A new claim by a security consultant that he could take control of an aircraft’s autopilot through vulnerabilities in ADS-B has elicited a response from the FAA, which said, in part, “It does not work.” The consultant, Hugo Teso,recentlymadeheadlines for himself and his employer when he demonstrated an Android app of his creation at a security conference in Amsterdam. Teso used his system to remotely hack into Flight Management System (FMS) software and upload data. He claimed that access allowed him to control the aircraft. The FAA has now responded saying it has determined that Teso’s exact technique would not work on certified hardware. EASA agreed, but questions remain.
The FAA has been hounded by concerns that its NextGen air traffic control system includes pathways of communication that are vulnerable to hackers and addressed similar concerns just last year. Responding to the most recent concern, the FAA said “the described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot.” EASA noted that Teso’s demonstration hacked training software, as opposed to embedded FMS software. It said that major differences between the two systems meant Teso did not face “the same overwriting protection and redundancies” included in certified flight software. Teso is a certified pilot and works for a company called N.Runs, a security consultancy in Germany. The company has said Teso’s work aims to ensure that vulnerabilities in FMS software are addressed in such a way that they remove the possibility of similar hacking threats. Find Teso’s presentation slides here (PDF).
