Initially, I saw this as a POC against simulation software and certainly a wake-up call to promote safety. However, Hugo’s comments below are worth noting … He noted software exploits and vulnerabilities that, with the right delivery system, could potentially be manipulated. While there are limitations on what can be accomplished, there are many mitigating controls that make this impractical currently. Still, industrial automation and especially remote control systems must be as secure as possible.
QUOTE: After reading some of the news related to my talk at HITB 2013, I am writing this post with the goal of clarifying some misunderstandings, probably due to the lack of time I had during the talk, because I omitted details, or some other reason. Some of the most common wrong statements I have seen are related to:
- The Android application: No, the Android application I developed cannot attack an airplane by itself. This application is just a user interface that sends commands to the base station and receives feedback. Without the base station, and all the other hardware shown on the slides, the application is by itself useless.
- The flight simulator: I did not find the vulnerabilities in the flight simulator; I found all the vulnerabilities on real software and hardware of on-board aircraft systems.
- ACARS exploitation: No, I did not attack ACARS, nor ADS-B. I just used those protocols to send and receive information to/from the aircraft. Exploits and payloads are delivered using those protocols but I don’t attack them. That would be like saying that an exploit attacks TCP just because it is delivered via the network.
- Real airplanes: No, none of my tools or code can be used directly against real aircraft. I did and kept it this way on purpose, but the vulnerabilities I found apply to real aircraft systems and code.
- Old hardware: For my research I targeted both old FMS models (dating back to the 70s) as well as some of the newest ones (two or three years old).
- Exploitability: I understand the skeptical community saying “this is not possible because ACARS does not offer commands for doing X or Y”. Once again, I only used ACARS as a communication channel and my research targeted the FMS. So, have you ever heard of memory corruption? Also, when I mentioned “No rootkit” I was referring to the fact that hiding is currently not necessary so it was not implemented, not that the post-exploitation did not include hooking.
A counter-response is noted in this thread, which documents some key safety controls that make the scenario shared very difficult to achieve (and these types of comments led to the points above).