Military Review

How to hack a plane using a smartphone ... And why is it even possible?

When last winter I happened to write about "Cybernetic September 11" (an imagined large-scale terrorist act organized by exploiting vulnerabilities in civilian IT systems), the main counter-argument against the possibility of such an event was the independence of the critical communal infrastructure from computers. Simply put, drowning a few high-rises in boiling water, breaking into the “server” of the pumping station and opening the valves with hot water, will not work - not even because the boiling water will not be poured into the streets by a computer command, but due to the lack of such a server. However, since then, the practice has thrown some interesting examples that incline the scales in this dispute in favor of the supporters of "cyberacalypse". The latter appeared just the other day. Though vaguely, but you probably already heard that the Spanish cybersecurity expert Hugo Teso demonstrated interception control airliner using a regular smartphone. The most delicious in this stories - details that the author generously shared at the HITBSecConf security conference.

Teso is also a professional pilot. So the path to the digital bowels of the aircraft was destined for him. And three years ago, he set out to prove that both little Cessna and a huge Airbus can become a toy in the hands of a trained black hacker. Having sorted through the available options, Hugo settled on three key "pieces of iron" present in many civilian aircraft today. aviation. The first of these is the ADS-B ("automatic dependent surveillance-broadcast" transmitter-receiver).

If in the 20th century, the radar was the main instrument for monitoring the situation in the air of the ocean, today it is being pushed around by “smart” technologies, which allow for more accurate, flexible, and therefore safe escort of aircraft. ADS-B is just one example of such a replacement, which has received international recognition due to its free and open. Basically, this is a very simple thing, based on digital data exchange over the air in the range of about a thousand megahertz. Airplanes that are in the air continuously inform others about their position and course (coordinates are calculated using GPS), and ground services, in turn, collect this information and give back a general summary of the status in the airspace under their control. Since the ADS-B signals are not encrypted, everyone who has the necessary equipment can listen to them. Interesting? Take a look at Flightradar24.comwhere, based on information collected by enthusiast receivers, a global real-time flight chart is compiled.

How to hack a plane using a smartphone ... And why is it even possible?

For Teso, groping for vulnerabilities in aviation infrastructure, ADS-B has become the perfect “gunner”. With its help, at any second you can find out exactly where exactly in the three-dimensional space the necessary board is located, where it is going, at what speed, etc. Formally, it may also be a vector to attack, but for this purpose, Teso chose another, more ancient technology - ACARS. If ADS-B is still being introduced (in Europe it is based on 70 percentages of airplanes, in the USA it is still only one in three), then ACARS has been serving civil aviation since the 80s of the last century. This is a slow (2400 baud: as the very first modem) digital communication system that allows airplanes and ground services to exchange short text messages and, more importantly, data packets for the on-board computer (FMS - Flight Management System, on which all control strings are onboard) . As the last Teso chose the popular model from Honeywell.

In order not to put at risk the lives of people, Teso built a digital model of the aircraft at home. Honeywell FMC and ACARS box he purchased on cheap eBay. For visualization, the popular X-Plane air simulator was used. Sending spoof messages was carried out using an SDR device (Software-Defined Radio is a radio station clinging to a computer, the parameters of which can vary in a very wide range thanks to digital control at the deepest level, up to the nuances of the generation and reception process). All this, including the Android-smartphone, on which the attacking application written by Hugo worked, fit into the desktop.

The task posed by Hugo: focusing on the ADS-B readings of the selected aircraft, generate and transmit ACARS packets, the reception of which will lead to dangerous behavior of the FMS and / or inadequate response of the pilots. Theoretically, it only needs to make the onboard computer believe that the forged packages were sent by ground-based air service. And here our hero was waited by the most pleasant surprise: neither ADS-B, nor even ACARS, nor the general architecture of the FMS have any means of protection against forgery. Describing the situation with the security of these systems, Teso (the big joker) uses the expression “facewall”: security is zero, it simply does not exist. Imagine yourself - with today's knowledge - trapped in 80-ies: Internet hardware is designed only with a view to performance, no one thinks about security. Here in this raspberry was Teso. ADS-B, ACARS, FMS do not imply any checks on who sent this or that message, and therefore are subject to every imaginable attack, ranging from banal eavesdropping and ending with DDoS and spoofing.

