Hijacking Airplanes With an Android Phone

An anonymous reader writes "Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies. However, the talk that security researcher and commercial airplane pilot Hugo Teso delivered today at the Hack in the Box conference in Amsterdam has brought it into the realm of reality and has given us one more thing to worry about and fear (presentation slides PDF). One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast (ADS-B), which sends information about each aircraft (identification, current position, altitude, and so on) through an on-board transmitter to air traffic controllers, and allows aircrafts equipped with the technology to receive flight, traffic and weather information about other aircrafts currently in the air in their vicinity. The other one is the Aircraft Communications Addressing and Reporting System (ACARS), which is used to exchange messages between aircrafts and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter. Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the'behavior' of the plane."

It has?

[tocsy]

"Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies."

I... don't think I've ever seen a movie where that happens (planes getting hijacked that way). Maybe I just don't see enough movies.

Re:It has?

[localman57]

... don't think I've ever seen a movie where that happens (planes getting hijacked that way).

Die Hard 2. Except it was a room full of computer shit in a nearby church, rather than a smart phone. But, you know, technological progress and all that.

Re:It has?

This movie

Re:It has?

Yeah, that is not as cool as a massive zero-g gunfight as the plane dives dramatically.

Re:It has?

[lesincompetent]

aaaaand they were screwing with the airport's ILS, not with the plane itself.

Re:It has?

[morcego]

... don't think I've ever seen a movie where that happens (planes getting hijacked that way).

Die Hard 2. Except it was a room full of computer shit in a nearby church, rather than a smart phone. But, you know, technological progress and all that.

That, and they used hardwire (cable) to connect directly to the airport network.

Re:It has?

[localman57]

That, and they used hardwire (cable) to connect directly to the airport network.

Well, That puts them one up on the guy in this article. He didn't connect to any hardware or network. Just some simulators.

From TFA:

When talking about the range, please keep in mind that we are talking about a proof-of-concept application used in a virtual environment. In real life, the range would be limited depending on the antennas used (if going directly for the plane), or global (if misusing one of the two big ACARS players such as SITA or ARINC).

Re:It has?

It's approximately the plot to Battlestar Galactica

Re:It has?

[localman57]

They were executing a man in the middle attack against aircraft and their ground based navigation infrastructure. Same thing here, just different technology. Don't be so pedantic.

Re:It has?

[Obfuscant]

Aaaaand they were moving the touchdown zone elevation below ground, which is not a function of the signals being transmitted but of the physical location of the transmitting antennas. In fact, the entire ILS system is based on the physical properties of the antennas (bolted in place).

Now, I suppose you could put the high beam audio onto the low beam and vice versa IF the transmitters were computer controlled (and they almost certainly aren't.). All that would do is create confusion as the pilot intercepted the glideslope and noticed that he was flying into the glideslope from below yet the instrument said he was intercepting it from above. I don't think that would flag the display, but it certainly would have the pilot ignoring the ILS at least, and going around as a precaution.

But move the TDZE down? Impossible.

Re:It has?

[lesincompetent]

It's the ground-based signal that got changed: the aircraft simply followed it to its doom. Yes i know i am pedantic.

Re:It has?

[lesincompetent]

Mod parent up! Thanks for the crystal clear explanation!

Re:It has?

[pixelpusher220]

You totally missed it!

has given us one more thing to worry about and fear (presentation slides

I'm already afraid of presentation slides, but apparently that fear is now renewed!

Re:It has?

[Obfuscant]

They were executing a man in the middle attack against aircraft and their ground based navigation infrastructure.

A MITM attack requires intercepting the original message and replacing it with a modified version. That's not what was happening in DH2. In DH2 they were allegedly modifying the original message itself, in a way that is ridiculously impossible.

A MITM would have the black hats intercepting the ILS radio signals and modifying them. There would be no need to do that, since all you need is the ability to transmit your own ILS signal. That would have required the physical presence of a transmitter several hundred feet prior to the threshold in order to put the TDZE below ground. You cannot do that by simply changing the signals transmitted by the FAA ILS system itself.

Re:It has?

[Cosgrach]

Except that as a pilot, I can tell you that everything that they did in that movie was so fucking far out of the realm of possibility as to be a joke. ILS is a fixed installation and must be physically moved to affect the glide slope. And blowing up the transmitter? Really?!? What about all the other aircraft sitting on the ramp - each one with it's own shiny transmitter? What about those?

Re:It has?

"Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies."

I... don't think I've ever seen a movie where that happens (planes getting hijacked that way). Maybe I just don't see enough movies.

The Lone Gunman Pilot episode comes in mind for me.

Re:It has?

[DoubleJ1024]

my kingdom for my expired mod points. (they expired less than one hour ago)

Re:It has?

[wonkey_monkey]

You must've hated Airplane.

Re:It has?

He's an inflatable autopilot, you insensitive clod!

Re:It has?

[martinX]

Airplane? That movie was a joke, too.

Re:It has?

[Cosgrach]

Actually, I liked Airplane - it was meant to be a comedy and did not even try to portray real life possibilities.

But when asked to suspend disbelief in a situation and then get so many things wrong on so many levels - it really fucks up a story.

Re:It has?

[davros74]

While DH2 is a good movie, the whole concept behind the ILS manipulation is horse manure. ILS isn't a digitally encoded system with GPS coordinates or something, it's a localizer beam with elevation and azimuth. The plane picks up the radio waves and "rides the beam" down. The only way to move the landing point is to go physically move the transmitter. And in the case of DH2, bury the transmitter 100' below ground or something. (And expect the pilots and flight computer to ignore the ground altimeter, which is pretty hard to mess with remotely).

Re:It has?

[Obfuscant]

ILS is a fixed installation and must be physically moved to affect the glide slope.

Actually, I think you can change the angle (slope) of the glideslope by changing the modulation levels of the tones on the two radio beams, and theoretically there could be an obstruction that would intrude in the flight path if you lowered it a degree. I don't know the TERPS (approach designer) criteria for protected zones.

However, this would screw the glideslope intercept altitude shown on the approach and the pilot would know something is wrong if he's paying attention, and this is one of the points of the approach he's supposed to pay attention to. At least I was taught to verify that I was intercepting at the right altitude (or passing through that altitude at the marker/locator if I intercepted higher.)

Changing slope, maybe, but changing the intercept -- no. That's fixed at a point just past the antennas. Not at the antennas, since they are above ground and non-zero distance apart, but at a point following the glideslope angle behind them.

Re:It has?

[Obfuscant]

And in the case of DH2, bury the transmitter 100' below ground or something.

Easier to put it 1000' prior to the TDZ. That would put the TDZE below ground. And the point about ignoring the radar/pressure altimeter is also valid, as is one that they'd have to ignore the ILS FAF altitude (final approach fix, a 3-d point in space defined by glideslope, localizer and one other lateral fix) which has a published altitude and is part of the final approach checklist. And they'd have to ignore the DH, which is the altitude (radar or pressure) at which they must either have the runway/environment in sight or cannot descend further.

Re:It has?

[localman57]

A MITM attack requires intercepting the original message and replacing it with a modified version. That's not what was happening in DH2. In DH2 they were allegedly modifying the original message itself, in a way that is ridiculously impossible.

