ? The Register

A presentation at the Hack In The Box security summit in Amsterdam has demonstrated that it's possible to take control of aircraft flight systems and communications using an Android smartphone and some specialized attack code.

Hugo Teso, a security researcher at N.Runs and a commercial airline pilot, spent three years developing the code, buying second-hand commercial flight system software and hardware online and finding vulnerabilities within it. His presentation will cause a few sleepless nights among those with an interest in aircraft security.

Teso's attack code, dubbed SIMON, along with an Android app called PlaneSploit, can take full control of flight systems and the pilot's displays. The hacked aircraft could even be controlled using a smartphone's accelerometer to vary its course and speed by moving the handset about.

"You can use this system to modify approximately everything related to the navigation of the plane," Teso told Forbes. "That includes a lot of nasty things."

First, Teso looked at the Automatic Dependent Surveillance-Broadcast (ADS-B) system that updates ground controllers on an aircraft's position over a 1Mb/s data link. This has no security at all, he found, and could be used to passively eavesdrop on an aircraft's communications and also actively interrupt broadcasts or feed in misinformation.

Also vulnerable is the Aircraft Communications Addressing and Reporting System (ACARS), the communication relay used between pilots and ground controllers. Using a Samsung Galaxy handset, he demonstrated how to use ACARS to redirect an aircraft's navigation systems to different map coordinates.

"ACARS has no security at all. The airplane has no means to know if the messages it receives are valid or not," he said. "So they accept them and you can use them to upload data to the airplane that triggers these vulnerabilities. And then it's game over."

Teso was also able to use flaws in ACARS to insert code into a virtual aircraft's Flight Management System. By running the code between the aircraft's computer unit and the pilot's display he was able to take control of what the aircrew would be seeing in the cockpit and change the direction, altitude, and speed of the compromised craft.

He admitted that some of this was moot, given that the human pilot could always override the automatic systems, but the software could be used to make cockpit displays go haywire or control other functions, like deploying oxygen masks or lights.

The precise nature of the code flaws wasn't released for understandable reasons but Teso says the Federal Aviation Administration and the European Aviation Safety Administration have both been informed and are working on fixing the issue.

Skipping the usual press over hype - but still.... Really?
Outlook is offline  
Old 11th Apr 2013, 10:26
  #5 (permalink)  
Join Date: May 2008
Location: Toulouse
Posts: 1
There's more information here and his presentation is here (in PDF format).
uncle.slacky is offline  
Old 11th Apr 2013, 13:04
  #6 (permalink)  
Join Date: May 2011
Location: Glasgow
Age: 37
Posts: 642
So with the right radio / software, could you manipulate the ADS-B information that is part of Transponder Mode-S data to initiate a TCAS RA?

I suppose the question is - are there any vulnerabilities in the FMS which allow the FMS to be programmed via ACARS?
If the answer is no, then the attack potential is to retrieve lots of data and send bogus messages and flight plans into it. I would be very surprised if you can send something to an FMS and for that thing to be automatically used / executed without Pilot involvement?
riverrock83 is offline  
Old 11th Apr 2013, 13:55
  #7 (permalink)  
Join Date: May 2008
Location: USA
Posts: 44
I just read this over the The Register and I suspect that everything he says is possible is indeed possible. These systems were designed with the assumption that both the transmitting device and the receiving device were validated. I'm sure a great deal of time and effort went into validation and testing to make sure the transmitted messages were properly formatted, transmitted, and received. I'm sure the system was also tested for its ability to detect and reject messages corrupted by random interference.

But the complete lack of any authentication security tells me that there was no attempt to validate the system for deliberately constructed malicious messages. In networking systems, maliciously constructed messages/packets are probably the most common attack vector. And they often succeed, even on networks hardened against such attacks. I should think that do what he claims would be child's play for someone with in-depth knowledge of those systems.
areobat is offline  
Old 11th Apr 2013, 14:39
  #8 (permalink)  
Join Date: Jun 2009
Location: Canada
Posts: 464
Originally Posted by areobat View Post
In networking systems, maliciously constructed messages/packets are probably the most common attack vector.
But the ACARS network is more like your home LAN than the Internet; there are few legitimate routes into the system and they're validated as trustworthy before they're allowed to send data. An evil person at an ATC centre could send evil messages, but you pretty much have to trust them regardless of how the messages are transferred.

For this to work, they'd presumably need a suicidal passenger on the aircraft carrying a radio transmitter powerful enough to override the ground transmitters. Which doesn't seem too easy to me.
MG23 is offline  
Old 11th Apr 2013, 16:03
  #9 (permalink)  
Join Date: Mar 2011
Location: engineer at large
Posts: 1,409
I will look at the feed, but unfortunately, I would assume it is valid.
ADSB issues are one of the biggest reasons that ADSB-IN is not moving forward.

