An extremely well attended talk by Hugo Teso, a security consultant at n.runs AG in Germany, about the completely realistic scenario of plane hijacking via a simple Android app has galvanized the crowd attending the Hack In The Box Conference in Amsterdam today.

Teso, who has been working in IT for the last eleven years and has been a trained commercial pilot for a year longer than that, has combined his two interests in order to bring to light the sorry state of security of aviation computer systems and communication protocols.

By taking advantage of two new technologies for the discovery, information gathering and exploitation phases of the attack, and by creating an exploit framework (SIMON) and an Android app (PlaneSploit) that delivers attack messages to the airplanes' Flight Management Systems (computer unit + control display unit), he demonstrated the terrifying ability to take complete control of aircrafts by making virtual planes "dance to his tune."

One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast, which sends information about each aircraft (identification, current position, altitude, and so on) through an on-board transmitter to air traffic controllers, and allows aircrafts equipped with the technology to receive flight, traffic and weather information about other aircrafts currently in the air in their vicinity.

The other one is the Aircraft Communications Addressing and Reporting System, which is used to exchange messages between aircrafts and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter.

Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the "behavior" of the plane.

Here are some of the functions Teso showed to the HITBSecConf Amsterdam audience:

Please go here: A way of interacting with the plane where the user can dynamically tap locations on the map and change the plane's course.
Define area: Set detailed filters related to the airplane, for example activate something when a plane is in the area of X kilometers or when it starts flying on a predefined altitude.
Visit ground: Crash the airplane.
Kiss off: Remove itself from the system.
Be punckish: A theatric way of alerting the pilots that something is seriously wro