The MITM attack I was thinking of was when they took over voice control...

Re:It has?

[RabidReindeer]

Aaaaand they were moving the touchdown zone elevation below ground, which is not a function of the signals being transmitted but of the physical location of the transmitting antennas. In fact, the entire ILS system is based on the physical properties of the antennas (bolted in place).

Now, I suppose you could put the high beam audio onto the low beam and vice versa IF the transmitters were computer controlled (and they almost certainly aren't.). All that would do is create confusion as the pilot intercepted the glideslope and noticed that he was flying into the glideslope from below yet the instrument said he was intercepting it from above. I don't think that would flag the display, but it certainly would have the pilot ignoring the ILS at least, and going around as a precaution.

But move the TDZE down? Impossible.

Hey! You are talking about a movie where they faxed fingerprints (100dpi) and got clear identification. Obviously they know more about science than YOU do!

Re:It has?

[wonkey_monkey]

Die Hard 2 wasn't exactly meant to make you think "what if...?". Films that strictly depict real life possibilities tend to be either very worthy or very very dull (and sometimes both).

Re:It has?

[hughk]

Yes, the antennas are fixed but the ILS can be tweaked and often had to be (worked a long time ago at a place that built ILS equipment). They are supposed to be self maintaining using ground mounted calibration antennas but every so often an aircraft has to check the slope out by probing the ILS envelope (flying deliberately off the glide path) under VFR conditions. However, on top of the glide slope, there are radar altimeters (on the plane) and marker beacons (on the ground).

Re:It has?

[Big+Hairy+Ian]

Oh surely this is "Nerds on a Plane!!!" :)

Re:It has?

[delt0r]

News flash. The Die hard series is suppose to be a action comedy. Not a documentary. And really what movie doesn't get so many things wrong on so many levels? Its probably the very few good docos...Since so many documentaries are equally bad.

Re:It has?

[Rich0]

Well, they could do it for a Cat III ILS. For a Cat III ILS the decision height is zero - you can use it even if you can't see the ground at all. Considering the weather that would have been the only way to land the plane in any case - they didn't see the ground until it was too late to abort.

For less than Cat III the aircraft would have aborted when they failed to see the runway at the decision height. However, that would have likely meant aborting the landing even on a proper approach - any aircraft without Cat III wouldn't be just hanging around in that weather waiting for a clearance though.

Now, the hack that would work perfectly fine would be to put the ILS right in the path of a tall building. If the building were more than 200 feet tall the plane would crash into it before reaching the decision height.

Re:It has?

[deadweight]

I think you can. I had a test box when I worked for an airline that did just that. You send the 90HZ signal when the plane is a couple miles out and the pilot or autopilot will think you are high and descend. Depending on terrain and visibility, you just might send them into the ground. IIRC in WW II the Germans did successfully wreck a plane or two by doing something like this.

Re:It has?

[deadweight]

See my previous post. That is NOT how it works. The "high" signal is modulated at 90 Hz and "low" signal at 150 Hz. You could grab the antenna and point it higher or lower to change the slope or you could just send a strong 90 Hz modulated signal and the cockpit indication will always be "descend - you are high" even at ground level. I used to "fly" a 737 with the autopilot coupled to the ILS with a test ILS transmitter sitting in first class just for fun. (sitting parked, not actually flying)

Re:It has?

[Rich0]

Yup, and I'm sure it wouldn't be that hard to transmit on the tower frequency from the nearest approach/center ATC. Those are usually in office buildings miles from airports.

Every one of those aircraft would have had an alternate designated which was far enough away as to not be likely to be closed, and they would have fuel to reach that alternate. When their primary airport closed and stopped responding they wouldn't have just sat around circling until they ran out of fuel - especially as they exceeded their planned hold time.

Pilots don't just guess how much fuel they need. They designate fuel for taxi, their planned route, to reach their alternate, planned hold time, and then a reserve on top of that. Pilots constantly check consumption against their plan, and when something doesn't add up they divert before they're anywhere near using up their reserves. If you have 30 minutes of hold fuel and you're holding for more than 30 minutes you divert, declare an emergency, or whatever. You don't just wait until you're gliding it in.

Re:It has?

[tlhIngan]

Yup, and I'm sure it wouldn't be that hard to transmit on the tower frequency from the nearest approach/center ATC. Those are usually in office buildings miles from airports.

There's a reason why aviation uses AM modulation, and not FM or a digital mode. When an AM transmission is "stepped on" (that is, two people transmitting), the receiver squeals, which indicates to anyone listening that there were two people transmitting simultaneously (or what people would call a "collision").

Ah, but the even fancier trick to AM? The highest power can still be intelligible over the squeal! A flying transceiver only outputs around 20-25W. ATC normally transmits with 100-250W, and can usually overpower the other person transmitting so despite the squeal, the pilot can still make out what the tower is saying.

FM won't work - it suffers from the "capture effect" where if two FM stations transmit on the same frequency, the stronger one at the receiving antenna is demodulated, with no indication that there were two transmitting simultaneously.

Digital modes, depends on the transmission, but usually results in bit errors that make it unintelligible and unrecoverable.

Re:It has?

[bytethese]

As a former IT worker working in computer forensics now, you now know how I feel watching CSI, Swordfish and the like.

Re:It has?

[nonsecurity]

You are assuming that the glidepath is the only reference for an aircraft on a CAT III approach. But CAT III (and II) also require a radar altimeter, which would foil a Die Hard II scheme.

  In addition, the aircraft would not be at the proper height for its location along the approach.

But it was a fun movie to watch, even if extremely unrealistic.

Re:It has?

[Obfuscant]

You could grab the antenna and point it higher or lower to change the slope or you could just send a strong 90 Hz modulated signal and the cockpit indication will always be "descend - you are high" even at ground level.

As I already pointed out, if you do this then the pilot will be absolutely certain that there is a problem with the ILS because he will be told he's above the glideslope even before he intercepts it -- and he will always intercept the glideslope from below. It's part of the training for IFR pilots. Watch the needle on the GS to see it come down towards center and then start a descent to keep it there. If you haven't intercepted the GS yet and it says "too high", something is broken and you don't use the GS. If authorized, you can fly the ILS as a LOC approach and then you'll descend based on your altimeter reading. Even if somehow you get a bad BP setting* and your pressure altimeter is off, the radar altimeter will be telling you AGL and you'll know you are too low.

The error will become glaringly obvious when you reach the FAF. That's the point in space where you know your 3-D position based on ILS and another nav aid (compass locator/NDB/marker beacon/VOR radial) and you cross-check your altitude -- and if the ILS is wrong the altitude will be wrong, telling you that something isn't right.

* Yes, the bad guys could have hijacked the tower frequency and told you a new altimeter setting, but you will have gotten the current setting from the ATIS or approach controller well before you talk to the tower, and if the setting changes by a large amount you have good reason to question it. That still leaves the radar altimeter as a backup.

Re:It has?

