Planesploit
April 11, 2013 8:18 AM

Planesploit: this Android app permits you to take control over the commercial jet in which you are a passenger if it is on autopilot.
posted by Chocolate Pickle (74 comments total) 14 users marked this as a favorite
 
I'm sure they're going to download a patch for that next Wednesday.
posted by randomkeystrike at 8:22 AM on April 11, 2013


First reaction: Finally, they'll redesign these systems right!

Second reaction: Sha, as though. But at least we'll get some TSA restrictions on bringing mobile devices on planes, which might be even better!
posted by DU at 8:24 AM on April 11, 2013 [3 favorites]


20 years. It's going to take 20 years to roll out a system that doesn't send unencrypted flight data over the air.
posted by 1adam12 at 8:27 AM on April 11, 2013 [4 favorites]


But at least we'll get some TSA restrictions on bringing mobile devices on planes, which might be even better!

Especially for people that carry their Android devices in their shoes.
posted by RobotVoodooPower at 8:27 AM on April 11, 2013 [1 favorite]


Finally, an app where the Android version was released before the iOS version!
posted by jessssse at 8:29 AM on April 11, 2013 [12 favorites]


So if they'd started in 1993, around the time when cellphones first started to come out, this talk would never have been given?
posted by DU at 8:30 AM on April 11, 2013


The only countermeasure available to pilots, if they even realized they were being hacked, would be to turn off autopilot. Yet many planes no longer have old analog instruments for manual flying.
This is utterly untrue, unless it's being suggested that the manual yokes can be deactivated.
posted by jaduncan at 8:31 AM on April 11, 2013 [1 favorite]


This was sort of the plot device of the pilot of The Lone Gunmen, complete with a pre-Sept. 11 story about said plane being crashed into the World Trade Center.
posted by Uther Bentrazor at 8:32 AM on April 11, 2013


It's a bit more than an app. He's using an external radio transceiver. Otherwise a smart phone couldn't talk to the satellites.

SDR Hardware

There is a broad range of hardware solutions for radio amateurs and home use. There are professional-grade transceiver solutions, home-brew solutions and starter solutions.

The GNU Radio using primarily the Universal Software Radio Peripheral (USRP) uses a USB 2.0 interface, an FPGA, and a high-speed set of analog-to-digital and digital-to-analog converters, combined with reconfigurable free software.


Beautiful nice job though which really shows the vulnerability of "modern" air traffic control.

This is utterly untrue, unless it's being suggested that the manual yokes can be deactivated.

It's all ball bearings these days jaduncan. The Airbus is completely fly-by-wire and if you can gain control of the computer, you have control of the aircraft regardless of what the pilots do with the "yokes."
posted by three blind mice at 8:34 AM on April 11, 2013 [2 favorites]


Do "analog instruments" specifically mean analog instrumentation readouts of things like altitude and direction? So even if you have manual control of the plane, you may be relying on digital (and therefore, hackable) instruments to tell you where to go?
posted by Nutri-Matic Drinks Synthesizer at 8:36 AM on April 11, 2013


The "Visit Ground" button is cute.
posted by lazaruslong at 8:36 AM on April 11, 2013 [2 favorites]


Yeah, but they are manipulating the system with unencrypted ACARS inputs.

It's not a root exploit; they don't have control of the computer in the rooting sense.
posted by jaduncan at 8:37 AM on April 11, 2013 [2 favorites]


The reports and slides I've seen are short on details, but it's pretty clear that this Android app is only used to control a flight management system where he has already installed his "exploit framework" SIMON. Getting that done is the hard part, of course. That won't stop people from freaking out about phones though.
posted by grouse at 8:38 AM on April 11, 2013 [3 favorites]


If it is anything like my phone the plane will be constantly flipping on its side every time I move my hand even a little bit. Fun!
posted by srboisvert at 8:39 AM on April 11, 2013 [9 favorites]


But at least we'll get some TSA restrictions on bringing mobile devices on planes, which might be even better!

Making people shut off their phones/tablets or keep them in checked luggage is one thing. But we're rapidly approaching a point where mobile devices are going to be further miniaturized and effectively hidden in normal-looking wearables like wristwatches or eyeglasses. In the long run, this is going to be much more effectively dealt with as a hardware/software security issue, instead of turning TSA checkpoints into a game of spot-the-Android.

(let the Blade Runner jokes commence.)
posted by Strange Interlude at 8:40 AM on April 11, 2013 [3 favorites]


"Why aren't you helping the turtle?"
"I'M LATE FOR MY GODDAMN FLIGHT, THAT'S WHY."
"Give him the full cavity search. I'm talking Roto-rooter. Don't stop until you reach the back of his teeth."
posted by Ghostride The Whip at 8:42 AM on April 11, 2013 [1 favorite]


They are broadcasting remote signals from inside the plane, and they can't do anything that the remote signallers can't do. I am very dubious indeed about a claim that the remote signallers can turn off the non-autopilot flight control systems.
posted by jaduncan at 8:43 AM on April 11, 2013 [1 favorite]


let the Blade Runner jokes commence

They don't call it "confiscating" a phone. They call it "retiring".
posted by cortex at 8:44 AM on April 11, 2013 [3 favorites]


Completely relevant Dilbert from 1997.
posted by Xoc at 8:46 AM on April 11, 2013


I am very dubious indeed about a claim that the remote signallers can turn off the non-autopilot flight control systems.

I haven't seen any evidence that the developer of PlaneSploit, Hugo Teso, has claimed this.
posted by grouse at 8:46 AM on April 11, 2013


I haven't seen any evidence that the developer of PlaneSploit, Hugo Teso, has claimed this.

No, but:

It's all ball bearings these days jaduncan. The Airbus is completely fly-by-wire and if you can gain control of the computer, you have control of the aircraft regardless of what the pilots do with the "yokes."
posted by three blind mice at 16:34 on April 11 [1 favorite +] [!]
posted by jaduncan at 8:47 AM on April 11, 2013 [1 favorite]


Right. The only people who seem to be claiming this are MeFi commenters.
posted by grouse at 8:50 AM on April 11, 2013


So if the app crashes, do you have to give your phone a blowjob until it reinflates restarts?
posted by robocop is bleeding at 8:53 AM on April 11, 2013 [7 favorites]


Xoc: "Completely relevant Dilbert from 1997."

Is that you, PlannedChaos?
posted by Chrysostom at 8:55 AM on April 11, 2013 [4 favorites]


Do "analog instruments" specifically mean analog instrumentation readouts of things like altitude and direction? So even if you have manual control of the plane, you may be relying on digital (and therefore, hackable) instruments to tell you where to go?

This discussion would be much helped by clarity regarding analog vs manual vs mechanical, which all mean different things.
posted by DU at 8:55 AM on April 11, 2013 [1 favorite]


I find it unlikely that these systems, which are based on parsing unencrypted and trivially spoofable protocols, and haven't been exposed to attack before and therefore may not have a culture of treating the input as untrusted, don't have buffer overflow and other exploits.

We've been trying to build that into the culture of programming for the web for a decade, and we still see software with dumb vulnerabilities.

Even without rooting the software there are vulnerabilities. ADS-B is a system where aircraft broadcast their positions to other aircraft and to ATC. It's easy to spoof, see http://www.youtube.com/watch?v=NSLqRXyxiBo. TCAS, Traffic Collision Avoidance System, is a system whereby a computer on the aircraft is listening to the position reports of nearby aircraft, and if any get too close it automatically issues instructions to the pilot about how to avoid a collision--like "turn right 30 degrees and climb immediately". A TCAS "Resolution Advisory" is an urgent message, and pilots are trained to follow those instructions, even if they conflict with orders from ATC (due to accidents where TCAS was right and ATC was wrong, and listening to ATC led to fatalities). I believe that spoofing ADS-B could be used to generate spurious TCAS warnings.

If you are interested in eavesdropping on ADS-B messages sent by aircraft in your area, see "Tracking planes for $20 or less". If you're interested in having your drone know where nearby aircraft traffic is, see (my blog post) "Cheap ADS-B on Amateur Drones".

BTW, the PlaneSploit app appears in screenshots to be using the Mavelous front-end, previously seen on projects.
posted by jjwiseman at 8:56 AM on April 11, 2013 [9 favorites]


Beautiful nice job though which really shows the vulnerability of "modern" air traffic control.


Ughhhh no

This whole thing relies on assuming one thing is the same as the next thing. So they can spoof ACARS, which is not the FMS, which is not the autoflight systems, and the autoflight systems are not the computers handling the FBW on Airbus, and none of these are "instruments", the instruments are providing information to the pilots, and they're an entirely separate game, and who said anything about air traffic control? That's yet another thing which is not related to ACARS or autoflight or FBW or instruments. So yeah, I guess if you assume a continuous series of vulnerabilities exist in the very minimal interfaces between each of these systems, then yes, your phone can do whatever you want to a plane. But right now I see a way to make funny messages print out on the printer in the cockpit (that is primarily what ACARS does) and not much else. As is, this is about one step above crashing the video screen in your seat and claiming you can "CRASH THE PLANE OMG".

And "yoke" is not a scare-quotes term. That's the real word. On Airbus it's a sidestick.
Yet many planes no longer have old analog instruments for manual flying.
This is one of the wrongest, most irresponsibly scaremongering things I've ever heard. I'm so mad.
posted by kiltedtaco at 8:57 AM on April 11, 2013 [15 favorites]


Yes. At the risk of being patronising, for reference this is the short version of the talk:

1) There's a signalling facility to talk to planes, and both plane and ground can talk on that;
2) It was originally fairly simple, but has had lots of remote admin stuff loaded onto it so ground can tell the plane what to do for some things;
3) The security of that connection is not great;
4) As a result, if you have a software radio and the ability to project the signal (easier inside the plane) you can pretend to be the ground station;
5) You can do what the ground station can do;
6) You can't mess with anything but that signalling system, and only have the privs it does.

ADDED BY ME:
7) The pilots will WTF and turn off the auto systems then fly in manually;
8) This would be a good time to delete all traces of the exploit app, as ground authorities are about to ruin everyone's decade.
posted by jaduncan at 8:58 AM on April 11, 2013 [8 favorites]


jaduncan: "Yes. At the risk of being patronising, for reference this is the short version of the talk:."

You forgot two:

9) The talk itself looks like a reddit meme factory threw up all over it
10) Gratuitous racism on slide #12 ("Facepalm: Level Asian")
posted by barnacles at 9:06 AM on April 11, 2013


11) Also, do not be the guy with software radio components on you. Very much not that guy.
posted by jaduncan at 9:07 AM on April 11, 2013 [1 favorite]


kiltedtaco, I completely disagree. It's clear that the protocols being used were designed with no security in mind. A system that hasn't been specifically hardened to attack over years always has vulnerabilities, and probably has unintended and vulnerable connections between systems. That's been proven over and over again in computer security. You can't just assume that without any exposure to attack, the guys writing this software and designing these systems did it all right the first time.

I'm not a security expert, but I've worked with them on a security R&D team, and we spent millions of dollars a year trying to protect stuff that we knew hackers would be poring over constantly. Our shit got hacked every time, all we could do was try to delay them.

You should take a look at some of the details of iPhone jailbreaking exploits and Chrome exploits to get a sense for how it's possible for a really obscure chain of weaknesses to be exploited to get full control.
posted by jjwiseman at 9:11 AM on April 11, 2013 [3 favorites]


"Have you ever retired an iPhone by mistake?"
posted by He Is Only The Imposter at 9:15 AM on April 11, 2013 [1 favorite]


I'm not saying it's clear that someone can "take full control" and crash a plane, but I think the likelihood of vulnerabilities existing that allow someone to take full control of flight computers remotely is very high. Maybe that's scary, maybe it's not.
posted by jjwiseman at 9:24 AM on April 11, 2013 [1 favorite]


We've been trying to build that into the culture of programming for the web for a decade, and we still see software with dumb vulnerabilities.

The people who write the software for airplanes are in the position where their mistakes could kill people. Getting their code right is a much, much more serious business for them than the bulk of the programming community. That's why they put significant effort into stuff like static verification, for example.

Vulnerabilities in ancillary stuff like ACARS, TCAS, sure, I'll even grant that uploading a new route into the FMS is not unlikely. But flight displays or FBW (surprised nobody mentioned engine FADEC)? That's where I think the analogy to "normal" computer security (where yes, everything gets hacked) starts to break down. I'm not saying impossible, just much harder than these folks (or really the media coverage) are trying to make it sound.
posted by kiltedtaco at 9:24 AM on April 11, 2013 [1 favorite]


Wow, we were just talking about this in the design review I'm in not half an hour ago. Let me see if I can answer some questions, but keep in mind that I'm not a software person and only tangentially familiar with ADS-B.

The first question I have about this whole thing is his notion of taking over "the computer". There is, in general, not one single computer running the whole show on a large aircraft - for safety reasons there are multiply redundant, distributed systems. Autopilot does not control the fly-by-wire, for example. From what I can tell, he is talking about taking over the Flight Management System (FMS), which he is then using to direct commands to other aircraft systems. There are at least two FMSs per aircraft, so a "full takeover" would probably require commandeering both (or all three) FMSs, all of the air data computers, and all of the autopilots (Category III landing capabilities require three independent autopilots).

So, a brief avionics primer. Basic information about the plane's position and attitude is generated by a number of sources, but the primary ones are the air data system (comprised of direct air measurements by pitot and static air sources which are interpreted by an Air Data Computer), an Inertial Navigation System (a gyroscope-based system to measure pitch, roll, yaw, and rates of change of those), and nowadays GPS for accurate position info. All of these sources are present in multiply redundant systems and are fed to the multiple FMS units. Redundancy is built in so that the FMSs can cross check the input sources and throw out bad data. The FMSs receive other inputs - the pilots input their flight plans here, sometimes can control radios from here. The FMS outputs data to the avionics displays and autopilots and includes stuff like Flight Director information and a few other things. In the system I'm working on now, the Multifunction Displays (MFDs) do most of the heavy lifting, computation-wise. The displays are backended by a single board computer that determines course corrections, autopilot commands, and interprets alerts from the surveillance systems like TCAS and the weather radar.

The airplane is designed to remain safe and functional even if the FMSs fail. Again, multiply redundant systems. Multiple MFDs can fail, multiple autopilots can fail, you could have a total electrical failure and still fly the airplane. Even the Dreamliner, the most electric airplane in the world, is designed to fly with a total electrical failure.

The two systems he's talking about exploiting are ACARS and ADS-B. ACARS is essentially a text messaging system used by air carriers to send messages back and forth between ops centers and the cockpit. These DO NOT control anything on the aircraft - messaging only. Newer systems provide ACARS messages on the FMS, but older systems usually have a thermal printer installed somewhere in the cockpit.

ADS-B is pretty well discussed upthread. It's in its infancy right now, and while there's a mandate to have ADS-B OUT installed on every aircraft by (whatever date they set, I forget), ADS-B IN is not required yet. There is no requirement to take in data from the system right now. ADS-B currently provides information like aircraft position and weather data and is an advisory product right now. There is a vision within FAA to use it as a primary surveillance device for air traffic control, but that's way far off in the future if anyone will allow that to happen at all. Hell, they're still fighting about whether to decommission antiquated NDB and LORAN stations.

So this guy is claiming he can somehow get a message through ACARS which will inject malicious code into an FMS unit, which he can then use to control the aircraft. I do agree this is a serious security problem, but the fact that there are multiply redundant systems means a competent flight crew should be able to maintain control of the aircraft. If he's spoofing messages, traffic, or whatever else, there are other independent systems available on board that will contradict the bad information and will not be affected by his hack. Shutting down compromised FMS units, autopilots, or whatever else is possible and the aircraft will still fly. You could shut down basically the whole flight deck and still fly the airplane safely.

Based on my experience on flight deck avionics, I find the idea of overwriting critical software in flight, while the units are operating, to be a little far-fetched (but remember, I'm not a software guy). On the lower-certified equipment I worked on at my previous job, even then there were several checks to prevent people from attempting to access maintenance functions in flight, which included checking weight-on-wheels switches, airspeed indications, and other indications that would imply the plane was in motion and off the ground.

It's going to take 20 years to roll out a system that doesn't send unencrypted flight data over the air.

I will direct you to RTCA document DO-178B, which covers certification of avionics software. In a nutshell, Level A software (which is what would be found in an FMS or ADC in a large aircraft) can. not. fail. ever. Testing requirements are extreme - during testing and code coverage, every line of code and every branch of every decision must be hit and verified. That takes a long time and a lot of money, and there are many different models of FMS and ground stations that will need to be upgraded. Plus, backwards compatibility needs to be met until everyone can get their systems switched over.

I can attempt to answer questions, but I think I've overstepped my knowledge of these systems already. Long story short - interesting presentation, probably several differences between his simulation and "real world" implementation that keep this from becoming the giant security hole it looks like offhand.
posted by backseatpilot at 9:25 AM on April 11, 2013 [92 favorites]


Which is more likely:

1) There is a vulnerability that somehow allows inputs from ADS-B to affect the flight path, AND a guy with deep inside knowledge of how these extremely obscure systems work managed to get ahold of the equipment long enough to demonstrate the exploit, AND he decided to publicize the exploit at some hacker meetup rather than a real conference in the avionics security field

2) There is a guy who really, really wants to get publicity for his security consulting company, so he is exaggerating his spoofing of some insecure radio protocols into a plane-crashing exploit.
posted by miyabo at 9:27 AM on April 11, 2013 [9 favorites]


How hard would it be to make the passenger compartment a Faraday cage? A bonus of this would be that they'd be able to conclusively ditch those CYA rules requiring people's Kindles and iPads (but somehow not wristwatches) to be switched off for takeoff and landing, as well as saturating the plane with in-flight WiFi and other modern amenities.
posted by acb at 9:30 AM on April 11, 2013


I will direct you to RTCA document DO-178B, which covers certification of avionics software. In a nutshell, Level A software (which is what would be found in an FMS or ADC in a large aircraft) can. not. fail. ever. Testing requirements are extreme - during testing and code coverage, every line of code and every branch of every decision must be hit and verified.

What do they code this stuff in? Is it still Ada or something, or have they started using Erlang and stateless, redundant parallel processes?
posted by acb at 9:33 AM on April 11, 2013


These systems aren't that obscure.

Code to generate/decode ADS-B: https://github.com/bistromath/gr-air-modes

Code for ACARS: https://www.cgran.org/browser/projects/gr-acars

Software-defined radios that can run that code and transmit or receive on those frequencies: https://www.ettus.com/product/category/USRP_Networked_Series

Lockheed Flight Management System Computer: $495 on ebay.

I've worked with reverse engineers. You'd be amazed at what they can do, and what motivates them.
posted by jjwiseman at 9:35 AM on April 11, 2013 [4 favorites]


What do they code this stuff in? Is it still Ada or something, or have they started using Erlang and stateless, redundant parallel processes?

Some of it is still Ada, I believe. FAA just recently (with "recently" for a government agency of this size being some time in the past 10 years) started allowing object-oriented languages. When I left my last job they were doing most of the coding in C++ on top of a Lynx RTOS, but our highest cert level was Level C. The lower-certified stuff (D and E) were C/C++ on top of Embedded NT.
posted by backseatpilot at 9:35 AM on April 11, 2013


backseatpilot for the sidebar. Awesome comment. (The first one!)
posted by Andrew Galarneau at 9:46 AM on April 11, 2013 [1 favorite]


Do you need physical access to the plane to install SIMON or can it be done remotely with a Stuxnet-type worm? Because that would be beyond terrifying. (Distribute and set to go off on every infected plane simultaneously at a certain date/time...)
posted by Skwirl at 9:46 AM on April 11, 2013


How hard would it be to make the passenger compartment a Faraday cage?

No windows, for one thing. (Not gonna happen.)
posted by Chocolate Pickle at 9:46 AM on April 11, 2013


I meant the first comment. Sorry.
posted by Andrew Galarneau at 9:47 AM on April 11, 2013


No windows, for one thing. (Not gonna happen.)

Isn't it possible to make conductive glass? I'm fairly sure that heavily defended buildings like embassies, intelligence agency headquarters and such have windows, and was under the impression that they had somehow been treated to dampen electromagnetic emissions.
posted by acb at 10:04 AM on April 11, 2013


Thanks to backseatpilot for answering with real details that which I could only answer with grar.

No windows, for one thing.

I've been in a faraday cage with windows. You just put metal mesh screens over them. The sizing of the mesh depends on how high of frequencies you want to block.
posted by kiltedtaco at 10:09 AM on April 11, 2013 [2 favorites]


How hard would it be to make the passenger compartment a Faraday cage?

So, essentially, make the whole plane out of that stuff?
posted by drjimmy11 at 10:13 AM on April 11, 2013 [1 favorite]


This is potentially more sensible than the old black-box recorder joke. The passenger compartment is already a sealed, pressurised compartment by definition. The question is whether there are any parts of it which cannot be made to suppress RF transmissions, at least to the point where anything a passenger brings on in carry-on luggage without drawing too much attention is unlikely to affect avionics.
posted by acb at 10:59 AM on April 11, 2013


acb: How hard would it be to make the passenger compartment a Faraday cage? A bonus of this would be that they'd be able to conclusively ditch those CYA rules requiring people's Kindles and iPads (but somehow not wristwatches) to be switched off for takeoff and landing, as well as saturating the plane with in-flight WiFi and other modern amenities.
Not hard at all. Making sure the surrounding walls front & back connect to the frame (and are conductive, obviously), and the windows are covered with a conductive mesh. It would mean cellphones, radios, and GPS wouldn't work for passengers, but then, since they're currently required to be turned off, they don't work anyway.
posted by IAmBroom at 11:14 AM on April 11, 2013


I look forward to hearing all about this on the 11-o'clock local news.
posted by shemko at 11:15 AM on April 11, 2013 [1 favorite]


drjimmy11: How hard would it be to make the passenger compartment a Faraday cage?

So, essentially, make the whole plane out of that stuff?
For those who aren't familiar, a "Faraday cage" is a conductive shell that radio waves cannot penetrate*. It's commonly used to test emissions: put your device inside one, and measure the radio field strength inside it. The field measured must be coming from inside that cage, so you're measuring the device's emissions. It's also used for instruments that might be very sensitive to radio noise.

* "cannot", for a given section of the spectrum and a certain attenuation. Imagine your own hand. You think of it as "opaque", but also undoubtedly know that x-rays can penetrate. X-rays are just light/radio waves/microwaves, except at a different frequency. Or imagine putting your hand in front of a powerful spotlight - enough light will come through for you to see the shadows of your own bones. So, frequency and attenuation both have limits. Practically, however, it's radio waves that must be used to communicate with the satellites and plane receivers; these are fairly easily stopped with wire mesh, or anything more substantial such as an aluminum plane body. The important part is that there mustn't be any large holes in the shielding, such as uncovered windows.
posted by IAmBroom at 11:20 AM on April 11, 2013


This is good. Faraday cages and wifi? ...hahaha...


From now on all passengers will be wrapped in tinfoil and duct-tape, then on-loaded by hand-carts before being stowed and securely harnessed in their bins. In-flight refreshments will be served via straws. Don't worry about the toilet--post-flight showers will take care of that issue.

You can catch up on your sleep, or contemplate the next big advance in civilization and enlightenment.
posted by mule98J at 11:22 AM on April 11, 2013 [2 favorites]


I don't think there's any reason I would be sending these signals from inside the aircraft. Here's a 250 watt ADS-B transmitter that I can put on the ground and still reach any aircraft within line of sight within at least 100 miles: https://buy.garmin.com/en-US/US/prod201.html.
posted by jjwiseman at 11:24 AM on April 11, 2013 [2 favorites]


According to this article, this is the real deal: the researcher has found vulnerabilities in some FMSes, and he can exploit them through ACARS and take them over (he hasn't been clear on what the vulnerabilities are, so that people won't be able to easily replicate them). Once he pwns the FMSes, he can have it send commands to the plane, and the plane will obey so long as it is on autopilot.
posted by Monday, stony Monday at 11:26 AM on April 11, 2013 [1 favorite]


It would mean cellphones, radios, and GPS wouldn't work for passengers, but then, since they're currently required to be turned off, they don't work anyway.

If allowing passengers to turn on their phones and text friends once the plane has come to a stop is a priority, a repeater of some sort could be installed inside the cabin. Or this could be integrated into a microcell, also used for (undoubtedly extortionately expensive, at least at the start) in-flight calling.
posted by acb at 11:28 AM on April 11, 2013 [1 favorite]


Do you need physical access to the plane to install SIMON

omg if you press the wrong colour button the plane crashes
posted by Sys Rq at 11:46 AM on April 11, 2013 [9 favorites]


The whole Faraday cage thing is a red herring in this instance. Teso says he only used the app to simplify the presentation. He would still need a good bit more equipment. To use ACARS over VHF from inside the plane, for instance, he would need to be able to transmit a signal with a wavelength of ~1-3 m (~3-9 ft) from inside the passenger compartment to the VHF antenna(e) of the plane. Not really doable with a smartphone, and I'm not sure how much signal would escape through the non-conductive parts of the fuselage.
posted by Monday, stony Monday at 11:50 AM on April 11, 2013 [1 favorite]


I don't think there's any reason I would be sending these signals from inside the aircraft. Here's a 250 watt ADS-B transmitter that I can put on the ground and still reach any aircraft within line of sight within at least 100 miles: https://buy.garmin.com/en-US/US/prod201.html.

I don't think a transponder is going to be the easiest way in to a flight deck's software. Transponder messages are very highly structured and anything that doesn't match the message format is just going to get thrown out. Plus, you'd have to reverse engineer the transponder first - much easier just to write something custom and hook it up to your own antenna. If you're hoping to use it to spoof traffic and cause collisions, you won't affect the aircraft's TCAS at all (which is an active interrogator rather than the TIS information that Mode S supplies) so the flight crew won't get any sort of traffic advisory. In fact, I don't even know if large aircraft use TIS at all - TCAS provides a lot more functionality and can identify aircraft that don't have Mode S installed, and two separate traffic systems will just get confusing.
posted by backseatpilot at 12:14 PM on April 11, 2013 [1 favorite]


backseatpilot: There is a long tradition of vulnerabilities in software that is supposed to parse highly structured and checksummed messages, and my guess is that's exactly what Teso's exploit uses.

And yes, I would just use an SDR that I can control with software rather than an actual transponder. My point was just to show that it's silly to worry about RF-proofing the passenger cabin when I can broadcast the packets containing anything I want, to every aircraft in the Los Angeles basin, from my backyard.
posted by jjwiseman at 1:05 PM on April 11, 2013 [1 favorite]
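
The exchange in the two comments above, about whether discarding frames that fail the format and checksum rules is protection enough, can be worked through on a single frame. This is an added example, not code from any commenter or from gr-air-modes: a receiver-side check of a 112-bit Mode S extended squitter using the public Mode S 24-bit parity generator 0xFFF409. The sample frame is a published tutorial frame rather than anything from this thread, and `check_frame`, `flip_bit`, `with_parity` and `demo` are names chosen here.

```python
"""Receiver-side validation of a Mode S extended squitter (ADS-B) frame."""
from typing import Tuple

MODE_S_POLY = 0xFFF409       # Mode S 24-bit parity generator (leading 1 implied)
FRAME_BYTES = 14             # 112-bit extended squitter
DF_EXTENDED_SQUITTER = 17    # downlink format carried in the top 5 bits

# Sample frame from public Mode S decoding tutorials; it is not from this page.
SAMPLE_FRAME = "8D4840D6202CC371C32CE0576098"


def mode_s_crc24(data: bytes) -> int:
    """Remainder of `data` modulo the Mode S generator (init 0, no final XOR)."""
    crc = 0
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:          # a 1 was shifted out of the 24-bit register
                crc ^= 0x1000000 | MODE_S_POLY
    return crc


def check_frame(hex_frame: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rejection path is explicit and bounded."""
    try:
        raw = bytes.fromhex(hex_frame)
    except (ValueError, TypeError):
        return False, "not hex"
    if len(raw) != FRAME_BYTES:          # never index past what was received
        return False, "wrong length"
    if raw[0] >> 3 != DF_EXTENDED_SQUITTER:
        return False, "unexpected downlink format"
    if mode_s_crc24(raw) != 0:           # parity over the whole frame must be 0
        return False, "parity mismatch"
    return True, "ok"


def flip_bit(hex_frame: str, bit: int) -> str:
    """Model channel noise: invert one bit (0 = most significant) of the frame."""
    raw = bytearray.fromhex(hex_frame)
    raw[bit // 8] ^= 0x80 >> (bit % 8)
    return raw.hex().upper()


def with_parity(payload: bytes) -> str:
    """Append the parity for an 11-byte payload. No key or secret is involved."""
    return (payload + mode_s_crc24(payload).to_bytes(3, "big")).hex().upper()


def demo() -> dict:
    payload = bytearray.fromhex(SAMPLE_FRAME)[:11]
    payload[10] ^= 0x01                  # constructed change to the message field
    return {
        "sample": check_frame(SAMPLE_FRAME),
        "noise": check_frame(flip_bit(SAMPLE_FRAME, 40)),
        "truncated": check_frame(SAMPLE_FRAME[:12]),
        "recomputed": check_frame(with_parity(bytes(payload))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

The "recomputed" case is accepted because the parity is a public function of the payload: it filters corrupted frames but says nothing about who sent them, so a receiver still has to treat every field of an accepted frame as untrusted input.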


I wish I could tell y'all that I attended that talk, but alas, I only attended the ComSec Village part of the conference.
posted by Too-Ticky at 1:54 PM on April 11, 2013


And now, the FAA disagrees:
The FAA: “The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer. The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware. The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain “full control of an aircraft” as the technology consultant has claimed.”
posted by Monday, stony Monday at 2:21 PM on April 11, 2013 [5 favorites]


Imagine your own hand. You think of it as "opaque", but also undoubtedly know that x-rays can penetrate. X-rays are just light/radio waves/microwaves, except at a different frequency. Or imagine putting your hand in front of a powerful spotlight - enough light will come through for you to see the shadows of your own bones. So, frequency and attenuation both have limits.

CAUTION: Hands are also not opaque to bullets.
posted by vidur at 4:37 PM on April 11, 2013 [1 favorite]


I don't know about the ethics of publishing information like this. Is this shouting fire in a crowded airport? Is there even a fire here? Also what is the potential that this inspires some malicious person to now use the ideas in this presentation to do damage?
posted by humanfont at 4:50 PM on April 11, 2013


Once again, an argument between the people who have actual technical knowledge and people who are into FUD.

Who is who is left as an exercise to the reader.
posted by squorch at 5:08 PM on April 11, 2013 [3 favorites]


humanfont, the ethics of vulnerability disclosure is a huge topic of its own. There's an endless struggle to balance "if I've found it, it's likely that malicious people have already found it too", "the public should know that a problem exists (or may exist)", and "if I quietly disclose it to the responsible parties instead of presenting it publicly, they might ignore it" vs. "telling the public about it alerts malicious people to it", among other factors. Check out "full disclosure" and "responsible disclosure" for some discussion.
posted by dreamyshade at 5:13 PM on April 11, 2013


Which is more likely:

1) There is a vulnerability that somehow allows inputs from ADS-B to affect the flight path, AND a guy with deep inside knowledge of how these extremely obscure systems work managed to get ahold of the equipment long enough to demonstrate the exploit, AND he decided to publicize the exploit at some hacker meetup rather than a real conference in the avionics security field


given the type of people who enjoy this sort of reverse engineering, yes that's exactly what they would choose to do. (leaving aside your characterisation of HitB as "some hacker meet up", as if corporate sponsorship is required for people to do interesting work)


That FAA statement is interesting too. On the one hand

does not pose a flight safety concern because it does not work on certified flight hardware

implies that the claimed technique flat out doesn't work, but on the other hand

The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot.

doesn't refute any of the claims, since it's clearly stated up front that the attack can only alter plane steering if the autopilot is enabled, and that the pilots can simply turn off autopilot to regain control, and

Therefore, a hacker cannot obtain “full control of an aircraft” as the technology consultant has claimed

is obviously defining "full control" as "the pilots cannot regain control" rather than "the attacker can provide any input desired to the steering/throttle inputs".

sounds to me like the FAA is hedging its bets in that denial, and taking advantage of an ambiguous claim (exactly what "full control" means) in order to dampen any fears.
posted by russm at 5:22 PM on April 11, 2013 [2 favorites]


The FAA's non-denial denial made me believe the story more. "Doesn't work on certified flight hardware" implies that it does work on some kind of hardware, which is a story in itself.

The problem with HitB is not that it is non-corporate, it's that there is no one in the audience in a position to actually evaluate the claims. Avionics is a huge field with lots of corporate types and also lots of scientists, grad students, government regulators, etc. and they have their own entire ecosystem of conferences and journals. A general computer programmer (like me) isn't really knowledgeable enough to evaluate the claim that a remote exploit could control an entire aircraft.
posted by miyabo at 8:08 PM on April 11, 2013


If anybody's interested in what the professionals are saying you can check out this thread on PPrune (professional pilots rumor network).

Spoiler: ACARS and ADS are vulnerable to spoofing with an external radio - they are not secure - we know this. But these systems are usually not directly connected to the Flight Management System. The presentation (which to me looks like a lot of self promoting BS) claims to use data sent on ACARS to gain control of the FMS claiming to have found unspecified exploits on an FMS bought on ebay. I don't think anybody really understands how that could happen but most are unwilling to dismiss it out of hand.

It's not possible to prevent the pilots from controlling the aircraft as long as they realize that something is not right. Remember that most of what modern pilots do is monitor the aircraft's systems looking for exactly that.
posted by Long Way To Go at 10:57 PM on April 11, 2013 [2 favorites]


The FAA's non-denial denial made me believe the story more. "Doesn't work on certified flight hardware" implies that it does work on some kind of hardware, which is a story in itself.

I think all they're saying here is that this hack isn't going to affect anything that actually can conceivably make its way onto an airplane. The point they're trying to make is that they believe there are enough differences between what he performed his exploit on (emulated software?) and what is certified to go on an airplane that it's not a safety concern.

Honestly, I would be very, very surprised if FAA responded to this by saying "pay no attention to the man behind the curtain". In my experience, it's one of the better-run government agencies and the certification and safety people they employ know their business and do a good job at it.

Also incidentally, for reasons I cannot fathom, they're always referred to as "FAA" (without a "the") on every official document I've ever seen. "The NTSB", "The TSA", but just "FAA".
posted by backseatpilot at 4:57 AM on April 12, 2013 [1 favorite]


I think the FAA also understands that there is also a lot at stake if increased hacker interest is directed towards these systems. It doesn't matter how certified equipment is, unless it's powered off, encased in concrete, and buried 20 miles under the ground, people can find a way to exploit it in new unfathomable ways if given enough interest. (we wouldn't have 73k new variants of malware on Windows every day if that wasn't the case) And once those exploits are published, it then becomes a HUGE undertaking to patch the vulnerabilities and protect the industry.

Case in point on a smaller scale would be the string of hotel break-ins after an easy exploit was discovered on Onity locks. True, Onity is a small company not regulated by the government, but they know that recalling the millions of locks they have sold would sink their business (they're non flash-able so would need new hardware). They instead have offered their hotel customers plastic covers for the data ports (which are infeasible to keep doors updated efficiently). They have also stated that their commercial locks are "not vulnerable" to the attack. Being that the designs are similar, my gut tells me all it'll take is someone who understands the hotel exploit to develop a commercial lock exploit and make it public domain to make the company acknowledge it as a problem on ALL their products.

That's a troubling thought to me, as within my profession in the computer industry, I know that anything you can communicate with indirectly is not secure, as well as anything that is "connected" from that point forward.
posted by samsara at 5:46 AM on April 12, 2013


as within my profession in the computer industry, I know that anything you can communicate with indirectly is not secure,


The "computer industry" that you and everyone else sees is entirely different than the industry that makes life-critical systems. I'm seriously baffled by how you can argue that because some hotel door locks are insecure, therefore the computers on an airliner probably are too.

non-denial denial
does not pose a flight safety concern because it does not work on certified flight hardware
How is that not a straight up denial that the alleged exploit works?

"Doesn't work on certified flight hardware" implies that it does work on some kind of hardware, which is a story in itself.
"But as Teso readily admits, the version he used of our flight management system is a publicly available PC simulation, and that doesn’t have the same protections against overwriting or corrupting as our certified flight software."
"Certified" is not some BS term. The software that this was tested against is not certified for flight exactly because it doesn't have the protections that would prevent this attack.
posted by kiltedtaco at 6:29 AM on April 12, 2013 [2 favorites]


miyabo: The FAA's non-denial denial made me believe the story more. "Doesn't work on certified flight hardware" implies that it does work on some kind of hardware, which is a story in itself.
And that story is the link in the FPP. The hardware it does work on was part of the demonstration itself. But it's not on a plane. Anywhere.
miyabo: The FAA's non-denial denial
... is a point-by-point denial of the claims. Do you need to see the FAA's birth certificate or something?
posted by IAmBroom at 11:49 AM on April 12, 2013


Maybe the media should've Asked The Pilot before running with this story...
posted by Strange Interlude at 1:03 PM on April 12, 2013 [1 favorite]


The "computer industry" that you and everyone else sees is entirely different than the industry that makes life-critical systems. I'm seriously baffled by how you can argue that because some hotel door locks are insecure, therefore the computers on an airliner probably are too.

Well ok...you see the locks were just an example. My point was in the very first sentence of my comment. (aka if there's a will, there's a way)

Now with that said....I agree with you that these systems are not in immediate danger, and likely are far more secure than the systems we rely on in order for businesses or even the internet to work. But it's asking for trouble by saying a system that is remotely accessible is impervious to exploit, because it brings it out of the realm of "security through obscurity" and into the interests of those who are knowledgeable and want to cause harm or find flaws...no matter how certified and well thought a system is. If we humans were able to secure our digital assets 100%, we wouldn't need virus scanners and critical firmware updates....we wouldn't need to get our RSA keys replaced due to data leaks from the company that provided them in the first place.

Basically, if it is currently possible to interface with FMSes with current "secure" ACARS, then it is possible for ANYONE that figures out the magic formula of sequences to do the same. It might be sophisticated...it might be obscure...but it's not 100% secure.
posted by samsara at 2:58 PM on April 12, 2013

