Study: Security of Aviation Apps Questioned

December 4, 2014, 4:45 AM
Apps on pilots’ devices provide useful supplementary information, but the study’s authors expressed concern that some pilots rely on them for primary flight data.

A recently published study conducted by the University of California San Diego and Johns Hopkins University (Baltimore) claims to have identified security vulnerabilities in tablet apps and hardware used by pilots. The study examined three popular apps and hardware that provide data to these apps: ForeFlight Mobile and the Stratus 2; Garmin Pilot and the GDL 39; and WingX Pro7 and the SageTech Clarity CL01. According to the study’s abstract, “We found all three to be vulnerable, allowing an attacker to manipulate information presented to the pilot, which in some scenarios would lead to catastrophic outcomes.” The two equipment suppliers that responded to AIN’s questions dispute the alleged vulnerabilities.

The study seems to assume that pilots rely on iPad apps for flight-critical operations and specifically states that it is examining the use of mobile devices in general aviation “in which an iPad (or similar tablet) supplements conventional flight and navigation instruments.”

The combination of a tablet computer and a separate device containing a GPS sensor, ADS-B in receiver and magnetometer and accelerometers (AHRS) is labeled by the study as a Mobile Cockpit Information System (MCIS). While lead author Kirill Levchenko says he is well aware that MCIS are not sources of primary flight information, he fears that these devices might be tempting pilots not to pay attention to installed avionics. “Our concern is that pilots might rely on this more than they should,” he told AIN. “And there is no reason why these systems shouldn’t be more secure.” None of the study team members is a pilot or active user of these apps.

Attack Scenarios

There are two primary attack vectors for MCIS, according to Levchenko. An attacker in close enough proximity could gain access via Wi-Fi or Bluetooth to the hardware device (ADS-B receiver) and reflash its firmware, altering the way the device works. The other attack is tricking a user into downloading a malicious app onto an iPad or Android tablet. “Getting a malicious app on an iPad is difficult but not impossible,” he said.

Assuming that these attack vectors could work–and this remains debatable–the study examines seven MCIS-related scenarios, most of which could have a catastrophic outcome, the study claims:

• Attacker manipulates altitude and attitude information. Likelihood remote to extremely remote because pilot has primary altitude and attitude indicators in instrument panel.

• Attacker tampers with cruise position information. Likelihood depends whether pilot is flying VFR or IFR and how much dependence is placed on the MCIS.

• Attacker tampers with position during approach. Likelihood remote to probable, but the report assumes the pilot isn’t using installed avionics during poor-visibility operations.

• Attacker presents incorrect altimeter setting to pilot in a Metar. Likelihood extremely remote because pilot obtains altimeter setting from Atis or ATC.

• Attacker presents incorrect weather information. Likelihood difficult to estimate “because it depends on the weather conditions and pilot experience. In poor weather conditions, a pilot is likely to turn to the MCIS to determine whether to continue flight and how to navigate around bad weather.”

• Attacker alters, adds or deletes traffic information. Likelihood of a midair collision due to this attack is extremely remote to improbable.

• Attacker modifies chart data. Likelihood probable to remote in poor visibility, “depending on pilot’s familiarity with terrain.”

System-specific Security

The study team’s analysis of the three pairs of iPad apps and devices found what it claimed were several vulnerabilities.

In testing of the ForeFlight Mobile app and Stratus 2 receiver, the team was “able to impersonate the receiver and inject arbitrary information, which the app accepted and displayed.” The team was also able to use the Stratus 2 as a Wi-Fi access point to relay forged data to the iPad. Because ForeFlight uses a secure sockets layer (SSL) connection for subscription downloads, the team was not able to tamper with EFB data. It also could not modify the encrypted firmware image for the Stratus 2.

“For any of these attack scenarios described in the paper to apply to general aviation pilots,” said ForeFlight co-founder and CEO Tyson Weihs, “an attacker would either have to steal your ADS-B receiver and re-program it (if the receiver can be re-programmed–Stratus cannot be reprogrammed), or fly wingtip to wingtip with your aircraft and try to connect to your Wi-Fi network.” A pilot using ForeFlight and connected to an onboard Wi-Fi system could also expose the app to a potential hacker on the same flight, but ForeFlight’s Version 6.5 will include a “Genuine Stratus” onscreen indicator, he explained, “which reduces even further the likelihood of some of the very unlikely air-to-air and imposter scenarios.”

The study team’s tests of the Garmin Pilot app and GDL 39 ADS-B receiver, which communicate via Bluetooth, showed the ability “to spoof requests from the app to the receiver. We were also able to determine the address of the GDL 39 wirelessly via sniffing and then connect to the device without pairing.” The team was also able to “modify the aeronautical charts received by the app and presented to the pilot.” This is because, it said, “The Garmin Pilot app updates its documents and charts over HTTP.” Further, “All update-related communication is unencrypted and unauthenticated; we were able to redirect both apps [Garmin Pilot or a GDL 39 utility app] to download our own firmware image.”

Garmin told AIN: “Garmin does not believe the article fairly characterizes the risk associated with the use of the Garmin Pilot app and the GDL 39. General aviation pilots are conscientious and trained to understand that portable devices provide supplementary information as an aid to situational awareness, but they are not to be used as primary flight instruments. Additionally the researchers’ methods to determine the safety impact of their work do not appear to have followed accepted methodology such as functional hazard assessment. In light of this, Garmin considers the statements regarding safety in the research team’s press release and published paper to be unreasonably inflammatory.

“The latest version of Garmin Pilot available through each platform’s official app store contains a number of new features and improvements, including security enhancements not present in the version tested by the research team. As our evaluation continues, additional security enhancements will be rolled out as necessary,” the company said.

For the combination of the WingX Pro7 app and SageTech Clarity CL01 receiver, the team noted that “The Clarity receiver transmits all data unencrypted and unauthenticated…it is possible to impersonate the Clarity device to the WingX Pro7 app and to inject packets into the channel. We were successful in doing both.” Also, “We were able to modify the aeronautical charts and other information retrieved by the device.” The team found that the Clarity device’s “firmware image is not encrypted or authenticated. We were able to update the Clarity firmware with a modified firmware image.” By press time, SageTech and WingX Pro7 developer Hilton Software had not responded to AIN’s questions about system security.

The paper concluded that while MCIS do not provide “security guarantees expected of similar avionics systems…the vulnerabilities we identified in existing systems are easily fixed by adhering to existing computer security best practices.”
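As an added illustration (not code from the study, the apps or the receivers), the sketch below shows the kind of fix the paper's conclusion points to for the "unencrypted and unauthenticated" receiver-to-app link: each frame carries an HMAC tag and a sequence number, so the app drops forged, altered and replayed data. The frame layout, the payload text, the key and all names are assumptions made for the example; it authenticates data but does not encrypt it.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                   # full HMAC-SHA256 tag
HEADER = struct.Struct(">I")   # 32-bit big-endian sequence number (assumed layout)


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Receiver side: frame = seq || payload || HMAC(key, seq || payload)."""
    body = HEADER.pack(seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AppChannel:
    """App side: accepts only authentic frames with a strictly increasing sequence."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = -1

    def open(self, frame: bytes):
        """Return the payload, or None if the frame is forged, replayed or malformed."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        (seq,) = HEADER.unpack_from(body)
        if seq <= self._last_seq:                    # old or repeated frame
            return None
        self._last_seq = seq
        return body[HEADER.size:]


def demo():
    key = bytes(range(32))  # constructed key; in practice established at pairing
    app = AppChannel(key)
    genuine = seal(key, 1, b"ALT=4500;HDG=270")          # constructed sample payload
    forged = seal(b"\x00" * 32, 2, b"ALT=9500;HDG=270")  # sender without the key
    altered = genuine[:4] + b"ALT=9500;HDG=270" + genuine[-TAG_LEN:]
    # Last entry is the genuine frame presented a second time (replay).
    return [app.open(genuine), app.open(forged), app.open(altered), app.open(genuine)]
```

Only the first frame is accepted; the other three return None. Firmware and chart updates need the analogous check with a vendor signature verified on the device before anything is installed.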

Ensuring Security

Levchenko has some security suggestions for pilots using iPads. “In a perfect world you would have an iPad dedicated to flying. Don’t let your kid play Flappy Bird on your iPad. If you’re using the iPad for other stuff, then it could become infected, either through vulnerabilities in the operating system where a malicious app gets on or a downloaded app is malicious through the Apple Store. Apple does a lot to make sure apps are not malicious, but [bad] apps do get through. There are several kinds of attack vectors, say a clone of a popular game or an attacker compromised the developer and a [bad] app gets through. Getting a malicious app onto the iPad is difficult but not impossible. We’re not saying iPads are evil and pilots should not use them. We’re saying this is a new technology and it has a lot of promise. Pilots like it and find it very useful. There are going to be security implications.”

There is another way to protect against attacks that occur via wireless networks, and that is to hard-wire the iPad to ADS-B receivers and other devices used in cockpits. This is the strategy employed by Avionics & Systems Integration Group (ASIG), which manufactures the flyTab XFB hard-wired mounting system for iPads used as EFBs.

“There are multiple considerations which affect data interface/app performance in the flight environment,” explained ASIG managing director Luke Ribich. “From the natural effect of high EMI/RMI environmental interference found in today’s modern transport aircraft, which cause link drops and data packet loss, to the potential for rogue passengers who independently, or in concert, seek to eavesdrop, molest or suppress the presentation of avionics system and sensor data passed to an EFB wirelessly over ‘soft target’ Wi-Fi 802.11 or Bluetooth. The latter, particularly when passenger motives are coordinated in order to disrupt transportation or economies, presents a severe and ever-increasing direct threat to flight safety and the sanitary nature of cockpit flight operations.”

The threats, he added, range from data-transfer latency affecting iPad EFBs to suppression of flight-critical data to induce pilot confusion regarding situational awareness. “It is a matter of when, not if, design deficiencies in COTS tablet operating systems could allow a transmitting PED to be hacked to the point of cutting off a pilot from his/her QRH or other abnormal or emergency checklists or operating procedures. This speaks to the very reason that closed architecture and wired interfaces are the best and only acceptable method to protect the aircraft and its occupants.”