[deadweight]

Sure - there are some diffiuculties to pulling this off. Say you do nothing until the plane is about 400' AGL and then send 90hz and the plane is flying a coupled approach. At 90 knots in a 3000 pound airplane the pilot would recover if he was paying attention, but at 100,000 pounds and 120-140 knots you might just have a hard time with it. In real life messing with a localizer or glideslope is a low return idea - you have to be there on or near the runway and the pilots will just call it in as defective equipment 9 times out of 10 and end up with the thing turned off and a repair crew sent out. But - once again - a lot of people seem to think the airplane uses some kind of DF gear to aim itself at the antenna. NOT SO - all the glideslope does is sense the 90 and 150 Hz tones. It is EASY EASY EASY to fake and any good avionics shop would have the gear to do it. BTW - ever get a false glide slope? Sometimes you get a 6, 9, 12, 15, etc. degree reflections that result in an incredible descent rate if you try and follow them.

Re:It has?

[Obfuscant]

Sure - there are some diffiuculties to pulling this off.

Do you think there are some difficulties with pulling off a hack where a bad guy turns a knob and the ILS glideslope moves downward as a whole 100 or 200 feet? Really? That's what they did in the movie. They didn't change the slope, they changed the intercept, in terms of a linear equation.

Say you do nothing until the plane is about 400' AGL and then send 90hz and the plane is flying a coupled approach.

So the GS goes fully offscale in a fraction of a second and the flight computer faithfully follows it, even though it is no longer providing course guidance. And the GS receiver doesn't notice that it is no longer receiving the other tone?

But - once again - a lot of people seem to think the airplane uses some kind of DF gear to aim itself at the antenna.

I said nothing of the kind, so arguing with me about it is ridiculous.

BTW - ever get a false glide slope? Sometimes you get a 6, 9, 12, 15, etc. degree reflections that result in an incredible descent rate if you try and follow them.

This is precisely the reason for the FAF and/or glideslope intercept information on the approach plate. Yes, you can find the sidelobes from the directional antennas, but guess where the INTERCEPT still is. Right -- at the TDZ and the TDZE. And guess what, too? If you've been properly trained you'll notice that you are having to descend much faster than you should be or have pulled the power back too much and you'll know something is wrong well before you hit the ground. "Gee, in this aircraft I pull the power back to 1800 RPM and descend at 500 fpm at 90 knots to keep the normal glideslope on an ILS, but today I'm at 1500 rpm and 1000 fpm at 100 knots. I guess everything is ok..."

Re:It has?

[deadweight]

That actually could be done. The test box DOES have a knob that moves the glideslope (and localizer too) from full up to full down and anywhere in between. You could start with needles centered and slowly add a little down needle as the plane descended to force the pilot gradually lower. Of course this plot requires to see exactly where the airplane is AND relies on a clueless pilot who does not go missed at DH. Also the dastardly radar altimeter will help defeat this evil plan..... So as a realistic way to wreck airplanes - not so much. But it technically can be done.

Re:It has?

[Rich0]

I'm not sure if Cat III requires an INS with a suitable level of performance. That and a radar altimiter is about the only thing that I think would defeat this attack. Of course, you can't just "recalibrate" the ILS to pull it off - you need to move it physically (either moving the original, or disabling it and setting up a new transmitter).

A radar altimeter alone would not really prevent this. The altimeter would tell you that you're 100 feet up, and you'd look down and see clouds, and have no idea that the runway is nowhere nearby.

Now, in a real attack of this type the crash wouldn't be that bad as long as there wasn't any protruding terrain (towers, buildings, steep hills, etc). The aircraft would still flare for landing as it approached the ground, so it would be making a controlled landing on something other than a runway. If it were level grass there would be few fatalities.

If CatIII requires INS/RNAV/etc and the aircraft actually uses it during approach then the crew would be aware of the discrepancy. These systems are not really adequate to actually land a plane with zero visibility (not reliably accurate to within a few feet), but they'll certainly tell you if the ILS isn't anywhere near the runway. What I don't know is if the autopilot or crew on a CatIII aircraft is required to compare the two. From a controls standpoint they just tune the ILS on the receiver and hit the approach mode on the panel just as you would in a Cessna - but I have no idea what cross-checks are implemented under the hood or by the crew. I do know that RNAV in general includes internal accuracy checks and redundancy so that it isn't used if it is not reliable, but I don't know if these apply to an ILS approach.

Re:It has?

[Obfuscant]

That actually could be done. The test box DOES have a knob that moves the glideslope (and localizer too) from full up to full down and anywhere in between.

You are missing the difference. In DH2 the bad guys moved the ILS APPROACH up and down without changing the slope. YOU are talking about moving the glideslope NEEDLE in the aircraft up and down. Those are two different things. One can be done, the other cannot.

Re:It has?

[deadweight]

Yes - that is why you need to watch the airplane in real time for the trick to work. Otherwise it will just look like the equipment is broken.

An Apple marketing ploy?

[Master+Moose]

Could apple now be trying to make people scared to purchase Android devices should they be targeted by the TSA as potential terrorists? :)

Re:An Apple marketing ploy?

[cjpa]

yes

Re:An Apple marketing ploy?

Both of you. Get a fucking life.

Re:An Apple marketing ploy?

NO. I saw the guy talk at Black Hat last year, and he's full of shit. "OMG!!! I can tell that there's an airplane in the air!!! That must be bad!!! But I don't have any explanation why it[s bad..." He even prefaced his talk with "I'm nowhere near an expert in aviation or how planes work, so it's possible that there's stuff going on here that I don't know."

He's a kid crying wolf when he sees sheep, because a wolf might attack the sheep, but he doesn't even try to find the sheepdog, or the shepard carrying a rifle, or the fence around the sheep, or...

Re:An Apple marketing ploy?

Different guy. The Blackhat 2012 talk was bei Andrei Costin (https://www.blackhat.com/usa/bh-us-12-briefings.html#Costin), not by Hugo Teso.

Oh shit, Obama's in trouble!

[Iniamyen]

Would aircraft hijacked by phones be considered drones?!

Re:Oh shit, Obama's in trouble!

This should breathe new life into the 9/11 conspiracy theories.

Secure it.....

[Murdoch5]

You designed a broken system that remained hidden, now that it's out fix it!

Re:Secure it.....

[gandhi_2]

...or at least jail those who figured it out!

Re:Secure it.....

[CodeReign]

Sadly this will be the solution. Make it so unthinkable to try and find vulnerabilities that nobody does it. Except those whom are willing to use them maliciously and willing to pay the price for their noncompliance.

nope

[hypergreatthing]

Sorry, but to have a android device that can transmit and receive ACARS is close to impossible. Might as well take android out of the equation. I guess it could be possible to take a software radio and any mobile platform (windows, ubuntu tablet, raspberry pi, android, ios) and make it capable of receiving and sending out altered ACARS messages since i'm fairly sure the system has no encryption built in, but i dunno. Hijacking seems to be a stretch.

Re:nope

[X0563511]

No kidding. Newsflash: radios can transmit radio waves.

Re:nope

[jcdr]

Sorry, but to have a android device that can transmit and receive ACARS is close to impossible.

I would not bet on that !

The lasts superphones embeds so much high speed subsystems (2,3,4G/WiFia,b,n,g/BT/FM/AM/NFC/RFID/PAL/NTSC/HDMI/USB2,3/Audio/ and certainly a few more at each generation) that there are probably capable of processing some signals at virtually any frequencies if some high skilled hackers are motivated to do it.

