After this is done, an attacker could send specially crafted ACARS messages to the targeted aircraft to exploit vulnerabilities identified in the code of its FMS. In order to do this, the attacker could build his own software-defined radio system, which would have a range limit depending on the antenna being used, or he could hack into the systems of one of the two main ground service providers and use them to send ACARS messages, a task that would probably be more difficult, Teso said.
Either way, sending rogue ACARS messages to real aircraft would most likely lead to the authorities searching and eventually locating you, the researcher said.
Teso created a post-exploitation agent dubbed SIMON that can run on a compromised FMS and can be used to make flight plan changes or execute various commands remotely. SIMON was specifically designed for the x86 architecture so that it can only be used in the test lab against virtual airplanes and not against flight management systems on real aircraft that use different architectures.
The researcher also created an Android app called PlaneSploit that can automate an entire attack, from discovering targets using Flightradar24 to exploiting vulnerabilities in their FMS, installing SIMON and then performing various actions, like modifying the flight plan.
As previously mentioned, the research and demonstrations were performed against virtual planes in a lab setup. However, the FMS vulnerabilities identified and the lack of security in communication technologies like ADS-B and ACARS are real, Teso said.
In a real-world attack scenario, the pilot could realize that something is wrong, disengage the auto-pilot and fly the plane like in the old days using analog systems, Teso said. However, flying without auto-pilot is becoming increasingly difficult on modern aircraft, he said.
Teso did not reveal any specifics about the vulnerabilities he identified in flight management systems because they haven't been fixed yet. The lack of security features like authentication in ADS-B and ACARS is also something that will probably take a lot of time to address, but the researcher hopes that it will be done while these technologies are still being deployed. In the U.S., the majority of aircraft are expected to use ADS-B by 2020.
N.runs has been in contact with the European Aviation Safety Agency (EASA) for the past few weeks about the issues identified during this research, Teso said, adding that he has been pleasantly surprised by their response so far. "They haven't denied the issues, they listened to us and they offered resources," he said. "They're trying to help us to take this research on a real plane."