What can be done with an airplane in this way? After feeding incorrect data to the on-board computer, you can make it change course, change altitude, send to collide with another board, start blinking with external lights, throw away air masks - and much, much more. Some actions will be performed by the autopilot, some - by the intervened captain who is guided by erroneous indications of indicators, some will be forced to do the on-board computer itself, in the software of which Teso has found vulnerabilities. Any unauthorized, unexpected action, when there are hundreds of people on board, becomes potentially catastrophic. At the conference, Teso demonstrated some attacks live, on his desktop complex. But he didn’t disclose the most valuable details, in particular regarding the “holes” he found in the aircraft carrier: according to him, after a minor modification, the application he wrote can be applied in reality, against real planes, and therefore he was the first to inform the manufacturers of aviation equipment and aviaregulators Europe and the United States.

I must say, experts (including the US Federal Aviation Administration and the European Aviation Safety Agency) were quick to dispel fears. According to their representatives, the “real, certified hardware” tricks of Hugo Teso will not work. In contrast to the simulator assembled on the table, where the devices, software and protocols are real, but there is no auxiliary attachment, in airplanes security is ensured by a high level of functional redundancy and protective add-ons (roughly speaking, switches that will not allow the liner to corkscrew by forged ACARS -package). Nevertheless, in private conversations with Teso themselves, they (as well as the manufacturers) showed great interest and even offered assistance in further research. And Teso's colleagues (he works for the German N.Runs AG) confirm his words that the attack scheme needs only a little change in order for it to work “in the air”.

However, let us give experts to judge the real danger of loopholes discovered by Teso. Two more general conclusions that can be drawn from this story are more important to us. First, about the weak or absent security of “non-IT” IT systems. Unlike the world of personal computers, where competition is fierce and rapid progress, closed digital systems from the general public evolve according to their unhurried laws. Here they proceed from the assumption that only professionals should use the product, who, naturally, will not use them to the detriment. Therefore, there are “holes” in them that no one is looking for (Hugo Teso found several of these in a specific FMS implementation) and the lack of input checks (ADS-B, ACARS do not have mechanisms for checking the origin of received packets). It is natural to assume that this rule is true for all - let's call them communal - IT systems that serve the average person, but not available to the average person directly.

And the second observation is connected with availability: the degree of involvement of communal IT systems in global communications is constantly growing. ACARS is still able to work independently, but to use the full potential of ADS-B, GPS is already needed and coordination with other participants via the Network is useful. And the same is true of any other utility systems. Take a look at This is a specialized search engine that indexes all sorts of assistive devices connected to the Internet. There you can find ordinary webcams, routers, printers, but also hundreds of millions of more exotic hardware such as traffic lights, components of smart homes, climate systems, scientific equipment, amusement parks, gas stations, etc. etc. (By the way, a quick search for the word “ADS-B” produces several thousand results). Many of them - quite expectedly - do not require a password or use the default one: the owners obviously did not assume that access might be necessary for someone other than themselves.

And now mentally combine all this and agree that the picture emerges at least unpleasant. So far, terrorists are bombing. But today they can use communal systems serving us against society. How exactly, I do not know, in each case will have to include fantasy. The question is whether we should wait for someone like Hugo Teso, but driven by other considerations, to direct the imagination through this course.
Dear reader, to leave comments on the publication, you must to register.

