Earlier this week, a story about how an airplane's navigation system could be commandeered with a simple Android app made headlines and caused quite a bit of commotion. The tale was based on findings published by security researcher Hugo Teso. Teso claimed that he had developed an Android app that took advantage of apparently lax security in the navigation systems used in modern aircraft, and he could use this app to perform simple pranks like making oxygen masks fall from the ceiling or more serious things like crash the plane into another aircraft. He said he had tested this hack in a closed system using PC-based simulation software, but that it would be easy to perform on a live aircraft if you knew how to take advantage of the security flaws. However, the Federal Aviation Administration and the European Aviation Safety Administration have issued statements concerning the alleged exploit, and neither group feels that it is a threat to flight safety.
"A hacker cannot obtain 'full control of an aircraft' as the technology consultant has claimed."
As reported by Information Week, the FAA's said that it "is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer," but the hack does not "pose a flight safety concern because it does not work on certified flight hardware." Additionally, the FAA says that "the described technique cannot engage or control the aircraft's autopilot system using the FMS or prevent a pilot from overriding the autopilot," meaning that "a hacker cannot obtain 'full control of an aircraft' as the technology consultant has claimed."
That jibes with the EASA's position on the matter. "There are major differences between a PC-based training FMS software and an embedded FMS software," said the group. "In particular, the FMS simulation software does not have the same overwriting protection and redundancies that is included in the certified flight software."
Neither agency can fully put the concern to rest however, as Information Week notes that it is still unclear if the hack won't work because flight control systems are using completely different software than what Tero tested or if it is because of the redundancies built into the systems. If it is because of the redundancies, there is a chance that enterprising hackers could step stone their way to other exploits in the systems. Fortunately for airline passengers everywhere, Tero has not released the keys to his exploit and he claims that he is working with governing agencies to make sure the systems are patched and updated if need be.