Gone are the days of mile-high airplane hijackings carried out with guns or knives. In the future all a hijacker or a terrorist might need is a computer or a smartphone - and some good hacker skills.
Ruben Santamarta, a security researcher at IOActive, showed a packed room at the Black Hat security conference in Las Vegas on Thursday how several types of satellite communications equipment used in airplanes all over the world can be hacked.
Taking advantage of "critical" holes in these devices, an attacker could tamper with the plane's satellite communications, he said, interfering with its navigation and safety systems.
And all they'd need is to be on a plane's WiFi and in-flight entertainment system.
"That doesn't mean we can crash an aircraft," Santamarta said during a press conference ahead of his talk. But he did say a hack like this could lead to dangerous situations, like a scenario in which a pilot is fed fake data from the ground.
Santamarta's findings might be hard to replicate in the real world.
They were produced in a lab by reverse engineering the firmware of the devices. But they do show that manufacturers selling equipment commonly deployed in airplanes have left gaping holes in their hardware.
"The fact is that those vulnerabilities are there, so maybe it's possible, maybe not," Santamarta said. "But it's something that should be fixed."
Other experts agreed. "The type of vulnerabilities he discovered are pretty scary just because they involve very basic security things that vendors should already be aware of," Vincenzo Iozzo, a member of Black Hat's review board, told Reuters, which first reported on Santamarta's research.
The manufacturers of the devices, however, all dismissed the research, saying the risks are "minimal" or "small" or that the hackers would need physical access to the device to carry out the exploit.
IOActive already published a white paper on this topic in April, but Santamarta disclosed new technical details at his talk on Thursday.
Security researchers have been looking into airplane systems' security for some time. Last year, Hugo Teso showed how a hacker with an Android phone could exploit a protocol used to transmit data from the ground to commercial airplanes, potentially giving the hacker the ability to take over the plane via a malicious radio signal.
Like Santamarta's research, Teso's was done only at an experimental level. It was dismissed as unlikely to work by European and American aviation authorities.
Also at Black Hat in 2012, another researcher showed he could make nonexistent planes appear on the screens of air traffic controllers, perhaps scaring real planes into trying to avoid them.
This hack took advantage of a vulnerability in the next-generation air traffic control system, the Automatic Dependent Surveillance-Broadcast (ADS-B).