Hijackers could remotely take over the computer-controlled flight guidance and navigational systems of a modern jumbo jet armed only with a smartphone and some special computer code, a “white hat” hacker told a security conference this week.
Hugo Teso, a security researcher at German IT consultancy N.Runs and a commercial airline pilot, unveiled his special software at the “In the Box” security conference in Amsterdam Wednesday, and posted his presentation online.
The presentation outlines his methodology but does not include technical details that would allow others to replicate his work. He said he was working with the FAA and the EASA to try and patch the holes.
Mr. Teso told Forbes magazine he spent three years reverse-engineering hardware and software for the Aircraft Communications Addressing and Report System, or ACARS. The technology is built into every commercial plane, allowing onboard computers to receive updates on weather data and flight schedules — and changes to the plane’s flight management system or FMS, better known as the autopilot.
“ACARS has no security at all,” Mr. Teso said. “The airplane has no means to know if the messages it receives are valid or not, so they accept them and you can use them to upload data to the airplane” that can be used to take over the aircraft’s systems.
“And then it’s game over,” he said.