Security Experts:

FAA Dismisses 'PlaneSploit' Creator's Claims

The Federal Aviation Administration has said that a researcher’s claims that he could hack an aircraft in-flight using only an Android application and a desktop computer are not possible. The FAA’s dismissal comes after Hugo Teso, a German information technology consultant, presented his findings during the Hack in the Box conference earlier this month.

According to Teso, security issues with the Honeywell NZ-2000 Flight Management System (FMS), allowed him to send signals via his Android device, compromising the FMS within a simulated environment. His research was carried by many news outlets, and sparked some concern.

However, the FAA, in a statement sent to SecurityWeek, says that there is no risk - as the technique doesn’t work against certified flight hardware.

“The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer,” the statement said.

“The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware. The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain “full control of an aircraft” as the technology consultant has claimed.”

The dismissals have additional significance as the FAA was given access to the complete process Teso used to exploit the FMS, something that wasn’t publically released. For those interested, a copy of the presentation can be found here.

In addition, further explanations are online here

In 2012, a similar spoofing attack was discussed at Black Hat, which is covered in detail here

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.