I have an account? Sign in

  1. Canep
    Canep 13 May 2013 06: 02
    In order to take control of the aircraft, you need to have the autopilot turned on. Disabling it solves all problems. Although in reality, developers need to be more careful.
    1. patline
      patline 13 May 2013 07: 37
      Straight manual for attackers ...
    2. Reasonable, 2,3
      Reasonable, 2,3 13 May 2013 07: 46
      We must follow-Who sits-1, who in general in life. This is unpleasant, but you need to do something.
  2. Denis
    Denis 13 May 2013 06: 13
    So far, terrorists are detonating bombs. But even today they can use utility systems serving us against society. How exactly, I don’t know, in each particular case it’s necessary to include fantasy. The question is, should we wait until someone like Hugo Teso, but driven by other considerations, directs the imagination with this course
    A hangover dream on the topic of "Matrix". In many rather large settlements, the payment of utility bills via the Internet has not been established and for another years ... they will not look at it, but here everything is already global. And there is already a fear about refueling ... Not so long ago I saw a gas station of a decommissioned army tanker trailer with a manual pump to and fro and no lighting. Are terrorist hackers afraid?
    And there are places where there is also no Internet
    1. Atlon
      Atlon 13 May 2013 07: 05
      Quote: Denis
      And there are places where there is also no Internet

      Give the deadline ... How long have we become regulars on the Internet? Remember 10 years ago, but 20? So everything is possible, the technology is developing very rapidly.
      1. Denis
        Denis 13 May 2013 07: 53
        Quote: Atlon
        technology is developing very rapidly
        Then yes! They tried to break the country with an iPhone
        1. Corsair
          Corsair 13 May 2013 10: 56
          Quote: Denis
          Then yes! They tried to break the country with an iPhone

          Like this ? smile
      2. Papakiko
        Papakiko 13 May 2013 09: 08
        Quote: Atlon
        Give time

        Yes, at least get over this time.
        If federal money is not allocated for the "provision of the hinterland," then this "Internet" will not appear there, and private business will not pull it. Satellite is not affordable for everyone. Cellular operators can only provide telephone and ICQ communications, about 3Gnanno I will not write.
      3. Corsair
        Corsair 13 May 2013 11: 00
        Quote: Atlon
        Give the deadline ... How long have we become regulars on the Internet? Remember 10 years ago, but 20? So everything is possible, the technology is developing very rapidly.

