|
|
Subscribe / Log in / New account

Hijacking airplanes with an Android phone (Help Net Security)

[Posted April 11, 2013 by jake]

Help Net Security has a report of a rather eye-opening talk from the Hack in the Box conference in Amsterdam. Security researcher Hugo Teso demonstrated exploits of two aircraft communication systems (ADS-B and ACARS), though purposely only in a virtual environment. "By taking advantage of two new technologies for the discovery, information gathering and exploitation phases of the attack, and by creating an exploit framework (SIMON) and an Android app (PlaneSploit) that delivers attack messages to the airplanes' Flight Management Systems (computer unit + control display unit), he demonstrated the terrifying ability to take complete control of [aircraft] by making virtual planes 'dance to his tune.'"
to post comments

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 2:38 UTC (Fri) by brooksmoses (guest, #88422) [Link] (17 responses)

After reading the article, I'm still not clear on whether this malicious payload gets onto the virtual "airplane" through the ADS-B and ACARS radio interfaces, or whether it's something preloaded on the plane by some other means and then activates in response to control messages over the radio networks. Does someone have more information on this?

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 3:22 UTC (Fri) by Duncan (guest, #6647) [Link] (14 responses)

Here's a more general news audience article on the subject, from Christian Science Monitor (for those not familiar but possibly scared away by the name, it's not what it sounds like; they're well recognized as actually reasonably solid news and they've had reporters taken hostage and etc like other news orgs, just stay away from the commentary pieces if you prefer...).

This article's less technical so isn't likely to answer your questions, but it's another view. Presumably, it is or will be all over the news, but this is where I happened to see it as I was reading my CSM feed shortly after seeing the LWN article in its feed, so I thought I'd post the link.

Hijack an airplane with a phone? Security specialist says it can be done.

http://www.csmonitor.com/Innovation/2013/0411/Hijack-an-a....

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 3:29 UTC (Fri) by brooksmoses (guest, #88422) [Link]

Looks like LWN ate the necessary period on the end of your link. Correct link is http://www.csmonitor.com/Innovation/2013/0411/Hijack-an-airplane-with-a-phone-Security-specialist-says-it-can-be-done..

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 3:32 UTC (Fri) by brooksmoses (guest, #88422) [Link] (8 responses)

Also, a rather interesting comment from that article: "...in a statement given to Information Week, a spokesman for Honeywell said Teso may have used a different version of the flight-management software, or FMS, than is found in commercial airliners. 'If we talk very generically – not just about Honeywell software – PC FMS software is normally available as an online pilot training aid,' the spokesman said. 'In other words, what Teso did was hack a PC-based training version of FMS that's used to simulate the flight environment, not the actual certified flight software installed on an aircraft.'"

Seems like that sort of thing would be rather a rookie mistake that one wouldn't expect in this context, so I wonder if that's true or just wishful thinking on Honeywell's part.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 4:46 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

I've spoken to people who work on "safety critical" code for military hardware. They were very skeptic about the overall quality of code - management was more concerned about code passing arbitrary code style "safety" checks rather about safety itself.

And it's written in pure C. Do they honestly think that it doesn't contain buffer overflows somewhere?

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 4:52 UTC (Fri) by billev2k (subscriber, #32054) [Link] (1 responses)

But still, why would any critical control system, on an airplane or on the power grid, be connected to a general purpose, open network?

Anyone designing that should be summarily fired.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 4:57 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Well, you obviously need to get data from sensors. And this data is also needed by the flight control software.

So you need a gateway between the flight network and the external-facing network.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 7:03 UTC (Fri) by AndreiG (guest, #90359) [Link] (2 responses)

Generally, from what I've seen, what qualifies as 'mission critical' in industries like this and, especially if it needs official certifications, is written in Ada.

Avionics, for example, is a field quite populated by Ada.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 13:17 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Often Ada is not used for the very low-level stuff, that directly interfaces with the hardware.

Also, Ada has quite a bit of cargo-cult safety itself.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 22:28 UTC (Fri) by brouhaha (subscriber, #1698) [Link]

Often Ada is not used for the very low-level stuff, that directly interfaces with the hardware.

Which is sad, if true, because Ada has better support for low-level hardware interface than most other programming languages, in chapter 13 on representation specifications, which allow specifying precise bit-level definitions of data structures (e.g., hardware registers). Admittedly it's an optional feature, but C doesn't have anything similar, since the ordering of C bitfields was deliberately left undefined.