In regards to the FMS, those of us who work with the system architecture, understand the potential vulnerabilities. It is somewhat unfortunate that this issue has been brought forward in a hacker format...

Edit: In looking through the presentation, I dont have the verbiage of how or what was explained, but the presentation is very accurate.

Last edited by FlightPathOBN; 11th Apr 2013 at 16:10.
FlightPathOBN is offline  
Old 11th Apr 2013, 16:15
  #10 (permalink)  
Join Date: Mar 2003
Location: BC
Age: 73
Posts: 2,460
Well, before we all set our hair on fire over some half-baked notions we need to think about this, with some understanding of the systems involved and not just ride off in all directions with ill-considered claims. The sky is not falling . . .

1. Neither the ADS nor the ACARS are directly linked / connected to the flight control system, period.

2. The FMS is connected to the flight control system when the autoflight / autothrust systems are being guided by the flight plan data and (to a much lesser extent) the weight-and-balance data entered during the ramp check.

2. The ADS system is an ATC communications system which has no connection to the FMS. ATC cannot control the routing, speed or altitude of the aircraft through ADS.

3. While some operators routinely upload flight plan and weight-and-balance data via ACARS during the ramp flight preparation sequence, many operators' do not have this auto-upload capability and the data is entered manually. In manually-entered circumstances there is no way to upload changes to the flight plan routing via the ACARS to affect aircraft navigation through the FMS which is connected to the autoflight system.

4. Given system and aircraft design, logically the autoflight system must be engaged for this to "work". The FMS has the route data and the autoflight is designed to follow that data.

5. FMS data cannot control altitude and will not command the aircraft to climb or descend even if cruise altitude changes and descent points have previously been entered or otherwise programmed in the FMS. Neither can ACARS nor ADS do this.

6. Within a narrow Mach or CAS range, when routinely engaged, the autoflight / autothrust systems are controlled by the FMS which in turn will control aircraft cruise speed. Cruise speed and speed restrictions at certain waypoints, (oceanic entry and exit points, for example), may be part of the flight plan. As with any FMS entries, there are reasonableness checks which reject incorrect or inappropriate data.

7. Should something like that which is claimed actually succeed, there are at least two human pilots in the cockpit, sometimes three or four depending upon phase of flight, etc who can fly the aircraft manually. When the autoflight system is disconnected none of this works. Also, routine enroute waypoint checks confirm position, speed, altitude, next position and so on and, should immediate but subtle anomalies occur enroute, they would be caught at such waypoints.

This doesn't deny the possibility that ACARS has vulnerabilities, but such potential is not about to take over an airliner in flight as implied by the use of the word, "hijack".

In my view, making claims that it is somehow possible to command an airliner to "dive" or do other untoward maneuvers beyond the crew's ability to counter, using an Android cellphone, is irresponsible.

When the exact method by which the claims in Mr. Teso's article are made is clearly explained and, as such things normally are required to be, peer-reviewed to substantiate serious claims of compromise, then we might take all this seriously. At present, it seems entertainment is where one finds it.

PJ2 is offline  
Old 11th Apr 2013, 16:29
  #11 (permalink)  
Join Date: Feb 2007
Location: -------
Posts: 480
I would put this topic along with chemical contrails.

Fullblast is offline  
Old 11th Apr 2013, 16:43
  #12 (permalink)  
Join Date: Mar 2011
Location: engineer at large
Posts: 1,409
PJ2, FB...

I can say this, that after 911, there was a very serious effort in these regards.

With ADSB, there has been ADSB IN capability on many aircraft for quite some time now.

If the aircraft is on a coded procedure, where do the speed and altitude commands originate?

(thats enough at this point, I dont want the black SUV's showing up)

Last edited by FlightPathOBN; 11th Apr 2013 at 17:14.
FlightPathOBN is offline  
Old 11th Apr 2013, 16:58
  #13 (permalink)  
Join Date: Dec 2010
Location: Teaneck NJ
Age: 47
Posts: 6
The actual presentation deck from the conference is here if you want to read the actual presentation itself instead of relying on second-hand news articles.

nombody is offline  
Old 11th Apr 2013, 17:24
  #14 (permalink)  
Join Date: Mar 2003
Location: BC
Age: 73
Posts: 2,460

Thanks for your response.

I realize that the issue has a security element to it but the point needs to be emphasized that ACARS & ADS systems cannot take over the flight controls of an aircraft, and that isn't a security issue, that is a design feature, knowledge of which is available to anyone. For heaven's sake, no "black SUVs" are going to show up for discussing such an issue!

