Researchers from Johns Hopkins University and the University of California, San Diego found that apps and wireless devices used by private pilots to gather information are vulnerable to hacking. When these devices are attacked, hackers can control how the devices would work which could trigger them to provide misleading information to the pilot. This can lead to catastrophic outcomes, putting the lives of everyone on board on a life-threatening state.
The three device-app combinations that are most frequently used by private pilots include the SageTech Clarity CL01 with the WingX Pro7 app, the Garmin GDL 39 receiver paired with the Garmin Pilot app and the Appareo Stratus 2 receiver with the ForeFlight app. After pairing the devices with tablet PCs such as an iPad, pilots can start viewing valuable information such as the aircraft's location, the location of a nearby aircraft, the weather, and airspace restrictions.
"When you attack these devices, you don't have control over the aircraft, but you have control over the information the pilot sees," said Kirill Levchenko, head of the study and a computer scientist at UC San Diego's Jacobs School of Engineering.
During the study, the researchers learned that all of the combinations between the wireless devices and their respective apps had safety loopholes. Two of the systems can suffer from complete firmware alteration or downgrade, allowing the attacker to manipulate the program needed to operate the devices. Furthermore, hackers can tamper the communication between the receiver and the tablet.
The results of an attack can be disastrous. One example is when a pilot becomes misinformed on the aircraft position during flight under poor weather conditions. The aircraft can collide with another aircraft, collides on a mountain top, or crashes down.
The system that the researchers examined is valued at $1000 on a private plane. However, the same system is said to have a value of $20,000 when used in a high-end cockpit.
After exposing the systems' vulnerabilities, the researchers hoped that users would become more aware of the security flaws in their devices and demand to get some changes. Several recommendations have therefore been made to remedy the security flaws. These would include pairing the receiver with the tablet, cryptographically securing the exchange of communication between the receiver and the tablet, requiring user acknowledgment before allowing a firmware update, and downloading of data such as location and maps which either use HTTPS or one that is digitally vendor-signed.
