Can A Smart Phone Hack A Flight Computer? Not Really

Last week, headlines about an Android app’s ability to hack an airliner’s in-flight computer systems once again stirred fear among travelers. In reality, those fears belong to a virtual-world scenario, not a real-world one.

Hugo Teso, an IT security consultant with Germany’s n.runs AG, presented what appear to be some terrifying findings on the 10th of April at the Hack In The Box conference in Amsterdam. Mr. Teso explained that he had discovered and bypassed two security flaws in the systems that handle communication between an aircraft and air traffic controllers. Using an Android mobile phone application, Mr. Teso was able to hack the in-flight computer system of a virtual airliner. The system Mr. Teso hacked is in fact a real in-flight computer system, one that perfectly replicates the systems used by pilots and is used for flight training simulation by airlines around the world.

What Mr. Teso did not address in his doomsday Hack In The Box presentation about mobile phones hacking in-flight systems and crashing aircraft is this: the systems he hacked, while ‘real’ for flight simulator training, are not the actual systems installed on aircraft. Simulator software mimics the real world allowing pilots to train under many scenarios and constantly stay up to date, but these systems do not come with multiple security redundancies, nor are they connected to ‘the system’ in the same way the software would be in service on a real flying aircraft. In short, the software Mr. Teso hacked is not certified to work with flight hardware systems by any aviation authority in the world.

Another factor Mr. Teso failed to address, as he used his Android phone application to wreak havoc on the flight software, is the ability of a pilot to switch to manual, override the system, and fly the aircraft without using the flight computer inputs. Should an aircraft’s flight system put the aircraft in a dive towards the center of the city a pilot at the controls would be able to stop all of that, bring the aircraft level and continue flying safely and normally doing what they were trained to do as a pilot.

Finding vulnerabilities in aircraft flight systems is important, but many mechanisms are in place to catch command errors, both on board the aircraft and in air traffic control towers, that would prevent a mobile phone, or any outside system, from hacking into an in-flight computer and bringing down the plane.

You may hit some rough air and spill your drink as you fly from place to place, but that will be the work of Mother Nature, not the work of a hacker taking over your flight.

Now sit back, relax, take out your phone (in Airplane Mode) if your flight has Wi-Fi, and enjoy your trip.

Happy Flying!

@flyingwithfish

3 Comments

  1. Hi,

    Two quick comments on your post. Before I do though, I was in the flight simulation industry for more than 20 years, working for both Boeing and the world’s leading flight simulator manufacturers, and even helped launch the world’s first 777 flight simulator while working for Boeing’s flight simulator group. In other words, I know the hardware and I know the code. I was a technical guy and then moved into PM.

    First comment: You say: “Simulator software mimics the real world allowing pilots to train under many scenarios and constantly stay up to date, but these systems do not come with multiple security redundancies, nor are they connected to ‘the system’ in the same way the software would be in service on a real flying aircraft.”

    That’s only partially true. In fact, on the 777 flight simulators we used the exact AIMS (flight control) software that was used in the airplane. Identical. We downloaded it straight from Boeing engineering. Now the software that interfaces with that AIMS software was custom simulator code to actually move the hydraulic controls, etc. There are no “extra redundancies” – the simulator has to act exactly as the aircraft does or we’d never get FAA Level D certified (Level D is the highest certification – meaning you can get fully qualified on an aircraft without ever stepping foot in a real one).

    Second: You say: “Should an aircraft’s flight system put the aircraft in a dive towards the center of the city a pilot at the controls would be able to stop all of that, bring the aircraft level and continue flying safely and normally doing what they were trained to do as a pilot.”

    Again, partially true. While the pilots can certainly fly manually, most of the modern flight control systems are now “fly by wire” as I’m sure you know. That means there’s both electrical (or fiber) systems and software in between the controls and the actual flight control surfaces. Anytime there’s software, there’s the potential for something to go wrong.

    I’m not saying the gist of your blog post is incorrect – in fact the person who discovered the “vulnerability” admitted it wasn’t entirely real-world (of course the media ignored that part), but he did bring up some valid points for investigation.