I'm not disputing claims of interference through vulnerabilities, I am disputing the claim that such vulnerabilities represent a threat to the physical control of airliners beyond the ability of flight crews to counter. Let us not conflate the issue such that all manner of rumour be taken at face value for fact.

In general, let us not raise and embrace the possibility, then refuse to discuss it out of some concern for secrecy or security. If the threat is real, demonstrate how it is thus using commonly available knowledge and information. I have made some points regarding why I think this is nonsense but claim no expertise in any area other than flying these cable-pulley, hydraulic and fbw transports. Tell me as a pilot why such concerns should be taken seriously when there is a flight crew on board that can manually fly the airplane.

When someone here who both embraces these claims (that airliners can be "taken over" by ACARS or ADS commands through the FMS directly controlling the flight and engine controls, autoflight on or off), and can describe the method or process by which this is made possible and cannot be defeated by the cockpit crew, then perhaps we can take this threat seriously.

I would think that the risks are far higher in terms of corporate espionage for data that airlines are always desperate to gather on their competitors. But that kind of hacking is not new and it doesn't threaten flight safety.

nombody, thanks for the link. The preso reminds me of something Von Daniken or Velikovsky would put out.


Last edited by PJ2; 11th Apr 2013 at 17:33. Reason: grammar, add last comment
PJ2 is offline  
Old 11th Apr 2013, 17:34
  #15 (permalink)  
Join Date: Jul 2007
Location: Germany
Posts: 893
This reminds me of the hype with computers leading up to the year 2000. People made a lot of money claiming disaster was around the corner and carrying out expensive audits. It is (just) conceivable that you could screw up the flight management system. But then what? after all that is what the pilots are there for....to fly the plane. If the system fails we revert to?....manual flight....big deal!
lederhosen is online now  
Old 11th Apr 2013, 18:36
  #16 (permalink)  
Join Date: Aug 2005
Location: Long Beach, CA
Posts: 7

There is a lively thread over at Hacker News. Several of the developers claim to have experience with avionics software programming.


p.s. also a humorous sub-thread about possible TSA responses: ban Android Phones; seal them in one quart ziplock baggie; wrap them aluminum; put Hugo Teso on the no-fly list; etc..
surfman96 is offline  
Old 11th Apr 2013, 18:38
  #17 (permalink)  
Join Date: Mar 2011
Location: engineer at large
Posts: 1,409

Understand your response.

that airliners can be "taken over" by ACARS or ADS commands through the FMS directly controlling the flight and engine controls, autoflight on or off)
If this was possible, would post how to do it in an online public forum?

Think about your autopilot controls, there is a button on the yoke, and several other ways to control the autopilot. Can the autopilot disengage itself?

Last edited by FlightPathOBN; 11th Apr 2013 at 18:42.
FlightPathOBN is offline  
Old 11th Apr 2013, 20:08
  #18 (permalink)  
Join Date: Dec 2003
Location: Tring, UK
Posts: 1,591
I read the presentation and I think this is a serious problem.

What the security researcher is talking about is using unsecured communication channels (ADS, ACARS) to identify then attack an aircraft, compromising the FMS and possibly other systems.

From what he was saying it appears that there are ''zero-day exploits'' available for some FMCs, through normal data channels. Once in there, the attacker could do pretty much anything.

We tend to think of aircraft nav/data systems as being made up of isolated units but if there are communications between them, then they are vulnerable. You can do a fair bit with most FMCs: tune navaids, select navigation sources and even use them as backup dials and switches for when these fail. On the 777 you can be ''pushed'' route updates by ATC (or whoever is pretending to be ATC...) Once compromised, you could display to the pilot(s) ''situation normal'' but in fact be taking the aircraft off-route...
FullWings is offline  
Old 11th Apr 2013, 20:24
  #19 (permalink)  
Join Date: May 2008
Location: USA
Posts: 44
No one thought that it was possible to remotely make 30 non-externally networked ultra high speed centrifuges located inside a super secret, hardened nuclear processing facility operated by country no one can get into quietly spin their bearings to destruction.

But it happened.

I'm not concerned about a flight becoming someone's jumbo size Parrot AR Drone, but I would be concerned that system interruptions or system manipulation could be used to provoke a mishap.

Last edited by areobat; 11th Apr 2013 at 20:35.
areobat is offline  
Old 11th Apr 2013, 20:36
  #20 (permalink)  
Join Date: Mar 2011
Location: engineer at large
Posts: 1,409
From what he was saying it appears that there are ''zero-day exploits'' available for some FMCs, through normal data channels. Once in there, the attacker could do pretty much anything.
All this, and TESO was not an avionics expert...
FlightPathOBN is offline  

Thread Tools
Search this Thread

Contact Us - Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service - Do Not Sell My Personal Information -

Copyright 2021 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.