Researcher and hacker Brad “Renderman” Haines knew a year ago that airplanes could be hacked, before news hit of a German researcher’s app that can take over a plane’s flight controls. Now, he’s telling the nay-saying Federal Aviation Administration to prove its systems are safe, and says drones might have a similar problem.
“Really, it’s put up or shut up. If they say it’s secure, there should be no harm in publicly giving access to a test lab,” said Haines in an interview with VentureBeat. “Now, you don’t have to be a nation state in order to tinker with this stuff. You can be some bored guy on a couch.”
This week, German researcher Hugo Teso revealed an app that manipulates the Aircraft Communications Addressing and Reporting System (ACARS), which can give you access to the plane’s flight management system (FMS). According to Teso, you can communicate with ACARS by hacking the airline’s systems or by using a special radio. From there, he could send his own information to the plane, such as “turn left.”
“Pilots receive no training on what happens … if there’s an outside intelligence manipulating the data. They’re not trained for that,” said Haines.
But the FAA, the European Aviation Safety Agency, as well as FMS creators Honeywell and Rockwell Collins have all denied that this can actually happen. They say Teso only tested his hack on simulated flight software and that the certified software couldn’t be tampered with or disabled in the same way.
The FAA’s statement as obtained by Forbes reads:
The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer. The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware. The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain “full control of an aircraft” as the technology consultant has claimed.
But Haines is calling them out. Last year, he discovered a similar problem that lets you take over the transmissions between a pilot and the tower. He claims you can send fake transmissions that say things like, “There’s a plane coming straight at you!” The FAA — a year later — still hasn’t gotten in touch with him about the hack, according to Haines. Now, he’s turning his attention to drones.
As they start to enter our airspace, Haines says, drones are becoming aware of what’s around them so they can effectively get out of the way if a plane is headed in the same direction. But using the same hack as the one Haines created last year, he says drones could be tricked to actually move a plane’s path.
His research isn’t yet complete, but he says he’d like to “talk to [Teso] and compare notes and see if we can work together.”
He said, “It’s nice to see someone else looking at this and coming to the same conclusions. I’m not crazy.”
Brad Haines image via Dean Takahashi/VentureBeat