Teso - a security researcher and a trained commercial pilot - has demonstrated the results of his experiment to the crowd attending the Hack In The Box Conference in Amsterdam, and has shared that both the European Aviation Safety Agency (EASA) and the Federal Aviation Administration (FAA) were informed of his research and have been working on fixing issues it unearthed.
But according to the latest statements released by both the organizations and by Honeywell and Rockwell Collins, companies that provide avionics, information technology systems and aerospace systems to aircraft manufacturers and whose simulation equipment Teso used in his research, the attack he described is not feasible.
The Federal Aviation Administration has stated that it "is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer. The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware. The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain 'full control of an aircraft' as the technology consultant has claimed."
The EASA pointed out that certifiable embedded software sports "robustness that is not present on ground-based simulation software," and Rockwell Collins commented for Forbes that "today’s certified avionics systems are designed and built with high levels of redundancy and security," and that Teso's research "involves testing with virtual aircraft in a lab environment, which is not analogous to certified aircraft and systems operating in regulated airspace."
Airline pilot Patrick Smith, who writes the popular "Ask the Pilot" blog, has written his own comment on why the type of attack presented by Teso is not possible.