
Slashdot: News for Nerds


Hijacking Airplanes With an Android Phone

Soulskill posted about a year ago | from the for-god's-sake-don't-tell-the-TSA dept.

Transportation 131

An anonymous reader writes "Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies. However, the talk that security researcher and commercial airplane pilot Hugo Teso delivered today at the Hack in the Box conference in Amsterdam has brought it into the realm of reality and has given us one more thing to worry about and fear (presentation slides PDF). One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast (ADS-B), which sends information about each aircraft (identification, current position, altitude, and so on) through an on-board transmitter to air traffic controllers, and allows aircrafts equipped with the technology to receive flight, traffic and weather information about other aircrafts currently in the air in their vicinity. The other one is the Aircraft Communications Addressing and Reporting System (ACARS), which is used to exchange messages between aircrafts and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter. Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the 'behavior' of the plane."
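ADS-B position reports carry no authentication, so a ground network can only trust a claimed position if it agrees with where the radio signal physically came from. The following is an added example, not part of the original post or of Teso's talk: a time-difference-of-arrival (multilateration-style) consistency check. The receiver names, coordinates, tolerance and sample reports are all constructed for illustration, and the receivers are assumed to have synchronized clocks.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed ground receiver sites, local east/north/up coordinates in metres.
RECEIVERS = {
    "rx_a": (0.0, 0.0, 10.0),
    "rx_b": (40_000.0, 0.0, 25.0),
    "rx_c": (0.0, 40_000.0, 15.0),
    "rx_d": (35_000.0, 38_000.0, 30.0),
}


def simulate_arrivals(true_pos, t_tx=0.0, receivers=RECEIVERS):
    """Build constructed test data: arrival time of one frame at each receiver
    when it is really transmitted from true_pos at time t_tx."""
    return {name: t_tx + math.dist(true_pos, pos) / C
            for name, pos in receivers.items()}


def tdoa_residuals(claimed_pos, arrivals, receivers=RECEIVERS):
    """For each receiver pair (reference, other), return the measured range
    difference minus the range difference implied by the claimed position,
    in metres. The unknown transmit time cancels out of every difference."""
    names = sorted(arrivals)
    ref = names[0]
    residuals = {}
    for name in names[1:]:
        measured = (arrivals[name] - arrivals[ref]) * C
        expected = (math.dist(claimed_pos, receivers[name])
                    - math.dist(claimed_pos, receivers[ref]))
        residuals[(ref, name)] = measured - expected
    return residuals


def check_report(claimed_pos, arrivals, tolerance_m=300.0, receivers=RECEIVERS):
    """Classify one position report.

    'insufficient' : fewer than three receivers heard the frame
    'consistent'   : every residual is within tolerance_m (300 m is about
                     1 microsecond of timing error; an assumed value)
    'mismatch'     : the signal did not come from the claimed position
    """
    if len(arrivals) < 3:
        return "insufficient"
    residuals = tdoa_residuals(claimed_pos, arrivals, receivers)
    worst = max(abs(r) for r in residuals.values())
    return "consistent" if worst <= tolerance_m else "mismatch"


# Constructed sample reports, both claiming the same airborne position.
CLAIMED = (20_000.0, 15_000.0, 10_000.0)
# Frame really sent from the claimed position.
GENUINE = simulate_arrivals(CLAIMED, t_tx=12.5)
# Frame sent from a transmitter on the ground about 20 km away.
GROUND_TX = simulate_arrivals((5_000.0, 5_000.0, 0.0), t_tx=12.5)

if __name__ == "__main__":
    for label, arrivals in (("genuine", GENUINE), ("ground transmitter", GROUND_TX)):
        verdict = check_report(CLAIMED, arrivals)
        worst = max(abs(r) for r in tdoa_residuals(CLAIMED, arrivals).values())
        print(f"{label:20s} {verdict:12s} worst residual {worst:10.1f} m")
```

The check ties a claim to the signal's origin only; a transmitter that really is at the position it reports passes it, so it complements rather than replaces authentication.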


131 comments

It has? (1)

tocsy (2489832) | about a year ago | (#43416139)

"Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies."

I... don't think I've ever seen a movie where that happens (planes getting hijacked that way). Maybe I just don't see enough movies.

Re:It has? (4, Informative)

localman57 (1340533) | about a year ago | (#43416191)

... don't think I've ever seen a movie where that happens (planes getting hijacked that way).

Die Hard 2. Except it was a room full of computer shit in a nearby church, rather than a smart phone. But, you know, technological progress and all that.

Re:It has? (1)

lesincompetent (2836253) | about a year ago | (#43416235)

aaaaand they were screwing with the airport's ILS, not with the plane itself.

Re:It has? (4, Informative)

localman57 (1340533) | about a year ago | (#43416345)

They were executing a man in the middle attack against aircraft and their ground based navigation infrastructure. Same thing here, just different technology. Don't be so pedantic.

Re:It has? (1)

lesincompetent (2836253) | about a year ago | (#43416459)

It's the ground-based signal that got changed: the aircraft simply followed it to its doom. Yes I know I am pedantic.

Re:It has? (2)

pixelpusher220 (529617) | about a year ago | (#43416489)

You totally missed it!

has given us one more thing to worry about and fear (presentation slides

I'm already afraid of presentation slides, but apparently that fear is now renewed!

Re:It has? (3, Insightful)

Obfuscant (592200) | about a year ago | (#43416495)

They were executing a man in the middle attack against aircraft and their ground based navigation infrastructure.

A MITM attack requires intercepting the original message and replacing it with a modified version. That's not what was happening in DH2. In DH2 they were allegedly modifying the original message itself, in a way that is ridiculously impossible.

A MITM would have the black hats intercepting the ILS radio signals and modifying them. There would be no need to do that, since all you need is the ability to transmit your own ILS signal. That would have required the physical presence of a transmitter several hundred feet prior to the threshold in order to put the TDZE below ground. You cannot do that by simply changing the signals transmitted by the FAA ILS system itself.

Re:It has? (4, Informative)

davros74 (194914) | about a year ago | (#43417963)

While DH2 is a good movie, the whole concept behind the ILS manipulation is horse manure. ILS isn't a digitally encoded system with GPS coordinates or something, it's a localizer beam with elevation and azimuth. The plane picks up the radio waves and "rides the beam" down. The only way to move the landing point is to go physically move the transmitter. And in the case of DH2, bury the transmitter 100' below ground or something. (And expect the pilots and flight computer to ignore the ground altimeter, which is pretty hard to mess with remotely).

Re:It has? (1)

Obfuscant (592200) | about a year ago | (#43418049)

And in the case of DH2, bury the transmitter 100' below ground or something.

Easier to put it 1000' prior to the TDZ. That would put the TDZE below ground. And the point about ignoring the radar/pressure altimeter is also valid, as is one that they'd have to ignore the ILS FAF altitude (final approach fix, a 3-d point in space defined by glideslope, localizer and one other lateral fix) which has a published altitude and is part of the final approach checklist. And they'd have to ignore the DH, which is the altitude (radar or pressure) at which they must either have the runway/environment in sight or cannot descend further.

Re:It has? (1)

localman57 (1340533) | about a year ago | (#43418193)

A MITM attack requires intercepting the original message and replacing it with a modified version. That's not what was happening in DH2. In DH2 they were allegedly modifying the original message itself, in a way that is ridiculously impossible.

The MITM attack I was thinking of was when they took over voice control...

Re:It has? (5, Informative)

Obfuscant (592200) | about a year ago | (#43416383)

Aaaaand they were moving the touchdown zone elevation below ground, which is not a function of the signals being transmitted but of the physical location of the transmitting antennas. In fact, the entire ILS system is based on the physical properties of the antennas (bolted in place).

Now, I suppose you could put the high beam audio onto the low beam and vice versa IF the transmitters were computer controlled (and they almost certainly aren't.). All that would do is create confusion as the pilot intercepted the glideslope and noticed that he was flying into the glideslope from below yet the instrument said he was intercepting it from above. I don't think that would flag the display, but it certainly would have the pilot ignoring the ILS at least, and going around as a precaution.

But move the TDZE down? Impossible.

Re:It has? (1)

lesincompetent (2836253) | about a year ago | (#43416467)

Mod parent up! Thanks for the crystal clear explanation!

Re:It has? (1)

DoubleJ1024 (1287512) | about a year ago | (#43416887)

my kingdom for my expired mod points. (they expired less than one hour ago)

Re:It has? (4, Funny)

RabidReindeer (2625839) | about a year ago | (#43418325)

Aaaaand they were moving the touchdown zone elevation below ground, which is not a function of the signals being transmitted but of the physical location of the transmitting antennas. In fact, the entire ILS system is based on the physical properties of the antennas (bolted in place).

Now, I suppose you could put the high beam audio onto the low beam and vice versa IF the transmitters were computer controlled (and they almost certainly aren't.). All that would do is create confusion as the pilot intercepted the glideslope and noticed that he was flying into the glideslope from below yet the instrument said he was intercepting it from above. I don't think that would flag the display, but it certainly would have the pilot ignoring the ILS at least, and going around as a precaution.

But move the TDZE down? Impossible.

Hey! You are talking about a movie where they faxed fingerprints (100dpi) and got clear identification. Obviously they know more about science than YOU do!

Re:It has? (1)

morcego (260031) | about a year ago | (#43416265)

... don't think I've ever seen a movie where that happens (planes getting hijacked that way).

Die Hard 2. Except it was a room full of computer shit in a nearby church, rather than a smart phone. But, you know, technological progress and all that.

That, and they used hardwire (cable) to connect directly to the airport network.

Re:It has? (2)

localman57 (1340533) | about a year ago | (#43416311)

That, and they used hardwire (cable) to connect directly to the airport network.

Well, That puts them one up on the guy in this article. He didn't connect to any hardware or network. Just some simulators.

From TFA:

When talking about the range, please keep in mind that we are talking about a proof-of-concept application used in a virtual environment. In real life, the range would be limited depending on the antennas used (if going directly for the plane), or global (if misusing one of the two big ACARS players such as SITA or ARINC).

Re:It has? (4, Informative)

Cosgrach (1737088) | about a year ago | (#43416831)

Except that as a pilot, I can tell you that everything that they did in that movie was so fucking far out of the realm of possibility as to be a joke. ILS is a fixed installation and must be physically moved to affect the glide slope. And blowing up the transmitter? Really?!? What about all the other aircraft sitting on the ramp - each one with its own shiny transmitter? What about those?

Re:It has? (0)

wonkey_monkey (2592601) | about a year ago | (#43416929)

You must've hated Airplane.

Re:It has? (2, Funny)

Anonymous Coward | about a year ago | (#43417357)

He's an inflatable autopilot, you insensitive clod!

Re:It has? (1)

martinX (672498) | about a year ago | (#43417361)

Airplane? That movie was a joke, too.

Re:It has? (1)

Cosgrach (1737088) | about a year ago | (#43417589)

Actually, I liked Airplane - it was meant to be a comedy and did not even try to portray real life possibilities.

But when asked to suspend disbelief in a situation and then get so many things wrong on so many levels - it really fucks up a story.

Re:It has? (1)

wonkey_monkey (2592601) | about a year ago | (#43420255)

Die Hard 2 wasn't exactly meant to make you think "what if...?". Films that strictly depict real life possibilities tend to be either very worthy or very very dull (and sometimes both).

Re:It has? (1)

delt0r (999393) | about a year ago | (#43421063)

News flash. The Die Hard series is supposed to be an action comedy. Not a documentary. And really what movie doesn't get so many things wrong on so many levels? It's probably the very few good docos...Since so many documentaries are equally bad.

Re:It has? (1)

Obfuscant (592200) | about a year ago | (#43417995)

ILS is a fixed installation and must be physically moved to affect the glide slope.

Actually, I think you can change the angle (slope) of the glideslope by changing the modulation levels of the tones on the two radio beams, and theoretically there could be an obstruction that would intrude in the flight path if you lowered it a degree. I don't know the TERPS (approach designer) criteria for protected zones.

However, this would screw the glideslope intercept altitude shown on the approach and the pilot would know something is wrong if he's paying attention, and this is one of the points of the approach he's supposed to pay attention to. At least I was taught to verify that I was intercepting at the right altitude (or passing through that altitude at the marker/locator if I intercepted higher.)

Changing slope, maybe, but changing the intercept -- no. That's fixed at a point just past the antennas. Not at the antennas, since they are above ground and non-zero distance apart, but at a point following the glideslope angle behind them.

Re:It has? (1)

hughk (248126) | about a year ago | (#43420341)

Yes, the antennas are fixed but the ILS can be tweaked and often had to be (worked a long time ago at a place that built ILS equipment). They are supposed to be self maintaining using ground mounted calibration antennas but every so often an aircraft has to check the slope out by probing the ILS envelope (flying deliberately off the glide path) under VFR conditions. However, on top of the glide slope, there are radar altimeters (on the plane) and marker beacons (on the ground).

Re:It has? (1)

Big Hairy Ian (1155547) | about a year ago | (#43420481)

Oh surely this is "Nerds on a Plane!!!" :)

Re:It has? (0)

Anonymous Coward | about a year ago | (#43416209)

This movie [imdb.com]

Re:It has? (0)

Anonymous Coward | about a year ago | (#43416215)

Yeah, that is not as cool as a massive zero-g gunfight as the plane dives dramatically.

Re:It has? (0)

Anonymous Coward | about a year ago | (#43416331)

It's approximately the plot to Battlestar Galactica

Re:It has? (0)

Anonymous Coward | about a year ago | (#43416869)

"Until today, hacking and hijacking planes by pressing a few buttons on an Android mobile app has been the stuff of over-the-top blockbuster movies."

I... don't think I've ever seen a movie where that happens (planes getting hijacked that way). Maybe I just don't see enough movies.

The Lone Gunman Pilot episode comes to mind for me.

An Apple marketing ploy? (1, Interesting)

Master Moose (1243274) | about a year ago | (#43416177)

Could Apple now be trying to make people scared to purchase Android devices should they be targeted by the TSA as potential terrorists? :)

Re:An Apple marketing ploy? (2)

cjpa (796302) | about a year ago | (#43416197)

yes

Re:An Apple marketing ploy? (1)

Anonymous Coward | about a year ago | (#43416705)

Both of you. Get a fucking life.

Re:An Apple marketing ploy? (5, Interesting)

Anonymous Coward | about a year ago | (#43417569)

NO. I saw the guy talk at Black Hat last year, and he's full of shit. "OMG!!! I can tell that there's an airplane in the air!!! That must be bad!!! But I don't have any explanation why it's bad..." He even prefaced his talk with "I'm nowhere near an expert in aviation or how planes work, so it's possible that there's stuff going on here that I don't know."

He's a kid crying wolf when he sees sheep, because a wolf might attack the sheep, but he doesn't even try to find the sheepdog, or the shepherd carrying a rifle, or the fence around the sheep, or...

Oh shit, Obama's in trouble! (2)

Iniamyen (2440798) | about a year ago | (#43416239)

Would aircraft hijacked by phones be considered drones?!

Re:Oh shit, Obama's in trouble! (0)

Anonymous Coward | about a year ago | (#43416373)

This should breathe new life into the 9/11 conspiracy theories.

Secure it..... (3, Insightful)

Murdoch5 (1563847) | about a year ago | (#43416241)

You designed a broken system that remained hidden, now that it's out fix it!

Re:Secure it..... (2)

gandhi_2 (1108023) | about a year ago | (#43416387)

...or at least jail those who figured it out!

Re:Secure it..... (1)

CodeReign (2426810) | about a year ago | (#43416407)

Sadly this will be the solution. Make it so unthinkable to try and find vulnerabilities that nobody does it. Except those who are willing to use them maliciously and willing to pay the price for their noncompliance.

Not true (1)

s.petry (762400) | about a year ago | (#43416391)

It was not designed broken, that was management mandated changes later on in order to garner bonuses by saving money on the project. I'm sure you know the term transponder, and even if you don't you can look it up. All communications between planes and ATC are supposed to go through the transponder. No code, no data.

So the question should be: Is the manager that got the nice fat bonus check going to return the money and go to jail? But of course we'd never want to punish an exec for doing something wrong, so I realize that my question is not just rhetorical but silly.

nope (5, Informative)

hypergreatthing (254983) | about a year ago | (#43416245)

Sorry, but to have an Android device that can transmit and receive ACARS is close to impossible. Might as well take Android out of the equation. I guess it could be possible to take a software radio and any mobile platform (Windows, Ubuntu tablet, Raspberry Pi, Android, iOS) and make it capable of receiving and sending out altered ACARS messages since I'm fairly sure the system has no encryption built in, but I dunno. Hijacking seems to be a stretch.

Re:nope (1)

X0563511 (793323) | about a year ago | (#43416435)

No kidding. Newsflash: radios can transmit radio waves.

Re:nope (1)

Anonymous Coward | about a year ago | (#43417071)

There are plenty of implementations that use radio waves that aren't susceptible to attacks. The newsflash here is that essential FAA systems have no encryption or security built in. Android was likely part of the story solely to convince people to click through.

Re:nope (2)

jcdr (178250) | about a year ago | (#43416721)

Sorry, but to have an Android device that can transmit and receive ACARS is close to impossible.

I would not bet on that!

The latest superphones embed so many high-speed subsystems (2,3,4G/WiFi a,b,n,g/BT/FM/AM/NFC/RFID/PAL/NTSC/HDMI/USB2,3/Audio/ and certainly a few more at each generation) that they are probably capable of processing some signals at virtually any frequency if some highly skilled hackers are motivated to do it.

Analog filters never cut abruptly; DSP can be reprogrammed to abuse the surrounding components. Any interface can leak some creative signals. Take a look at this for example: http://bellard.org/dvbt/ [bellard.org]

Re:nope (1)

hughk (248126) | about a year ago | (#43420391)

Nope.

A good demonstration of this was the issue about Nexus 4s being able by accident, to transmit a little bit on LTE (only one frequency) and only because the LTE frequencies were enabled by accident in the software. Unless there are antennas designed, the signal would be weak as hell even if you can get it out of the phone. Then you have to get the signal out of the fuselage which is normally working, more or less, as a Faraday cage to an antenna pointing at the ground or a satellite. The vulnerability that worries aircraft manufacturers (about mobile phone use) is the fact that ageing RF cabling and connectors may have faulty shielding.

Re:nope (2)

jcdr (178250) | about a year ago | (#43420737)

Nope? How can you be so certain? I have spent long days in an electromagnetic testing room, and I can say that you will be surprised by what can happen with complex and highly programmable electronics!

Your "demonstration" proves that a software modification can open up the frequency range. This is not a surprise as most RF subsystems use DSP and only a minimum of analog components. Your example is just about a bug; think of what can happen if the DSPs are fully reprogrammed... Yes, the signal can be weak, but it could be enough to deal with the very sensitive antenna of some receiver on the aircraft. Placing some metal part in a clever way can greatly increase the gain. A smartphone-sized antenna will almost not see the fuselage if you put it close to a window. In addition, a lot of wires in an aircraft are not shielded to reduce weight, making a path up to more sensitive material.

If you have read the publication that is the subject of this article, you will see that aircraft manufacturers have actually not worried at all about vulnerability. There is simply no protection at all in many protocols. Finally, the current testing practice of devices against electromagnetic field susceptibility is only done using a high-energy sine wave slowly changing its frequency. An RF subsystem can communicate with far, far lower energy than the tested limits if modulated in a proper way. Don't mix security and vulnerability!

Re:nope (1)

Anonymous Coward | about a year ago | (#43416985)

I have it on good authority that SDR solutions are already present in some cellphone chipsets (although optimized for the frequencies usually required by cellphones of course which will hopefully stop the "hack an aircraft" apps that do not require additional hardware connected to the phone...) Most likely these SDR devices will not be able to physically transmit at the frequencies required as cellphones require fairly high frequencies compared to the frequencies in use by ACARS for example.

(However, the frequencies are fairly close to normal FM radio frequencies, and some phones have low power FM radio transmitters, although most likely these chips are not SDR based at the moment and probably not usable as different modulations are required and so on...)

Re:nope (1)

AmiMoJo (196126) | about a year ago | (#43421023)

If you wanted to hijack the aircraft, i.e. make it go to a destination of your choice rather than its intended one, spoofing GPS might be a better bet. It worked for Iran, at least.

With ACARS you might be able to socially engineer the flight crew to divert from their planned course perhaps.

Shiver... (-1)

Anonymous Coward | about a year ago | (#43416247)

The plural of aircraft is aircraft. If you wish to discuss something that one or more aircraft possess(es), then aircraft's is what you need. Aircrafts is never correct.

Massively insecure (0)

Anonymous Coward | about a year ago | (#43416283)

as well as massively stupid. Broadcast position, speed, mass, size, fine. Also broadcast identity? Not such a great idea. It's useful, of course, but not necessary for the purpose of working out where not to go so as to avoid flying into occupied airspace. And for that reason, it shouldn't require it.

Even better, though, is not to rely on systems shouting "I'm here!" and instead fit short-range radars to simply look where you're going instead. That helps against flying into mountains too, which is useful since those generally aren't fitted with transponders to tell you where not to fly.

Re:Massively insecure (1)

0123456 (636235) | about a year ago | (#43416617)

How are you going to tell who's sending the message without sending the aircraft ID?

Re:Massively insecure (0)

Anonymous Coward | about a year ago | (#43420067)

Since you can't tell now (easily spoofable), it doesn't matter a whit. Thus: Better look for yourself (radar, lidar, sonar, whatevar) than to rely on a device broadcasting "I'm here! Honest! Don't tread on me! I'm here!"

Need to hijack a plane??? (4, Funny)

It doesn't come easy (695416) | about a year ago | (#43416291)

There's an app for that!

Finally a good reason for phone ban (0)

Anonymous Coward | about a year ago | (#43416301)

This is the first good reason I have heard of for banning the use of electronics on airplanes.

Too bad it still lets a terrorist organization take a small plane up and get close enough to take control of a jetliner.

I call BS (2)

Beer_Smurf (700116) | about a year ago | (#43416305)

I am going to call BS on this one.
These are indication systems.
Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

Remote control 101 Re:I call BS (1)

fleebait (1432569) | about a year ago | (#43416411)

I am going to call BS on this one.
These are indication systems.
Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

Remote control is not a direct connect. It follows communications paths, and the information and control path apparently connects through the internet, both through the display and control path.

No one needs direct connection within the airplane -- all ya need to do is control it through the internet, at any receiver path, and any transmitting path. with additional directional antenna paths.

Can't do it from onboard, has to be from a remote site, and will involve additional receiver and transmit packages, not included on the android phone. (don't even have to be near the android used for control).

Re:Remote control 101 Re:I call BS (1)

scheme (19778) | about a year ago | (#43417239)

I am going to call BS on this one. These are indication systems. Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

Remote control is not a direct connect. It follows communications paths, and the information and control path apparently connects through the internet, both through the display and control path.

No one needs direct connection within the airplane -- all ya need to do is control it through the internet, at any receiver path, and any transmitting path. with additional directional antenna paths.

Can't do it from onboard, has to be from a remote site, and will involve additional receiver and transmit packages, not included on the android phone. (don't even have to be near the android used for control).

Are you in sales or marketing by any chance? Because this is the sort of keyboard heavy information free verbiage that typically comes from them.

Re:I call BS (1)

Krojack (575051) | about a year ago | (#43416439)

From my understanding, you could be on a plane and start sending signals that another plane is heading right for you. This would in return cause all sorts of alarms to go off and maybe cause the pilots to freak out and take extreme measures.

Re:I call BS (1)

T-Bucket (823202) | about a year ago | (#43416497)

No, you're thinking of the TCAS system. That isn't in any way attached to the ACARS or ADS-B systems.

Plus, the pilots are used to seeing "normal" ACARS messages every day, if something odd came across, they'd notice something was up IMMEDIATELY.

Re:I call BS (3, Insightful)

msmart13 (1187753) | about a year ago | (#43416567)

Incorrect. ADS-B has two components, FIS-B for weather and TIS-B for traffic. If you spoof airplanes via ADS-B you can trigger the exact same kinds of collision avoidance alerts and pilot reactions as a spoofed TCAS. http://en.wikipedia.org/wiki/Automatic_dependent_surveillance-broadcast#Traffic_information_services-broadcast_.28TIS-B.29 [wikipedia.org]

Re:I call BS (1)

hughk (248126) | about a year ago | (#43420441)

Except that TIS-B is not wired into TCAS at the moment. In fact, I have not heard of any use of ADS-B for air to air, just air to ground. Separations are controlled via time slots outside controlled air space and inside controlled airspace, by ground controller using good old fashioned PPI displays. Yes, those displays are "enhanced" by information from ADS-B but many smaller or older aircraft don't have it.

Re:I call BS (1)

Obfuscant (592200) | about a year ago | (#43416531)

This would in return cause all sorts of alarms to go off and maybe cause the pilots to freak out and take extreme measures.

Thanks for the FUD. Pilots who fly aircraft with these systems have training to know how to deal with collision avoidance alerts and they don't "freak out" every time one happens, and the measures are rarely extreme.

Re:I call BS (1)

sabri (584428) | about a year ago | (#43420043)

Thanks for the FUD. Pilots who fly aircraft with these systems have training to know how to deal with collision avoidance alerts and they don't "freak out" every time one happens, and the measures are rarely extreme.

Actually, it is not FUD. Since the crash over southern Germany, it has been made very clear in ICAO rules that pilots are to follow their TCAS advisories. See this article [wikipedia.org] .

Re:I call BS (0)

Anonymous Coward | about a year ago | (#43416463)

I looked at the slides (I know, it's against the Slashdot code). I really couldn't find any facts there about any actual exploits. Just lots of LOLCAT style graphics and naming of well known protocols. Oh, and lots of SDR rambling that's entirely unrelated. I'd give this student a low but passing grade for the effort.

Re:I call BS (4, Informative)

Hentes (2461350) | about a year ago | (#43416517)

It does affect the behaviour of the pilot. If it's on autopilot, the change in behaviour may even be simulated and precisely planned beforehand. Still, it's not as effective as hacking the fly-by-wire controls, I wonder if that's possible from onboard.

Re:I call BS (1)

ThunderBird89 (1293256) | about a year ago | (#43416847)

Think mucking with the tempomat's speed sensor while simultaneously turning the speedometer needle back with your pliers. The car does indeed go faster.

Re:I call BS (1)

tamyrlin (51) | about a year ago | (#43416907)

The problem seems to be (if I understand the article correctly) that for example the FMS can be hacked (presumably by buffer overflows or similar exploits) and then used to take over other functionality.

This seems similar to how a malformed RDS packet sent via FM radio can disable the brakes on a certain car: http://www.autosec.org/pubs/cars-usenixsec2011.pdf (among other things).

Exactly how similar these attacks are is difficult to ascertain as the presentation leaves a lot to be guessed, although the net-security report on his talk gives some more details.

I call false analogy. (2)

SuperBanana (662181) | about a year ago | (#43417021)

I am going to call BS on this one. These are indication systems. Think of smashing your speedometer and turning the needle with pliers and expecting the car to go faster.

The article is bullshit because they claim "with an Android phone" when they mean "with a bunch of custom hardware that happens to be driven by a UI running on an Android phone"...but if they're able to present false information, your analogy is not correct.

If someone is able to spoof a transponder signal enough to be believed by collision warning systems, then absolutely, they're going to affect the plane - all it would take would be simulating a plane coming at the target in question, and the pilots on board will take evasive action. That's absolutely a form of "control".

Well I'm sold! (1)

mcmonkey (96054) | about a year ago | (#43416327)

Let's get those driverless cars on the road! In fact, let's outlaw people driving their own cars in traffic, because the software will be so much better than a human driver. Because the developers working on driverless cars are so much smarter than the fools working on those silly airplanes.

(BTW, the above is sarcasm. There is no reason to think the developers working on cars are any better than the developers working on any other system, and no reason to think driverless cars will be any more secure or bug-free than any other software, including the system in this article.)

Re:Well I'm sold! (0)

Anonymous Coward | about a year ago | (#43416551)

Your a dumbass.

Re:Well I'm sold! (1)

Anonymous Coward | about a year ago | (#43420135)

Your a dumbass.

You're the dumbass.

Re:Well I'm sold! (0)

Anonymous Coward | about a year ago | (#43416745)

The rate of plane crashes has decreased as we have used more information technology in air transit. But you use this one claim of a potential attack to justify your predisposed belief system.

Re:Well I'm sold! (1)

PRMan (959735) | about a year ago | (#43416775)

400,000 real-world miles repeated hundreds of times regression-tested against their software. Trust me, Google isn't leaving this one to chance. It's already orders of magnitude better than a human being. https://www.youtube.com/watch?v=7Yd9Ij0INX0 [youtube.com]

Re:Well I'm sold! (1)

jittles (1613415) | about a year ago | (#43416937)

400,000 real-world miles repeated hundreds of times regression-tested against their software. Trust me, Google isn't leaving this one to chance. It's already orders of magnitude better than a human being. https://www.youtube.com/watch?v=7Yd9Ij0INX0 [youtube.com]

Until you have hundreds of thousands of these cars on the road, you're just talking statistical anomalies. I've probably driven close to 400,000 miles myself without ever getting into an accident (maybe even more). I also know a professional driver who has millions of miles and has never been in an accident.

Re:Well I'm sold! (1)

YrWrstNtmr (564987) | about a year ago | (#43417733)

I've probably driven close to 400,000 miles myself without ever getting into an accident (maybe even more).

Hell....I had 207,000 miles on one vehicle with only one minor parking lot bump.
The reason it didn't get to 208,000 miles and on to 300k was because of an idiot texting/phoning teenager. She destroyed it running a red light.

Re:Well I'm sold! (1)

fast turtle (1118037) | about a year ago | (#43417897)

400,000 miles? That's nothing. As a retired commercial driver, I averaged 120,000 miles a year and that's just a single truck. With all the commercial rigs (18 wheelers) on the road with a combined avg miles in excess of 1 billion a year, with less than 1 accident per 250,000 miles avg (google for current stats), that simply doesn't impress me.

Now if you were talking 100,000 cars averaging 400,000 miles a year w/o accident, then I'd be willing to listen but when you mix in idiots like Joe and Tina Sixpack who are either drinking, fixing their god damn hair, reading a fucking book, talking on the cell phone and a whole rash of other stupid activities, you ain't going to match the accident rate that commercial drivers have until you take Joe & Tina Sixpack's licenses away.

Re:Well I'm sold! (1)

jittles (1613415) | about a year ago | (#43418079)

400,000 miles? That's nothing. As a retired commercial driver, I averaged 120,000 miles a year and that's just a single truck. With all the commercial rigs (18 wheelers) on the road with a combined avg miles in excess of 1 billion a year, with less than 1 accident per 250,000 miles avg (google for current stats), that simply doesn't impress me.

Now if you were talking 100,000 cars averaging 400,000 miles a year w/o accident, then I'd be willing to listen but when you mix in idiots like Joe and Tina Sixpack who are either drinking, fixing their god damn hair, reading a fucking book, talking on the cell phone and a whole rash of other stupid activities, you ain't going to match the accident rate that commercial drivers have until you take Joe & Tina Sixpack's licenses away.

That's exactly my point. He's pointing out a handful of Google operated automated cars. I'm Joe Sixpack, more or less, and I have gone 400k or more in my lifetime. My point is that commercial drivers do amazingly well and that his example just isn't statistically relevant.

Re:Well I'm sold! (1)

Anonymous Coward | about a year ago | (#43417795)

400,000 real-world miles repeated hundreds of times regression-tested against their software. Trust me, Google isn't leaving this one to chance. It's already orders of magnitude better than a human being.

https://www.youtube.com/watch?v=7Yd9Ij0INX0 [youtube.com]

Have you ever seen one of these on the road? It drives like a fucking maniac! Seriously, it tailgates and it will change lanes into a gap that no considerate driver would attempt. Basically, drives like your average coked up executive late for a golf meeting.

Re:Well I'm sold! (1, Insightful)

AK Marc (707885) | about a year ago | (#43417059)

Humans are about the worst possible software to be in control of a car. If the bar is "better than the average human" we passed that 10 years ago. But the bar is "better than the best human under all possible (not just likely, possible) circumstances" which we are close to, but can't even test, so we aren't sure how close we are. Humans are very susceptible to hacks as well. People pulled over by fake cops, then robbed and killed. People who kill themselves trying to avoid wildlife. Missing or misunderstanding traffic signals. It'd be hard to build functional software as bad at driving as humans are.

This is even worse than car security (2)

tamyrlin (51) | about a year ago | (#43416491)

It seems that the aircraft industry is about as security conscious as the car industry. The following page at http://lwn.net/Articles/518923/ discusses how researchers were able to take almost complete control, including the brakes, but excluding the steering IIRC by for example the following attack vectors: Malware infested CD inserted into car stereo, malformed RDS package sent via FM radio, some sort of Bluetooth hacking, etc. (Also the OBD-II port of course, although that is cheating....)

At the time I read the lwn article and the associated papers I thought to myself that the car industry should learn security and stability from the aerospace industry. Unfortunately it now turns out that they seem to have done so :(

Re:This is even worse than car security (0)

Anonymous Coward | about a year ago | (#43416663)

aerospace "security" has always been to have system redundancy. the 787-8 is the first airliner I've seen to use PKI encryption. working firsthand with these techs the worst they could do would be to freak out ATC into initially thinking a hijacking took place, but one of the many redundant communication systems would immediately confirm it has not been.

Re:This is even worse than car security (1)

hughk (248126) | about a year ago | (#43420471)

It seems that the aircraft industry is about as security conscious as the car industry.

Not really.

Aircraft typically carry different ways of getting the same vital information, passenger aircraft must do so. Equipment in former times was very unreliable, so essentially the plane must carry two (or more) of everything. Critical components may have the "A" and "B" computers programmed by different teams or even using different architectures. They also carry a human, who may notice if there are strange instruments.

Drones are a different matter and do seem to be spoofable.

ADS-B is Trust Based (0)

Anonymous Coward | about a year ago | (#43416613)

ADS-B is considered trust based. There are some guards in place to make it difficult for any fool to broadcast, but it is well known that a transmitter can lie. Given that, I hope a pilot wouldn't overreact to a fake plane that came out of nowhere.

ADS-B (1)

Anonymous Coward | about a year ago | (#43416671)

I really need to look hard at this article. I find it hard for an Android Device to insert Aircraft Coordinates into the Squitter Pulses from / to the Mode-S Transponder. I could believe the ACARS is more susceptible, but that is a stretch. You do not use ACARS for Primary Navigation, only Company to Crew Coordination. Besides TCAS will not allow a collision as well as Ground Based intervention. For the reader's reference, I was part of the first Operation Evaluation in July of 1999 at ILN with the CAA. Three Airlines Demonstrated the Feasibility. Airborne Express, which was the Airline I was the Principal Avionics Inspector for. FedEx and UPS. Google this and you can find the report. ADS-B First Ops Eval July 1999 at ILN

Re:ADS-B (1)

Kraig Hayner (2893431) | about a year ago | (#43416723)

Sorry, I forgot to log in for the article Post. KHayner, Retired FAA Inspector.

how long?? (1)

lkcl (517947) | about a year ago | (#43416729)

and for how long has ACARS and ADS-B been insecure? that's what's so embarrassing about these things. skype being insecure since it was created, relying on security-through-obscurity just as adobe does for RTMP, such that the russian govt has had the ability to eavesdrop on skype for at least the past 4 years.... and *not* told anyone about it.

it's the same here. someone *somewhere* will have been exploiting ACARS and ADS-B... and not telling anyone that they're doing it. conferences like these are a wake-up call to the idiots who believe that nobody - ever - will work out their "security".

the question is: when will they learn to get proper security reviews *before* designing the protocol??

Re:how long?? (1)

EmperorArthur (1113223) | about a year ago | (#43417073)

And how long have police radios relied on insecurity? That's the same question you're asking.

The protocol is very secure and error resistant. It is not, and never has been spoof resistant. All of these signals are unencrypted, and that's a good thing. I don't know about you, but I enjoy seeing where all the planes are. Or are you against open data?

Saying that you could modify the behavior of an airplane by spoofing these signals is like saying you could modify a car's behavior by spoofing GPS signals. Well duh, you can modify an instrument or two, but aircraft have a bunch of backups, the most important ones being the pilots. Actually, GPS spoofing doesn't even work against airliners. They have internal measurement units, and laser ring gyros as redundant backups. You have three fully separate systems voting on everything, including position information.

While someone could in theory spoof some messages, there are reasons why Die Hard 2 was stupid. The largest one being, that pilots have charts that they are required to keep updated, and look at before a flight. They know where they are, and they have good old fashioned paper maps of where everything else is, and its elevation.

Re:how long?? (2, Interesting)

Anonymous Coward | about a year ago | (#43417807)

Well, therein lies the problem actually. You are of course correct that airplanes of all sizes have all kinds of communications and navigations gear, most of which isn't really all that connected. Airliners have computers that will read signals from multiple inputs at once and present it in a single display, just like smaller GA glass cockpits have started doing, but that's not really the problem.

The problem is when people, especially people who like to plan things and do budget spreadsheets, start asking questions like "why do we need VOR transmitters when we have GPS?" Or "why do we need ILS (simple enough, well understood technology) when we can replace it with GPS enhancing equipment made by very expensive contractors and look cool". So you get things like the FAA planning on turning off a bunch of VORs, NDBs and other such navaids, and then of course planning on replacing primary and secondary radar with ADS-B. When you get right down to it, ADS-B is essentially airplanes telling each other where they are. What could possibly go wrong? (Definition for the uninitiated: primary radar is like what you see in WWII movies, but computer enhanced. Secondary radar is what interrogates transponders to get actual data from planes in flight about things like altitude and coded numbers so the computer can tag planes with the right data. It's not really "radar" but it is a ground based interrogation/response system that works along with primary radar. The ATC computers put both together on displays for the controllers. They can use one without the other, but things work better with both.)

Getting rid of these "redundant" systems is a bunch of stupid ideas. Except they're not. Individually they're OK. They're stupid when you take the effect in total, which is going to be to make airplanes rely on essentially one external input for position information, plus whatever they can sense via INS systems, etc, at least until the accountants decide to start making planes without that stuff because it costs a lot and GPS works great, right?

Well, other than by remote management, which I'm sure they have but which can be interrupted, you can't turn off all the VORs all over the place all at once. You can't re-aim ILS systems for reasons that have already been beaten to death in this thread. NDBs? Essentially AM radios. You can even use commercial stations in a pinch if you know where the transmitter is. All relatively simple, very proven technologies--each of which has very real flaws, but well understood flaws.

So if somebody could spoof GPS signals or send fake ADS-B transmissions today, it's not a big deal. Become dependent on them, and by "dependent" I mean "using them because there's nothing else to use", then it becomes a really big deal.

Media propaganda aside, which is mostly fed by for-profit privatizers (airlines) trying to grab control of the ATC system, air traffic control in this country is not all that unsophisticated. It is, usually, as sophisticated as it needs to be for a given area. Remote airport with light traffic and decent weather? A controller with binoculars and maybe a radar repeating display is quite sufficient. Busy places? They go all out. They always do things that look weird to people who just have to have an app for everything. For instance, they print out clearances, write things on them, and send them around via vacuum tubes in lots of cases. Why? Because if you lose your tech all of the sudden you still have an idea where everybody is and what they're doing. Make things "efficient", start them working on tablets and such, and you've actually introduced risk into the system you didn't have before. Just like with making planes dependent on ADS-B by removing other sources of information.

Unlikely (5, Insightful)

borgasm (547139) | about a year ago | (#43416991)

IAAP

The concept of using ADS-B to spoof position reporting doesn't hold water, since there are backup systems (Mode C/S xpdr)...though it may trigger a traffic alert on a neighbor's TCAS if it only relies on ADS-B reports (which it shouldn't). You can't control anything with just ADS-B spoofing.

Hacking the FMS via something like vulnerability in the ACARS receive stack....ok that might be in the realm of possibility. Except it's not very useful, because any deviation of course or altitude would be detected by the pilots and ATC nearly immediately. Redundancy is built in at the human level.

Does it only work if I'm on the plane? (1)

jader3rd (2222716) | about a year ago | (#43417081)

Why would I want to do this if I'm on the plane? Suicide wish?

"aircrafts" is not a word (0)

Anonymous Coward | about a year ago | (#43417157)

...even if you repeat over and over in TFS and TFA.

That slideshow is amazing (1)

bshell (848277) | about a year ago | (#43417435)

If you actually go through the slideshow you can see that there's a hell of a lot more involved than just pressing some buttons on an android phone. Among other things "Russian scrapings" on eBay and "Universal Software Radio Peripherals" are mentioned. I guess a very industrious group of engineers could pull this off, but this is not going to be that easy.

Here I was always just playing MS flight simulator (1)

damn_registrars (1103043) | about a year ago | (#43417665)

I guess I was doing it wrong.

Not anything like hijacking. (1)

EmagGeek (574360) | about a year ago | (#43418283)

You're not taking control of the plane. You are simply manipulating the information the pilot is receiving. The second the pilot realizes the information he is receiving is erroneous (and he will, quickly), the attack is over.

IAAP

Re:Not anything like hijacking. (1)

hughk (248126) | about a year ago | (#43420487)

Good point. And not only that, information is flowing into the pilot from multiple sources, visual clues, ATC and multiple instruments.

Just an android phone? (1)

dragonhunter21 (1815102) | about a year ago | (#43419273)

Unless the Galaxy S4 comes with an ADS-B transceiver, I think these flights should be OK.

When the pilots start seeing multiple odd contacts on their ADS-B display, they'll call down to Center and ask what's going on. When they do, Center will tell them that there are no contacts in their area, and the flight will continue using more traditional navigation/avoidance procedures. This isn't a "shoot down an airliner free" card.
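Added example (not part of any comment in this thread, and not code from the talk): the cross-check described in the "Unlikely" and "Just an android phone?" comments above, where a self-reported ADS-B position is only trusted if an independent surveillance source such as secondary radar sees an aircraft at roughly the same place. The `Track` type, the tolerances and every sample value are constructed assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass(frozen=True)
class Track:
    ident: str     # ADS-B address or radar track label (constructed values)
    lat: float     # degrees
    lon: float     # degrees
    alt_ft: float  # reported or measured altitude, feet


def distance_nm(a: Track, b: Track) -> float:
    """Great-circle (haversine) distance between two tracks, in nautical miles."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def cross_check(adsb, radar, max_nm=1.0, max_alt_ft=300.0):
    """Match each ADS-B report to the nearest unused radar track.

    Returns (status_by_ident, radar_only): an ADS-B report with no radar
    track inside the tolerances is 'uncorroborated' (a possible ghost);
    radar tracks nobody claimed are aircraft seen but not broadcasting.
    Greedy nearest-match is a simplification; the tolerances are assumed.
    """
    unused = list(radar)
    status = {}
    for rep in adsb:
        candidates = [
            (distance_nm(rep, trk), trk) for trk in unused
            if abs(rep.alt_ft - trk.alt_ft) <= max_alt_ft
        ]
        candidates = [c for c in candidates if c[0] <= max_nm]
        if candidates:
            _, best = min(candidates, key=lambda c: c[0])
            unused.remove(best)  # one radar return backs one report
            status[rep.ident] = "corroborated"
        else:
            status[rep.ident] = "uncorroborated"
    return status, [t.ident for t in unused]


# Constructed sample picture: two real aircraft, one injected report,
# and one aircraft that radar sees but that sends no ADS-B.
ADSB = [Track("AAA111", 52.300, 4.760, 35000), Track("BBB222", 52.500, 5.000, 36000),
        Track("GHOST1", 52.400, 4.900, 35000)]
RADAR = [Track("R1", 52.301, 4.762, 35050), Track("R2", 52.498, 5.003, 36000),
         Track("R3", 51.900, 4.200, 12000)]

if __name__ == "__main__":
    print(cross_check(ADSB, RADAR))
```
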

"Aircrafts" - TFS needs an editor! (2)

timbo234 (833667) | about a year ago | (#43420165)

FFS the plural of 'aircraft' is 'aircraft'. Yeah, yeah grammar Nazi and all that. But it doesn't change the fact that having basic grammatical errors repeated over and over in the summaries makes slashdot look terrible.

New safety rules. (0)

Anonymous Coward | about a year ago | (#43420267)

Smartphones, hell, all electronic devices, will now have to go in the checked luggage or they'll be confiscated.
The devices will have to be disabled or your bag won't get on the plane. This will be checked by specially trained cloned dogs.
This will be the preferred solution, instead of implementing proper security other than the "through obscurity" model existing today.

Subject (0)

Anonymous Coward | about a year ago | (#43420623)

For a second there, I thought of how could the Snackbars abuse this.
Then I remembered they're just primates and could never handle such a thing.