I was an Ada programmer for a few years, using the original Ada 83. I liked it fairly well other than not having function pointers. Function pointers and object oriented facilities were added in Ada 95.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 5:30 UTC (Fri) by Duncan (guest, #6647) [Link] (1 responses)

Thanks for catching that missing period.

While I've simply read the articles, no special domain knowledge let alone inside info, my take ATM is that if it indeed might have been the PC version he targeted in the demo -- but that if so, it's part of the deliberate virtual-case targeting he did, and that he has reason to believe the same general techniques could be used against "the real thing". Of course, the involved companies, keen to put their best public face on things, would emphasize the virtual/demo aspect as well as that they're (publicly at least) eager to work with him to resolve remaining questions, while glossing over the uncomfortable (implied) fact that their production flight software is likely vulnerable to the same thing, likely with a few small tweaks.

Of course various law enforcement agencies certainly have an interest as well, both in keeping any specific details out of the public domain at least until fixes are in place, and in tamping down any panic that might result were this taken too seriously.

So basically I think the Honeywell spokesperson was telling the truth, but not necessarily the /whole/ truth, and that law enforcement's probably "encouraging" keeping it at exactly that level, for now.

Meanwhile, regardless of how big or little this ultimately is and how much we ultimately learn or don't learn, the Art Bell types are sure to be having a field day with it in the mean time!

Here's hoping people post links to Reuters, CNN, etc, reportage as it comes in.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 11:16 UTC (Fri) by amw (subscriber, #29081) [Link]

The BBC reported on this yesterday:
http://www.bbc.co.uk/news/technology-22107433

OT - Christian and reliable

Posted Apr 12, 2013 9:45 UTC (Fri) by sdalley (subscriber, #18550) [Link] (3 responses)

> ...from Christian Science Monitor (for those not familiar
> but possibly scared away by the name, it's not what it
> sounds like; they're well recognized as actually reasonably
> solid news and they've had reporters taken hostage and etc
> like other news orgs, just stay away from the commentary
> pieces if you prefer...)

No need to apologize for quoting something "Christian" there Duncan, some of us actually hold that being a Christian implies, or ought to imply, truthfulness and integrity, in accordance with what the apostle Paul (one of the original founders of our faith) wrote in one of his letters: "We can do nothing against the truth, but only for the truth." It could be that the CSM's "reasonably solid" track record owes something to this heritage.

Anyone who loves and practices falsehoods is not a Christian, whatever their pretensions.

Just sayin'.

OT - Christian and reliable

Posted Apr 12, 2013 10:03 UTC (Fri) by thumperward (guest, #34368) [Link]

In your proselytising you appear to have missed that the parent post's qualm is not with "Christian" but with "Christian Science", an obscure sect primarily known for its belief that the entire discipline of medicine is invalid and that illness should be treated exclusively through prayer.

CSM is distributed through that sect's publishing arm (and as a result contains a daily religious article) but is otherwise independent and is, as the parent post suggests, a very well-regarded and multiple-Pulitzer-winning organisation.

OT - Christian and reliable

Posted Apr 12, 2013 10:04 UTC (Fri) by f.lasseter (guest, #90364) [Link] (1 responses)

Hold your horses!

Please do not confuse Christian Science with Christianity. They are not the same thing. Their interpretation of the Bible is significantly different from the more commonly known Christian beliefs.

Whether correct or not, Christian Science has long been labelled a cult.

But LWN is not the place for religious discussions so let's not take this thread any further.

OT - Christian and reliable

Posted Apr 13, 2013 5:48 UTC (Sat) by Duncan (guest, #6647) [Link]

> do not confuse Christian Science with Christianity.

FWIW this whole subthread is why I didn't specify further. My point was simply that they're a recognized "legit" news organization, and that people otherwise scared away by the name (regardless of whether it was the Christian or the Christian Science bit) shouldn't be. But if I went further than that I'd have felt the need to explain the whole thing from both angles, and well, this isn't the place for that (especially as I tend to get rather verbose), so I tried to leave it at just they're more legit than the name might indicate...

Meanwhile, here's yet another link:

Mashable.com: Can a hacker hijack a plane with an Android app?

http://mashable.com/2013/04/11/hacker-hijack-plane-androi...

There's a few bits of further/further-clarified info in this one:

1) "The key to Teso's hack is that ACARS doesn't have any encryption or authentication features, so the plane can't distinguish between signals that are coming from a hacker or an airport's ground station. That way, he or she could potentially send spoofed malicious signals to affect the behavior of the plane."

