Hijacking Airplanes With an Android Phone

An anonymous reader writes "Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies. However, the talk that security researcher and commercial airplane pilot Hugo Teso delivered today at the Hack in the Box conference in Amsterdam has brought it into the realm of reality and has given us one more thing to worry about and fear (presentation slides PDF). One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast (ADS-B), which sends information about each aircraft (identification, current position, altitude, and so on) through an on-board transmitter to air traffic controllers, and allows aircrafts equipped with the technology to receive flight, traffic and weather information about other aircrafts currently in the air in their vicinity. The other one is the Aircraft Communications Addressing and Reporting System (ACARS), which is used to exchange messages between aircrafts and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter. Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the'behavior' of the plane."

It has?

[tocsy]

"Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies."

I... don't think I've ever seen a movie where that happens (planes getting hijacked that way). Maybe I just don't see enough movies.

Re:It has?

[localman57]

... don't think I've ever seen a movie where that happens (planes getting hijacked that way).

Die Hard 2. Except it was a room full of computer shit in a nearby church, rather than a smart phone. But, you know, technological progress and all that.

Re:

[lesincompetent]

aaaaand they were screwing with the airport's ILS, not with the plane itself.

Re:It has?

[localman57]

They were executing a man in the middle attack against aircraft and their ground based navigation infrastructure. Same thing here, just different technology. Don't be so pedantic.

Re:

[lesincompetent]

It's the ground-based signal that got changed: the aircraft simply followed it to its doom. Yes i know i am pedantic.

Re:

[pixelpusher220]

You totally missed it!

has given us one more thing to worry about and fear (presentation slides

I'm already afraid of presentation slides, but apparently that fear is now renewed!

Re:It has?

[Obfuscant]

They were executing a man in the middle attack against aircraft and their ground based navigation infrastructure.

A MITM attack requires intercepting the original message and replacing it with a modified version. That's not what was happening in DH2. In DH2 they were allegedly modifying the original message itself, in a way that is ridiculously impossible.

A MITM would have the black hats intercepting the ILS radio signals and modifying them. There would be no need to do that, since all you need is the ability to transmit your own ILS signal. That would have required the physical presence of a transmitter several hundred feet prior to the threshold in order to put the TDZE below ground. You cannot do that by simply changing the signals transmitted by the FAA ILS system itself.

Re:It has?

[davros74]

While DH2 is a good movie, the whole concept behind the ILS manipulation is horse manure. ILS isn't a digitally encoded system with GPS coordinates or something, it's a localizer beam with elevation and azimuth. The plane picks up the radio waves and "rides the beam" down. The only way to move the landing point is to go physically move the transmitter. And in the case of DH2, bury the transmitter 100' below ground or something. (And expect the pilots and flight computer to ignore the ground altimeter, which is pretty hard to mess with remotely).

Re:

[Obfuscant]

And in the case of DH2, bury the transmitter 100' below ground or something.

Easier to put it 1000' prior to the TDZ. That would put the TDZE below ground. And the point about ignoring the radar/pressure altimeter is also valid, as is one that they'd have to ignore the ILS FAF altitude (final approach fix, a 3-d point in space defined by glideslope, localizer and one other lateral fix) which has a published altitude and is part of the final approach checklist. And they'd have to ignore the DH, which is the altitude (radar or pressure) at which they must either have the runway/envir

Re:

[Rich0]

Well, they could do it for a Cat III ILS. For a Cat III ILS the decision height is zero - you can use it even if you can't see the ground at all. Considering the weather that would have been the only way to land the plane in any case - they didn't see the ground until it was too late to abort.

For less than Cat III the aircraft would have aborted when they failed to see the runway at the decision height. However, that would have likely meant aborting the landing even on a proper approach - any aircraft wi

Re:

[Rich0]

I'm not sure if Cat III requires an INS with a suitable level of performance. That and a radar altimiter is about the only thing that I think would defeat this attack. Of course, you can't just "recalibrate" the ILS to pull it off - you need to move it physically (either moving the original, or disabling it and setting up a new transmitter).