Analog filters never cut abruptly; DSP can be reprogrammed to abuse the surrounding components. Any interfaces can leaks some creative signals. Take a look at this for example: http://bellard.org/dvbt/

Re:nope

I have it on good authority that SDR solutions are already present in some cellphone chipsets (although optimized for the frequencies usually required by cellphones of course which will hopefully stop the "hack an aircraft" apps that do not require additional hardware connected to the phone...) Most likely these SDR devices will not be able to physically transmit at the frequencies required as cellphones require fairly high frequencies compared to the frequencies in use by ACARS for example.

(However, the frequencies are fairly close to normal FM radio frequencies, and some phones have low power FM radio transmitters, although most likely these chips are not SDR based at the moment and probably not usable as different modulations are required and so on...)

Re:nope

There are plenty of implementations that use radio waves that aren't susceptible to attacks. The newsflash here is that essential FAA systems have no encryption or security built in. Android was likely part of the story solely to convince people to click through.

Re:nope

[hughk]

Nope.

A good demonstration of this was the issue about Nexus 4s being able by accident, to transmit a little bit on LTE (only one frequency) and only because the LTE frequencies were enabled by accident in the software. Unless there are antennas designed, the signal would be weak as hell even if you can get it out of the phone. Then you have to get the signal out of the fuselage which is normally working, more or less, as a Faraday cage to an antenna pointing at the ground or a satellite. The vulnerability that worries aircraft manufacturers (about mobile phone use) is the fact that ageing RF cabling and connectors may have faulty shielding.

Re:nope

[jcdr]

Nope ? How can you be so certain ? I have passed long days in electromagnetic testing room, and I can say that you will be surprised by what can happens with complex and highly programmable electronics !

Your "demonstration" prove that a software modification can open up the frequency range. This is not a surprise as most RF subsystem uses DSP and only a minimal of analog components. Your example is just about a bug; think of what can happens if the DSP are fully reprogrammed... Yes, the signal can be weak, but it could be enough to deal with very sensible antenna of some receiver on the aircraft. Placing in a cleaver way some metal part can greatly increase the gain. The size of smartphone antenna will almost not see the fuselage if you put it close to a window. In addition, a lot of wires in a aircraft are not shielded to reduce weight, making path up to more sensible material.

If you have read the publication subject of this article, you will see that aircraft manufacturers have actually not worried at all about vulnerability. There is simply no protection at all in many protocols. Finally the current testing practice of device against electromagnetic field susceptibility is only done using a high energy sinus weave slowly changing his frequency. RF subsystem can communicate with fare fare lower energy than the tested limits if modulated in a proper way. Don't mix security and vulnerability !

Re:nope

[AmiMoJo]

If you wanted to hijack the aircraft, i.e. make it go to a destination of your choice rather than its intended one, spoofing GPS might be a better bet. It worked for Iran, at least.

With ACARS you might be able to socially engineer the flight crew to divert from their planned course perhaps.

Re:nope

[deadweight]

A smart phone would be a good ternminal to attach to an ACARS *RADIO TRANSMITTER*. You could drive the airlines nuts with YR CREW MEALS ROTTEN or WIFESAYSCMHMNOW. Note that AFAIK the crew is not going to do something like FLYINTOBLDNG just because they see it on the ACARS display.

Re:nope

[hypergreatthing]

uhh.....
There are two kinds of SDRs, fixed and programmable. I sincerely doubt they're using programmable solutions on a cell phone chipsets. That would mean there could be universal X band cellphones with no restrictions on bands or signalling algorithms (HSPA+, LTE, etc all in one). Hell they would do that in a heart beat and just have custom covers with specific antennas for the frequencies in the back cover.
No, if they're using software solutions, it's for cost savings and it's definitely fixed. You can put together kits for fixed SDRs on the cheap (less than 50$) for a whole range of frequencies. That was like 7 years ago on the ham side of things. Now a days i wouldn't be surprised in an integrated solution on chip being in phones already.
What another poster said about out of band signaling and encoding... i guess it could be done in a lab, but i mean, that's like trying to send up a microwave signal by flicking your light switch on and off. Sure it could be done, but reliably in real world conditions? Very doubtful, and the signal would be noisy and extremely low power. If the object is to override messages, you'll need something with a SNR higher than the signal that you're overriding. I suppose proximity would help but still, very iffy.

Re:nope

[hughk]

I have passed long days in electromagnetic testing room, and I can say that you will be surprised by what can happens with complex and highly programmable electronics !

I had to work on a navigation system some years back, I didn't have to spend time in the "bubble" but colleagues did. We certainly did have people who were very aware of RF design and cross talk issues as we had a TEMPEST rated room as they had also been working on secure digital comms.

Your "demonstration" prove that a software modification can open up the frequency range.

True, but it is hard as the radio in a phone tends not to be open software. A USRP would be much better but then you need amplification and power. You are inside a metal tube and you need to get inside an antenna on the outside which is designed to go off when it receives a burst from a 50KW radar. The transponder squirts data back using something like 20w or so. It would be hard to overwhelm that from inside the plane. I would agree that if you hold up to a window, you could get some power outside (a phone does work on a plane on the ground up to a certain height, it is just a weak signal).

Inside the plane, RF goes by coax. Data goes by different means, usually twisted pair. Either way, the data wiring goes from the front-end in the cockpit to the avionics bay which is located underneath the cockpit (so no long cable runs). The FMS does not fly the plane (it acts more as a top-level monitoring system), there are other computers that worry about that.

If you have read the publication subject of this article, you will see that aircraft manufacturers have actually not worried at all about vulnerability.

Please remember that planes ship with standard flight control systems only. Cockpits and avionics are selected by airlines based on different options. It would be quite hard to try out every variant. However flight test has a big increase in general RF "crud" in the fuselage as you have multiple high performance logging and telemeter systems with cabling all over the place.

In the end, it seems that if you want to cause chaos, just get an airband radio and claim to be Frankfurt Radar or something.

Re:nope

[jcdr]

True, but it is hard as the radio in a phone tends not to be open software.

Yes it's hard, but not impossible.

A USRP would be much better but then you need amplification and power. You are inside a metal tube and you need to get inside an antenna on the outside which is designed to go off when it receives a burst from a 50KW radar.

ACARS transmission are handled by the VHF Ground Station (VGS), not by the radar ! VGS seem to be in the 50W range only, according to this specification:
http://www.selexelsag.com/internet/localization/IPC/media/docs/OTED100Radio-MGS100.pdf . So, a close sub-watt transmitter will certainly get received by the aircraft. I can for example add fake messages that will not cam from the VGS.

The transponder squirts data back using something like 20w or so. It would be hard to overwhelm that from inside the plane.

The downlink is likely not required to be hacked to abuse a vulnerability of the aircraft itself.

Inside the plane, RF goes by coax. Data goes by different means, usually twisted pair. Either way, the data wiring goes from the front-end in the cockpit to the avionics bay which is located underneath the cockpit (so no long cable runs).