        On the way to progress, we will not look for beaten paths ... lol
      4. Kaa
        Kaa 13 May 2013 12: 56
        Quote: Atlon
        Remember 10 years ago, and 20
        I recall 12 years ago ... captured planes. In the United States, a version was slipping that they could be controlled not by poorly trained suicide bombers, but from outside. What was now possible with a household smartphone was quite possible with the help of special equipment. Iran’s double interception of American drones is an example.
    2. Canep
      Canep 13 May 2013 07: 54
      This is Die Hard script beautifully drawn. I watched and thought either Americans morons or crap crap.
  3. Horn
    Horn 13 May 2013 06: 52
    It’s dumb somehow: the daughter often flies from Kamchatka to Novosibirsk ...
  4. Mikhail m
    Mikhail m 13 May 2013 07: 24
    The direction for the activities of terrorists has been voiced, and very broadly. There is no doubt that they will not pass by such a clue. Brains have earned. Looking forward to the results?
  5. Dimitr
    Dimitr 13 May 2013 07: 25
    I don’t understand one thing, why is this publicity? Caught up - sit quietly, think about how to fix the problem, they themselves suggest ways. Now any inadequate, deprived of female attention lover of computers and the Internet, will begin to try to intercept aircraft!
  6. pensioner
    pensioner 13 May 2013 07: 31
    Hmm ... There is a way! Nanolamps and no numbers! Only analog signal!
    BARKAS 13 May 2013 07: 58
    And on airplanes that flew into the WTC on September 11, these systems were not tested? what
    1. Andrey57
      Andrey57 13 May 2013 11: 17
      One amerovsky millionaire who owned a skyscraper design firm across America offered a 10 lemons green award for someone performing an engineering calculation using the design documentation for the twin towers for their destruction from a Boeing strike, so here and to this day no one came with calculations for a bonus of 10 lyamas, the conclusion is that it was impossible to destroy these two skyscrapers with the help of airplanes. hi
      1. Kaa
        Kaa 13 May 2013 13: 02
        Quote: Andrey57
        it was impossible to destroy with the help of airplanes these two skyscrapers
        Well, the planes were needed for the entourage, and the industrial demolition of skyscrapers with the help of explosives has been used for many years, which apparently was done, because even the Sesna did not crash into the collapsed 3rd tower. "September 11, 2008" Voice of America "Was surprised to report the results of a study conducted in 17 countries. 16 thousand people were asked the same question:" Who organized the September 11, 2001 attacks in New York and Washington? "The majority believed in the involvement of Al-Qaeda only in 9 out of 17 countries. On average, 15 percent of those surveyed believed that the US government planned and carried out the terrorist attacks. In Turkey, 36% of respondents held this opinion, 27% in the Palestinian territories, and 30% in Mexico.
      2. fero
        fero 13 May 2013 21: 24
        The calculation results were provided to the government commission investigating the attack. In fact, the architect and designers with numbers in their hands proved that the building was designed for a direct hit of an aircraft without destroying the first one. After all, if they had not proved this, insurance companies could demand to oblige through the court to reimburse part of the sum insured, blaming that the building was originally designed with errors hi
  8. Monster_Fat
    Monster_Fat 13 May 2013 08: 30
    Well, you can "make a rustle" without resorting to such complex actions. When the widespread digging began to toughen checks on aircraft passengers and seize liquids from them, etc., the active part of the population saw in this not concern about the safety of passengers, but simply a means to call passengers early so that they spent more time at airports in a stressful state and buy more water, drinks and food, it is at the airport, at fabulous prices, thereby increasing the profits of their owners. To show all the delusional so-called. "increased security measures", a group of radical young people carried out the following action: they transferred into powder the used cases from firecrackers, firecrackers, etc., and this powder, imperceptibly, was scattered in the transport that carried passengers to one of the small American airports. The result was disastrous. Passengers on their feet and on their luggage smuggled this powder all over the airport and the scanners reacting to nitrogen-containing substances just went berserk - all the luggage showed the presence of explosives in it. In general, the airport was paralyzed for the whole day until they figured out and removed this stuff. And think about what could have happened if a similar action would have been carried out at many airports?
  9. individual
    individual 13 May 2013 08: 33
    Specialists electronic engineers and programmers hope to figure out ADS-B protection, and ACARS from hacking by their hackers.
    But global threats to scientific and technological progress on a person’s life. I don’t want to seem like a mastadon, but back to the history of weapons: when a sword was created, bow arrows, a shield appeared in response ... Further on in the evolution of the creation of weapons and protection against them, we can continue. So all this was created to kill / protect their own kind. The progress of creating tools to kill a person and protect him is becoming more and more sophisticated and, accordingly, counteracting this. The costs of this confrontation are growing with increasing progression. If previously having made a bow, arrows - a man spent his own mental abilities and muscular strength, now to create a modern analogue there is a whole branch of the military-industrial complex with its own science, institutions, industry and immeasurably large investments of intelligence and attracting muscular strength of hundreds of thousands of workers. Thus, the national product created by the state is redistributed in such a way that the lion's share goes not to livelihoods, but to save life as such. And the words from the Bible are remembered life is corruption.
  10. knn54
    knn54 13 May 2013 09: 08
    -built a digital model of an airplane at home.
    The model and the real aircraft, as they say in Odessa, are two big differences. I'm not special. Suppose, through ACARS, “false information” came to the FMS, but in this case, in the form of a code, not SMS? And what does full control have to do with it? In addition, there is a dispatcher (in the case of a route change), autopilot will not give in a corkscrew / stall, TCAS will warn about the threat of rapprochement. .. Let the equipment fail, but there are backup systems.
    Another thing is incomplete knowledge, as a result, the performance of its functions by PEOPLE: dispatcher, pilot. And most of the disasters now occur through the fault of a person, not a machine.
    PS It seems that cyber defense of aircraft will soon become a profitable business.
    1. Volkhov
      Volkhov 13 May 2013 13: 30
      This has already been tested on the Superjet in Indonesia - stuck in a sheer cliff with the best crew - hello from SU Liebher.
      And the encrypted channels are opened - the other day Israel shot down its drone after losing control, and how many of them are in Iran ... Il-62 is the last safe with mechanical control wiring and the US has a Boeing 707 for lightning research - everything is hydraulically.
    2. TSOOBER
      TSOOBER 13 May 2013 13: 47
      false information can be sent not only to the aircraft’s sensor but also to the dispatcher! it’s not necessary to set critical errors (corkscrew / stall) during a cyber attack, we will slightly correct the speed of the aircraft a little bit above the plane’s altitude by minus, the dispatcher’s plus, and the dispatcher himself already gives a voice command and when landing, 30 meters is critical (especially in bad weather)!
  11. Phoenix s
    Phoenix s 13 May 2013 09: 55
    I can imagine - an antivirus for a computer, and even an advertisement - "Buy our software, if you don't want your plane to repeat September 11!" ...
  12. AK-47
    AK-47 13 May 2013 10: 39
    Hugo Teso demonstrated the interception of airliner control using a conventional smartphone.