A radar altimeter alone would not really prevent this. The altimeter would tell you that you're 100 feet up, and you'd look down and see clouds, and have no idea that

Re:

[deadweight]

See my previous post. That is NOT how it works. The "high" signal is modulated at 90 Hz and "low" signal at 150 Hz. You could grab the antenna and point it higher or lower to change the slope or you could just send a strong 90 Hz modulated signal and the cockpit indication will always be "descend - you are high" even at ground level. I used to "fly" a 737 with the autopilot coupled to the ILS with a test ILS transmitter sitting in first class just for fun. (sitting parked, not actually flying)

Re:

[Obfuscant]

You could grab the antenna and point it higher or lower to change the slope or you could just send a strong 90 Hz modulated signal and the cockpit indication will always be "descend - you are high" even at ground level.

As I already pointed out, if you do this then the pilot will be absolutely certain that there is a problem with the ILS because he will be told he's above the glideslope even before he intercepts it -- and he will always intercept the glideslope from below. It's part of the training for IFR pilots. Watch the needle on the GS to see it come down towards center and then start a descent to keep it there. If you haven't intercepted the GS yet and it says "too high", something is broken and you don't use the GS

Re:

[deadweight]

Sure - there are some diffiuculties to pulling this off. Say you do nothing until the plane is about 400' AGL and then send 90hz and the plane is flying a coupled approach. At 90 knots in a 3000 pound airplane the pilot would recover if he was paying attention, but at 100,000 pounds and 120-140 knots you might just have a hard time with it. In real life messing with a localizer or glideslope is a low return idea - you have to be there on or near the runway and the pilots will just call it in as defective eq

Re:

[Obfuscant]

Sure - there are some diffiuculties to pulling this off.

Do you think there are some difficulties with pulling off a hack where a bad guy turns a knob and the ILS glideslope moves downward as a whole 100 or 200 feet? Really? That's what they did in the movie. They didn't change the slope, they changed the intercept, in terms of a linear equation.

Say you do nothing until the plane is about 400' AGL and then send 90hz and the plane is flying a coupled approach.

So the GS goes fully offscale in a fraction of a second and the flight computer faithfully follows it, even though it is no longer providing course guidance. And the GS receiver doesn't notice that it is no longer rece

Re:

[deadweight]

That actually could be done. The test box DOES have a knob that moves the glideslope (and localizer too) from full up to full down and anywhere in between. You could start with needles centered and slowly add a little down needle as the plane descended to force the pilot gradually lower. Of course this plot requires to see exactly where the airplane is AND relies on a clueless pilot who does not go missed at DH. Also the dastardly radar altimeter will help defeat this evil plan..... So as a realistic way to

Re:

[Obfuscant]

That actually could be done. The test box DOES have a knob that moves the glideslope (and localizer too) from full up to full down and anywhere in between.

You are missing the difference. In DH2 the bad guys moved the ILS APPROACH up and down without changing the slope. YOU are talking about moving the glideslope NEEDLE in the aircraft up and down. Those are two different things. One can be done, the other cannot.

Re:

[deadweight]

Yes - that is why you need to watch the airplane in real time for the trick to work. Otherwise it will just look like the equipment is broken.

Re:

[localman57]

A MITM attack requires intercepting the original message and replacing it with a modified version. That's not what was happening in DH2. In DH2 they were allegedly modifying the original message itself, in a way that is ridiculously impossible.

The MITM attack I was thinking of was when they took over voice control...

Re:

[deadweight]

I think you can. I had a test box when I worked for an airline that did just that. You send the 90HZ signal when the plane is a couple miles out and the pilot or autopilot will think you are high and descend. Depending on terrain and visibility, you just might send them into the ground. IIRC in WW II the Germans did successfully wreck a plane or two by doing something like this.

Re:It has?

[Obfuscant]

Aaaaand they were moving the touchdown zone elevation below ground, which is not a function of the signals being transmitted but of the physical location of the transmitting antennas. In fact, the entire ILS system is based on the physical properties of the antennas (bolted in place).

Now, I suppose you could put the high beam audio onto the low beam and vice versa IF the transmitters were computer controlled (and they almost certainly aren't.). All that would do is create confusion as the pilot intercepted the glideslope and noticed that he was flying into the glideslope from below yet the instrument said he was intercepting it from above. I don't think that would flag the display, but it certainly would have the pilot ignoring the ILS at least, and going around as a precaution.

But move the TDZE down? Impossible.

Re:

[lesincompetent]

Mod parent up! Thanks for the crystal clear explanation!

Re:

[DoubleJ1024]

my kingdom for my expired mod points. (they expired less than one hour ago)

Re:It has?

