Hijacking an Aircraft with a Simple Android App PlaneSploit


A malicious hacker is a threat to everybody. He uses his superior intellect to wreak havoc just for fun. Imagine if such a person is able to simply take over the control of an airplane just by using an Android app. Sounds like the opening scene of a Hollywood movie doesn’t it? In real life, a German security expert recently presented an Android app that can control an airplane using an Android app. PlaneSploit is an Android app that can interact with the plane’s FMS or Flight Management Systems.

At a recent security conference in Amsterdam, the Spanish security researcher, Hugo Teso, showcased the app. PlaneSploit takes advantage of a minor flawed protocol that transmits data from the ground to commercial airplanes. This protocol has been found vulnerable to attack from the app by Teso. In other words, A hacker armed with this app turns into a terrifying hijacker. The vulnerable protocol is a regular data exchange system known as ACARS. The software for these systems has been provided by companies like Thales, Rockwell Collins and Honeywell. The app exploits flaws in the protocol and certain bugs in the software to assume control over the system.

The PlaneSploit app detects the communicating radio signals and sends its own malicious signals along with them. The app uses an exploit framework, named SIMON, created by Teso to begin communications with the plane’s FMS. The hubris of the ACARS is that it has negligible authentication protocols which render it difficult for the plane to distinguish between signals from the ground station and a hacker. Teso used simulation aircraft training software to showcase his app’s potential. However, authorities from the FAA (Federal Aviation Administration) and Honeywell have debunked these claims as being impractical in real life.

The FAA commented on the presentation and stated that the app poses no credible threat to flight safety. FAA remarks that while the app may have been to gain control over the simulation software, certified flight hardware may be much more difficult to penetrate. The FAA has rejected the possibility of a hacker gaining undue control over an aircraft. Even Honeywell quipped in with statements that Teso’s app poses no credible danger to real-life aircraft FMS which have greater protection against corrupting or overwriting of software.

However, it may be interesting to note that while the software is in place to guide the plane, the crew has control over the aircraft in the end. And any suspicious activity that they detect can be immediately put to an end by simply disabling the autopilot and taking charge manually. Even with minor adjustments made to the app to suit real world aircraft, a hacker may not be able to gain complete control of a craft. The maximum extent of the hackers control may be to alarm the passengers by suddenly dropping the pressured air masks. The hack in itself may be impractical at the moment, but the flaws it has exposed may pose a larger threat at some point in the future. FAA needs to some damage control to prevent any such exploitable flaws.