Any non properly shielded cable can be a path for some RF signal, the original signal inside the cable do not matter. I have see device that are so sensible that there are able to receive transmission from the power supply wire ! Even an unrelated signal wire can act as a path for a RF signal.

Please remember that planes ship with standard flight control systems only. Cockpits and avionics are selected by airlines based on different options. It would be quite hard to try out every variant.

Large fleet likely use a few standard variant.

However flight test has a big increase in general RF "crud" in the fuselage as you have multiple high performance logging and telemeter systems with cabling all over the place.

Agree

Massively insecure

as well as massively stupid. Broadcast position, speed, mass, size, fine. Also broadcast identity? Not such a great idea. It's useful, of course, but not necessary for the purpose of working out where not to go so as to avoid flying into occupied airspace. And for that reason, it shouldn't require it.

Even better, though, is not to rely on systems shouting "I'm here!" and instead fit short-range radars to simply look where you're going instead. That helps against flying into mountains too, which is useful since those generally aren't fitted with transponders to tell you where not to fly.

Re:Massively insecure

[0123456]

How are you going to tell who's sending the message without sending the aircraft ID?

Re:Massively insecure

Since you can't tell now (easily spoofable), it doesn't matter a whit. Thus: Better look for yourself (radar, lidar, sonar, whatevar) than to rely on a device broadcasting "I'm here! Honest! Don't thread on me! I'm here!"

Need to hijack a plane???

[It+doesn't+come+easy]

There's an app for that!

Finally a good reason for phone ban

This is the first good reason I have heard of for banning the use of electronics on airplanes.

Too bad it still lets a terrorist organization take a small plane up and get close enough to take control of a jetliner.

I call BS

[Beer_Smurf]

I am going to call BS on this one.
These are indication systems.
Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

Re:I call BS

[Krojack]

From my understanding, you could be on a plane and start sending signals that another plane is heading right for you. This would in return cause all sorts of alarms to go off and maybe cause the pilots to freak out and take extreme measures.

Re:I call BS

I looked at the slides (I know, it's against the Slashdot code). I really couldn't find any facts there about any actual exploits. Just lots of LOLCAT style graphics and naming of well known protocols. Oh, and lots of SDR rambling that's entirely unrelated. I'd give this student a low but passing grade for the effort.

Re:I call BS

[T-Bucket]

No, you're thinking of the TCAS system. That isn't in any way attatched to the ACARS or ADS-B systems.

Plus, the pilots are used to seeing "normal" ACARS messages every day, if something odd came across, they'd notice something was up IMMEDIATELY.

Re:I call BS

[Hentes]

It does affect the behaviour of the pilot. If it's on autopilot, the change in behaviour may even be simulated and precisely planned beforehand. Still, it's not as effective than hacking the fly-by-wire controls, I wonder if that's possible from onboard.

Re:I call BS

[Obfuscant]

This would in return cause all sorts of alarms to go off and maybe cause the pilots to freak out and take extreme measures.

Thanks for the FUD. Pilots who fly aircraft with these systems have training to know how to deal with collision avoidance alerts and they don't "freak out" every time one happens, and the measures are rarely extreme.

Re:I call BS

[msmart13]

Incorrect. ADS-B has two components, FIS-B for weather and TIS-B for traffic. If you spoof airplanes via ADS-B you can trigger the exact same kinds of collision avoidance alerts and pilot reactions as a spoofed TCAS. http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast#Traffic_information_services-broadcast_.28TIS-B.29

Re:I call BS

[ThunderBird89]

Think mucking with the tempomat's speed sensor while simultaneously turning the speedometer needle back with your pliers. The car does indeed go faster.

Re:I call BS

[tamyrlin]

The problem seems to be (if I understand the article correctly) that for example the FMS can be hacked (presumably by buffer overflows or similar exploits) and then used to take over other functionality.

This seems similar to how a malformed RDS packet sent via FM radio can disable the brakes on a certain car: http://www.autosec.org/pubs/cars-usenixsec2011.pdf (among other things).

Exactly how similar these attacks are are difficult to ascertain as the presentation leaves a lot to be guessed, although the net-security report on his talk gives some more details.

Re:I call BS

[sabri]

Thanks for the FUD. Pilots who fly aircraft with these systems have training to know how to deal with collision avoidance alerts and they don't "freak out" every time one happens, and the measures are rarely extreme.

Actually, it is not FUD. Since the crash over southern Germany, it has been made very clear in ICAO rules that pilots are to follow their TCAS advisories. See this article.

Re:I call BS

[hughk]

Except that TIS-B is not wired into TCAS at the moment. In fact, I have not heard of any use of ADS-B for air to air, just air to ground. Separations are controlled via time slots outside controlled air space and inside controlled airspace, by ground controller using good old fashioned PPI displays. Yes, those displays are "enhanced" by information from ADS-B but many smaller or older aircraft don't have it.

Re:I call BS

[dywolf]

exactly. this is not "hijacking", and people are forgetting that there is still a pilot on board, who believe it or not does have some say in what in the aircraft actually does, as well as teh ability to look out the window and go "nope, there's no plane there".

Re:I call BS

[tlhIngan]

Incorrect. ADS-B has two components, FIS-B for weather and TIS-B for traffic. If you spoof airplanes via ADS-B you can trigger the exact same kinds of collision avoidance alerts and pilot reactions as a spoofed TCAS. http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast#Traffic_information_services-broadcast_.28TIS-B.29

Which shows you don't know how TCAS works.

TCAS doesn't work for ALL traffic. It does revert to TAS (traffic alerting system) mode when it encounters an aircraft that is NOT TCAS-equipped (not all planes are TCAS-equipped). In which case it's designed to call out traffic and most likely collision vector. And even then there are transponder-less aircraft that fly around too, where even TAS doesn't work (and most airplanes don't have traffic radar). ATC would also just see an unidentified dot that they may call out.

To have TCAS working, TCAS negotiates with the other TCAS unit (which is why it doesn't work in all circumstances - it requires TCAS-to-TCAS communication) to figure out a conflict resolution - usually one plane climbs while the other descends. Modern ones are a bit more sophisticated too ever since the accident where they may switch their alerting to the other direction if it sees the other plane is NOT cooperating (both TCAS will have to switch their displays, of course, so they have to stay in communication).

With traffic advisory, it's up to the pilot to figure out a resolution - which may not be a climb or descent, but a turn.

Electronics have gotten so good that these days you can get portable collision advisory systems as well, called PCAS. They won't alert to the resolution, just to most likely conflicting traffic.

And yes, ground radar for non-transponder traffic is erratic since it can pick up a flock of birds, or in one case, a ferry.

At best, a TIS-B would mean the pilot would start looking out for traffic, but ATC will usually re-confirm as well. And there are fallbacks because equipment fails. Often. So your spoofing may just result in the pilot shutting it down assuming faulty equipment.

Re:I call BS

Think mucking with the tempomat's speed sensor while simultaneously turning the speedometer needle back with your pliers. The car does indeed go faster.

Except this, entirely theoretical, attack doesn't have access to the speed sensor. It can present wrong gate information, weather and things like that, maybe.

Re:I call BS

[msmart13]

Being a pilot, I am quite familiar with all of these systems. My concern is not about some hyperbolic remote control scenario but rather that the ability to paint targets on a traffic system is sufficient to greatly decrease the safety of a flight. Your "at best" scenario is lacking in several ways. It assumes visual conditions and a target at sufficient distance to elicit communication as the first step. If my traffic system paints a target at my 12 o'clock and closing fast I will aviate before I communicate. This is true in any meteorological condition but doubly so in IMC. High performance collision avoidance maneuvers greatly increase the risks associated with flight. We train for them but that does not make us immune to introducing high wing loads or overcontrolling in an emergency scenarioin the real world.

Re:I call BS

[Obfuscant]

Actually, it is not FUD.

Claiming that pilots are going to 'freak out' and perform "extreme measures" whenever they get a traffic conflict advisory certainly is trying to create fear, uncertainty and doubt. They've been trained how to deal with this. It isn't a 'freak out' kind of situation by any means.

Yes, part of the current training is to "follow the TCAS and ignore the human controller", but that's not "freaking out".

Re:I call BS

[sabri]

You are right, and the freaking out part was not what I was aiming at. I wanted to point out that TCAS is something that is taken very seriously by aircrew.

Well I'm sold!

[mcmonkey]

Let's get those driverless cars on the road! In fact, let's outlaw people driving their own cars in traffic, because the software will be so much better than a human driver. Because the developers working on driverless cars are so much smarter than the fools working on those silly airplanes.

(BTW, the above is sarcasm. There is no reason to think the developers working on cars are any better than the developers working on any other system, and no reason to think driveless cars will be any more secure or bug-free than any other software, including the system in this article.)

Re:Well I'm sold!

Your a dumbass.

Re:Well I'm sold!

The rate of plane crashes has decreased as we have used more information technology in air transit. But you use this one claim of a potential attack to justify your predisposed belief system.

Re:Well I'm sold!

[PRMan]

400,000 real-world miles repeated hundreds of times regression-tested against their software. Trust me, Google isn't leaving this one to chance. It's already orders of magnitude better than a human being. https://www.youtube.com/watch?v=7Yd9Ij0INX0

Re:Well I'm sold!

[jittles]

400,000 real-world miles repeated hundreds of times regression-tested against their software. Trust me, Google isn't leaving this one to chance. It's already orders of magnitude better than a human being. https://www.youtube.com/watch?v=7Yd9Ij0INX0

Until you have hundreds of thousands of these cars on the road, you're just talking statistical anomalies. I've probably driven close to 400,000 miles myself without ever getting into an accident (maybe even more). I also know a professional driver who has millions of miles and has never been in an accident.

Re:Well I'm sold!

[AK+Marc]

Humans are about the worst possible software to be in control of a car. If the bar is "better than the average human" we passed that 10 years ago. But the bar is "better than the best human under all possible (not just likely, possible) circumstances" which we are close to, but can't even test, so we aren't sure how close we are. Humans are very susceptible to hacks as well. People pulled over by fake cops, then robbed and killed. People who kill themselves trying to avoid wildlife. Missing or misunderstanding traffic signals. It'd be hard to build functional software as bad at driving as humans are.

Re:Well I'm sold!

[YrWrstNtmr]

I've probably driven close to 400,000 miles myself without ever getting into an accident (maybe even more).

Hell....I had 207,000 miles on one vehicle with only one minor parking lot bump.
The reason it didn't get to 208,000 miles and on to 300k was because of a idiot texting/phoning teenager. She destroyed it running a red light.

Re:Well I'm sold!

400,000 real-world miles repeated hundreds of times regression-tested against their software. Trust me, Google isn't leaving this one to chance. It's already orders of magnitude better than a human being.

https://www.youtube.com/watch?v=7Yd9Ij0INX0

Have you ever seen one of these on the road? It drives like a fucking maniac! Seriously, it tailgates and it will change lanes into a gap that no considerate driver would attempt. Basically, drives like your average coked up executive late for a golf meeting.

Re:Well I'm sold!

[fast+turtle]

400,000 miles? That's nothing. As a retired commercial driver, I averaged 120,000 miles a year and that's just a single truck. With all the commercial rigs (18 wheelers) on the road with a combined avg miles in excess of 1billion a year, with less then 1 accident per 250,000 miles avg (google for current stats), that simply doesn't impress me.

Now if you were talking 100,000 cars averaging 400,000 miles a year w/o accident, then I'd be willing to listen but when you mix in idiots like Joe and Tina Sixpack who's either drinking, fixing their god damn hair, reading a fucking book, talking on the cell phone and a whole rash of other stupid activities, you aint going to match the accident rate that commercial drivers have until you take Joe & Tina Sixpack's licenses away.

Re:Well I'm sold!

[jittles]

400,000 miles? That's nothing. As a retired commercial driver, I averaged 120,000 miles a year and that's just a single truck. With all the commercial rigs (18 wheelers) on the road with a combined avg miles in excess of 1billion a year, with less then 1 accident per 250,000 miles avg (google for current stats), that simply doesn't impress me.

Now if you were talking 100,000 cars averaging 400,000 miles a year w/o accident, then I'd be willing to listen but when you mix in idiots like Joe and Tina Sixpack who's either drinking, fixing their god damn hair, reading a fucking book, talking on the cell phone and a whole rash of other stupid activities, you aint going to match the accident rate that commercial drivers have until you take Joe & Tina Sixpack's licenses away.

That's exactly my point. He's pointing out a handful of Google operated automated cars. I'm Joe Sixpack, more or less, and I have gone 400k or more in my lifetime. My point is that commercial drivers do amazingly well and that his example just isn't statistically relevant.

Re:Well I'm sold!

Your a dumbass.

You're the dumbass.

Re:Well I'm sold!

[jon3k]

Yeah you're right, modern jetliners use absolutely no software and have extremely high incidents of failure related to autopilot systems. Pilots are DEFINITELY not the problem here.

During 2004 in the United States, pilot error was listed as the primary cause of 78.6% of fatal general aviation accidents, and as the primary cause of 75.5% of general aviation accidents overall.[1] For scheduled air transport, pilot error typically accounts for just over half of worldwide accidents with a known cause.[2]

Re:Well I'm sold!

[jon3k]

I don't understand, do you think you've never been in an accident because you're a skilled driver? It's called blind luck. The only accidents I've ever been in is where I was rear ended because someone wasn't paying attention. For ever driver you know that hasn't been in an accident, there's about 1,000 people who've been in an accident that was caused BY A DRIVER. Either themselves or someone else.

Re:Well I'm sold!

[jittles]

That is exactly my point!! The GP said that Google's cars are amazing because they've gone 400k miles without an accident. Big deal. How many cars do they have on the road? For all we know, they are just lucky. There is no statistical significance to Google's car's safety record at all.

Not true

[s.petry]

It was not designed broken, that was management mandated changes later on in order to garner bonuses by saving money on the project. I'm sure you know the term transponder, and even if you don't you can look it up. All communications between planes and ATC are supposed to go through the transponder. No code, no data.

So the question should be: Is the manager that got the nice fat bonus check going to return the money and go to jail? But of course we'd never want to punish an exec for doing something wrong, so I realize that my question is not just rhetorical but silly.