[RabidReindeer]

Aaaaand they were moving the touchdown zone elevation below ground, which is not a function of the signals being transmitted but of the physical location of the transmitting antennas. In fact, the entire ILS system is based on the physical properties of the antennas (bolted in place).

Now, I suppose you could put the high beam audio onto the low beam and vice versa IF the transmitters were computer controlled (and they almost certainly aren't.). All that would do is create confusion as the pilot intercepted the glideslope and noticed that he was flying into the glideslope from below yet the instrument said he was intercepting it from above. I don't think that would flag the display, but it certainly would have the pilot ignoring the ILS at least, and going around as a precaution.

But move the TDZE down? Impossible.

Hey! You are talking about a movie where they faxed fingerprints (100dpi) and got clear identification. Obviously they know more about science than YOU do!

Re:

[morcego]

... don't think I've ever seen a movie where that happens (planes getting hijacked that way).

Die Hard 2. Except it was a room full of computer shit in a nearby church, rather than a smart phone. But, you know, technological progress and all that.

That, and they used hardwire (cable) to connect directly to the airport network.

Re:

[localman57]

That, and they used hardwire (cable) to connect directly to the airport network.

Well, That puts them one up on the guy in this article. He didn't connect to any hardware or network. Just some simulators.

From TFA:

When talking about the range, please keep in mind that we are talking about a proof-of-concept application used in a virtual environment. In real life, the range would be limited depending on the antennas used (if going directly for the plane), or global (if misusing one of the two big ACARS players such as SITA or ARINC).

Re:It has?

[Cosgrach]

Except that as a pilot, I can tell you that everything that they did in that movie was so fucking far out of the realm of possibility as to be a joke. ILS is a fixed installation and must be physically moved to affect the glide slope. And blowing up the transmitter? Really?!? What about all the other aircraft sitting on the ramp - each one with it's own shiny transmitter? What about those?

Re:

[Obfuscant]

ILS is a fixed installation and must be physically moved to affect the glide slope.

Actually, I think you can change the angle (slope) of the glideslope by changing the modulation levels of the tones on the two radio beams, and theoretically there could be an obstruction that would intrude in the flight path if you lowered it a degree. I don't know the TERPS (approach designer) criteria for protected zones.

However, this would screw the glideslope intercept altitude shown on the approach and the pilot would know something is wrong if he's paying attention, and this is one of the points o

Re:

[hughk]

Yes, the antennas are fixed but the ILS can be tweaked and often had to be (worked a long time ago at a place that built ILS equipment). They are supposed to be self maintaining using ground mounted calibration antennas but every so often an aircraft has to check the slope out by probing the ILS envelope (flying deliberately off the glide path) under VFR conditions. However, on top of the glide slope, there are radar altimeters (on the plane) and marker beacons (on the ground).

Re:

[Rich0]

Yup, and I'm sure it wouldn't be that hard to transmit on the tower frequency from the nearest approach/center ATC. Those are usually in office buildings miles from airports.

Every one of those aircraft would have had an alternate designated which was far enough away as to not be likely to be closed, and they would have fuel to reach that alternate. When their primary airport closed and stopped responding they wouldn't have just sat around circling until they ran out of fuel - especially as they exceeded t

Re:

[tlhIngan]

Yup, and I'm sure it wouldn't be that hard to transmit on the tower frequency from the nearest approach/center ATC. Those are usually in office buildings miles from airports.

There's a reason why aviation uses AM modulation, and not FM or a digital mode. When an AM transmission is "stepped on" (that is, two people transmitting), the receiver squeals, which indicates to anyone listening that there were two people transmitting simultaneously (or what people would call a "collision").

Ah, but the even fancier tr

Re:

[bytethese]

As a former IT worker working in computer forensics now, you now know how I feel watching CSI, Swordfish and the like.

Re:

[Anonymous Coward]

He's an inflatable autopilot, you insensitive clod!

Re:

[martinX]

Airplane? That movie was a joke, too.

Re:

[Cosgrach]

Actually, I liked Airplane - it was meant to be a comedy and did not even try to portray real life possibilities.

But when asked to suspend disbelief in a situation and then get so many things wrong on so many levels - it really fucks up a story.

