
Pilots Love These Navigation Apps. Too Bad They Can Be Hacked

In-flight iPad apps that track weather, air traffic, and flight checklists are cost-effective, but also fundamentally insecure.

Most airplane pilots know to look out for angry birds in the sky. But many pilots, as well as the Federal Aviation Administration, aren't yet considering another potential airborne threat: cheap, commercially available in-flight apps. Or even 'Angry Birds' on an iPad.

In-flight apps that function as live displays for weather, air traffic, and static documents like flight checklists are a cost-effective alternative to traditional devices. But according to security experts, they are also fundamentally insecure.


A new study by researchers at the University of California—San Diego and Johns Hopkins Hospital analyzed the security features of several popular apps for pilots, including ForeFlight and Garmin Pilot, and discovered a number of security vulnerabilities.

Most pilots in the world of non-commercial aviation don't have access to the kinds of $20,000 devices that airline pilots use to navigate. Instead, they turn to consumer apps like ForeFlight and Garmin Pilot, which each cost a mere $75 per year.

But commercial pilots are also using iPad apps in the air. United Airlines uses an iPad app developed in-house to display flight planning information. American Airlines uses the commercially available Jeppesen Mobile Terminal Chart application to do the same. Frontier Airlines uses ForeFlight.

"Because it's easier to make [the apps] just work," Devin Lundberg, the study's lead author, told me, "security is an afterthought. You see this throughout the internet and with mobile manufacturers. They make something, they get it working, they make it pretty, and security is kind of something that prevents bad things from happening, but it's not considered necessary. They're just trying to get their product out there as fast as possible."

The crux of the issue is that planes and air traffic control communicate with each other using ADS-B signals. These signals are unencrypted and unauthenticated.

Inaccurate data, the authors note, can be sent to the apps by intercepting their connection to the kinds of commercially available ADS-B receivers that pilots bring with them into the cockpit, and then "spoofing" the signal. This makes the app think it's getting data from an authentic source, when in reality the signal is coming from an inauthentic source, perhaps a malicious attacker.


The result of a successful hack on a pilot's app or receiver would be the presentation of false weather or traffic information to a pilot.

According to Lundberg and his colleagues, ForeFlight—the app most popular with non-commercial pilots, and used by Frontier Airlines—can be hacked while being used by a pilot, as long as the attacker is in relative proximity to the receiver in order to spoof its signal.

Other apps, like Garmin Pilot and WingX Pro7, have a more severe vulnerability: all their update-related communications are unencrypted, which enabled the researchers to load malicious code into the apps while receiving a firmware update.

The FAA does not currently have any standards or regulations in place to address the security of commercially available apps for pilots. And the FAA's resistance to addressing computational security on planes is well known to some experts.

Take Brad Haines, a Canadian hacker in his mid-30s. Last year, he designed a system that would have allowed him to spoof the ADS-B signal of a commercial flight, had he chosen to.

"My experience has been that the aircraft industry—the FAA and the ICAO, the International Civil Aviation Organization—is very insular," Haines told me. "They aren't used to talking to outsiders. They have their own experts that they refer to that don't necessarily have their head in the same place as people like myself do. They haven't had a lot of experience with this sort of thing."


The FAA did not respond to multiple requests for comment. We'll update this story accordingly if we hear back.


Both Haines and Lundberg agree that computational security is a new field for regulatory bodies overseeing avionics. The focus for disaster-mitigating design has traditionally been on safety—system redundancy, sturdy mechanics, and strict protocols—but not security, which is a different matter entirely.

"I don't feel as though they've written a lot of regulations having to do with problems when there's a malicious attacker in the setting," Lundberg told me. "They're more interested in actually putting up that infrastructure, and I'm not sure why they haven't put security first."

An aircraft of any kind has a certain amount of redundancy built into its control system in order to ensure that a pilot can refer to a number of devices to confirm that the information displayed on an app is accurate. The effects of a hack would largely depend on a pilot's training, the amount of trust she places in devices, and conditions like visibility.

Coincidentally, George Richmond, Motherboard writer Ben Richmond's dad, is an ex-commercial pilot with decades of experience who now flies privately. In his view, disastrous effects resulting from a pilot's iPad being hacked are unlikely.


"Most pilots don't use iPad devices for sole-source navigation, or at least cross check the info presented with some other means," Richmond wrote in an email. "We all should be running a 'does this make sense' check as we go along."

"When I do access the internet in conjunction with ForeFlight, it is through Wi-Fi at home or 3G when Wi-Fi is not available, and all I get then are data updates such as charts and text or radar weather," he continued. "I don't see how my iPad app could be hacked by anyone while I'm in flight, unless they are on board with me."

Of course, this is exactly how an app can be hacked, according to Lundberg and his colleagues. Cryptography is a game that involves thinking about all the angles—every insecure access point and every device that could be tapped. And for Haines, a lack of strict protocol regarding how personal devices like iPads are used in the air is a key point of concern.

"How is [the app] being updated? Is it over Wi-Fi? How are they verifying that those are the access points that they're supposed to talk to?" Haines asked. "They say it's encrypted, but is that data in transit? Is it encrypted at rest, when it's on the iPad itself? Are pilots taking them home and loading Angry Birds on it?"

The best way to close the security gap in the apps that pilots are using is for the FAA to begin regulating their development and use, Lundberg said.

"Having the FAA regulate this in some way would give them some incentive to make sure their product is secure, and can actually prevent the kinds of threats that could appear in the cockpit," he told me.

If security hawks like Lundberg and Haines are right about the threats that insecure apps like ForeFlight and Garmin Pilot pose, then regulatory bodies and pilots alike might do well to consider the importance of encrypting data, even when 30,000 feet in the air.