Hijack an airplane with a phone? Security specialist says it can be done.

German security analyst Hugo Teso has found vulnerabilities in fight system software and hardware. 

Reuters
Could you hack a plane's software with an Android phone? Maybe, says one security specialist. Here, a Czech Airlines Airbus A319 takes off in Prague's Vaclav Havel Airport, on April 8, 2013.

In a presentation this week at Hack in the Box, an annual security summit in Amsterdam, German analyst Hugo Teso showed off an Android app called PlaneSploit, which Teso says could be used to override the computer controls on a commercial airliner. With PlaneSploit and SIMON, a homemade attack code, "I can influence the guidance and navigation of the aircraft," Mr. Teso later said in an interview with the BBC.

Couple things to note here. First of all, Teso isn't a criminal (although as the BBC notes, aviation agencies in the US and Europe are extremely interested in chatting with him). Instead, he's a security specialist, who has spent several years experimenting with flight system hardware and software (purchased in most cases on eBay), with the purpose of understanding how it might be exploited – and how those exploits might be prevented.

He has said he will share all findings with the proper authorities.

In addition, both on his blog and in the presentation at Hack in the Box, Teso has been careful not to reveal too much about his findings. 

"As you can understand this is a very sensitive study," Teso wrote on his blog, "so I will not release exploits or vulnerabilities that can be used against aircraft irresponsibly. That is not the goal of this series. [I]t is intended to illustrate the process to study an unusual system, display the status of its safety and learn as much as possible in the process." 

In his tests, Teso used hardware and software from aeronautics suppliers such as Honeywell, Thales, and Rockwell Collins. But in a statement given to Information Week, a spokesman for Honeywell said Teso may have used a different version of the flight-management software, or FMS, than is found in commercial airliners. 

"If we talk very generically – not just about Honeywell software – PC FMS software is normally available as an online pilot training aid," the spokesman said. "In other words, what Teso did was hack a PC-based training version of FMS that's used to simulate the flight environment, not the actual certified flight software installed on an aircraft."

For more tech news, follow us on Twitter @venturenaut

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.