Re:

[wonkey_monkey]

Die Hard 2 wasn't exactly meant to make you think "what if...?". Films that strictly depict real life possibilities tend to be either very worthy or very very dull (and sometimes both).

Re:

[delt0r]

News flash. The Die hard series is suppose to be a action comedy. Not a documentary. And really what movie doesn't get so many things wrong on so many levels? Its probably the very few good docos...Since so many documentaries are equally bad.

Re:

[Big Hairy Ian]

Oh surely this is "Nerds on a Plane!!!" :)

An Apple marketing ploy?

[Master Moose]

Could apple now be trying to make people scared to purchase Android devices should they be targeted by the TSA as potential terrorists? :)

Re:

[cjpa]

yes

Re:

[Anonymous Coward]

Both of you. Get a fucking life.

Re:An Apple marketing ploy?

[Anonymous Coward]

NO. I saw the guy talk at Black Hat last year, and he's full of shit. "OMG!!! I can tell that there's an airplane in the air!!! That must be bad!!! But I don't have any explanation why it[s bad..." He even prefaced his talk with "I'm nowhere near an expert in aviation or how planes work, so it's possible that there's stuff going on here that I don't know."

He's a kid crying wolf when he sees sheep, because a wolf might attack the sheep, but he doesn't even try to find the sheepdog, or the shepard carrying a rifle, or the fence around the sheep, or...

Oh shit, Obama's in trouble!

[Iniamyen]

Would aircraft hijacked by phones be considered drones?!

Secure it.....

[Murdoch5]

You designed a broken system that remained hidden, now that it's out fix it!

Re:

[gandhi_2]

...or at least jail those who figured it out!

Re:

[CodeReign]

Sadly this will be the solution. Make it so unthinkable to try and find vulnerabilities that nobody does it. Except those whom are willing to use them maliciously and willing to pay the price for their noncompliance.

Not true

[s.petry]

It was not designed broken, that was management mandated changes later on in order to garner bonuses by saving money on the project. I'm sure you know the term transponder, and even if you don't you can look it up. All communications between planes and ATC are supposed to go through the transponder. No code, no data.

So the question should be: Is the manager that got the nice fat bonus check going to return the money and go to jail? But of course we'd never want to punish an exec for doing something wro

nope

[hypergreatthing]

Sorry, but to have a android device that can transmit and receive ACARS is close to impossible. Might as well take android out of the equation. I guess it could be possible to take a software radio and any mobile platform (windows, ubuntu tablet, raspberry pi, android, ios) and make it capable of receiving and sending out altered ACARS messages since i'm fairly sure the system has no encryption built in, but i dunno. Hijacking seems to be a stretch.

Re:

[X0563511]

No kidding. Newsflash: radios can transmit radio waves.

Re:

[jcdr]

Sorry, but to have a android device that can transmit and receive ACARS is close to impossible.

I would not bet on that !

The lasts superphones embeds so much high speed subsystems (2,3,4G/WiFia,b,n,g/BT/FM/AM/NFC/RFID/PAL/NTSC/HDMI/USB2,3/Audio/ and certainly a few more at each generation) that there are probably capable of processing some signals at virtually any frequencies if some high skilled hackers are motivated to do it.

Analog filters never cut abruptly; DSP can be reprogrammed to abuse the surrounding components. Any interfaces can leaks some creative signals. Take a look at this for example:

Re:

[hughk]

Nope.

A good demonstration of this was the issue about Nexus 4s being able by accident, to transmit a little bit on LTE (only one frequency) and only because the LTE frequencies were enabled by accident in the software. Unless there are antennas designed, the signal would be weak as hell even if you can get it out of the phone. Then you have to get the signal out of the fuselage which is normally working, more or less, as a Faraday cage to an antenna pointing at the ground or a satellite. The vulnerability t

Re:

[jcdr]

Nope ? How can you be so certain ? I have passed long days in electromagnetic testing room, and I can say that you will be surprised by what can happens with complex and highly programmable electronics !

Your "demonstration" prove that a software modification can open up the frequency range. This is not a surprise as most RF subsystem uses DSP and only a minimal of analog components. Your example is just about a bug; think of what can happens if the DSP are fully reprogrammed... Yes, the signal can be weak,

Re:

[hughk]

I have passed long days in electromagnetic testing room, and I can say that you will be surprised by what can happens with complex and highly programmable electronics !

