As if inexpensive attacks on mission-critical global positioning systems weren't enough, a researcher said he's developed an Android app that could redirect airplanes in mid-flight.
The frightening scenario was presented on Wednesday at the Hack in the Box security conference in Amsterdam. It's made possible by security weaknesses in the protocol used to send data to commercial planes and in flight-management software built by companies including Honeywell, Thales, and Rockwell Collins, Forbes reports. Vulnerable systems include the Aircraft Communications Addressing and Report System used for exchanging text messages between planes and ground stations using VHF radio or satellite signals. It has "virtually no authentication features to prevent spoofed commands."
Using a custom-developed Android app dubbed PlaneSploit, researcher Hugo Tesa of N.Runs showed how a virtual plane in a laboratory could be redirected. Because there's no means to cryptographically authenticate communications sent over ACARS, pilots have no way to confirm if messages they receive in the cockpit are valid. Malformed messages can then be used to trigger vulnerabilities, Tesa told Forbes.