Thursday, November 20, 2014

UCSD/JHU Study Finds Vulnerabilities in Mobile Information Cockpit Systems

New Study Finds Vulnerabilities in Mobile Information Cockpit Systems


The study was produced by a group of computer scientists from the University of California, University of San Diego [sic.] and Johns Hopkins University. The group examined three combinations of devices and apps most commonly used by GA pilots, including; the Appareo Stratus 2 receiver with the ForeFlight iPad app; the Garmin GDL 39 receiver with the Garmin Pilot iPad app; and the SageTech Clarity CL01 with the WingX Pro7 iPad app. This popular combination of a receiver paired with an iPad and app is referred to as a Mobile Cockpit Information System (MCIS) by the research group.

When used in-flight, depending on the aeronautical information services supported by the receiver, these devices and apps give GA pilots access to Flight Information System-Broadcast (FIS-B), a data broadcasting service that works with Automatic Dependent Service-Broadcast (ADS-B) ground stations to provide weather and airspace restrictions, among other information, through a data link to the cockpit. Pilots can also use them to access the Traffic Information System-Broadcast(TIS-B) service offered to ADS-B users as well. The information is obtained by the receiver and displayed via the application interface on the iPad to the pilot.

"We found a number of vulnerabilities that would allow an attacker to manipulate information that a pilot would see on the iPad that we think are serious," Kirill Levchenko, a computer scientist at the Jacobs School of Engineering at UC San Diego, told Avionics Magazine

During testing, researchers found significant safety flaws in all three systems. Two of the systems allowed an attacker to replace completely the firmware, which is home to the programs controlling the devices. The Appareo Stratus 2 allowed the firmware to be downgraded to any older version. All three devices allowed an attacker to tamper with the communication between receiver and tablet. Both types of attacks give an attacker full control over safety-critical real-time information shown to the pilot.
Click Here for a HighResolution Version
Two of the systems allowed an attacker to replace completely the firmware, which is home to the programs controlling the devices.
By tampering with the aircraft position, altitude, and direction indications, also known as heading, as well as weather data and positions of other aircraft displayed to the pilot, an attacker can deceive the pilot, leading them to take actions detrimental to flight safety. Factors such as visibility and pilot workload increase the likelihood of a catastrophic outcome. For example, misrepresenting aircraft position during final approach in poor weather could result in a collision with other aircraft or a crash into nearby terrain.
Researchers point to several secure design practices that can remedy the flaws they identified. Among them, cryptographically securing communication between receiver and tablet, pairing the receiver with the tablet (in the same way that Apple smart phones are paired with specific computers), signing firmware updates and requiring explicit user interaction before updating device firmware. Data such as maps and approach procedures should be downloaded to the tablet using HTTPS or digitally signed by the vendor.
Most of the systems are fairly new to the market, researchers point out. “It’s a great time to make them secure from the get-go,” Levchenko said.
In addition to Levchenko, co-authors on the paper are UC San Diego computer science Ph.D. students Devin Lundberg, Brown Farinholt, Edward Sullivan and Ryan Mast, UC San Diego computer science professors Stefan Savage and Alex C. Snoeren, as well as Johns Hopkins computer science professor Stephen Checkoway. Lundberg is the first author on the paper.
This work was supported by the National Science Foundation grant NSF-0963702 and by generous research, operational and/or in-kind support from the UC San Diego Center for Networked Systems (CNS).

 



Devin Lundberg, Brown Farinholt, Edward Sullivan, Ryan Mast, Stephen Checkoway, Stefan Savage, Alex C. Snoeren, and Kirill Levchenko, “On The Security of Mobile Cockpit Information Systems” UC San Diego, Johns Hopkins University. In M. Yung and N. Li, eds., Proceedings of CCS 2014. ACM Press, Nov. 2014.


ABSTRACT
Recent trends in aviation have led many general aviation pilots to adopt the use of iPads (or other tablets) in the cockpit. While initially used to display static charts and documents, uses have expanded to include live data such as weather and traffic information that is used to make flight decisions. Because the tablet and any connected devices are not a part of the onboard systems, they are not currently subject to the software reliability standards applied to avionics. In this paper, we create a risk model for electronic threats against mobile cockpit information systems and evaluate three such systems popular with general aviation pilots today: 
Appareo Stratus 2 Receiver
WingX Pro7 app
Garmin Pilot App
We found all three to be vulnerable, allowing an attacker to manipulate information presented to the pilot, which in some scenarios would lead to catastrophic outcomes. Finally, we provide recommendations for securing such systems. 

Author References


Stephen Checkoway :: JHU CS
a member of

Some other Security Vulnerability Analyses


 

No comments: