Hijacking Airplanes With an Android Phone
An anonymous reader writes "Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies. However, the talk that security researcher and commercial airplane pilot Hugo Teso delivered today at the Hack in the Box conference in Amsterdam has brought it into the realm of reality and has given us one more thing to worry about and fear (presentation slides PDF). One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast (ADS-B), which sends information about each aircraft (identification, current position, altitude, and so on) through an on-board transmitter to air traffic controllers, and allows aircrafts equipped with the technology to receive flight, traffic and weather information about other aircrafts currently in the air in their vicinity. The other one is the Aircraft Communications Addressing and Reporting System (ACARS), which is used to exchange messages between aircrafts and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter. Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the 'behavior' of the plane."
... don't think I've ever seen a movie where that happens (planes getting hijacked that way).
Die Hard 2. Except it was a room full of computer shit in a nearby church, rather than a smart phone. But, you know, technological progress and all that.
yes
Would aircraft hijacked by phones be considered drones?!
You designed a broken system that remained hidden, now that it's out fix it!
Sorry, but to have an Android device that can transmit and receive ACARS is close to impossible. Might as well take Android out of the equation. I guess it could be possible to take a software radio and any mobile platform (Windows, Ubuntu tablet, Raspberry Pi, Android, iOS) and make it capable of receiving and sending out altered ACARS messages since I'm fairly sure the system has no encryption built in, but I dunno. Hijacking seems to be a stretch.
There's an app for that!
The NSA: The only part of the US government that actually listens.
I am going to call BS on this one.
These are indication systems.
Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.
That, and they used hardwire (cable) to connect directly to the airport network.
Well, that puts them one up on the guy in this article. He didn't connect to any hardware or network. Just some simulators.
From TFA:
When talking about the range, please keep in mind that we are talking about a proof-of-concept application used in a virtual environment. In real life, the range would be limited depending on the antennas used (if going directly for the plane), or global (if misusing one of the two big ACARS players such as SITA or ARINC).
They were executing a man in the middle attack against aircraft and their ground based navigation infrastructure. Same thing here, just different technology. Don't be so pedantic.
Now, I suppose you could put the high beam audio onto the low beam and vice versa IF the transmitters were computer controlled (and they almost certainly aren't.). All that would do is create confusion as the pilot intercepted the glideslope and noticed that he was flying into the glideslope from below yet the instrument said he was intercepting it from above. I don't think that would flag the display, but it certainly would have the pilot ignoring the ILS at least, and going around as a precaution.
But move the TDZE down? Impossible.
has given us one more thing to worry about and fear (presentation slides
I'm already afraid of presentation slides, but apparently that fear is now renewed!
People in cars cause accidents....accidents in cars cause people
It seems that the aircraft industry is about as security conscious as the car industry. The following page at http://lwn.net/Articles/518923/ discusses how researchers were able to take almost complete control, including the brakes, but excluding the steering IIRC by for example the following attack vectors: Malware infested CD inserted into car stereo, malformed RDS package sent via FM radio, some sort of Bluetooth hacking, etc. (Also the ODBC-II port of course, although that is cheating....)
:(
At the time I read the lwn article and the associated papers I thought to myself that the car industry should learn security and stability from the aerospace industry. Unfortunately it now turns out that they seem to have done so.
They were executing a man in the middle attack against aircraft and their ground based navigation infrastructure.
A MITM attack requires intercepting the original message and replacing it with a modified version. That's not what was happening in DH2. In DH2 they were allegedly modifying the original message itself, in a way that is ridiculously impossible.
A MITM would have the black hats intercepting the ILS radio signals and modifying them. There would be no need to do that, since all you need is the ability to transmit your own ILS signal. That would have required the physical presence of a transmitter several hundred feet prior to the threshold in order to put the TDZE below ground. You cannot do that by simply changing the signals transmitted by the FAA ILS system itself.
Except that as a pilot, I can tell you that everything that they did in that movie was so fucking far out of the realm of possibility as to be a joke. ILS is a fixed installation and must be physically moved to affect the glide slope. And blowing up the transmitter? Really?!? What about all the other aircraft sitting on the ramp - each one with its own shiny transmitter? What about those?
Why is it that most of the people that I encounter seem to have been shat from the Sphincter of Mediocrity?
IAAP
The concept of using ADS-B to spoof position reporting doesn't hold water, since there are backup systems (Mode C/S xpdr)...though it may trigger a traffic alert on a neighbor's TCAS if it only relies on ADS-B reports (which it shouldn't). You can't control anything with just ADS-B spoofing.
Hacking the FMS via something like a vulnerability in the ACARS receive stack....ok that might be in the realm of possibility. Except it's not very useful, because any deviation of course or altitude would be detected by the pilots and ATC nearly immediately. Redundancy is built in at the human level.
I am going to call BS on this one. These are indication systems. Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.
The article is bullshit because they claim "with an Android phone" when they mean "with a bunch of custom hardware that happens to be driven by a UI running on an Android phone"...but if they're able to present false information, your analogy is not correct.
