Airplanes Hackable by Phone? Not So Fast

As a rule, if a sensational headline about some dangerous new hacking threat seems too scary to be true, it probably is.


A great example is this week’s hysteria over aircraft hacking, provoked by a security consultant who demonstrated the concept on an Android phone. For many publications, the temptation to frighten readers was irresistible. Headlines with words like takeover, hijack and crash abound.

In reality, the risk of getting in a plane crash at the hands of some evil hacker is nonexistent at this point. Aviation groups, flight-equipment makers and even a pilot are all saying there’s nothing to worry about.

Let’s step back and look at what was demonstrated this week by Hugo Teso, a consultant for Germany-based n.runs AG. As Forbes reports, Teso found vulnerabilities in two systems that handle communication between airplanes and air-traffic controllers. Using an Android app and an exploit framework, Teso hacked into a virtual airplane, which he cobbled together from training-simulation software and flight-management hardware that he bought on eBay.

As you might expect, there’s a big difference between a PC-based training simulator and the actual in-flight systems that commercial airlines use. Real flight systems have extra protection and redundancies. The simulation does not. In a statement to the Inquirer, the European Aviation Safety Agency said Teso’s system does not reveal any potential vulnerabilities in the real world.

Likewise, the Federal Aviation Administration (FAA) said Teso’s hack “does not pose a flight-safety concern because it does not work on certified flight hardware.”

But what if we assume that eventually, someone will figure out how to hack into a real flight-management system (FMS)? The good news here is that pilots aren’t helpless. If a hacker were to beam in a few unwanted commands, pilots would be able to react quickly and take control. Over at Ask the Pilot, Patrick Smith does the debunking:

There’s only so much you could do by inputting faulty info to the FMS. The FMS cannot say to the plane, ‘descend toward the ground now!’ or ‘slow to stall speed now!’ or ‘turn left and fly into that building!’ It doesn’t work that way.

And anything really weird or unsafe — an incorrect course or altitude setting, say — would be corrected more or less instantaneously by the pilots.

A statement by the FAA backs up this claim. “The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot,” it told the Inquirer.

The more likely danger — yet still a theoretical one — is that hackers would try to mess with air-traffic controllers by sending false information, rather than trying to manipulate the planes themselves. A 2012 story by Forbes describes how hackers could send bogus signals using a new system called Automatic Dependent Surveillance-Broadcast, which is on track to supersede radar by 2020. But again, regulators say they have “redundancies” in place to root out false signals, and as a recent story by Airport-Technology points out, traffic controllers can still use radar or other methods to correlate their data. Many academic groups are exploring even better solutions.

I’m not trying to belittle Teso’s work. The whole point of bringing up these sorts of vulnerabilities, within the context of a security conference, is to alert the industries involved and get them to think about solutions, if necessary. Nothing wrong with that.

The problem occurs when this type of research gets spun into breathless stories about how hackers have doomed us all. This isn’t the first time it’s happened, and it doesn’t only apply to airplanes. I’ll remind you that if every story like this translated to a real-world threat, you’d never be able to drive, lest you risk being burglarized or run off the road by a hack attack. I can think of a lot more actual risks that you’d be better off worrying about.

6 comments
JamesBeauchamp

This is complete BS. Aircraft do not have direct FMS connections other than from the flight computer processor, and even then it is HIGHLY integrated. It is a hard connection - not logical like an internet connection would use. Any loss or error on the bus (and backup bus) results in immediate error and disengage. Furthermore, hundreds of dynamic states are constantly cross-checked against redundant, independent inputs from sensors in real-time. ANY discontinuity results in an error state, which are also categorized for severity. Critical flight data resulting in an error results in immediate disconnection, and is tested hundreds of times between development, flight test, on to final FAR certification. This is science fiction nonsense. You could have interviewed any of a thousand engineers before publishing this drivel. I remember a time when there was a basic sense of journalistic integrity. Do you even verify these stories anymore?

Harve

Why do people publish stuff like this? Don't they realize that terrorists read these pages too? We know they spend a lot of time focusing on using airplanes in terrorist plots. They have scientists and engineers too. By publishing this info we just give them a new direction to focus on. We did all of the preliminary work for them. We keep shooting ourselves in the foot. Sooner or later it's going to come back and bite us in a major way.

Bullsgt

Mass media is primarily a business with stakeholders looking to increase viewership, sales, and profits. They are a public "service" second. The disturbing trend is the lack of confirmation, responsibility for social impact and the use of "unidentified or anonymous" sources to provide legitimacy of their stories.

newmanjb

@JamesBeauchamp I'm confused. The entire story is dedicated to debunking the original claims about airplane hacking. You seem to be asking me to do exactly what I did.

newmanjb

@Harve You really think terrorists would never think of trying to hack into airline operations on their own? The reason security experts try to find vulnerabilities is so the companies/agencies involved can fix potential security holes before they are discovered by groups with bad intentions.