I had to work on a navigation system some years back, I didn't have to spend time in the "bubble" but colleagues did. We certainly did have people who were very aware of RF design and cross talk issues as we had a TEMPEST rated room as they had also been working on secure digital comms.

Your "demonstration" prove that a software modification

Re:

[jcdr]

True, but it is hard as the radio in a phone tends not to be open software.

Yes it's hard, but not impossible.

A USRP would be much better but then you need amplification and power. You are inside a metal tube and you need to get inside an antenna on the outside which is designed to go off when it receives a burst from a 50KW radar.

ACARS transmission are handled by the VHF Ground Station (VGS), not by the radar ! VGS seem to be in the 50W range only, according to this specification:
http://www.selexelsag.com/internet/localization/IPC/media/docs/OTED100Radio-MGS100.pdf [selexelsag.com] . So, a close sub-watt transmitter will certainly get received by the aircraft. I can for example add fake messages that will not cam from the VGS.

The transponder squirts data back using something like 20w or so. It would be hard to overwhelm that from inside the plane.

The downlink is likely not required to be hacked to abuse a vulnerability of the aircraft i

Re:

[AmiMoJo]

If you wanted to hijack the aircraft, i.e. make it go to a destination of your choice rather than its intended one, spoofing GPS might be a better bet. It worked for Iran, at least.

With ACARS you might be able to socially engineer the flight crew to divert from their planned course perhaps.

Re:

[deadweight]

A smart phone would be a good ternminal to attach to an ACARS *RADIO TRANSMITTER*. You could drive the airlines nuts with YR CREW MEALS ROTTEN or WIFESAYSCMHMNOW. Note that AFAIK the crew is not going to do something like FLYINTOBLDNG just because they see it on the ACARS display.

Re:

[hypergreatthing]

uhh.....
There are two kinds of SDRs, fixed and programmable. I sincerely doubt they're using programmable solutions on a cell phone chipsets. That would mean there could be universal X band cellphones with no restrictions on bands or signalling algorithms (HSPA+, LTE, etc all in one). Hell they would do that in a heart beat and just have custom covers with specific antennas for the frequencies in the back cover.
No, if they're using software solutions, it's for cost savings and it's definitely fixed. You

Need to hijack a plane???

[It doesn't come easy]

There's an app for that!

I call BS

[Beer_Smurf]

I am going to call BS on this one.
These are indication systems.
Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

Remote control 101 Re:I call BS

[fleebait]

I am going to call BS on this one.
These are indication systems.
Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

Remote control is not a direct connect. It follows communications paths, and the information and control path apparently connects through the internet, both through the display and control path.

No one needs direct connection within the airplane -- all ya need to do is control it through the internet, at any receiver path, and any transmitting path. with additional directional antenna paths.

Can't do it from onboard, has to be from a remote site, and will involve additional receiver and transmit packages, n

Re:

[scheme]

I am going to call BS on this one. These are indication systems. Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

Remote control is not a direct connect. It follows communications paths, and the information and control path apparently connects through the internet, both through the display and control path.

No one needs direct connection within the airplane -- all ya need to do is control it through the internet, at any receiver path, and any transmitting path. with additional directional antenna paths.

Can't do it from onboard, has to be from a remote site, and will involve additional receiver and transmit packages, not included on the android phone. (don't even have to be near the android used for control).

Are you in sales or marketing by any chance? Because this is the sport of keyboard heavy information free verbiage that typically comes from them.

Re:

[Krojack]

From my understanding, you could be on a plane and start sending signals that another plane is heading right for you. This would in return cause all sorts of alarms to go off and maybe cause the pilots to freak out and take extreme measures.

Re:

[T-Bucket]

No, you're thinking of the TCAS system. That isn't in any way attatched to the ACARS or ADS-B systems.

Plus, the pilots are used to seeing "normal" ACARS messages every day, if something odd came across, they'd notice something was up IMMEDIATELY.

Re:

[msmart13]

Incorrect. ADS-B has two components, FIS-B for weather and TIS-B for traffic. If you spoof airplanes via ADS-B you can trigger the exact same kinds of collision avoidance alerts and pilot reactions as a spoofed TCAS. http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast#Traffic_information_services-broadcast_.28TIS-B.29 [wikipedia.org]

Re:

[hughk]

Except that TIS-B is not wired into TCAS at the moment. In fact, I have not heard of any use of ADS-B for air to air, just air to ground. Separations are controlled via time slots outside controlled air space and inside controlled airspace, by ground controller using good old fashioned PPI displays. Yes, those displays are "enhanced" by information from ADS-B but many smaller or older aircraft don't have it.

