By on April 12, 2013

As the technology that will one day network cars together and reorganize the roads in the name of safety and efficiency continues to rush towards us, word comes that the computerized systems used to control commercial aircraft in flight are now vulnerable to hackers via android devices. is reporting on an April 10th presentation at the “Hack in the Box Conference” by German security consultant Hugo Teso during which he demonstrates how a wireless device can be used to transmit malicious code into an aircraft’s computer through at least two different systems currently used to exchange information between aircraft and ground stations. Those of you who are already afraid to fly will want to read all of the excruciating details here:

Like many people, I believe that the highways of the future will be heavily automated. The possibilities of computerized roads are enormous and the technology could change the way our society functions by combining the benefits of cheap, efficient public transportation with the convenience enjoyed by car owners today. Imagine a world where a car will arrive at your doorstep moments before you leave for work, carry you in comfort and privacy on a trip that will meet with no traffic jams, stop at no lights, and during which you will be free to watch TV, browse the internet, catch a nap or just look out the window. Upon dropping you off, the car will then head off to its next customer or, if you are one of the Neanderthals who insist on owning your own vehicle, head off to a designated parking facility until you summon it again.

That future is heavily dependent upon the seamless integration of a number of networks and like modern aircraft, cars of the future will need to exchange a great deal of data to coordinate even the simplest of trips. Within that coordination lies the opportunity for mayhem and our lives will hang in the balance. While I look forward to that better, brighter future, for the time being I will keep my feet firmly on the ground and my hands wrapped around the steering wheel.

Get the latest TTAC e-Newsletter!


16 Comments on “Better Brighter Future Delayed: Commercial Airliners Vulnerable To Hacks Via Android...”

  • avatar

    Scary indeed but I would tend to think the likelihood of this doing any real damage is very low. Wouldn’t the various towers responsible for the flight send communications that the flight is off course, not at planned altitude etc etc? Especially during take off and landing I find this hard to pull off as the planes are hand flown for take off and landing.

  • avatar

    Before anyone gets too excited I recommend reading this piece by airline pilot and author Patrick Smith:

    • 0 avatar

      Ask the Pilot is a great column, and I highly encourage everyone to read Patrick’s article on this.

      All the claims are pretty bogus in any practical scenario — the pilots can always manually take over (hand-fly), and they always will know about any updates to the FMS. No doubt lots of other publishers will also spread FUD over this alleged exploit, and a lot of people will believe it because they don’t even know that control towers don’t directly control planes or how autopilot works.

  • avatar

    I’m not sure what the point of the editorial was, because there really isn’t one being explicitly made. The reader is left to implicitly draw the conclusion that autonomous vehicles will be subject to hacking (and presumably not without safety challenges , albeit different to their non autonomous predecessor.)

    What is important to understand about he Android hack (I read about it yesterday before this article appeared, and so was a little surprised to see the article here attempt to link these two things), is that the hack can succeed because the data exchange with the aircraft is currently over UNencrypted VHF channels.

    Obviously, the current system, while previously adequate will need improvement now that the communication method is no longer exclusivly available to authorized white hats. This is the nature of everything visavis continuous improvement.

    What is likely is that those working on autonomous vehicles and networks will be aware of black hat vulnerabilities much more than the designers of these aircraft systems were (when, 30 – 50 years ago), and will incorporate these lessons learned.

    What is also safe to say is that as long as there are systems to hack, and hackers to hack them, hacks will occur, and hacks will be patched (sometimes before an incident, sometimes after. This is no different than lock nuts on stop signs, fencing above underpasses, or locking the keyboard on traffic info signs to avoid “Zombie Attack!” warnings.)

    What is more interesting to discuss is how transportation (of commuters, as well as goods, some critical like foodstuffs or medicines) via automation and autonomous operation, will be transformed into a vulnerable network no different, and no less vulnerable to malicious mischief or pernicious attack, than other centralized (water), or decentralized (pipelines, electricity, telecon/Internet) network systems, and whether we want to accept this risk to receive the benefits such a system can offer.

    Personally I look forward to my self driving car, but not until I’m sure no black hat will be able to prevent both me and my burger from being able to be both available to commune in nutrious pleasure at my local drive in.

    • 0 avatar

      Maybe it’s just the odd way my mind works, I guess, but I drew a natural connection between the networks that airliners use today and what must be developed for the cars of the future. My intention was to start a discussion, something you have significantly added to with your well reasoned response.

      The truth is that I would never have even thought about doing something like hacking an aircraft with a telephone. It’s intriguing and I figured many of the readers here (like yourself) would be better informed and that I might be able to educate myself through the resultant discussion.

      • 0 avatar

        It’s also unclear that “a phone” could *actually* do it.

