Hijacking Airplanes With an Android Phone
An anonymous reader writes "Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies. However, the talk that security researcher and commercial airplane pilot Hugo Teso delivered today at the Hack in the Box conference in Amsterdam has brought it into the realm of reality and has given us one more thing to worry about and fear (presentation slides PDF). One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast (ADS-B), which sends information about each aircraft (identification, current position, altitude, and so on) through an on-board transmitter to air traffic controllers, and allows aircraft equipped with the technology to receive flight, traffic and weather information about other aircraft currently in the air in their vicinity. The other one is the Aircraft Communications Addressing and Reporting System (ACARS), which is used to exchange messages between aircraft and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter. Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the 'behavior' of the plane."
An Apple marketing ploy? (Score:2, Interesting)
Could Apple now be trying to make people scared to purchase Android devices should they be targeted by the TSA as potential terrorists? :)
Re:An Apple marketing ploy? (Score:5, Interesting)
NO. I saw the guy talk at Black Hat last year, and he's full of shit. "OMG!!! I can tell that there's an airplane in the air!!! That must be bad!!! But I don't have any explanation why it's bad..." He even prefaced his talk with "I'm nowhere near an expert in aviation or how planes work, so it's possible that there's stuff going on here that I don't know."
He's a kid crying wolf when he sees sheep, because a wolf might attack the sheep, but he doesn't even try to find the sheepdog, or the shepherd carrying a rifle, or the fence around the sheep, or...
Re:how long?? (Score:2, Interesting)
Well, therein lies the problem actually. You are of course correct that airplanes of all sizes have all kinds of communications and navigation gear, most of which isn't really all that connected. Airliners have computers that will read signals from multiple inputs at once and present it in a single display, just like smaller GA glass cockpits have started doing, but that's not really the problem.
The problem is when people, especially people who like to plan things and do budget spreadsheets, start asking questions like "why do we need VOR transmitters when we have GPS?" Or "why do we need ILS (simple enough, well understood technology) when we can replace it with GPS enhancing equipment made by very expensive contractors and look cool". So you get things like the FAA planning on turning off a bunch of VORs, NDBs and other such navaids, and then of course planning on replacing primary and secondary radar with ADS-B. When you get right down to it, ADS-B is essentially airplanes telling each other where they are. What could possibly go wrong? (Definition for the uninitiated: primary radar is like what you see in WWII movies, but computer enhanced. Secondary radar is what interrogates transponders to get actual data from planes in flight about things like altitude and coded numbers so the computer can tag planes with the right data. It's not really "radar" but it is a ground based interrogation/response system that works along with primary radar. The ATC computers put both together on displays for the controllers. They can use one without the other, but things work better with both.)
Getting rid of these "redundant" systems is a bunch of stupid ideas. Except they're not. Individually they're OK. They're stupid when you take the effect in total, which is going to be to make airplanes rely on essentially one external input for position information, plus whatever they can sense via INS systems, etc, at least until the accountants decide to start making planes without that stuff because it costs a lot and GPS works great, right?
Well, other than by remote management, which I'm sure they have but which can be interrupted, you can't turn off all the VORs all over the place all at once. You can't re-aim ILS systems for reasons that have already been beaten to death in this thread. NDBs? Essentially AM radios. You can even use commercial stations in a pinch if you know where the transmitter is. All relatively simple, very proven technologies--each of which has very real flaws, but well understood flaws.
So if somebody could spoof GPS signals or send fake ADS-B transmissions today, it's not a big deal. Become dependent on them, and by "dependent" I mean "using them because there's nothing else to use", then it becomes a really big deal.
Media propaganda aside, which is mostly fed by for-profit privatizers (airlines) trying to grab control of the ATC system, air traffic control in this country is not all that unsophisticated. It is, usually, as sophisticated as it needs to be for a given area. Remote airport with light traffic and decent weather? A controller with binoculars and maybe a radar repeating display is quite sufficient. Busy places? They go all out. They always do things that look weird to people who just have to have an app for everything. For instance, they print out clearances, write things on them, and send them around via vacuum tubes in lots of cases. Why? Because if you lose your tech all of a sudden you still have an idea where everybody is and what they're doing. Make things "efficient", start them working on tablets and such, and you've actually introduced risk into the system you didn't have before. Just like with making planes dependent on ADS-B by removing other sources of information.
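
The redundancy argument in the comment above, as an added example that is not part of the original thread: a Python sketch of cross-checking self-reported ADS-B positions against independent primary-radar plots, so a report with no radar return behind it is flagged instead of trusted. The radar site, plots, identifiers and the 2 km tolerance are all constructed assumptions, and altitude (slant range) is ignored.

```python
import math

EARTH_R_KM = 6371.0
SITE = (52.0, 4.0)  # constructed radar site (lat, lon), not a real installation

def radar_to_latlon(site, rng_km, brg_deg):
    """Project a primary-radar plot (range, bearing from the site) to lat/lon."""
    lat1, lon1 = map(math.radians, site)
    d, b = rng_km / EARTH_R_KM, math.radians(brg_deg)
    lat2 = math.asin(math.sin(lat1) * math.cos(d) +
                     math.cos(lat1) * math.sin(d) * math.cos(b))
    lon2 = lon1 + math.atan2(math.sin(b) * math.sin(d) * math.cos(lat1),
                             math.cos(d) - math.sin(lat1) * math.sin(lat2))
    return math.degrees(lat2), math.degrees(lon2)

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2 +
         math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_R_KM * math.asin(math.sqrt(h))

def cross_check(site, adsb_reports, radar_plots, tol_km=2.0):
    """Return (corroborated ids, uncorroborated ids, radar plots with no ADS-B)."""
    plots = [radar_to_latlon(site, r, b) for r, b in radar_plots]
    used, ok, suspect = set(), [], []
    for ident, pos in adsb_reports:
        # Nearest radar return that has not already been paired with a report.
        cands = ((haversine_km(pos, p), i) for i, p in enumerate(plots) if i not in used)
        dist, idx = min(cands, default=(float("inf"), None))
        if dist <= tol_km:
            used.add(idx)
            ok.append(ident)
        else:
            suspect.append(ident)  # claimed position, but nothing on radar there
    unmatched = [radar_plots[i] for i in range(len(plots)) if i not in used]
    return ok, suspect, unmatched

# Constructed sample: three radar plots as (range km, bearing deg) and three ADS-B claims.
RADAR_PLOTS = [(40.0, 90.0), (75.0, 200.0), (30.0, 315.0)]
ADSB = [("TEST01", radar_to_latlon(SITE, 40.3, 90.2)),   # slightly off plot 0
        ("TEST02", radar_to_latlon(SITE, 75.0, 200.0)),  # exactly on plot 1
        ("GHOST9", radar_to_latlon(SITE, 55.0, 10.0))]   # no radar return nearby

if __name__ == "__main__":
    print(cross_check(SITE, ADSB, RADAR_PLOTS))
```

With the primary-radar input removed there is nothing to compare against, and every report lands in the trusted list by default.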