A new class of apps and wireless devices used by private pilots during flights for everything from GPS information to data about nearby aircraft is vulnerable to a wide range of security attacks, which in some scenarios could lead to catastrophic outcomes, according to computer scientists at the University of California, San Diego and Johns Hopkins University. They presented their findings Nov. 5 at the 21st ACM Conference on Computer and Communications Security in Scottsdale, Ariz.
Researchers examined three combinations of devices and apps most commonly used by private pilots: the Appareo Stratus 2 receiver with the ForeFlight app; the Garmin GDL 39 receiver with the Garmin Pilot app; and the SageTech Clarity CL01 with the WingX Pro7 app.
The devices and apps allow casual pilots to access the same information available to the pilot of a private jet--at a fraction of the cost. All the instruments in a high-end cockpit can be valued at more than $20,000. By contrast, the systems the researchers examined are available for $1,000. All have to be paired with tablet computers, most often an iPad, to display information.
The devices researchers examined receive information about the aircraft’s location, the weather, the location of nearby aircraft and airspace restrictions, which they display on the tablet computers via an app. “When you attack these devices, you don’t have control over the aircraft, but you have control over the information the pilot sees,” said Kirill Levchenko, a computer scientist at the Jacobs School of Engineering at UC San Diego, who led the study.
ForeFlight, which pairs with the Appareo Stratus 2, is one of the top 50 grossing apps in the entire Apple App Store—ahead of Apple’s own Pages app, among others.
The team hoped that exposing the systems’ vulnerabilities would increase awareness among users and lead to demands for change. Researchers include several recommendations at the end of their study for safety improvements.
The FAA has the authority to regulate these systems but chooses not to because they are not an integral part of the aircraft, the researchers said. In commercial aircraft the FAA only allows static information, such as maps, to be displayed on tablet computers, cautioning pilots to rely on instruments to fly.
During testing, researchers found significant safety flaws in all three systems. Two of the systems allowed an attacker to replace completely the firmware, which is home to the programs controlling the devices. The Appareo Stratus 2 allowed the firmware to be downgraded to any older version. All three devices allowed an attacker to tamper with the communication between receiver and tablet. Both types of attacks give an attacker full control over safety-critical real-time information shown to the pilot.
By tampering with the aircraft position, altitude, and direction indications, also known as heading, as well as weather data and positions of other aircraft displayed to the pilot, an attacker can deceive the pilot, leading them to take actions detrimental to flight safety. Factors such as visibility and pilot workload increase the likelihood of a catastrophic outcome. For example, misrepresenting aircraft position during final approach in poor weather could result in a collision with other aircraft or a crash into nearby terrain.
Researchers point to several secure design practices that can remedy the flaws they identified. Among them, cryptographically securing communication between receiver and tablet, pairing the receiver with the tablet (in the same way that Apple smart phones are paired with specific computers), signing firmware updates and requiring explicit user interaction before updating device firmware. Data such as maps and approach procedures should be downloaded to the tablet using HTTPS or digitally signed by the vendor.
Most of the systems are fairly new to the market, researchers point out. “It’s a great time to make them secure from the get-go,” Levchenko said.
In addition to Levchenko, co-authors on the paper are UC San Diego computer science Ph.D. students Devin Lundberg, Brown Farinholt, Edward Sullivan and Ryan Mast, UC San Diego computer science professors Stefan Savage and Alex C. Snoeren, as well as Johns Hopkins computer science professor Stephen Checkoway. Lundberg is the first author on the paper.
This work was supported by the National Science Foundation grant NSF-0963702 and by generous research, operational and/or in-kind support from the UC San Diego Center for Networked Systems (CNS).
Jacobs School of Engineering
Ioana Patringenaru | EurekAlert!
Reversing cause and effect is no trouble for quantum computers
20.07.2018 | Centre for Quantum Technologies at the National University of Singapore
Study suggests buried Internet infrastructure at risk as sea levels rise
18.07.2018 | University of Wisconsin-Madison
A new manufacturing technique uses a process similar to newspaper printing to form smoother and more flexible metals for making ultrafast electronic devices.
The low-cost process, developed by Purdue University researchers, combines tools already used in industry for manufacturing metals on a large scale, but uses...
For the first time ever, scientists have determined the cosmic origin of highest-energy neutrinos. A research group led by IceCube scientist Elisa Resconi, spokesperson of the Collaborative Research Center SFB1258 at the Technical University of Munich (TUM), provides an important piece of evidence that the particles detected by the IceCube neutrino telescope at the South Pole originate from a galaxy four billion light-years away from Earth.
To rule out other origins with certainty, the team led by neutrino physicist Elisa Resconi from the Technical University of Munich and multi-wavelength...
For the first time a team of researchers have discovered two different phases of magnetic skyrmions in a single material. Physicists of the Technical Universities of Munich and Dresden and the University of Cologne can now better study and understand the properties of these magnetic structures, which are important for both basic research and applications.
Whirlpools are an everyday experience in a bath tub: When the water is drained a circular vortex is formed. Typically, such whirls are rather stable. Similar...
Physicists working with Roland Wester at the University of Innsbruck have investigated if and how chemical reactions can be influenced by targeted vibrational excitation of the reactants. They were able to demonstrate that excitation with a laser beam does not affect the efficiency of a chemical exchange reaction and that the excited molecular group acts only as a spectator in the reaction.
A frequently used reaction in organic chemistry is nucleophilic substitution. It plays, for example, an important role in in the synthesis of new chemical...
Optical spectroscopy allows investigating the energy structure and dynamic properties of complex quantum systems. Researchers from the University of Würzburg present two new approaches of coherent two-dimensional spectroscopy.
"Put an excitation into the system and observe how it evolves." According to physicist Professor Tobias Brixner, this is the credo of optical spectroscopy....
13.07.2018 | Event News
12.07.2018 | Event News
03.07.2018 | Event News
20.07.2018 | Power and Electrical Engineering
20.07.2018 | Information Technology
20.07.2018 | Materials Sciences