The vulnerabilities he exploited in his presentation relate to ACARS (Aircraft Communications Addressing and Reporting System), which is used for exchanging text messages between aircraft and ground stations via radio (VHF) or satellite, he said in a blog post previewing his presentation. Notably, ACARS messages aren't authenticated, and thus could be spoofed. "ACARS has no security at all. The airplane has no means to know if the messages it receives are valid or not," Teso said. "So they accept them and you can use them to upload data to the airplane that triggers these vulnerabilities. And then it's game over."
Teso hasn't publicly detailed the precise vulnerabilities he used to craft his attack code, which he dubbed SIMON, but said he's disclosed the flaws to the Federal Aviation Administration and the European Aviation Safety Administration (EASA), as well as to businesses in the aerospace industry that may be affected.
