Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

FAA Dismisses ‘PlaneSploit’ Creator’s Claims

The Federal Aviation Administration has said that a researcher’s claims that he could hack an aircraft in-flight using only an Android application and a desktop computer are not possible. The FAA’s dismissal comes after Hugo Teso, a German information technology consultant, presented his findings during the Hack in the Box conference earlier this month.

The Federal Aviation Administration has said that a researcher’s claims that he could hack an aircraft in-flight using only an Android application and a desktop computer are not possible. The FAA’s dismissal comes after Hugo Teso, a German information technology consultant, presented his findings during the Hack in the Box conference earlier this month.

According to Teso, security issues with the Honeywell NZ-2000 Flight Management System (FMS), allowed him to send signals via his Android device, compromising the FMS within a simulated environment. His research was carried by many news outlets, and sparked some concern.

However, the FAA, in a statement sent to SecurityWeek, says that there is no risk – as the technique doesn’t work against certified flight hardware.

“The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer,” the statement said.

“The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware. The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain “full control of an aircraft” as the technology consultant has claimed.”

The dismissals have additional significance as the FAA was given access to the complete process Teso used to exploit the FMS, something that wasn’t publically released. For those interested, a copy of the presentation can be found here.

In addition, further explanations are online here

In 2012, a similar spoofing attack was discussed at Black Hat, which is covered in detail here

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.