Hugo Teso: Post #HITB2013AMS Talk clarifications
Following his mind blowing talk at HITBSecConf2013 - Amsterdam, Hugo Teso has made a blog posting with some clarifications regarding his presentation:
After reading some of the news related to my talk at HITB 2013, I am writing this post with the goal of clarifying some misunderstandings, probably due to the lack of time I had during the talk, because I omitted details or other reason.
Some of the most common wrong statements I have seen are related to:
- The Android application: No, the Android application I developed cannot attack an airplane by itself. This application is just a user interface that send commands to the base station and receives feedback. Without the base station, and all the other hardware shown on the slides, the application is by itself useless.
- The flight simulator: I did not found the vulnerabilities in the flight simulator; I found all the vulnerabilities on real software and hardware of on-board aircraft systems.
- ACARS exploitation: No, I did not attack ACARS, neither ADS-B. I just used those protocols to send and receive information to/from the aircrafts. Exploits and payloads are delivered using those protocols but I don't attack them. That would be like saying that an exploit attacks TCP just because it is delivered via the network.
- Real airplanes: No, none of my tools or code can be used directly against real aircrafts. I did and kept it this way on purpose, but the vulnerabilities I found apply to real aircraft systems and code.
- Old hardware: For my research I targeted both old FMS models (dating back from the 70s) as well as some of the newest ones (two or three years old).
- Exploitability: I understand the skeptical community saying "this is not possible because ACARS does not offer commands for doing X or Y". Once again, I only used ACARS as a communication channel and my research targeted the FMS. So, have you ever heard of memory corruption? Also, when I mentioned "No rootkit" I was referring to the fact that hiding is currently not necessary so it was not implemented, not that the post-exploitation did not include hooking.