Hacker Claims Airplanes Vulnerable at 30,000 Feet

Cyber hackers have already shown what damage they can do, but this may be the scariest hacking story yet, if it came true.

What if they could hack into the air traffic control system? It's frightening to imagine, you're at 30-thousand feet and suddenly your pilot is flying blind or taking evasive action to avoid another plane.

Brad "Renderman" Haines, who works in IT support for a small company in Canada by day and is a hacker by night, told CNBC that he has proof that the air traffic control system can be hacked.

(Read More: Cyber Threats Escalate as Banks Go Paperless)

The Federal Aviation Administration's next generation air traffic control system, which, when it's fully in place by the end of this decade, is supposed to make flying "more convenient and dependable."

According to Haines, what it really does is make the whole system vulnerable to hackers because the system uses GPS (Global Positioning System) data instead of just radar.

"No good is gonna come of this," he added.

The problem with this is that the signals they are using are unencrypted and unauthenticated. And because it's unauthenticated, you can't prove that this actually came from the real plane.

In theory, that means a hacker could wreak havoc on the system by generating flights that don't exist.

"You could theoretically ground everybody," Haines said.

Haines and a fellow hacker put data that would be used in the FAA system, known as NextGen, into a flight simulator to show what could happen if the system is hacked.

"We were able to create a flight…we were able to take off from SFO [San Francisco] circle back over the bay, come back and buzz the tower," Haines explained.

The consequence of putting a ghost flight on the air traffic controller's panel could be disastrous.

"If I suddenly injected 50 extra flights onto their radar screen that they hadn't expected, they're going to be panicking trying to figure out what's going on," he said.

(Read More: Hacker Claims He Can Hijack Any Airplane Using a Mobile App)

Inside Denver's TRACON or Terminal Radar Approach Control center at DIA.
Helen H. Richardson | Denver Post | Getty Images
Inside Denver's TRACON or Terminal Radar Approach Control center at DIA.

University of Texas professor Todd Humphreys is an expert on navigation systems, and thinks Haines is onto something.

"It ought to be obvious to the FAA. This is an obvious problem. This is something that's using antiquated technology from the 1980s," said Humphreys.

(Read More: CNBC's Ongoing Coverage of the Cyber Threat)

Haines said he brought his evidence to the FAA, but claimed they ignored him.

CNBC reached out to the FAA about his claims, and a spokesman said the agency has a thorough process in place to identify and mitigate risks in the system...the process is ongoing...and there are backups to ensure safe operations.

In the statement, the FAA declined to say what risks it has identified, saying that information is "security sensitive."

By CNBC's Scott Cohn; Follow him on Twitter @ScottCohnCNBC

CNBC's Catherine Corrigan contributed to this post; Follow her on Twitter @CatCorrigan
CNBC's Gennine Kelly contributed to this post; Follow her on Twitter @GKellyCNBC