As a rule, if a sensational headline about some dangerous new hacking threat seems too scary to be true, it probably is.
A great example is this week’s hysteria over aircraft hacking, invoked by a security consultant who demonstrated the concept on an Android phone. For many publications, the temptation to frighten readers was too irresistible. Headlines with words like takeover, hijack and crash abound.
In reality, the risk of getting in a plane crash at the hands of some evil hacker is nonexistent at this point. Aviation groups, flight-equipment makers and even a pilot are all saying there’s nothing to worry about.
Let’s step back and look at what was demonstrated this week by Hugo Teso, a consultant for Germany-based n.runs AG. As Forbes reports, Teso found vulnerabilities in two systems that handle communication between airplanes and air-traffic controllers. Using an Android app and an exploit framework, Teso hacked into a virtual airplane, which he cobbled together from training-simulation software and flight-management hardware that he bought on eBay.
As you might expect, there’s a big difference between a PC-based training simulator and the actual in-flight systems that commercial airlines use. Real flight systems have extra protection and redundancies. The simulation does not. In a statement to the Inquirer, the European Aviation Safety Agency said Teso’s system does not reveal any potential vulnerabilities in the real world.
Likewise, the Federal Aviation Administration (FAA) said Teso’s hack “does not pose a flight-safety concern because it does not work on certified flight hardware.”
But what if we assume that eventually, someone will figure out how to hack into a real flight-management system (FMS)? The good news here is that pilots aren’t helpless. If a hacker were to beam in a few unwanted commands, pilots would be able to react quickly and take control. Over at Ask the Pilot, Patrick Smith does the debunking:
There’s only so much you could do by inputting faulty info to the FMS. The FMS cannot say to the plane, ‘descend toward the ground now!’ or ‘slow to stall speed now!’ or ‘turn left and fly into that building!’ It doesn’t work that way.
And anything really weird or unsafe — an incorrect course or altitude setting, say — would be corrected more or less instantaneously by the pilots.
A statement by the FAA backs up this claim. “The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot,” it told the Inquirer.
The more likely danger — yet still a theoretical one — is that hackers would try to mess with air-traffic controllers by sending false information, rather than trying to manipulate the planes themselves. A 2012 story by Forbes describes how hackers could send bogus signals using a new system called Automatic Dependent Surveillance-Broadcast, which is on track to supersede radar by 2020. But again, regulators say they have “redundancies” in place to root out false signals, and as a recent story by Airport-Technology points out, traffic controllers can still use radar or other methods to correlate their data. Many academic groups are exploring even better solutions.
I’m not trying to belittle Teso’s work. The whole point of bringing up these sorts of vulnerabilities, within the context of a security conference, is to alert the industries involved and get them to think about solutions, if necessary. Nothing wrong with that.
The problem occurs when this type of research gets spun into breathless stories about how hackers have doomed us all. This isn’t the first time it’s happened, and it doesn’t only apply to airplanes. I’ll remind you that if every story like this translated to a real-world threat, you’d never be able to drive, lest you risk being burglarized or run off the road by a hack attack. I can think of a lot more actual risks that you’d be better off worrying about.