Vulnerable, Part I

Let me start this post by asking my readers two questions.

  • Do you agree that hacking is possible?
  • Do you agree that airplane flight systems are computerized?

If you’re a reasonable person who is aware of 21st century events, I assume your answer to both question is Yes.

Now, I ask you to waive the current news reports about the Germanwings Flight 4U9525. If you are willing to do this, then consider my premise: My belief is that this airplane’s Flight Monitoring System (FMS) was hacked. In addition, I believe the same occurred in the December 2014 disaster of Air Asia Flight QZ8501. Both air tragedies bear striking similarities. |See my previous post about this subject.|

First, some background.


Hugo Teso

HUGO TESO

Hugo Teso is a youngish hacker, airline pilot and “security researcher” for the German IT consultancy N.Runs. Back in April 2013, Teso presented his disturbing demo application at Amsterdam’s Hack in the Box security conference. According to the many press reports, Teso had exploited a security flaw found in the flight management software of many airlines. His was not a new discovery, as hackers have known of these flaws for some time and warned the industry of these vulnerabilities.

Teso had created an application that could be initiated thru an Android Smart Phone. The application, according to his virtual simulation, could take full control of a vulnerable plane’s Flight Management System (FMS) as well as what’s called the Aircraft Communications Addressing and Report System (ACARS).

Teso’s demonstration and the dire possibilities surfacing for the aviation industry was published widely in credible publications including Forbes, ComputerWorld, The Independent,

After three years of research and development, Teso created an application he named PlaneSploit, which could be activated by a Smart phone. This app could potentially lead to terrifying results. One source described the capability of PlaneSploit. It could “enable the user to: change the plane’s course; crash the plane; set lights flashing in the cockpit; activate something when the plane is in a certain area.” (Emphasis added)

Also interested in Teso’s application were the U.S. Federal Aviation Administration (FAA) and the European Aviation Safety Administration (EASA), as well as several airline manufacturer’s including Honeywell and Rockwell Collins.

Within just a few days, the FAA, EASA and Rockwell Collins all came out with forceful statements denying the validity of Teso’s claims. And that was that.

Hugo Teso’s Hack in the Box presentation is archived and can be located here.


To come – Part II: Air Asia Flight QZ8501 and Germanwings Flight 4U9525.

Advertisements