Re:

[tlhIngan]

Incorrect. ADS-B has two components, FIS-B for weather and TIS-B for traffic. If you spoof airplanes via ADS-B you can trigger the exact same kinds of collision avoidance alerts and pilot reactions as a spoofed TCAS. http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast#Traffic_information_services-broadcast_.28TIS-B.29 [wikipedia.org]

Which shows you don't know how TCAS works.

TCAS doesn't work for ALL traffic. It does revert to TAS (traffic alerting system) mode when it encounters an aircraft that is NOT

Re:

[Obfuscant]

This would in return cause all sorts of alarms to go off and maybe cause the pilots to freak out and take extreme measures.

Thanks for the FUD. Pilots who fly aircraft with these systems have training to know how to deal with collision avoidance alerts and they don't "freak out" every time one happens, and the measures are rarely extreme.

Re:

[sabri]

Thanks for the FUD. Pilots who fly aircraft with these systems have training to know how to deal with collision avoidance alerts and they don't "freak out" every time one happens, and the measures are rarely extreme.

Actually, it is not FUD. Since the crash over southern Germany, it has been made very clear in ICAO rules that pilots are to follow their TCAS advisories. See this article [wikipedia.org].

Re:

[Obfuscant]

Actually, it is not FUD.

Claiming that pilots are going to 'freak out' and perform "extreme measures" whenever they get a traffic conflict advisory certainly is trying to create fear, uncertainty and doubt. They've been trained how to deal with this. It isn't a 'freak out' kind of situation by any means.

Yes, part of the current training is to "follow the TCAS and ignore the human controller", but that's not "freaking out".

Re:

[sabri]

You are right, and the freaking out part was not what I was aiming at. I wanted to point out that TCAS is something that is taken very seriously by aircrew.

Re:I call BS

[Hentes]

It does affect the behaviour of the pilot. If it's on autopilot, the change in behaviour may even be simulated and precisely planned beforehand. Still, it's not as effective than hacking the fly-by-wire controls, I wonder if that's possible from onboard.

Re:

[ThunderBird89]

Think mucking with the tempomat's speed sensor while simultaneously turning the speedometer needle back with your pliers. The car does indeed go faster.

Re:

[tamyrlin]

The problem seems to be (if I understand the article correctly) that for example the FMS can be hacked (presumably by buffer overflows or similar exploits) and then used to take over other functionality.

This seems similar to how a malformed RDS packet sent via FM radio can disable the brakes on a certain car: http://www.autosec.org/pubs/cars-usenixsec2011.pdf (among other things).

Exactly how similar these attacks are are difficult to ascertain as the presentation leaves a lot to be guessed, although the net

I call false analogy.

[SuperBanana]

I am going to call BS on this one. These are indication systems. Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

The article is bullshit because they claim "with an Android phone" when they mean "with a bunch of custom hardware that happens to be driven by a UI running on an Android phone"...but if they're able to present false information, your analogy is not correct.

If someone is able to spoof a transponder signal enough to be believed by colli

Re:

[dywolf]

exactly. this is not "hijacking", and people are forgetting that there is still a pilot on board, who believe it or not does have some say in what in the aircraft actually does, as well as teh ability to look out the window and go "nope, there's no plane there".

Well I'm sold!

[mcmonkey]

Let's get those driverless cars on the road! In fact, let's outlaw people driving their own cars in traffic, because the software will be so much better than a human driver. Because the developers working on driverless cars are so much smarter than the fools working on those silly airplanes.

(BTW, the above is sarcasm. There is no reason to think the developers working on cars are any better than the developers working on any other system, and no reason to think driveless cars will be any more secure or bu

Re:

[PRMan]

400,000 real-world miles repeated hundreds of times regression-tested against their software. Trust me, Google isn't leaving this one to chance. It's already orders of magnitude better than a human being. https://www.youtube.com/watch?v=7Yd9Ij0INX0 [youtube.com]

Re:

[jittles]

400,000 real-world miles repeated hundreds of times regression-tested against their software. Trust me, Google isn't leaving this one to chance. It's already orders of magnitude better than a human being. https://www.youtube.com/watch?v=7Yd9Ij0INX0 [youtube.com]

Until you have hundreds of thousands of these cars on the road, you're just talking statistical anomalies. I've probably driven close to 400,000 miles myself without ever getting into an accident (maybe even more). I also know a professional driver who has millions of miles and has never been in an accident.