        He’s demonstrated a proof-of-concept that more or less waves away the real world issue of “actually talking to the plane’s systems using an actual radio”.

        This is fine in that it demonstrates an actual security hole.

        But this doesn’t mean that any phone (or other device) can actually *do it in practice*… yet. Note if you go there to read, that it doesn’t say – as it would to make the point that there’s Real Imminent Danger here, were it so – “oh, and the built-in bluetooth or cellular radio works for this”.

        I’m 99.99% sure that’s because it doesn’t.

        Someone will doubtless make a radio that attaches via BT or USB and lets that physical link happen – but Joe Wannabe Hacker’s phone doesn’t have that radio built in.

      • 0 avatar
        Kyree S. Williams

        Even todays cars are amazing. Some of them have upward of eighty onboard computers communicating wirelessly with one another, and likely without any kind of heavy security. And there are systems like GM’s OnStar, Hyundai’s Blue Link and BMW’s Assist that can track, or even stop your car altogether. Then, consider cars like the Lincoln MKZ, which, when fully equipped, use a myriad of computer equipment and sensors that allow them to basically drive themselves. It is probably more likely that if someone were trying to hack your car, he’d do it when it was parked and he wanted to steal it (thereby reaping a financial gain)…but it still makes you shudder when you think about it.

        This is free ammo for the “save-the-manuals” crowd, by the way.

        • 0 avatar

          Just sayin’

          • 0 avatar

            I had to Google a lot to find the basis of that, only because I know no Subaru has a computer controled starter so you can hardly “hack it” and start the car the switch needs to be physically turned. Found the NPR interview, they ADDED equipment to a 1998 Outback, then demonstrated a hack…sure thats realistic.

            This is far more interesting

  • avatar

    All of these automated, wireless, network, autonomous computer systems are high tech and cutting edge. No doubt.

    But what does one do when, not if, the system is compromised?

    In one episode of The Red Green Show, Red and Harold discuss a project-in-progress, including this gem which illustrates the dangers inherent in excessive dependence on advanced technology:

    Harold: “Yeah, but is it cutting edge?”

    Red: “Oh yeah, you could cut yourself real bad on the one edge there…”

  • avatar

    I spend more time on airplanes than I do in my car. I’m not loosing any sleep about this. At all.

  • avatar

    The real scary moment will come when somebody pulls that off with drones.
    There is no substitute for human ability, and there is never such a thing as a ‘clean’ war.

  • avatar

    As someone prior to me stated, you can’t just do this with an off-the-shelf Android device. These types of demos happen at any and all decent network security conferences, it’s all about displaying proof of concept. The idea is that security personnel become aware of the issue that the hackers have uncovered, and take action before a genuinely malicious actor takes advantage of the hole.

    In order to execute an attack on any electronic device you need two things: an exploit and access. Google doesn’t prepackage their devices with an OMGAiRplAneHaX exploit framework, and while the details surrounding exactly how you access a plane in flight is a little fuzzy to me, I’m going to guess that it’s more complicated than simply pinging an IP address or sending a text message. Still, it can’t be so complicated that a determined attacker couldn’t figure it out.

    All that said, so long as the pilot in charge of the plane is made aware of any adjustments to their flight system, and have the ability to take manual control of the plane at any point… I wouldn’t be terribly afraid of getting on a plane. Although I do hope that the airline industry starts to take this seriously, because if these systems are *that* vulnerable a single nasty piece of malware could be catastrophic.

  • avatar

    FAA has apparently consulted with the hacker and subsequently debunked his hack.

    • 0 avatar

      This does not mean that certified flight systems are invulnerable. It just means that either the specific technique used in this exploit did not work. It’s entirely possible that the exploit would still work with a trivial tweak, but the FAA isn’t going to advertise that for obvious reasons.

      However, that the FAA was so responsive to this makes me feel good about flying. If they’re taking it this seriously I don’t think we have much to worry about.

Read all comments

Back to TopLeave a Reply

You must be logged in to post a comment.

Recent Comments

  • APaGttH: Almost $30K for a Corolla if you tick all the boxes…and no more grunt under the hood. $26K to enter...
  • Michael S6: 29 k is GTI money
  • EBFlex: Why does anyone reply to EBFlex? He’s obnoxious, aggressively ignorant, and has never added an ounce of...
  • ToolGuy: Oh hey Peter. “GM is awesome, and Cadillac represents GM at its finest.” Agree or disagree?
  • EBFlex: “I can go farther on refuting each of your arguments but I honestly don’t need to; all of your...

New Car Research

Get a Free Dealer Quote

Who We Are

  • Matthew Guy
  • Timothy Cain
  • Adam Tonge
  • Bozi Tatarevic
  • Chris Tonn
  • Corey Lewis
  • Mark Baruth
  • Ronnie Schreiber