Hijacking via Android?

April 12, 2013

This is my preemptive plea, an open letter to the media, to rein in another silly airplane story before it garners too much traction.

Too late, I know.

I’m referring to the story, which began making rounds on Thursday, about the possibility of using Android devices or similar gadgets to “hijack” or “take over” commercial airplanes by inputting rogue data to the plane’s ACARS or FMS units.

If you don’t know what I’m talking about, good. Chances are you do, however. If so, try not to take it too seriously.

On the one hand, Hugo Teso, the person behind this lecture/experiment, has a solid understanding of how planes fly, and is presumably familiar with the way pilots and their technology interact. Unfortunately, he’s extrapolating wildly — or certain commentators and reporters are extrapolating wildly — and giving people the entirely wrong impression. What could be an interesting conversation is instead being dumbed down into alarmist nonsense.

ACARS is an air-to-ground communications system that allows messages to be sent back and forth over VHF radio frequencies or satellite link. The FMS, or flight management system, is the proverbial “computer” that you sometimes hear pilots mention. It presents an electronic, integrated blueprint of a flight — the various courses, altitudes and speeds that we’ll be flying at between city A and city B — which the plane’s autoflight system — or the pilots, when flying manually — then follow. This blueprint is based on a slew of manually and/or electronically inputted data. Much of this data is loaded prior to departure, but a flight is very organic; our headings, altitudes, speeds, arrival and departure patterns, etc., are never forecast with certainty from the start. FMS data is subject to constant updating and revising over the course of a flight. Most of the changes are entered manually by the crew. Occasionally they are sent automatically from air traffic control or company dispatchers. Either way, we are clearly aware of them.

Teso wants you to believe your smartphone can send these instructions as well, causing a dangerous disruption.

The problem is, the FMS — and certainly not ACARS — does not directly control an airplane the way people think it does, and the way, with respect to this story, media reports are implying. Neither the FMS nor the autopilot flies the plane. The crew flies the plane through these components. We tell it what to do, when to do it, and how to do it. Whatever data finds its way into the FMS, and regardless of where it’s coming from, it still needs to make sense to the crew. If it doesn’t, we’re not going to allow the plane, or ourselves, to follow it.

The sorts of disruptions that might arise aren’t anything a crew couldn’t notice and easily override. The FMS cannot say to the plane, “descend toward the ground now!” or “Slow to stall speed now!” or “Turn left and fly into that building!” It doesn’t work that way. What you might see would be something like an en route waypoint that would, if followed, carry you astray of course, or an altitude that’s out of whack with what ATC or the charts tell you it ought to be. That sort of thing. Anything weird or unsafe — an incorrect course or altitude — would be corrected very quickly by the pilots.

Several websites that have picked up the story seem to contradict this by claiming that many modern planes “lack analog instruments” or have autopilot systems that cannot be switched off, etc., etc. — basically claiming that pilots would be unable to recognize or react in time to pirate uplinks. For instance, in this report, it states: “A pilot could thwart an attack by taking the plane out of autopilot although he pointed out that several newer systems no longer include manual controls.”

This is extremely misleading. While not all aircraft have direct manual reversion of flight controls, there is always a way for the pilots to disconnect the automation and, as we call it, hand-fly. Heck, more than 99 percent of landings and a full 100 percent of takeoffs are hand-flown every day.

To be clear, none of this is to suggest that beaming uninvited data into the electronic architecture of the cockpit is an acceptable idea. Of course it is not. There are aspects of this, such as how outside interference might interplay with fly-by-wire flight controls, and the emerging technology known as ADS-B, that warrant a closer look. That such things might be possible is, to be sure, a potential cause for alarm.

But, even so, this is not by any stretch the sort of imminent threat people are being led to think it is. In fairness to Mr. Teso, I’m less annoyed by his demonstration than by the way some in the media have been spinning it. A hacker with an Android is not going to fly your 757 into the Empire State Building. Scary words like “hijack” and “takeover” have no place in this conversation.

 


 
A VERSION OF THIS STORY ALSO APPEARS ON BOSTON.COM


69 Responses to “Hijacking via Android?”
  1. Timothy says:

    Patrick,

    Thanks for your perspective on this, however I must ask the following: since commercial airlines are now controlled via fly-by-wire systems is it conceivable that once a connection between the hacker and the plane has been made that they would then be able to access parts of the system that control flight surfaces, auto pilots, throttles, etc? Or are there firewalls between networked systems on planes?

    Thanks,
    T

    • James says:

      It isn’t really a connection. It is more of a public announcement of conditions changing. Data, not commands.

      • Matthias Urlichs says:

        It may be “data not commands”, but we all know what buffer overflows and related bugs can do.

        The whole story smells just like one of Bruce Schneier’s movie plot contest entries.

      • Lie says:

        Even the ability to send malicious data can be just as dangerous. An attacker can tell the plane that there is a very strong crosswind ahead, and the autopilot might be programmed to adjust to crosswind by changing its direction to counteract the crosswind, but since there is no actual wind the adjustments would actually alter the plane’s direction. Feeding faulty atmospheric pressure data to the plane could also alter the plane’s altimeter. An autopilot that has been set to fly at a specific altitude might adjust its height, causing the plane to fly at an incorrect altitude. A pilot that wasn’t expecting an attack might not notice the discrepancy between the glass displays and the analog compass/altimeter until it’s too late.

        • Patrick says:

          No, this wouldn’t happen. Autopilots don’t react to anticipated or FMS-programmed crosswinds. Neither do I understand how you would “feed faulty atmospheric pressure data” into the plane. Feed it to where? The plane’s air data system is, so far as I know, totally self contained and doesn’t accept inputs the way an FMS does.

        • Seth says:

          Correct me if I’m wrong Patrick, but in the class A airspace above 18,000 ft, when you are using flight levels rather than thousands of feet, don’t you use standard pressure for altitude reporting/setting? With that the pressure wouldn’t matter until you get to a critical flight stage where the pilots are sure to be paying full attention and receiving regular barometer updates.

    • JimD says:

      As a pilot who uses this equipment and technology every day, I can agree completely with the author, with absolute certainty, that there is currently no way, that any kind of erroneous data can somehow be transmitted into an aircraft to make an aircraft go astray, or to confuse aircraft systems.

      I believe I need to take it one step further and make a clear statement that at all times, every aspect of the aircraft systems and route of flight are under 100% control of the flight crew, NOT by Air Traffic Control, NOT ACARS, and not the FMS… It needs to be made clear that the FMS only does what it is told, and approved, by the flight crew; AFTER receiving, verifying, and accepting either an ACARS message or ATC clearance.

      To make it simple, there is, always, at all times, a human in the loop to verify that what is being told to them in any form, is acceptable, logical and makes sense… only then do the flight crew initiate a route or altitude change. Just remember – pilots still fly the aircraft, NOT computers… they just tell the computers exactly how to do it with continuous monitoring.

      If, in the very unlikely event that there was an ability to “hack” ACARS data being uploaded to the aircraft, it is still verified by the flight crew – no data is ever just blindly accepted by crew, including altitudes, clearances, and routes. Everything is verified by the crew before being accepted. That is the way aviation is done behind that mysterious closed cockpit door… check and re-check against known waypoints, minimum altitudes and routes.

      All this information is in the cockpit via paper. Some airlines are moving to paperless cockpits with items like multiple ipads with several redundancies; however, this information is in the form of redundant stored memory; the exact purpose is to prevent corruption or “hacking” of data.

      To re-iterate as well, no aircraft systems in even the most advanced aircraft flying today, are able to be “hacked” from the ground. No one can “hack” the environmental system and cause a depressurization, for example. These systems are “hardwired” meaning they all still need to be adjusted from inside the cockpit via switches – there is no magic remote control system that can be taken over by some geek hacker and cause aircraft systems disruption. And to this day, aircraft still have very direct controls, or exceptionally redundant systems on fly-by-wire aircraft. There is no way whatsoever to somehow wirelessly “hack” into the multiple redundant code and cause the electronics to go haywire; just as there is no way to remotely “hack” into a computer that has no internet or wireless access (airwall).

      Finally, and to support all the other pilots who have commented, all flight crew are trained to continuously monitor and watch if the pre-programmed route is actually taking the aircraft where it is supposed to. In every single aircraft ever made, (or ever TO BE made as long as there is a human up front…) the flight crew can at any time take over control. I can say with certainty that I am trained constantly to never completely trust the automation – always be ready to take over and hand fly. Part of my training includes questioning deliberately misleading or false clearances (like getting deliberate clearances during simulator training that will eventually fly me into the side of a mountain or a clearance that will fly me into the oncoming traffic I can see on my TCAS display – do I catch it? This is all part of learning situational awareness and never just blindly trusting any clearance from ATC).

      It goes back to the basics – aviate, navigate, communicate, in that order. Automation will never change this.

      • Steve says:

        The problem here is that some things you state as if obvious here aren’t obvious. Just because it appears from a user-interface point of view that the FMS is advisory and has no direct or indirect paths to altering aircraft behaviour in a way that’s hard to notice or countermand, doesn’t mean it’s necessarily so.

        What we really need, and AFAIK nobody has yet provided, to determine if Teso’s story holds water is:

        Suppose I have complete control of the FMS, obtained by feeding it malicious ACARS messages. Not just misleading/incorrect information, complete control of that box.

        Now: what onboard systems are connected to the FMS? What commands can the FMS send to them? What data do they read from the FMS? Can I find a vulnerability in systems accepting commands or data from the FMS? If so, assume I can completely control that system and ask the same questions of it.
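The recursive question in the comment above can be written down as a walk over a data-flow model. This is an added example, not part of the original post or comments; the component names, the edges and the placement of each crew-confirmation gate are constructed assumptions, not a real avionics architecture.

```python
from collections import deque

# Constructed, hypothetical data-flow model. Component names and gate
# placement are illustrative assumptions, not a real avionics architecture.
# Edge: (source, destination, gate). gate is None when the destination
# consumes the data automatically; otherwise it names whatever enforces the
# crew-confirmation step for that flow.
EDGES = [
    ("acars", "fms", "fms"),                    # uplink waits for crew accept in the FMS
    ("fms", "nav_display", None),               # active route is drawn automatically
    ("fms", "autoflight", "fms"),               # route is followed once executed in the FMS
    ("autoflight", "flight_controls", "crew"),  # crew can disconnect and hand-fly
    ("air_data", "autoflight", None),           # self-contained sensor feed
]


def trace(edges, start, controlled_box=False):
    """Walk outward from `start` and report what it can influence.

    controlled_box=False: the attacker supplies well-formed but false data,
    so every crew gate is assumed to hold.
    controlled_box=True: the attacker runs code inside `start` (the premise
    in the comment), so a gate enforced by an already-controlled component
    no longer counts, and each newly reached receiver is treated, worst
    case, as controlled too.

    Returns (tainted, review): the components receiving attacker-chosen
    input, and the gated interfaces whose receiver-side input handling has
    to be examined before the walk could go any further.
    """
    owned = {start} if controlled_box else set()
    tainted, review = {start}, []
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, gate in edges:
            if src != node or dst in tainted:
                continue
            if gate is None or gate in owned:
                tainted.add(dst)
                if controlled_box:
                    owned.add(dst)
                queue.append(dst)
            else:
                review.append((src, dst, gate))
    return tainted, review


if __name__ == "__main__":
    for start, owned in (("acars", False), ("fms", False), ("fms", True)):
        tainted, review = trace(EDGES, start, controlled_box=owned)
        print(start, "controlled" if owned else "data only")
        print("  tainted:", sorted(tainted))
        print("  still to review:", review)
```

The two modes correspond to the two positions in the thread: false data stops at the first crew gate, while code running inside a box removes any gate that box itself enforces and leaves the independent ones as the interfaces to audit.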

      • Lie says:

        “Part of my training includes questioning deliberately misleading or false clearances (like getting deliberate clearances during simulator training that will eventually fly me into the side of a mountain or a clearance that will fly me into the oncoming traffic I can see on my TCAS display”

        If the flight system is compromised, the TCAS might never show that there is incoming traffic or show traffic where there is none. The only thing you can trust in case of a compromised computer are those that are not controlled by a computer. This means anything on the glass display, GPS, and the autopilot may not be trusted. Essentially you will have to fly an A320 with only the tools available on a C172P. Combine this with bad weather, zero visibility, and jamming radio communication with ATC and you have a movie script.

  2. […] Bruce Schneir’s blog is a link in the comments that leads to this article at Ask A Pilot that calls bullshit: The problem is, the FMS — and certainly not ACARS — do not directly control an airplane the […]

  3. […] Could an exploit via an Android app really hijack a plane? Not so, says a prominent pilot/author Finally, some sanity. After many a blog post this week re-reported Help Net Security's "Hijacking airplanes with an Android phone" piece — in which security consultant and pilot Hugo Teso apparently demonstrated how he could theoretically interfere with an aircraft's flight management system — and headlines grew more and more alarmist, Patrick Smith, editor of the popular "Ask the Pilot" blog has a few things to say about the matter. […]

  4. JS says:

    James Fallows did a debunking over at his blog as well. (here)

  5. Othercents says:

    If it is possible to update the FMS in two aircraft that are in close proximity then it could be possible to have the pilots or autopilot steer the aircraft towards each other. If at times FMS is the primary source of heading and altitude information then outside intervention of this system could be a major issue.

    Since I’m not familiar with all the systems, I’m unsure of proximity warnings pilots might get when approaching other aircraft or if traffic control actively watches flights and provides course corrections once they are at cruising altitude.

  6. Neal says:

    First off, I am a pilot, but not commercial/airline, have a raggedy old Piper for weekend trips.

    While I agree that the story is sensationalized in terms of taking over the FMS or sending errant TIS/ADS-B data being a real threat, the fact that newer airliners are apparently using wireless links between cockpit and control surface servos does not make it impossible.

    It would just be a matter of having a device capable of sending the signal and sending compliant data. May or may not be possible with a phone, I haven’t read the specs on these wireless servos.

    If there is a weak link in a chain of data that weak link can be exploited. The logistics of exploiting it are semantics, the point is it theoretically can be done.

    FWIW the android app Naviator can indeed fly your autopilot via a Bluetooth adapter on the autopilot’s serial port, pretty cool.

    • cthulhu says:

      There is no wireless link between the flight computer and the control surfaces; your claim is 100%, unadulterated BS. All of the flight critical communications between the flight computer and its sensors and actuators are conducted over hardwired links that are either point-to-point or, when on a shared bus, are rigorously arbitrated by the flight computer.

  7. […] to beam in a few unwanted commands, pilots would be able to react quickly and take control. Over at Ask the Pilot, Patrick Smith does the debunking: [T]here’s only so much you could do by inputting faulty info […]


  10. Owen says:

    A few security researchers, including a good friend of mine, have been looking into insecurities in the implementation of ADS-B, especially the Mode-S variant. Using open source software running on a PC (not Android), and a commercially available software-defined radio (https://www.ettus.com – $700 and up), one can trivially transmit false Mode-S data, causing “ghost” aircraft to show up on some aircraft flight deck and air traffic control/ground displays.

    See http://www.andreicostin.com/papers/adsb_blackhat12us_whitepaper.pdf for a technical overview of the issue.

    To illustrate the problem more clearly, my friend prepared this video: http://www.youtube.com/watch?v=NSLqRXyxiBo In it, he is taking live ADS-B data off the air, decoding it, and piping it into an open source flight simulator called FlightGear. In this way, he can fly around in a virtual world populated with real-world planes. At the same time, he is OUTPUTTING ADS-B data from his virtual plane as he flies it around on a PC, it is being encoded, and broadcast for real over the radio (which is connected to a dummy load, not a real antenna, so the signals cannot actually be received). To be clear, in that demonstration there is RF being received and transmitted – it just happens that the transmitted RF is attenuated so much that no other receiver would detect it. A malicious individual would simply need to attach an antenna.

    This type of attack is a lot more worrisome than the silly Android FMS thing, and it’s NOT a problem that can be fixed easily or cheaply.

  11. […] So take it from writer and airline pilot Patrick Smith, author of the Ask the Pilot blog, who explains that even if it were possible to override an aircraft’s systems remotely, it probably […]

  12. Matt says:

    Is it fair to say then that the FMS is somewhat analogous to a nav system in a car?

    Meaning if the map indicates I should turn into a building, that’s bad, but I’m still in full control of my car.

    Just had this discussion over lunch today and wanted to check my comparison :-)

    Thanks!

    • Tim says:

      As I understand it, there’s some other aspects to it, but it’s pretty close.

      Still, to follow your analogy further, what Patrick is saying is that putting a direction to turn into a building won’t work, but if your GPS believes your destination is 1 mile west of where it actually is, you might get a little lost.

      • Doc says:

        Can you hack into a GPS and recalibrate it? That’s a pretty big hack. ATC is always there. So is the airline’s ground support.

        The information feed to the aircraft in Korean Air flight 007 shoot down was provided by the ground, if I remember right…

        • Duncan says:

          Spoofing civilian GPS is dead easy, well understood and has been repeatedly demonstrated. You just need to get a transmitter in the same general location as the receiver… on the same plane is plenty close enough and in a small plane nearby is feasible.

          It does look like you can, with affordable equipment and open source software, do the equivalent of screwing with the satnav on a car. Fortunately most pilots are better than some drivers and don’t drive into the river because the satnav told them to…


  14. […] Finally, some sanity. After many a blog post this week re-reported Help Net Security's "Hijacking airplanes with an Android phone" piece — in which security consultant and pilot Hugo Teso apparently demonstrated how he could theoretically interfere with an aircraft's flight management system — and headlines grew more and more alarmist, Patrick Smith, editor of the popular "Ask the Pilot" blog has a few things to say about the matter. […]

  15. MooseDriver06 says:

    First, I must beg the readers of this forum to listen to the sound knowledge of Mr Patrick Smith. I am a professional C-17 Instructor Pilot and Aircraft Commander. The C-17 is a true fly by wire jet complete with ADS and a FMS system that links directly to the flight controls. In the scenario given, a malicious hacker is able to upload false waypoints or dangerous, uncleared routing via ADS. In order for this to affect the aircraft’s route of flight, a pilot (both by regulation), must manually accept this new clearance. Any sane pilot would query ATC and get a verbal confirmation of the new “hacked” routing. In addition, there is zero outside source that can affect the jet’s FMS other than the crew’s inputs. The FMS does not “talk” to any ground agency or radio station. Finally, and I’m a bit embarrassed to even mention this, there is simply no aircraft that does not have “manual” controls. Think about it…what if the aircraft loses all Generators and subsequently all power? Are the aircraft designers going to forgo designing a “manual” system by which to fly the plane? I promise you there is no aircraft in production or design that will have an “autopilot” only feature.

    • Flatscissors says:

      I’m a software engineer and have, in the past, worked on various in-flight and in-orbit systems. I agree with everything that’s been said about the chances of spoofing the FMC or ADS, etc. However, is it true that all modern airliners have a manual backup?

      I know the Airbus A320/330/340 had manual control of pitch, through the elevator trim, yaw through the rudder pedals and manual control of the throttle quadrant, but ISTR that the A380 has relaxed aerodynamic stability in yaw, especially at low airspeed. I guess this would make manual control difficult?


  18. Neal says:

    MooseDriver, what you guys are disregarding is the wireless link between control surface and cockpit.

    I agree that false TIS or FMS data would be a nuisance at best, but in the case of wireless data transmission between yoke and control surface servos? That is a worthy target for malicious data injection, if that data can be sniffed, analyzed, and emulated.

    We have seen on other fly by wire airliners what happens when pilots send conflicting commands…

    • MooseDriver06 says:

      Neal:
      A valid point you make with regards to the flight controls. As far as I know there is no aircraft that uses wireless communication between cockpit and flight control surfaces. All communication is hard wired via magnetically shielded wires. Now, in the future I do see the risk of compromise, albeit small, if a wireless system were used. I believe the overall learning point of this story is ADS and CPDLC communications between the ground control agencies and pilots is unencrypted and unsecure. This is a potential loophole, but it won’t cause jets to burn holes into mountains.

  19. […] So take it from writer and airline pilot Patrick Smith, author of the Ask the Pilot blog, who explains that even if it were possible to override an aircraft's systems remotely, it probably wouldn't […]


  22. […] Smith, while writing on his site Ask The Pilot wrote an open letter to the media, to rein what he called silly airplane story before it gets too […]

  23. […] Finally, some sanity. After many a blog post this week re-reported Help Net Security’s “Hijacking airplanes with an Android phone” piece — in which security consultant and pilot Hugo Teso apparently demonstrated how he could theoretically interfere with an aircraft’s flight management system — and headlines grew more and more alarmist, Patrick Smith, editor of the popular “Ask the Pilot” blog has a few things to say about the matter. […]


  25. Eliot Lear says:

    While I appreciate all the valuable information you are trying to convey, I do think you’re a might bit unfair toward Mr. Teso. He wasn’t trying to convince people that just any old Android phone could control a plane. He wrote a purpose built app so that HE could control a plane. That’s a big difference.

    I am left from all of this rather confused. Let’s agree that a pilot’s going to notice if the plane is doing something obviously dangerous, like descending 20,000 feet mid-flight. But what if the ADS-B indicates a flight change of 1,000–2,000 feet? Could that put the plane in the path of another plane? Would such an instruction be reasonable to expect? And would TCAS mitigate any such risk?

    • MooseDriver06 says:

      Eliot,
      You bring up some realistic questions. I believe the answer will depend on how the pilot “arms” his/her autopilot. I’ll present you with the worst case scenario. Let’s say the pilots upload a “hacked” flight plan via ACARS while in chalks. The pilots then do not verify it with the filed flight plan. Once airborne the pilot “arms” an altitude below current cruise altitude (highly unlikely). Then, in theory the jet could descend to meet a “hacked” Flight Plan altitude. As soon as the jet starts a descent though several alerts will notify the pilot of deviations in altitude. So yes…the jet could descend via a “hacked” uploaded flight plan, then not be noticed by the pilots that an uncleared descent was occurring? Yes…but it would only occur if the pilots lacked basic piloting or Automation skills. Overall the true threat of Teso’s claim is greatly exaggerated.

  26. Tod Davis says:

    Talking about being hacked, has this comments section been hacked? It sure looks like it

  27. John Bell says:

    Let me add one more back up to what Patrick and some of the pilot respondents are saying. The media has taken this guy’s claim with no verification or further research and run with the story.

    On some aircraft, the ACARS is capable of loading a route into the FMS. However, it is not simply something that is done behind the scenes. Even after uploading, the route must be manually accepted and executed in the FMS. Part of this functionality is for the pilots to verify the route with the flight plan and/or air traffic control clearance before accepting the route.


  29. Eric says:

    So sad that most of you, including professional pilots, did not understand how this hack works. First of all, the mobile phone is just a remote. So forget about that. The attacker is sending malicious messages to the plane. Then, many say that all commands received must be approved by the pilot. This is not true. It is true for the normal case, but not for the hack that Teso demonstrated. Everybody denying this does not know what a buffer overflow attack is. This means essentially that by sending intentional malicious commands (not wrong commands that simply don’t get approved by the pilot), with these malicious commands the hacker installs its own program. This means the attacker “owns” the FMS and can do whatever he wants, without any approvals from anywhere. If other systems are connected to the FMS, then it is very likely that the attacker can “infect” these systems as well, meaning that also these systems can display wrong fuel information or whatever they do. Such an attack cannot be done right away and needs months or years to develop and test.
    And yes, by turning off all computer based systems, the pilot can save the plane. BUT: Imagine the plane is doing strange things. What would a pilot do? Going through the checklists, checking fuel, whatever. It’s probably one of his first ideas “yeah, my plane got hacked, I’ll turn off all systems and fly manually.”

    • Kevin G. Rhoads says:

      Eric – YES. Since I wrote a guide to hacking OS/360 back in 1970 I have repeatedly seen people not *get* it regarding security and software. (And I learned about “shoot the messenger”.)

      Teso’s demo is simulator only, we get that. Flight systems are more hardened, we get that. Does that mean that there can not be a problem, NO!

      Even hardened systems may be vulnerable, and attack testing by outsiders is the only way to have even a modicum of confidence in their security. Why should aviation systems be considered any differently?

      No, we are not crying “wolf”. Yes, there is no immediate problem. But sweep it under an FAA rug and there *will* be a problem, someday.

      MHOO — YMMV

      • Eric says:

        I disagree with your point “actual software is more hardened”. He used actual/real software that’s really in use (but running it on a simulator). The only difference was that it was compiled for x86 instead of the processor that’s in use in the plane. This means his exploit would require a rewrite, but it would still work.

        • olimp says:

          No, that doesn’t mean it would work. It could be impossible to do the same kind of attack on a different architecture. It just depends.

  30. David Bunin says:

    The FMS can accept flight plan data from an ACARS uplink, but it can not accept a software upload via ACARS. Even if it could, the FMS will not accept any software loading while airborne. That function is only available when there is weight-on-wheels. We encounter this during hangar maintenance when somebody tries to load a new software and doesn’t realize the airplane is on jacks.

    • Eric says:

      That’s why it’s called a hack. Similar to malware on a PC that in some cases installs without asking you and without you starting something. This works simply because you’re using software with security bugs.

  31. zevrnc says:

    It just strikes me as most naive to believe that the airplane industry would never have thought of that and done everything to prevent it. They devised all those flight systems, none of us understand or even know they exist, but somehow they forgot to guard the airplane from malicious data??!
    Typical conspiratorial, ignorant, illogical nonsense.

  32. Sebastian Schocke says:

    First off, let me say that the whole thing stinks of journalistic sensationalism, and I agree that there is no real threat at the moment.

    What Mr Teso did was prove that there are security holes in airline systems. To us security researchers this comes as no surprise. After all, those systems are still designed, developed and tested by humans. And as the saying goes, it’s only human to err.

    Should we be worried that some hacker is going to take over the plane you’re flying on and bury it in a skyscraper remotely… not at all. Should we be worried about the possible future ramifications… absolutely!

    Anybody “debunking” this story is most likely one of those people that will claim that Linux cannot be hacked, and that if you install a firewall and an anti-virus you are safe. Open your eyes people… Did the Stuxnet virus teach you nothing? Even a dedicated piece of industrial hardware from Siemens can be subverted to not do its job properly by simply sending it some malicious DATA… not uploading firmware, or reprogramming it… DATA!

    As a simple example, imagine a buffer overflow attack on the FMS that simply rewrote a part of the running code that implements fly-by-wire. It now returns to the requesting party that it did make the control surface changes to change the altitude, or the heading, but never actually does. Will this result in a deadly terrorist attack??? Not likely. Will the pilot notice and take over manual control? Most likely, but when is the question. And how far off the flight plan might the plane be before he does is the next.

    Do not for a second think that hackers lack creativity. They will find ways to subvert and use systems in ways that you have never imagined, and that the designers never imagined either. And THAT is why Hugo Teso should be congratulated for his work… not crucified for the way the media sensationalized his findings.

  33. Elizabeth Matheson says:

    Thanks for your article, Patrick. I knew you would write on this topic, so I came to see what you had to say. You put my mind at ease. This is not something I want to wonder about. I’m a passenger, not a pilot. I have no clue how planes work — except what I have read. And when I fly, I don’t want to be worried about such things happening. I just want to go to sleep — and I do, shortly after take-off!!

    Also, thanks to JimD. Your comments were also reassuring.

  34. Could it be done using a laptop running Linux? If so, then it can be done with an Android based device as well, as any decent Android developer can verify.

    I do agree that the media blew this completely out of proportion and made Teso look like a flake. But if the answer is yes to my initial question then there is a serious security concern. Granted, the media’s “We’re all gonna die” lies were way out of line.

  35. lloyd says:

    Consider the case of naval military aircraft which can be landed hands off (or so I understand) by commands sent from the carrier’s system. There have been suggestions for some years to implement such systems on commercial aircraft to enable zero/zero condition landings. So, I suspect we already have military aircraft potentially vulnerable. Not to mention the increasing number of drones inhabiting our airspace. Remember the Iranians claimed to have taken over control of a drone and captured it.

    • Tim says:

      Drones are a different matter because there IS no manual control. The only control is remote, and if a hacker managed to supersede the normal remote control with his/her own, then the hacker would be flying the drone and the “pilot” wouldn’t.

      • Lie says:

        Actually, there is very little difference between remotely controlled drones and digital fly-by-wire. Both are controlled by a human operator who controls a computer that flies the plane; a fly-by-wire aircraft does not have a yoke/stick that is mechanically connected to the ailerons, instead the yoke/stick sends signals to a computer that may be vulnerable.

        Fortunately this kind of attack is much easier said than done.

    • Doc says:

      Aircraft do not land on a carrier by ‘remote control.’ There are just too many variables to consider, some of which depend on someone looking out the window…

      The F/A 18 is catapulted off the deck ‘hands free,’ but it can’t land that way.

  36. Jeff Latten says:

    WOW! What a firestorm this article provoked. Some more truth: even if a wireless system was used to send commands from FMS to the control surfaces…what some claim is a point of entry for hacking…don’t you folks know that even your most basic home router has WiFi security at several levels? Why wouldn’t the designers employ something like that in an aircraft WiFi control circuit? It’s not rocket science.

    And just as an aside, I haven’t seen one terrorist or hijacker who qualifies as a rocket science level engineer. These are for the most part fairly uneducated zealots driven by their fear and religion. Science and engineering are not their strong suits.

  37. Mike in Mass says:

    But Patrick, you know that when the cockpit door is closed the pilots push the take-off button and then nap until they have to push the landing button!

  38. Doc says:

    I knew android was evil. You can have my iPhone when you pry it from my cold dead hands…

    On a related front: Have you read the editorial in AOPA magazine in the April issue? The one entitled “Going Pilotless”? For those interested, it is on page 18.

    According to them, most of flight is already automated. Eventually, the need for the first officer will be eliminated (there goes pilot redundancy, they will probably sell the empty seat). The captain will just oversee the computers that will fly the plane…

    I was amazed that this came from the AOPA…

    No more “V1, Rotate!” for us. (sweet memories)

  39. Martin Mitev says:

    Thanks a lot for all the informed comments, happily leaving me little to add as both a programmer and a pilot! By the way, didn’t “Die Hard 2” propose that planes could be flown into the ground by blowing up the glideslope antenna? How come no one’s tried to send an erroneous ILS signal based on that? Surely more feasible than remotely reprogramming an FMS.
    It took this man three years, 3, to iron out the technical details about how to present two/three pilots with an erroneous suggestion for their next move at best, or a completely erratic information output (not actual plane behaviour) at worst. I think this would be analogous to how erroneous airspeed readings are already handled (another, more vital computer-presented information). A refurbished version of “the pilots are just system operators and the autopilot flies the plane” argument.
    We are talking about individuals who can place 100 tons of metal going 300 km/hour on a rock in the Atlantic ocean with no electrics or computers. Now, that’s a good movie.

  40. Manoa Kahuna says:

    Patrick,

    You’re a pilot and obviously not a scientist. You are over your head. Stay in your lane.

  41. John Skrabutenas says:

    I’d like to believe that all data is carefully checked before being used in the system, but people tend to be lazy, so I lose trust. Frankly, in an era where pilots are flying planes into the ground reacting to stalls (e.g., Colgan Air 3407, Air France 447) — something I would expect them to handle — I do not expect them to be able to verify every piece of data that comes into the system.

  42. […] a number of passive and active attacks. His actual implementation has been decried by the FAA and pilots but the basic fact remains that conceptually it is possible and therefore with enough time & […]

  43. […] other statements can be read here. There is also a full and interesting rebuttal over at the Ask The Pilot blog. Among the points made is that a plane can always be flown without autopilot – meaning that […]


  45. […] there is also a full and interesting rebuttal on the blog Be The Pilot. Among the points raised is that a plane can always be flown without autopilot – which […]