Remote control 101 Re:I call BS

[fleebait]

I am going to call BS on this one.
These are indication systems.
Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

Remote control is not a direct connect. It follows communications paths, and the information and control path apparently connects through the internet, both through the display and control path.

No one needs direct connection within the airplane -- all ya need to do is control it through the internet, at any receiver path, and any transmitting path. with additional directional antenna paths.

Can't do it from onboard, has to be from a remote site, and will involve additional receiver and transmit packages, not included on the android phone. (don't even have to be near the android used for control).

Re:Remote control 101 Re:I call BS

[scheme]

I am going to call BS on this one. These are indication systems. Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

Remote control is not a direct connect. It follows communications paths, and the information and control path apparently connects through the internet, both through the display and control path.

No one needs direct connection within the airplane -- all ya need to do is control it through the internet, at any receiver path, and any transmitting path. with additional directional antenna paths.

Can't do it from onboard, has to be from a remote site, and will involve additional receiver and transmit packages, not included on the android phone. (don't even have to be near the android used for control).

Are you in sales or marketing by any chance? Because this is the sport of keyboard heavy information free verbiage that typically comes from them.

This is even worse than car security

[tamyrlin]

It seems that the aircraft industry is about as security conscious as the car industry. The following page at http://lwn.net/Articles/518923/ discusses how researchers were able to take almost complete control, including the breaks, but excluding the steering IIRC by for example the following attack vectors: Malware infested CD inserted into car stereo, malformed RDS package sent via FM radio, some sort of bluetooth hacking, etc. (Also the ODBC-II port of course, although that is cheating....)

At the time I read the lwn article and the associated papers I thought to myself that the car industry should learn security and stability from the aerospace industry. Unfortunately it now turns out that they seem to have done so :(

Re:This is even worse than car security

aerospace "security" has always been to have system redundancy. the 787-8 is the first airliner I've seen to use PKI encryption. working firsthand with these techs the worst they could do would be to freak out ATC into initially thinking a hijacking took place, but one of the many redundant communication systems would immediately confirm it has not been.

Re:This is even worse than car security

[hughk]

It seems that the aircraft industry is about as security conscious as the car industry.

Not really.

Aircraft typically carry different ways of getting the same vital information, passenger aircraft must do so. Equipment in former times was very unreliable, so essentially the plane must carry two (or more) of everything. Critical components, may have the "A" and "B" computers programmed by different teams or even using different architectures. They also carry a human, who may notice if their are strange instruments.

Drones are a different matter and do seem to be spoofable.

ADS-B is Trust Based

ADS-B is considered trust based. There are some guards in place to make it difficult for any fool to broadcast, but it is well known that a transmitter can lie. Given that, I hope a pilot wouldn't overreact to a fake plane that came out of nowhere.

ADS-B

I really need to look hard at this article. I find it hard for an Android Device to insert Aircraft Coordinates into the Squitter Pulses from / to the Mode-S Transponder. I could believe the ACARS is more susceptible, but that is a stretch. You do not use ACARS for Primary Navigation, only Company to Crew Coordination. Besides TCAS will not allow a collision as well as Ground Based intervention. For the readers reference, I was part of the first Operation Evaluation in July of 1999 at ILN with the CAA. Three Airlines Demonstrated the Feasibility. Airborne Express, which was the Airline I was the Principle Avionics Inspector for. FedEx and UPS. Google this and you can find the report. ADS-B First Ops Eval July 1999 at ILN

Re:ADS-B

[KraigHayner]

Sorry, I forgot to log in for the article Post. KHayner, Retired FAA Inspector.

how long??

[lkcl]

and for how long has ACARS and ADS-B been insecure? that's what's so embarrassing about these things. skype being insecure since it was created, relying on security-through-obscurity just as adobe does for RTMP, such that the russian govt has had the ability to eavesdrop on skype for at least the past 4 years.... and *not* told anyone about it.

it's the same here. someone *somewhere* will have been exploiting ACARS and ADS-B... and not telling anyone that they're doing it. conferences like these are a wake-up call to the idiots who believe that nobody - ever - will work out their "security".

the question is: when will they learn to get proper security reviews *before* designing the protocol??

Re:how long??

[EmperorArthur]

And how long have police radios relied on insecurity? That's the same question you're asking.

The protocol is very secure and error resistant. It is not, and never has been spoof resistant. All of these signals are unencrypted, and that's a good thing. I don't know about you, but I enjoy seeing where all the planes are. Or are you against open data?

Saying that you could modify the behavior of an airplane by spoofing these signals is like saying you could modify a cars behavior by spoofing GPS signals. Well duh, you can modify an instrument or two, but aircraft have a bunch of backups, the most important ones being the pilots. Actually, GPS spoofing doesn't even work against airliners. They have internal measurement units, and laser ring gyros as redundant backups. You have three fully separate systems voting on everything, including position information.

While someone could in theory spoof some messages, there are reasons why Die Hard 2 was stupid. The largest one being, that pilots have charts that they are required to keep updated, and look at before a flight. They know where they are, and they have good old fashioned paper maps of where everything else is, and it's elevation.

Re:how long??

Well, therein lies the problem actually. You are of course correct that airplanes of all sizes have all kinds of communications and navigations gear, most of which isn't really all that connected. Airliners have computers that will read signals from multiple inputs at once and present it in a single display, just like smaller GA glass cockpits have started doing, but that's not really the problem.

The problem is when people, especially people who like to plan things and do budget spreadsheets, start asking questions like "why do we need VOR transmitters when we have GPS?" Or "why do we need ILS (simple enough, well understood technology) when we can replace it with GPS enhancing equipment made by very expensive contractors and look cool". So you get things like the FAA planning on turning off a bunch of VORs, NDBs and other such navaids, and then of course planning on replacing primary and secondary radar with ADS-B. When you get right down to it, ADS-B is essentially airplanes telling each other where they are. What could possibly go wrong? (Definition for the uninitiated: primary radar is like what you see in WWII movies, but computer enhanced. Secondary radar is what interrogates transponders to get actual data from planes in flight about things like altitude and coded numbers so the computer can tag planes with the right data. It's not really "radar" but it is a ground based interrogation/response system that works along with primary radar. The ATC computers put both together on displays for the controllers. They can use one without the other, but things work better with both.)

Getting rid of these "redundant" systems is a bunch of stupid ideas. Except they're not. Individually they're OK. They're stupid when you take the effect in total, which is going to be to make airplanes rely on essentially one external input for position information, plus whatever they can sense via INS systems, etc, at least until the accountants decide to start making planes without that stuff because it costs a lot and GPS works great, right?

Well, other than by remote management, which I'm sure they have but which can be interrupted, you can't turn off all the VORs all over the place all at once. You can't re-aim ILS systems for reasons that have already been beaten to death in this thread. NDBs? Essentially AM radios. You can even use commercial stations in a pinch if you know where the transmitter is. All relatively simple, very proven technologies--each of which has very real flaws, but well understood flaws.

So if somebody could spoof GPS signals or send fake ADS-B transmissions today, it's not a big deal. Become dependent on them, and by "dependent" I mean "using them because there's nothing else to use", then it becomes a really big deal.

