You may remember action movies where villains were theoretically able to take over and use airplanes for evil purposes without the pilots knowing what was happening. Or you may have read or seen news reports that speculate about this possibility. Is any of this true? Can an airplane or its avionics really be “hacked”?
Misinformation and hype persist about aircraft electronic security and about the ability of international terrorists, corporate espionage agents, or others to deviously tap into today’s avionics, from portable units to highly sophisticated digital cockpits. This misinformation has increased the aircraft and avionics certification burden and delayed the implementation of safety-enhancing functions for pilots and passengers without good cause. As one of the world’s leading designers and manufacturers of avionics, we hope this blog entry will help clarify the avionics security threat for our customers.
The misinformation about aircraft electronic security has real-life consequences because some policymakers read these misperceptions and form opinions based on them. For example, a presentation on hacking a flight management system (FMS) and taking over a flight deck at a 2013 security conference in Europe caused a media frenzy. The presentation was reported extensively in the press and has had a significant negative impact on the avionics industry. But what was not reported nearly as extensively was that the foundation and integrity of the entire presentation were questionable, since the “flight deck takeover” did not use certified avionics hardware and software, but instead used PC simulators and avionics equipment with unknown pedigree and uncertain airworthiness approval.
Reports like these have contributed to an international certification authority requiring safety-enhancing data link weather and safety-enhancing ADS-B In traffic features to be disabled on an aircraft being certified with Garmin avionics. Ultimately, these safety-enhancing features were re-enabled, but only after some aircraft were delivered with these features disabled and only after Garmin and the aircraft manufacturer had to expend significant resources educating the certification authority involved. That time and money could have been better devoted to developing and deploying new safety-enhancing features and functions in our avionics.
As another example, Garmin’s portable and certified aviation equipment does not run its software under common operating systems like Windows, iOS, or Android, which are often affected by attacks utilizing viruses or malware. Instead, Garmin aviation equipment runs proprietary operating systems that would make it much more difficult to successfully accomplish an attack. Additionally, proprietary protocols, data input validations, and other mitigations are in place to prevent viruses or malware from infecting, or affecting, our equipment. In contrast to these common operating systems, there has been no need for Garmin to roll out software patches to address security issues.
Additionally, prior to equipment certification, the authorities require avionics manufacturers to perform a system safety assessment process that includes analyzing what might happen due to data corruption of any sort – malicious or not. The manufacturer must then develop mechanisms or mitigations within the equipment to protect against providing misleading information.
For example, the capability to upload flight plans through common mechanisms, such as ACARS, has been in existence for a long time. Straightforward and effective techniques for mitigating data corruption that might occur with equipment that supports flight plan upload have also been in existence for a long time. One such mitigation is requiring pilots to review the flight plan and accept it before it becomes the basis for active navigation. While it is conceivable that a pilot could accept a flight plan with an erroneous waypoint position, there are additional mitigating factors that a pilot can use to determine whether the uploaded flight plan is really going to navigate along the intended route: the active flight plan page, which displays desired track and distance for each leg; moving maps that display the active flight plan; and comparison of both of these against published charts. These are the same mechanisms pilots use to ensure that the flight plan adjustments they make manually as requested by ATC are properly entered.
Further, the authorities require certified avionics manufacturers to analyze field reports for potential safety issues, to provide information to customers about issues that may lead to unsafe flight conditions, and to field necessary equipment updates. Every pilot should do their part and make sure their avionics are maintained and updated with required Service Bulletins.
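The per-leg cross-check described above can be sketched in a few lines. This is an added example, not Garmin code: the waypoint names, coordinates, charted values and tolerances are all constructed for illustration, and tracks are treated as true rather than magnetic.

```python
import math

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def leg(a, b):
    """Initial true track (deg) and great-circle distance (NM) from a to b."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    dist = 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))
    y = math.sin(dlon) * math.cos(lat2)
    x = math.cos(lat1) * math.sin(lat2) - math.sin(lat1) * math.cos(lat2) * math.cos(dlon)
    return math.degrees(math.atan2(y, x)) % 360, dist

def review_upload(uploaded, charted, track_tol_deg=2.0, dist_tol_nm=1.0):
    """Return the legs whose computed track/distance disagree with the chart."""
    flagged = []
    for (n1, p1), (n2, p2) in zip(uploaded, uploaded[1:]):
        name = f"{n1}-{n2}"
        ref = charted.get(name)
        if ref is None:            # leg not on the charted route at all
            flagged.append(name)
            continue
        track, dist = leg(p1, p2)
        dtrack = abs((track - ref[0] + 180) % 360 - 180)  # wrap-safe angle difference
        if dtrack > track_tol_deg or abs(dist - ref[1]) > dist_tol_nm:
            flagged.append(name)
    return flagged

# Constructed sample data: hypothetical waypoints (lat, lon) and charted leg values.
CHARTED = {"ALPHA-BRAVO": (0.0, 60.0), "BRAVO-CHARL": (89.7, 45.3)}
GOOD = [("ALPHA", (40.0, -95.0)), ("BRAVO", (41.0, -95.0)), ("CHARL", (41.0, -94.0))]
# Same plan with BRAVO's latitude corrupted by half a degree in transit.
CORRUPT = [("ALPHA", (40.0, -95.0)), ("BRAVO", (41.5, -95.0)), ("CHARL", (41.0, -94.0))]

if __name__ == "__main__":
    print(review_upload(GOOD, CHARTED))     # no leg disagrees with the chart
    print(review_upload(CORRUPT, CHARTED))  # both legs touching BRAVO are flagged
```

A single displaced waypoint changes the track and distance of every leg that touches it, which is why the leg table and the moving map make such an error visible before the plan is accepted.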
Ultimately, the pilot is always in control and any misbehaving system can be turned off.
To be sure, no system is perfect. Garmin, as well as the rest of the avionics industry, is vigilant about these potential threats and continually strives to ensure system integrity. Part of that vigilance includes ensuring the system architecture is robust against failures and resistant to attack. In this and many other ways, modern avionics are fundamentally different from off-the-shelf computers.
As a pilot or a passenger, you can rest assured that Garmin, and other avionics manufacturers, apply rigorous processes to ensure threat sources are adequately mitigated so that you can trust both the safety and the security of the information the avionics provide.