Re:

[YrWrstNtmr]

I've probably driven close to 400,000 miles myself without ever getting into an accident (maybe even more).

Hell....I had 207,000 miles on one vehicle with only one minor parking lot bump.
The reason it didn't get to 208,000 miles and on to 300k was because of a idiot texting/phoning teenager. She destroyed it running a red light.

Re:

[fast turtle]

400,000 miles? That's nothing. As a retired commercial driver, I averaged 120,000 miles a year and that's just a single truck. With all the commercial rigs (18 wheelers) on the road with a combined avg miles in excess of 1billion a year, with less then 1 accident per 250,000 miles avg (google for current stats), that simply doesn't impress me.

Now if you were talking 100,000 cars averaging 400,000 miles a year w/o accident, then I'd be willing to listen but when you mix in idiots like Joe and Tina Sixpack wh

Re:

[jittles]

400,000 miles? That's nothing. As a retired commercial driver, I averaged 120,000 miles a year and that's just a single truck. With all the commercial rigs (18 wheelers) on the road with a combined avg miles in excess of 1billion a year, with less then 1 accident per 250,000 miles avg (google for current stats), that simply doesn't impress me.

Now if you were talking 100,000 cars averaging 400,000 miles a year w/o accident, then I'd be willing to listen but when you mix in idiots like Joe and Tina Sixpack who's either drinking, fixing their god damn hair, reading a fucking book, talking on the cell phone and a whole rash of other stupid activities, you aint going to match the accident rate that commercial drivers have until you take Joe & Tina Sixpack's licenses away.

That's exactly my point. He's pointing out a handful of Google operated automated cars. I'm Joe Sixpack, more or less, and I have gone 400k or more in my lifetime. My point is that commercial drivers do amazingly well and that his example just isn't statistically relevant.

Re:

[jon3k]

I don't understand, do you think you've never been in an accident because you're a skilled driver? It's called blind luck. The only accidents I've ever been in is where I was rear ended because someone wasn't paying attention. For ever driver you know that hasn't been in an accident, there's about 1,000 people who've been in an accident that was caused BY A DRIVER. Either themselves or someone else.

Re:

[jittles]

That is exactly my point!! The GP said that Google's cars are amazing because they've gone 400k miles without an accident. Big deal. How many cars do they have on the road? For all we know, they are just lucky. There is no statistical significance to Google's car's safety record at all.

Re:

[AK Marc]

Humans are about the worst possible software to be in control of a car. If the bar is "better than the average human" we passed that 10 years ago. But the bar is "better than the best human under all possible (not just likely, possible) circumstances" which we are close to, but can't even test, so we aren't sure how close we are. Humans are very susceptible to hacks as well. People pulled over by fake cops, then robbed and killed. People who kill themselves trying to avoid wildlife. Missing or misunder

Re:

[jon3k]

Yeah you're right, modern jetliners use absolutely no software and have extremely high incidents of failure related to autopilot systems. Pilots are DEFINITELY not the problem here.

During 2004 in the United States, pilot error was listed as the primary cause of 78.6% of fatal general aviation accidents, and as the primary cause of 75.5% of general aviation accidents overall.[1] For scheduled air transport, pilot error typically accounts for just over half of worldwide accidents with a known cause.[2]

This is even worse than car security

[tamyrlin]

It seems that the aircraft industry is about as security conscious as the car industry. The following page at http://lwn.net/Articles/518923/ discusses how researchers were able to take almost complete control, including the breaks, but excluding the steering IIRC by for example the following attack vectors: Malware infested CD inserted into car stereo, malformed RDS package sent via FM radio, some sort of bluetooth hacking, etc. (Also the ODBC-II port of course, although that is cheating....)

At the time I read the lwn article and the associated papers I thought to myself that the car industry should learn security and stability from the aerospace industry. Unfortunately it now turns out that they seem to have done so :(

Re:

[hughk]

It seems that the aircraft industry is about as security conscious as the car industry.

Not really.