If someone is able to spoof a transponder signal enough to be believed by collision warning systems, then absolutely, they're going to affect the plane - all it would take would be simulating a plane coming at the target in question, and the pilots on board will take evasive action. That's absolutely a form of "control".
Please help metamoderate.
He's an inflatable autopilot, you insensitive clod!
NO. I saw the guy talk at Black Hat last year, and he's full of shit. "OMG!!! I can tell that there's an airplane in the air!!! That must be bad!!! But I don't have any explanation why it's bad..." He even prefaced his talk with "I'm nowhere near an expert in aviation or how planes work, so it's possible that there's stuff going on here that I don't know."
He's a kid crying wolf when he sees sheep, because a wolf might attack the sheep, but he doesn't even try to find the sheepdog, or the shepherd carrying a rifle, or the fence around the sheep, or...
Well, therein lies the problem actually. You are of course correct that airplanes of all sizes have all kinds of communications and navigation gear, most of which isn't really all that connected. Airliners have computers that will read signals from multiple inputs at once and present it in a single display, just like smaller GA glass cockpits have started doing, but that's not really the problem.
The problem is when people, especially people who like to plan things and do budget spreadsheets, start asking questions like "why do we need VOR transmitters when we have GPS?" Or "why do we need ILS (simple enough, well understood technology) when we can replace it with GPS enhancing equipment made by very expensive contractors and look cool". So you get things like the FAA planning on turning off a bunch of VORs, NDBs and other such navaids, and then of course planning on replacing primary and secondary radar with ADS-B. When you get right down to it, ADS-B is essentially airplanes telling each other where they are. What could possibly go wrong? (Definition for the uninitiated: primary radar is like what you see in WWII movies, but computer enhanced. Secondary radar is what interrogates transponders to get actual data from planes in flight about things like altitude and coded numbers so the computer can tag planes with the right data. It's not really "radar" but it is a ground based interrogation/response system that works along with primary radar. The ATC computers put both together on displays for the controllers. They can use one without the other, but things work better with both.)
Getting rid of these "redundant" systems is a bunch of stupid ideas. Except they're not. Individually they're OK. They're stupid when you take the effect in total, which is going to be to make airplanes rely on essentially one external input for position information, plus whatever they can sense via INS systems, etc, at least until the accountants decide to start making planes without that stuff because it costs a lot and GPS works great, right?
Well, other than by remote management, which I'm sure they have but which can be interrupted, you can't turn off all the VORs all over the place all at once. You can't re-aim ILS systems for reasons that have already been beaten to death in this thread. NDBs? Essentially AM radios. You can even use commercial stations in a pinch if you know where the transmitter is. All relatively simple, very proven technologies--each of which has very real flaws, but well understood flaws.
So if somebody could spoof GPS signals or send fake ADS-B transmissions today, it's not a big deal. Become dependent on them, and by "dependent" I mean "using them because there's nothing else to use", then it becomes a really big deal.
Media propaganda aside, which is mostly fed by for-profit privatizers (airlines) trying to grab control of the ATC system, air traffic control in this country is not all that unsophisticated. It is, usually, as sophisticated as it needs to be for a given area. Remote airport with light traffic and decent weather? A controller with binoculars and maybe a radar repeating display is quite sufficient. Busy places? They go all out. They always do things that look weird to people who just have to have an app for everything. For instance, they print out clearances, write things on them, and send them around via vacuum tubes in lots of cases. Why? Because if you lose your tech all of a sudden you still have an idea where everybody is and what they're doing. Make things "efficient", start them working on tablets and such, and you've actually introduced risk into the system you didn't have before. Just like with making planes dependent on ADS-B by removing other sources of information.
While DH2 is a good movie, the whole concept behind the ILS manipulation is horse manure. ILS isn't a digitally encoded system with GPS coordinates or something, it's a localizer beam with elevation and azimuth. The plane picks up the radio waves and "rides the beam" down. The only way to move the landing point is to go physically move the transmitter. And in the case of DH2, bury the transmitter 100' below ground or something. (And expect the pilots and flight computer to ignore the ground altimeter, which is pretty hard to mess with remotely).
Aaaaand they were moving the touchdown zone elevation below ground, which is not a function of the signals being transmitted but of the physical location of the transmitting antennas. In fact, the entire ILS system is based on the physical properties of the antennas (bolted in place).
Now, I suppose you could put the high beam audio onto the low beam and vice versa IF the transmitters were computer controlled (and they almost certainly aren't.). All that would do is create confusion as the pilot intercepted the glideslope and noticed that he was flying into the glideslope from below yet the instrument said he was intercepting it from above. I don't think that would flag the display, but it certainly would have the pilot ignoring the ILS at least, and going around as a precaution.
But move the TDZE down? Impossible.
Hey! You are talking about a movie where they faxed fingerprints (100dpi) and got clear identification. Obviously they know more about science than YOU do!
FFS the plural of 'aircraft' is 'aircraft'. Yeah, yeah grammar Nazi and all that. But it doesn't change the fact that having basic grammatical errors repeated over and over in the summaries makes Slashdot look terrible.
Pre-canned Evolution Links for all those Slashdot holy wars.