funsec mailing list archives
Re: How To Hijack An Airplane With Android: Security Specialist Exposes Massive Holes In Airline Cyber Security
From: Daniel Preußker <daniel () preussker net>
Date: Fri, 12 Apr 2013 08:28:49 +0200
I'm sorry, but you should give credit to who actually found the vuln. and it was at DefCon20.

Here is the talk: http://www.youtube.com/watch?v=CXv1j3GbgLk

Please don't hype people who re-chew the work of others, thanks.

- Daniel Preussker
Linux Research & Security

On Thursday, 11.04.2013, 19:00 +0200, Jeffrey Walton <noloader () gmail com> wrote:
http://www.ibtimes.com/how-hijack-airplane-android-security-specialist-exposes-massive-holes-airline-cyber-security-1186625

German security consultant Hugo Teso exposed massive holes in aircraft security when he showed at the "Hack in the Box" conference in Amsterdam on Wednesday evening how to completely take over – and even crash – a commercial airplane. All you need is an Android phone, a radio transmitter and some knowledge about flight-management software.

Perhaps the most frightening part is that you don’t even have to be on the airplane when you hijack it. The entire attack can be done remotely from the ground, so not even full-body scans at the airport can prevent it.

Turns out that the Automatic Dependent Surveillance-Broadcast, the technology used to track aircrafts, is unencrypted and unauthenticated. This lack of security was exposed in 2012 when hackers inserted ghost airplanes into radar. The Aircraft Communications Addressing and Reporting System, the digital system for sending short messages between aircrafts and ground stations via radio, also lacks security. Teso exploited these vulnerabilities for his attack.

After purchasing a flight-management system from eBay to study flight code, Teso learned how to read and send Aircraft Communications Addressing and Reporting System messages. He then used a radio transmitter to audit actual aircraft code, and built an Android app that delivers attack messages to an airplane’s computer.

Teso could use the app to completely commandeer the steering of a Boeing jet once it goes on autopilot. The only countermeasure would be for pilots to turn off autopilot. The problem, as a Computer World blog post pointed out, is that even if the pilots realized the steering had been hijacked, many airplanes no longer have the equipment necessary for manual flying.

The app, which Teso named PlaneSploit, could take control of almost all of an airplane’s systems. He could manipulate the pilots’ lights and alarms, trigger the oxygen masks to drop, and even make the airplane crash. Using a Samsung Galaxy smartphone and some virtual airplanes, Teso demonstrated live how to hack an airplane’s computer.

The slides from the presentation can be found here.

[YOUTUBE Video]

Thankfully, Teso has no plans to release PlaneSploit to the Google Play Store -- not that it would be accepted; however, his presentation showed that airlines need to take immediate steps to protect their networks before a more malevolent hacker makes plans.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.