    Such people do no harm except their own existence.
  13. 17085
    17085 13 May 2013 11: 11
    Automatic identification systems are naturally vulnerable, but they are not navigational. They are informational by definition. This information is used by some navigation systems to make decisions, but the final word is always with the person. And to admit that navigation systems are capable of performing divergence, i.e. to directly give commands to the performance equipment without a person, I don't know. Theoretically, they can exist, but as mentioned above, the restrictions imposed by the autopilot and environmental conditions (dispatchers, etc.) should not allow the vehicle to "fool". Again, you can break a fool. The human factor ... Although the system itself is banging like two fingers ... To clog the entire channel with false targets and voila! They all hang. And there is no protection against this, unless the standard of broadcasting and reception is changed, and this is very, very expensive. But we flew seven years ago without these systems, AT ALL ...
  14. SmacXnumx
    SmacXnumx 13 May 2013 12: 52
    I think that Teso did well, he showed manufacturers their weaknesses and holes in flight safety. Forewarned is forearmed.
  15. Mikhail3
    Mikhail3 13 May 2013 13: 46
    Why is there a system that is so easy to crack? Yes, specifically this hole is easy to patch. Yes, you can tighten, strengthen, improve, uglubit ... So why? Well, you see ...
    At some point, a massive invasion of "helpers" began in the entire industry. Computer devices that allow any fool to manage rather complex production processes. That's right, all these devices radically reduce the requirements for a person employed in production (that a pilot is in an airplane, that an engineer is at a factory, one hell is production). Is it clearer already? Now we are compatible with the accelerated development of remote control systems. Don't give a damn about that factory in China. I don’t care that the workers are Chinese, don’t even care that the engineers are also Chinese. In fact, the plant is operated ... and can only work ... Like this.
    And one more fact. During our gay rebuilding, thousands of scientists were killed or died under strange circumstances. Thousands. Scientists. All this perestroika began to boil just when an avalanche of unprecedented strength took place where it could not pass. Destroying an alpine camp with several thousand young scientists and engineers. Who were powerful climbers, that is, with a huge will, subordinate to anyone. Think ...
  16. Ogan
    Ogan 13 May 2013 14: 27

    "These pearls show that, at least, the author of the text is not at all a boom-boom in the control systems of a modern aircraft."

    here is a link to the discussion in the aviation forum:
    % 20% 20unt = 6