Post-HITB Talk clarifications

After reading some of the news related to my talk at HITB 2013, I am writing this post with the goal of clarifying some misunderstandings, probably due to the lack of time I had during the talk, because I omitted details or other reason.

Some of the most common wrong statements I have seen are related to:

  • The Android application: No, the Android application I developed cannot attack an airplane by itself. This application is just a user interface that send commands to the base station and receives feedback. Without the base station, and all the other hardware shown on the slides, the application is by itself useless.
  • The flight simulator: I did not found the vulnerabilities in the flight simulator; I found all the vulnerabilities on real software and hardware of on-board aircraft systems.
  • ACARS exploitation: No, I did not attack ACARS, neither ADS-B. I just used those protocols to send and receive information to/from the aircrafts. Exploits and payloads are delivered using those protocols but I don't attack them. That would be like saying that an exploit attacks TCP just because it is delivered via the network.
  • Real airplanes: No, none of my tools or code can be used directly against real aircrafts. I did and kept it this way on purpose, but the vulnerabilities I found apply to real aircraft systems and code.
  • Old hardware: For my research I targeted both old FMS models (dating back from the 70s) as well as some of the newest ones (two or three years old).
  • Exploitability: I understand the skeptical community saying "this is not possible because ACARS does not offer commands for doing X or Y". Once again, I only used ACARS as a communication channel and my research targeted the FMS. So, have you ever heard of memory corruption? Also, when I mentioned "No rootkit" I was referring to the fact that hiding is currently not necessary so it was not implemented, not that the post-exploitation did not include hooking.

I hope these few statements can clarify what was (and was not) explained during my talk.

So, what now?

Shortly the video of my talk will be released, the slides are available here. Also, now that HITB 2013 is over, I will soon reengage the Aero Series and I will explain step by step, and with more detail, what I explained on my HITB 2013 talk and many other contents of my research. Of course any vulnerability or exploit details will be skipped.


If you are interested in the topic and want to discuss anything or be aware of future posts, do it through twitter.