As if hurtling through the air at 500 miles per hour in an enormous meshing of metal and wires wasn’t terrifying enough, security researcher Hugo Teso presented a practical demonstration of a remote airline attack in which he took complete control of a virtual aircraft’s flight management system (FMS) at the Hack-in-the-Box security conference in Amsterdam yesterday.
Before Teso could test his attack, he had to build a virtual aircraft environment that would accurately mimic the systems of a real-life commercial aircraft. Surprisingly, he found all the necessary hardware and training software online.
His lab consisted of a $400 Honeywell flight management console, an $85, used desktop trainer that uses “the same software that is used by the actual Rockwell Collins FMS and display avionics software,” and a $10 Teledyne Aircraft communications addressing and reporting system (ACARS) aircraft management tool, all of which, he claimed, could be purchased on eBay, from scrapyards, third-party vendors, or even resentful ex-flight-industry employees.
The Honeywell product is, Teso explains, supported by a PC-based tool called Airsim, which simulates a datalink system and incorporates 95% of communications management unit (CMU), air traffic services unit (ATSU), and airline operational communication (AOC) software. These products gave Teso the ability to simulate flight deck and cockpit controls, and communication using actual flight code software.
Ultimately, Teso scanned his second hand, but legitimate ACARS tool for vulnerabilities that he would later exploit in his virtual environment to take control of the duplicate flight management system using real aircraft code.
In other words, Teso built an incredibly accurate virtual airplane that he controlled with the popular flight simulator computer game, X-Flight. He then applied real-world, commercial flight control software to his simulator in order to make a virtual copy of a commercial flight environment, which he proceeded to compromise.
Teso did his preliminary research and claimed that attackers could case the joint ahead of time by studying automatic dependent surveillance-broadcasts (ADS-B), radar substitutes that told him the position, velocity, and identification of aircrafts as well as other air-traffic control and management-related data. In a real attack scenario, Teso postulated that ADS-Bs could be used to seek out potential target-crafts. Alarmingly, he claimed the ADS-B security is completely and utterly non-existent and that a knowledgeable attacker could use the systems to eavesdrop, manipulate incoming and outgoing air control messages and to inject malicious code into the aircraft.
The ACARS component handles transmission of data between plains and ground control and supports the sending of various kinds of data between planes and towers. Compromising such a device would give an attacker access to detailed flight and aircraft information. Teso claimed that this component was also noticeably devoid of security.
Forbes’ Andy Greenberg reported that Teso told the crowd during his presentation he could send remote commands to his virtual aircraft, changing the plane’s altitude, speed, and direction and that he could also remotely manipulate pilot control interfaces.
“You can use this system to modify approximately everything related to the navigation of the plane,” Teso told Greenberg. “That includes a lot of nasty things.”
Teso works as a security consultant at n.runs AG but is also a commercial pilot and has been working related avation security projects for the last three years.