[Avionics Today 11-18-2014] A new study produced by a group of computer scientists has discovered vulnerabilities in a new class of iPad apps and mobile cockpit receivers commonly used by today's General Aviation (GA) pilots. According to the study, the popular combination of a cockpit-mounted GPS receiver and an iPad used to display live data such as weather and traffic information is vulnerable to hacker attacks that could cause significant in-flight problems.
Top: the SageTech Clarity CL01; bottom: the Appareo Stratus 2. Photo: Jacobs School of Engineering.
The study was produced by a group of computer scientists from the University of California, San Diego and Johns Hopkins University. The group examined three combinations of devices and apps most commonly used by GA pilots: the Appareo Stratus 2 receiver with the ForeFlight iPad app; the Garmin GDL 39 receiver with the Garmin Pilot iPad app; and the SageTech Clarity CL01 with the WingX Pro7 iPad app. This popular combination of a receiver paired with an iPad and app is referred to as a Mobile Cockpit Information System (MCIS) by the research group.
When used in-flight, depending on the aeronautical information services supported by the receiver, these devices and apps give GA pilots access to Flight Information System-Broadcast (FIS-B), a data broadcasting service that works with Automatic Dependent Service-Broadcast (ADS-B) ground stations to provide weather and airspace restrictions, among other information, through a data link to the cockpit. Pilots can also use them to access the Traffic Information System-Broadcast (TIS-B) service offered to ADS-B users. The information is obtained by the receiver and displayed via the application interface on the iPad to the pilot.
"We found a number of vulnerabilities that would allow an attacker to manipulate information that a pilot would see on the iPad that we think are serious," Kirill Levchenko, a computer scientist at the Jacobs School of Engineering at UC San Diego, told Avionics Magazine.
The study focused on iPad use in the GA environment. In contrast, for commercial aircraft, the FAA only allows static information, such as maps, to be displayed on tablet computers, forcing pilots to rely more on certified avionics while flying.
Levchenko, who led the study, said the group was aware of similar claims made by Hugo Teso, a German IT consultant who gave a presentation in Amsterdam last year showing his ability to hack into Aircraft Communications Addressing and Reporting System (ACARS) data links to manipulate commercial airplane Flight Management Systems (FMS). But the European Aviation Safety Agency (EASA) ultimately proved that Teso was using avionics in a virtual aircraft in a lab environment, not the avionics systems that are certified to operate on air transport aircraft in commercial airspace.
According to Levchenko, the main difference between the two studies is that his group was able to simulate what a pilot actually uses, because none of the devices they tested interact with the aircraft.
"The stuff we looked at are portable electronics that a pilot brings onboard, a handheld receiver and the iPad with the app on it. That’s what we tested and that’s what a pilot would be using. There’s no issue of fidelity. This is the equipment," said Levchenko.
"With all three devices, we simulated attacks on the communication channel between the receiver and the iPad or on the receiver directly. We could replace the firmware on the devices, which is probably the most severe kind of attack because once you replace the firmware on the receiver the attacker has complete control over the information that the receiver sends. So you can change the GPS coordinates, altitude, you can suppress weather, you can add weather you can create phantom aircraft on that would appear via ADS-B on the iPad," he added.
During the simulated attacks, the researchers found that the Appareo Stratus 2, Garmin DL 39 and the SageTech Clarity CL01 would allow an attacker to tamper with the communication between the receiver and the tablet.
"Probably the most severe attack that we saw on these was the ability to change the firmware on the receiver," said Levchenko. "That vulnerability was found in the Garmin GDL 39, you could also do that if you do a software update with the SageTech. With the Foreflight app, you could also downgrade the firmware.”
Avionics Magazine reached out to Foreflight, SageTech and Garmin about the new study. While SageTech and Foreflight did not respond, Levchenko said his group has been in contact with Foreflight and that they "seem to be taking our work seriously."
Garmin is still reviewing the study, but released the following response to Avionics Magazine:
"Garmin has just started reviewing the University of California, San Diego and John Hopkins University research team’s article, as we were not contacted in connection with the article prior to its publication. Garmin takes safety and security very seriously and will thoroughly evaluate the concerns raised in this article. However, Garmin does not believe the article fairly characterizes the risk associated with the use of the Garmin Pilot App and the GDL 39. Portable devices provide supplementary information as an aid to situational awareness, but they are not to be used as primary flight instruments. The researchers’ methods to determine the safety impact of their work do not appear to have followed accepted methodology such as functional hazard assessment. In light of this, the statements regarding safety in the research team’s press release and published paper are unreasonably inflammatory."
Levchenko explicitly stated that his group is not looking to "sensationalize" their study and is not in search of "15 minutes of fame," but rather is looking to increase the security of these mobile cockpit information system setups as they become more popular.
"We’re a university and research group. We’re trying to find ways to make these systems more secure," said Levchenko.
Going forward, the group is looking to present its study to the FAA.