Thus it's clearly spoofed info, not buffer overflow or the like (tho from one of the earlier articles he looked briefly at that but decided there simply wasn't the need).

2) The FAA (US Federal Aviation Authority), Honeywell, and EASA (European Aviation Safety Agency) all three are downplaying the attack:

FAA: "[T]he described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot[.] Therefore, a hacker cannot obtain 'full control of an aircraft' as the technology consultant has claimed."

3) But 'Teso's fellow security researcher and supervisor Roland Ehlies counters that the hack "would work with at minimum a bit of adaptation" on real planes and software.'

Which is basically the same point I made earlier, that they're deliberately only doing this simulated, and that Honeywell and the authorities are (as might be expected) playing up the simulated bit in ordered to play down the danger, while the fact remains that the jump fro there to real life in use equipment is likely to be a pretty minimal one, rather less of a jump than Honeywell and the authorities are making it out to be, tho it may at the same time be a bit more than Teso and Ehlies are making it out to be.

There's a couple other additional details as well, including noting that this isn't the firs time security issues in modern aviation systems have been exposed: last year at Black Hat, there was a demo of similarly spoofed messages being injected into the next-gen air-traffic-control system ADS-B, popping up fake planes on-screen. (With a further link to that.)

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 9:10 UTC (Fri) by cate (subscriber, #1359) [Link]

I think the attack is mostly about giving wrong info to the system: speed, position, altitude, etc. so that autopilot will be confused. Consider also that pilot and autopilot will behave in a predefined manner, so you can setup the attack to force pilots/autopilots to do the "silliest" possible things.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 12, 2013 20:07 UTC (Fri) by grantingram (guest, #18390) [Link]

You are not alone having read the article - I'm also none the wiser as to what the presenter actually claims to have done.

There are lots of acronyms and vague inferences but all I can get from it is that you might be able to introduce a buffer overflow and load some malicious code. Which you can say about almost any computer....

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 14, 2013 4:37 UTC (Sun) by akeane (guest, #85436) [Link] (2 responses)

Why does it have to be a rubbish Android/Java interface?

They should GPL the code so I can make a command line version.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 14, 2013 8:21 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Yeah:
>sudo airplane land dest=Havana

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 14, 2013 21:50 UTC (Sun) by tao (subscriber, #17563) [Link]

It's not like it's complicated to get to Cuba anyway. Just fly via Canada if you're a US citizen.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 16, 2013 15:31 UTC (Tue) by dpquigl (guest, #52852) [Link] (2 responses)

I can't say I'm surprised or even impressed by this. The guy is exploiting an unauthenticated communications channel that has no verification of the origin of the message. From most of the details he's relying on the fact that these systems are open and he can falsify data. His go here is probably just giving bad telemetry data or course correction requests to the plane's auto-pilot.

There is a reason these systems are open. We can't even do key management properly when it is for non-critical systems. There is no way you're going to be able to organize a world wide key management scheme so that every plane on the planet will be able to talk to every ground control station and every other plane in the air. If you try to use some sort of shared secret that is placed in the devices by the manufacturer that will fail as well. You could arguably try to devise a scheme where if you can't communicate with another plane you fail open or that plane bounces signals off of an authenticated source and back to you instead but we're talking about very complex systems which need to remain simple so two things don't crash into each other (two planes or planes and the ground).

As pointed out this was presented at black hat last year for the next-gen system and the same exact points were raised back then.

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 16, 2013 16:50 UTC (Tue) by ndye (guest, #9947) [Link] (1 responses)

There is no way you're going to be able to organize a world wide key management scheme so that every plane on the planet will be able to talk to every ground control station and every other plane in the air.  If you try to use some sort of shared secret that is placed in the devices by the manufacturer that will fail as well.

How is DNSSEC a bad match?  Yes, the requirements include fail-safe simplicity, but that networked, distributed protocol is about as widely deployed as you can get, no?.

<genuinely baffled/>

Hijacking airplanes with an Android phone (Help Net Security)

Posted Apr 16, 2013 18:05 UTC (Tue) by raven667 (subscriber, #5198) [Link]

Are these devices (airplanes and beacons) globally networked such that the network can be relied upon for critical operations? It seems that each is intended to be an autonomous system and communications entirely peer-to-peer, not reliant on any hierarchy, political, technical or otherwise.


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds