PlaneSploit: The controversial Android app that exposed aviation flaws

  • PlaneSploit and the SIMON framework were demonstrated in simulators, not on real aircraft.
  • The research points to historical weaknesses in ADS-B and ACARS: a lack of authentication and encryption.
  • Manufacturers and authorities emphasized the protections in certified software and analyzed the reports.
  • The app is not available in stores, and its marketing was responsible and aimed at improving security.

PlaneSploit and aviation security

From now on, anyone carrying an Android phone on a plane is extremely dangerous, all because of the PlaneSploit application, which makes it possible to hijack a plane. It may sound like a joke, but it is as real as the fact that you are reading this. The application was developed by a computer security expert who also holds a commercial pilot license.

Hugo Teso is the computer security expert who has demonstrated that the broadcasting and communication systems used to target aircraft, known as ADS-B and ACARS, are quite prone to computer attacks. He was able to hack these systems in a virtual environment and has even created an Android app that allows control of an airplane. The application is called PlaneSploit and is capable of instructing the aircraft to change course and flight plan.

It seems incredible, but it's true. Among the application's capabilities is setting rules that trigger in certain situations, such as changing heading when a certain altitude is reached. Most frightening of all, it can cause a system failure that sends the plane on a course toward the ground. It can even steer the plane using the accelerometer of the smartphone or tablet. These demonstrations were carried out in simulators and laboratories, not on certified aircraft in operation.

The application only works while the autopilot is engaged, and the pilot can take back manual control at any time, after which the application has no effect. However, Hugo Teso has warned that once the application has connected to the system, it can operate without the pilots being alerted. Bear in mind, though, that a user with only basic knowledge will most likely not be able to hijack a plane with this application. It is also possible that it could be useful in hijacking cases, allowing the pilots to keep control of the plane even when they are not in the cockpit. The author himself stressed that his research is aimed at highlighting flaws, and he did not publish operational details that would allow its actual use.

Who is Hugo Teso and what did he present?

A security consultant and commercial pilot, Teso presented his work at a cybersecurity conference in Amsterdam. There he described a testing framework called SIMON, designed to investigate vulnerabilities of aeronautical systems in virtual environments, and showed the Android app PlaneSploit as an interface for launching tests against such systems within the laboratory. As he explained, he combined hardware acquired in open markets and publicly available software to build his test bench, an architecture that faithfully reproduces aeronautical connection and communication methods, but without touching real aircraft.

ADS-B and ACARS: Why They Were Targeted as Vectors

Teso's work focuses on two pillars of modern aviation: ADS-B (Automatic Dependent Surveillance–Broadcast), which broadcasts the identification, position and altitude of aircraft and supports situational awareness among traffic and control, and ACARS (Aircraft Communications Addressing and Reporting System), which manages the exchange of messages between aircraft and ground stations via radio or satellite. The research highlights that, by historical design, these systems lack strong authentication and encryption, which opens the door to spoofing or message injection attacks.

On that basis, the test team demonstrated in simulators how an attacker could, if the system is vulnerable, influence the FMS (Flight Management System) and autopilot logic. The PlaneSploit interface described capabilities such as locating flights (based on public sources such as Flightradar24), identifying potentially vulnerable targets, and, if appropriate in the simulated environment, sending test payloads.

  • Modify navigation parameters (heading, altitude, speed) in virtual aircraft.
  • Generate notices or events in the cabin, such as alerts, or interact with screens depending on the simulator.
  • Schedule conditional changes (for example, at a certain altitude) within the test environment.
  • Gesture control of some actions using phone sensors in the demo.

The disturbing hypothesis is clear: without strong cryptographic controls, trust in the origin of messages may be compromised. However, whether this hypothesis is exploitable in the field depends on multiple factors, including the certified software on board, the segregation measures between systems and the operational procedures.
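
What the missing control looks like on the receiving side, as an added example that is not Teso's code and not a real ADS-B or ACARS format: a checksum-only frame passes no matter who produced it, while a keyed tag plus a sequence number lets the receiver reject altered, wrongly keyed and replayed reports. The report layout, field names and key are constructed for illustration.

```python
import hashlib
import hmac
import struct
import zlib

LINK_KEY = b"constructed-demo-key"   # constructed; real links need key management
FMT = ">8sddiI"                      # hypothetical layout: ident, lat, lon, alt_ft, seq
BODY_LEN = struct.calcsize(FMT)
TAG_LEN = 16                         # truncated HMAC-SHA256 tag, in bytes


def encode_report(ident, lat, lon, alt_ft, seq):
    """Pack one constructed position report (not a real ADS-B or ACARS frame)."""
    return struct.pack(FMT, ident.encode().ljust(8), lat, lon, alt_ft, seq)


def seal_crc(body):
    """Unkeyed checksum: detects transmission noise, says nothing about origin."""
    return body + struct.pack(">I", zlib.crc32(body))


def check_crc(frame):
    return zlib.crc32(frame[:-4]) == struct.unpack(">I", frame[-4:])[0]


def seal_mac(body, key=LINK_KEY):
    """Keyed tag: only a holder of the link key can produce a valid one."""
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Receiver:
    """Checks the tag, then rejects replays with a per-sender sequence number."""

    def __init__(self, key=LINK_KEY):
        self.key = key
        self.last_seq = {}

    def accept(self, frame):
        if len(frame) != BODY_LEN + TAG_LEN:
            return "malformed"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"
        ident, _lat, _lon, _alt, seq = struct.unpack(FMT, body)
        if seq <= self.last_seq.get(ident, -1):
            return "replay"
        self.last_seq[ident] = seq
        return "ok"
```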

What manufacturers and authorities said

Following the presentation, manufacturers such as Honeywell and Rockwell Collins stressed that the tests were carried out on simulators and that certified commercial aviation software incorporates integrity protections and controls to prevent unauthorized overwrites. Organizations such as the FAA and the European Aviation Safety Agency have publicly assessed that this demonstration, by itself, does not entail a direct risk for hardware and software in operation.

Teso said he had responsibly notified the companies and competent authorities, who accepted the reports in order to study mitigations. Independent analysts, such as Graham Cluley, added a note of caution: without testing on real aircraft or published technical details, the exact impact on commercial fleets is unclear, although publicizing the problem helps prioritize its solution.

Implications, risks and good practices

The PlaneSploit case illustrates the tension between innovation, technological legacy, and security. While the most alarming scenario grabs headlines, the key messages are: the app does not exist on public channels, the test was run in controlled environments, and the industry already applies additional defensive layers. In any potential incident, pilots can turn off autopilot and manually manage the flight following established procedures.

From a cybersecurity perspective, the solution lies in strong authentication on critical links, segmentation of systems, anomaly monitoring and responsible disclosure programs. If you detect any technical errors or have suspicions, it is best to refer them to the manufacturers' reporting channels or to CERT teams, and never to share instructions that facilitate misuse.

Hugo Teso's research does not in itself make any smartphone an immediate threat on board; it does point out historical structural weaknesses and opens the door to improvements. That is the true value: accelerating the reinforcement of systems so that the aeronautical ecosystem remains one of the safest in the world.