Can airplanes be hacked with an Android app? Researcher claims it's possible

The Transportation Department reports that U.S. airlines made $3.4 billion from baggage fees in 2010. Jeff Glor reports. iStockphoto

Can you hack into an airplane using an app on your Android smartphone? That's what one man claimed during a demonstration at a conference in Amsterdam this week.

At the Hack in the Box security conference, Hugo Teso, a security researcher at the German IT consulting firm N.Runs, hacked into a simulated aircraft system using an Android app. According to Forbes, Teso claims he is able to send data to commercial aircraft -- like those made by Honeywell, Thales and Rockwell Collins -- exploit bugs in flight management software and send radio signals to planes to execute commands including those changing altitude, speed or direction. Teso has not disclosed what vulnerabilities he claims to have found in the code.

In his presentation, Teso used an Android application to redirect a virtual aircraft by tapping on a map on his smartphone, Forbes reports. He claims that a protocol called Aircraft Communications Addressing and Report System (ACARS) has no security, and that an airplane cannot tell if the messages it receives are valid or not.

According to CNN, Teso said he spent three years developing a framework of malicious code which would run on an Android app called PlaneSpoit. N.Runs explained in a press release that Teso collected real data from aircraft systems to build a virtual environment that it believes replicates the systems and processes found on real planes.

N.Run added that Teso kept his research code and platforms separate and deliberately refrained from working directly on real aircraft. The firm still believes the research is accurate, however, and warns that the findings present a real problem for aviation security and airliners.

The Federal Aviation Administration (FAA) says it is aware of Teso's research, but points out it was never tested on certified flight hardware. The FAA released this statement to CBSNews.com via email:

The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer. The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware. The described technique cannot engage or control the aircraft's autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain "full control of an aircraft" as the technology consultant has claimed.

A spokesperson for Honeywell and Rockwell Collins told Forbes that they have been in touch with N.Runs to asses the allegations.

"Today's certified avionics systems are designed and built with high levels of redundancy and security. The research by Hugo Teso involves testing with virtual aircraft in a lab environment, which is not analogous to certified aircraft and systems operating in regulated airspace," said a statement released by Rockwell Collins.

The European Aviation Safety Administration did not immediately respond to CBSNews.com's request for comment, but released this statement to Forbes.

"For more than 30 years now, the development of certifiable embedded software has been following strict guidance and best practices that include in particular robustness that is not present on ground-based simulation software."

Watch Teso's demonstration below:

Comments

CBSN Live

pop-out
Live Video

Watch CBSN Live

Watch CBS News anytime, anywhere with the new 24/7 digital news network. Stream CBSN live or on demand for FREE on your TV, computer, tablet, or smartphone.