Media propaganda aside, which is mostly fed by for-profit privatizers (airlines) trying to grab control of the ATC system, air traffic control in this country is not all that unsophisticated. It is, usually, as sophisticated as it needs to be for a given area. Remote airport with light traffic and decent weather? A controller with binoculars and maybe a radar repeating display is quite sufficient. Busy places? They go all out. They always do things that look weird to people who just have to have an app for everything. For instance, they print out clearances, write things on them, and send them around via vacuum tubes in lots of cases. Why? Because if you lose your tech all of the sudden you still have an idea where everybody is and what they're doing. Make things "efficient", start them working on tablets and such, and you've actually introduced risk into the system you didn't have before. Just like with making planes dependent on ADS-B by removing other sources of information.

Unlikely

[borgasm]

IAAP

The concept of using ADS-B to spoof position reporting doesn't hold water, since there are backup systems (Mode C/S xpdr)...though it may trigger a traffic alert on a neighbor's TCAS if it only relies on ADS-B reports (which it shouldn't). You can't control anything with just ADS-B spoofing.

Hacking the FMS via something like vulnerability in the ACARS receive stack....ok that might be in the realm of possibility. Except its not very useful, because any deviation of course or altitude would be detected by the pilots and ATC nearly immediately. Redundancy is built in at the human level.

Re:Unlikely

[data.angel.one]

Too bad that humans hold the record for flaws, vulnerabilities, exploits, bugs and errors... http://www.lewisandtompkins.com/library/pilot-error-the-most-common-cause-of-airplane-crashes.cfm

Re:Unlikely

[tlhIngan]

Too bad that humans hold the record for flaws, vulnerabilities, exploits, bugs and errors... http://www.lewisandtompkins.com/library/pilot-error-the-most-common-cause-of-airplane-crashes.cfm

That's because mechanical failures in aircraft, even GA ones, are extremely uncommon these days. It's like a modern car breaking down causing an accident - it almost never happens (even the Toyota ones were found to be purely human error). It's usually human error purely because we got mechanical failure under control.

It's so rare that it's typically a chain of events that lead to an incident - usually precipitated by some human failing and compounded by more human failings. Perhaps the closest relation to mechanical failure would be poor human interface design (which for any complex piece of machinery, is very common) in which case pilots get caught with misleading signals, false alarms, flipping wrong switches in the wrong place, indicators that don't ... well, indicate (or noticeably - partial autopilot disconnects without warning, for example). And it's sometimes not the fault of the equipment manufacturer - it can be poor HID on integration - where an indicator can be hidden by a body part (a knee is common).

And yes, I've had it happen to me - I accidentally engaged the autopilot on a Cessna 172 during a touch-and-go. The controls felt "weird" (did I break the airplane?), but I was still in positive control (you can overpower the autopilot as a backup), and my instructor was on board to diagnose the issue so I kept in positive control while he figured the problem. And yes, there's now an airwothiness directive because others weren't so lucky - basically to have the autopilot alarm go off when it's engaged AND disengaged (the standard was an alarm when it disengages to warn the pilot it's not in control).

I call false analogy.

[SuperBanana]

I am going to call BS on this one. These are indication systems. Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

The article is bullshit because they claim "with an Android phone" when they mean "with a bunch of custom hardware that happens to be driven by a UI running on an Android phone"...but if they're able to present false information, your analogy is not correct.

If someone is able to spoof a transponder signal enough to be believed by collision warning systems, then absolutely, they're going to affect the plane - all it would take would be simulating a plane coming at the target in question, and the pilots on board will take evasive action. That's absolutely a form of "control".

Does it only work if I'm on the plane?

[jader3rd]

Why would I want to do this if I'm on the plane? Suicide wish?

"aircrafts" is not a word

...even if you repeat over and over in TFS and TFA.

That slideshow is amazing

[bshell]

If you actually go through the slideshow you can see that there's a hell of a lot more involved than just pressing some buttons on an android phone. Among other things "Russian scrapings" on eBay and "Universal Software Radio Peripherals" are mentioned. I guess a very industrious group of engineers could pull this off, but this is not going to be that easy.

Here I was always just playing MS flight simulator

[damn_registrars]

I guess I was doing it wrong.

Not anything like hijacking.

[EmagGeek]

You're not taking control of the plane. You are simply manipulating the information the pilot is receiving. The second the pilot realizes the information he is receiving is erroneous (and he will, quickly), the attack is over.

IAAP

Re:Not anything like hijacking.

[hughk]

Good point. And not only that, information is flowing into the pilot from multiple sources, visual clues, ATC and multiple instruments.

Just an android phone?

[dragonhunter21]

Unless the Galaxy S4 comes with an ADS-B transciever, I think these flights should be OK.

When the pilots start seeing multiple odd contacts on their ADS-B display, they'll call down to Center and ask what's going on. When they do, Center will tell them that there are no contacts in their area, and the flight will continue using more traditional navigation/avoidance procedures. This isn't a "shoot down an airliner free" card.

"Aircrafts" - TFS needs an editor!

[timbo234]

FFS the plural of 'aircraft' is 'aircraft'. Yeah, yeah grammar Nazi and all that. But it doesn't change the fact that having basic grammatical errors repeated over and over in the summaries makes slashdot look terrible.

New safety rules.

Smartphones, hell, all electronic devices, will now have to go in the checked luggage or they'll be confiscated.
The devices will have to be disabled or your bag won't get on the plane. This will be checked by specially trained cloned dogs.
This will be preferred solution, instead of implementing proper security other than "through obscurity" model existing today.

Subject

For a second there, I thought of how could the Snackbars abuse this.
Then I remembered they're just primates and could never handle such a thing.

Plurals

one sheep two sheep
one fish two fish
one aircraft two aircraft

BullShit

[KB2JAQ]

"Teso misused the ADS-B to select targets..." Select targets? There is no "select target" in commercial aviation. Some ( very few at this time ) aircraft can receive ADS-B and TIS broadcasts to display traffic, the traffic will only show as icons on a display for the pilot to interpret. The aircraft will not respond AT ALL to other traffic.... If the aircraft has TCAS II with RA it will do even less because the false ADS-B broadcast will not pass a sanity check when the TCAS issues capability inquiry's to the ICAO address your spoofing. TCAS will only issue RA's when aircraft are verified on a number of levels, the basics being distance and direction and altitude.... Distance measured by the response time of the ModeS inquiry... and the direction measured by a four pole directional antenna....You can't spoof tdoa information at the receiver. "...and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities..." ACARS has the basic ability to send messages/flight plans etc to the aircraft via a DataManagementUnit and then on to the Flight Management System.... It does not control the aircraft.... It can upload a flight plan in some instances and give the pilot the option of using that plan.. but has no data path to the autopilot. Even saying "THE onboard computer" shows that this guy is 100% uneducated about aircraft. And for those of you worried. ACARS is being replaced in the next 5-10 years with VDL, which will enable more ground/aircraft integration and control.. but it's encrypted... And autopilot's mostly use 8086... There are no data links, most of the interconnects, inputs and outputs are still analog... you have to read error codes in hex. This guy is 100% full of **** I'm an avionics manager and I approved this message.