Aircraft typically carry different ways of getting the same vital information, passenger aircraft must do so. Equipment in former times was very unreliable, so essentially the plane must carry two (or more) of everything. Critical components, may have the "A" and "B" computers programmed by different teams or even using different architectures. They also carry a human, who may notice if their are strange instr

ADS-B

[Anonymous Coward]

I really need to look hard at this article. I find it hard for an Android Device to insert Aircraft Coordinates into the Squitter Pulses from / to the Mode-S Transponder. I could believe the ACARS is more susceptible, but that is a stretch. You do not use ACARS for Primary Navigation, only Company to Crew Coordination. Besides TCAS will not allow a collision as well as Ground Based intervention. For the readers reference, I was part of the first Operation Evaluation in July of 1999 at ILN with the CAA. Thr

Re:

[Kraig Hayner]

Sorry, I forgot to log in for the article Post. KHayner, Retired FAA Inspector.

how long??

[lkcl]

and for how long has ACARS and ADS-B been insecure? that's what's so embarrassing about these things. skype being insecure since it was created, relying on security-through-obscurity just as adobe does for RTMP, such that the russian govt has had the ability to eavesdrop on skype for at least the past 4 years.... and *not* told anyone about it.

it's the same here. someone *somewhere* will have been exploiting ACARS and ADS-B... and not telling anyone that they're doing it. conferences like these are a wa

Re:

[EmperorArthur]

And how long have police radios relied on insecurity? That's the same question you're asking.

The protocol is very secure and error resistant. It is not, and never has been spoof resistant. All of these signals are unencrypted, and that's a good thing. I don't know about you, but I enjoy seeing where all the planes are. Or are you against open data?

Saying that you could modify the behavior of an airplane by spoofing these signals is like saying you could modify a cars behavior by spoofing GPS signals.

Re:

[Anonymous Coward]

Well, therein lies the problem actually. You are of course correct that airplanes of all sizes have all kinds of communications and navigations gear, most of which isn't really all that connected. Airliners have computers that will read signals from multiple inputs at once and present it in a single display, just like smaller GA glass cockpits have started doing, but that's not really the problem.

The problem is when people, especially people who like to plan things and do budget spreadsheets, start asking

Unlikely

[borgasm]

IAAP

The concept of using ADS-B to spoof position reporting doesn't hold water, since there are backup systems (Mode C/S xpdr)...though it may trigger a traffic alert on a neighbor's TCAS if it only relies on ADS-B reports (which it shouldn't). You can't control anything with just ADS-B spoofing.

Hacking the FMS via something like vulnerability in the ACARS receive stack....ok that might be in the realm of possibility. Except its not very useful, because any deviation of course or altitude would be detected by the pilots and ATC nearly immediately. Redundancy is built in at the human level.

Re:

[tlhIngan]

Too bad that humans hold the record for flaws, vulnerabilities, exploits, bugs and errors... http://www.lewisandtompkins.com/library/pilot-error-the-most-common-cause-of-airplane-crashes.cfm [lewisandtompkins.com]

That's because mechanical failures in aircraft, even GA ones, are extremely uncommon these days. It's like a modern car breaking down causing an accident - it almost never happens (even the Toyota ones were found to be purely human error). It's usually human error purely because we got mechanical failure under control.

I

Does it only work if I'm on the plane?

[jader3rd]

Why would I want to do this if I'm on the plane? Suicide wish?

Here I was always just playing MS flight simulator

[damn_registrars]

I guess I was doing it wrong.

Just an android phone?

[dragonhunter21]

Unless the Galaxy S4 comes with an ADS-B transciever, I think these flights should be OK.

When the pilots start seeing multiple odd contacts on their ADS-B display, they'll call down to Center and ask what's going on. When they do, Center will tell them that there are no contacts in their area, and the flight will continue using more traditional navigation/avoidance procedures. This isn't a "shoot down an airliner free" card.

"Aircrafts" - TFS needs an editor!

[timbo234]

FFS the plural of 'aircraft' is 'aircraft'. Yeah, yeah grammar Nazi and all that. But it doesn't change the fact that having basic grammatical errors repeated over and over in the summaries makes slashdot look terrible.

Re:

[0123456]

How are you going to tell who's sending the message without sending the aircraft ID?

Re:

[hughk]

Good point. And not only that, information is flowing into the pilot from multiple sources, visual clues, ATC and multiple instruments.