Saturday, April 13, 2013

The FAA, Bananas, and Computer Security: Hacking Planes with Cell Phones

Hugo Teso recently reported on some pretty serious flaws in the security for airplane flight systems and pilot displays. He reports that using an Android device and some custom-written code, he was able to provoke actions by the flight systems and feed the pilot incorrect information. The Register has a pretty good summary of what Teso discussed.

In an interview with Forbes, Teso reported:

“You can use this system to modify approximately everything related to the navigation of the plane. That includes a lot of nasty things.”

Fortunately, The Register tells us:

Federal Aviation Administration and the European Aviation Safety Administration have both been informed and are working on fixing the issue.

That would seem to be an appropriate response to a flaw like that. You would really hate to think about al Qaeda sending a bunch of wackos with cell phones onto flights. And I don't think the FAA would seriously be able to take away peoples' cell phones on flights. Dealing with Alec Baldwin alone would stretch the resources of most Federal agencies.

Fortunately, the FAA has taken swift action to alleviate any concerns the flying public might have about some new-found sense of competency in that agency. The FAA reports that there is no real problem because the hack did not work when they tested it against a "flight certified" configuration.

The idea of "defense in depth" appears to have soared right past these people. If there is a problem in a component of an overall system, FIX IT.

Here's hoping that the FAA manages to stumble across a clue in between meetings about whether or not to allow people to bring fully-functioning bananas on planes.

Update

The app that Teso used is only effective against simulators. That does not mean that there is not an issue that needs to be resolved. The H Security reports that:
Teso says that the ACARS communication with a plane can be implemented locally via a software-defined radio system or globally via one of the two major ACARS providers, ARINC and SITA. The researcher added that a vulnerability would need to be found with the providers.

The manufacturer, Honeywell, is investigating to see to what extent the vulnerabilities in the PC product used in simulators are also applicable to hardware-based implementations used on planes.

Other media outlets, like Computerworld, are reporting on the differences between the PC simulator hardware and the hardware-based implementations. My opinion remains the same as it did earlier; problems need to be fixed. Working exploits depend on chaining problems together; a good security posture depends on removing as many links from the chain as possible.