Hugo Teso, a researcher at security consultancy N.Runs who is also a commercial pilot, demonstrated the hack on a "virtual" airplane system at the Hack In The Box conference in Amsterdam, InformationWeek reported Thursday.
With an Android application he developed, dubbed PlaneSploit, Teso used a smartphone to demonstrate how he could adjust the heading, altitude and speed of a virtual airplane by sending false navigation data to a flight management system (FMS).
"You can use this system to modify approximately everything related to the navigation of the plane," Teso told Forbes. "That includes a lot of nasty things."
Teso hasn't publicly disclosed the vulnerabilities he exploited to create his attack app, but he said he's informed the Federal Aviation Administration and the European Aviation Safety Administration of the flaws.
Avionics manufacturers emphasized that Teso's hack involved training software, rather than systems as installed in aircraft.
Honeywell spokesman Scott Sayres downplayed real-world implications.
"If we talk very generically -- not just about Honeywell software -- PC FMS software is normally available as an online pilot training aid," Sayres told InformationWeek. "In other words, what Teso did was hack a PC-based training version of FMS that's used to simulate the flight environment, not the actual certified flight software installed on an aircraft."
A spokesman for the European safety administration agreed.
"This presentation was based on a PC training simulator and did not reveal potential vulnerabilities on actual flying systems," spokesman Jeremie Teahan said. "There are major differences between PC-based training FMS software and embedded FMS software. In particular, the FMS simulation software does not have the same overwriting protection and redundancies that are included in the certified flight software."