UPDATED 14:10 EST / APRIL 12 2013


Hacker Says Android App Can Hijack Airplanes

Imagine the kind of devastation that terrorists could cause if they were able to remotely hijack an airplane using something as simple as an Android app. With just a few taps on the screen, hackers could gain control of an aircraft and remotely alter its course. The consequences of this happening simply don’t bear thinking about, and yet, according to one German security researcher, this scenario could become a reality if aviation chiefs don’t remove their heads from the clouds.

At the Hack in the Box conference in Amsterdam this week, Hugo Teso spelled out just how easy it could be to make an airliner dance to his tune using nothing more than an Android smartphone. By using an app called PlaneSploit, a radio transmitter and a flight management software program, Teso says that it’s perfectly possible to take full control of an airplane by infiltrating radio broadcasts between it and the air control tower.

Teso’s exploits were reported by Help Net Security, which says that the hack involves piercing various systems on the aircraft in order to send fake messages to the pilot, which appear to come from air traffic control. The app doesn’t work like some kind of real-life arcade game, but instead allows the hacker/terrorist to give false instructions to the plane’s onboard computer, ordering it to change course or carry out other maneuvers. It also has the ability to scare the life out of pilots by making lights and switches in the cockpit flash randomly, giving them the impression that multiple systems are failing.

Here are just a few of PlaneSploit’s capabilities, as reported by Help Net Security:

  • Please go here: A way of interacting with the plane where the user can dynamically tap locations on the map and change the plane’s course.
  • Define area: Set detailed filters related to the airplane, for example activate something when a plane is in the area of X kilometers or when it starts flying on a predefined altitude.
  • Visit ground: Crash the airplane.
  • Kiss off: Remove itself from the system.
  • Be punkish: A theatric way of alerting the pilots that something is seriously wrong – lights start flashing and alarms start buzzing.

That’s a pretty scary list of capabilities, but thankfully we’re not likely to find PlaneSploit popping up on Google Play anytime soon. The purpose of the app, says Teso, is to illustrate just how insecure these air traffic control systems are, and how urgently airlines need to fix them. In other words, PlaneSploit is just proof-of-concept software, designed to work in a closed virtual environment, and it won’t ever end up in the wrong hands. But even so, the fact that Teso was able to create it means that others could build something similar.

Teso didn’t actually take control of a real airplane during his demo, instead showing off the app’s capabilities in a virtual lab. Nevertheless, he did demonstrate just how easy it would be to do so. He also stated that he has no intention of ever publicizing details of the exploits and vulnerabilities he found:

“That is not the goal of this series, it is intended to illustrate the process to study an unusual system, display the status of its safety and learn as much as possible in the process.”

It isn’t clear just how potent a threat PlaneSploit is, however. Just hours after the story emerged, the Federal Aviation Administration came out to strongly deny Teso’s claims that he could hack a modern airliner using cheap software:

“The FAA is aware that a German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer,” said Les Dorr, spokesperson for the FAA.

“The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it doesn’t work on certified flight hardware.”

The FAA may well be right in one sense, but its comments seem to ignore the larger picture. Just because modern airliners are immune to this kind of attack, it doesn’t make it any less dangerous. After all, there are plenty of smaller, privately owned aircraft buzzing about in the skies, and if these smaller aircraft can be hacked and steered towards a busy commercial flight path, the potential consequences are far too dangerous to ignore.

