The Hacked Airplane


For better or worse, the relentless march of technology means we’re more connected than ever, in more places than ever. For the most part that’s good. We benefit from improving communication, situational awareness, and reduced pilot workload in the cockpit. But there’s a dark side to digital connectivity, and I predict it’s only a matter of time before we start to see it in our airborne lives.

Consider the recent Heartbleed security bug, which exposed countless user’s private data to the open internet. It wasn’t the first bug and it won’t be the last. Since a good pilot is always mindful the potential exigencies of flying, it’s high time we considered how this connectivity might affect our aircraft.

Even if you’re flying an ancient VFR-only steam gauge panel, odds are good you’ve got an Android or iOS device in the cockpit. And that GPS you rely upon? Whether it’s a portable non-TSO’d unit or the latest integrated avionics suite bestowed from on high by the Gods of Glass, your database updates are undoubtedly retrieved from across the internet. Oh, the database itself can be validated through checksums and secured through encryption, but who knows what other payloads might be living on that little SD card when you insert it into the panel.

“Gee, never thought about that”, you say? You’re not alone. Even multi-billion dollar corporations felt well protected right up to the moment that they were caught flat-footed. As British journalist Misha Glenny sagely noted, there are only two types of companies: those that know they’ve been hacked, and those that don’t.

Hackers are notoriously creative, and even if your computer is secure, that doesn’t mean your refrigerator, toilet, car, or toaster is. From the New York Times:

They came in through the Chinese takeout menu.

Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.

Remember the Target hacking scandal? Hackers obtained more than 40 million credit and debit card numbers from what the company believed to be tightly secured computers. The Times article details how the attackers gained access through Target’s heating and cooling system, and notes that connectivity has transformed everything from thermostats to printers into an open door through which cyber criminals can walk with relative ease.

Popular Mechanics details more than 10 billion devices connected to the internet in an effort to make our lives easier and more efficient, but also warns us that once everything is connected, everything will be open to hacking.

During a two-week long stretch at the end of December and the beginning of January, hackers tapped into smart TVs, at least one refrigerator, and routers to send out spam. That two-week long attack is considered one of the first Internet of Things hacks, and it’s a sign of things to come.

The smart home, for instance, now includes connected thermostats, light bulbs, refrigerators, toasters, and even deadbolt locks. While it’s exciting to be able to unlock your front door remotely to let a friend in, it’s also dangerous: If the lock is connected to the same router your refrigerator uses, and if your refrigerator has lax security, hackers can enter through that weak point and get to everything else on the network—including the lock.

We can laugh at the folly of connecting a bidet or deadbolt to the internet, but let’s not imagine we aren’t equally vulnerable. Especially in the corporate/charter world, today’s airplanes often communicate with a variety of satellite and ground sources, providing diagnostic information, flight times, location data, and more. Gulfstream’s Elite cabin allows users to control window shades, temperature, lighting, and more via a wireless connection to iOS devices. In the cockpit, iPads are now standard for aeronautical charts, quick reference handbooks, aircraft and company manuals, and just about everything else that used to be printed on paper. Before certification, the FAA expressed concern about the Gulfstream G280’s susceptibility to digital attack.

"There's an app for that!" The Gulfstream Elite cabin can be controlled from iOS devices.

“There’s an app for that!” The Gulfstream Elite cabin can be controlled from iOS devices.

But the biggest security hole for the corporate/charter types is probably the on-board wi-fi systems used by passengers in flight. Internet access used to be limited below 10,000 feet, but the FAA’s recent change on that score means it’s only a matter of time before internet access is available at all times in the cabin. And these systems are often comprised of off-the-shelf hardware, with all the attendant flaws and limitations.

Even if it’s not connected to any of the aircraft’s other systems, corporate and charter aircraft typically carry high net-worth individuals, often businessmen who work while enroute. It’s conceivable that a malicious individual could sit in their car on the public side of the airport fence and hack their way into an aircraft’s on-board wi-fi, accessing the sensitive data passengers have on their laptops without detection.

What are the trade secrets and business plans of, say, a Fortune 100 company worth? And what kind of liability would the loss of such information create for the hapless charter company who found themselves on the receiving end of such an attack? I often think about that when I’m sitting at Van Nuys or Teterboro, surrounded by billions of dollars in jet hardware.

Internet connectivity is rapidly becoming available to even the smallest general aviation aircraft. Even if you’re not flying behind the latest technology from Gulfstream or Dassault, light GA airplanes still sport some cutting-edge stuff. From the Diamond TwinStar‘s Engine Control Units to the electronic ignition systems common in many Experimental aircraft to Aspen’s Connected Panel, a malicious hacker with an aviation background and sufficient talent could conceivably wreak serious havoc.

Wireless data transmission for the GA cockpit: Aspen's Connected Panel

Wireless data transmission for the GA cockpit: Aspen’s Connected Panel

Mitigating these risks requires the same strategies we apply to every other piece of hardware in our airplanes: forethought, awareness, and a good “Plan B”. If an engine quits, for example, every pilot know how to handle it. Procedures are committed to memory and we back it up with periodic recurrent training. If primary flight instruments are lost in IMC, a smart pilot will be prepared for that eventuality.

As computers become an ever more critical and intertwined part of our flying, we must apply that same logic to our connected devices. Otherwise we risk being caught with our pants down once the gear comes up.

This article first appeared on the AOPA Opinion Leaders blog.

The Connected Cockpit

SPZ-8400 avionics suite in the Gulfstream IV-SP

Aviation electronics have always been a topic of particular interest to me. For one thing, in a previous life I worked as a freelance web developer and computer programmer (read: nerd). As such, I’ve watched the evolution of general aviation avionics with great admiration for those who create them.

SPZ-8400 avionics suite in the Gulfstream IV-SP

As a pilot, however, I have to interact with these gizmos all day long, and as an instructor must know the avionics well enough to efficiently teach them to others. This makes them a continual source of frustration because computers are supposed to make our lives easier and modern day avionics don’t always do that. From teaching Garmin’s chapter/page philosophy to learning the Honeywell FMS and SPZ-8400 systems in the Gulfstream IV, it seems I spend more time working with avionics than I do flying the airplane.

When I was at Simuflite, my G550-rated sim partner told me that the initial Gulfstream 550 training course was 33% longer than the G-IV course due solely to the complexity of the avionics. My own observation training experienced pilots to fly the Avidyne and G1000 panels is that it adds at least that much time and money to reach an instrument-proficient level.

A stack of King "Silver Crown" series avionics

It used to be much easier. For many years, a the gold standard was silver. Silver Crown, that is — a line of digital radios manufactured by Bendix/King. Oh, there were more advanced things out there. LORAN, Omega, VOR/DME-style RNAV systems. But they were expensive and esoteric. For the most part, a decent avionics suite meant a couple of VHF com radios, a pair of VOR receivers, DME, ADF, an audio panel and a Mode C transponder. When you bought a new airplane or retrofitted an old one, that’s usually what you got. These radios were simple to operate and required no programming.

These days it’s a bit more complex. While GPS and computers have led to tremendous capabilities, it has also left us with systems which are complex enough that they can cause serious flight safety issues. “What’s it doing now?” Things wouldn’t be so bad if there were standards for the way pilots interface with the avionics, but aside from the location of essential flight data (pitch, airspeed, altitude, etc) on a Primary Flight Display, each manufacturer has their own nomenclature and operating logic for the systems they offer. The way each button, switch and knob works is different. The location of those controls varies widely.

And there are so many companies out there! Garmin, Avidyne, Aspen, Blue Mountain, Honeywell, Bendix, Becker, Chelton, Dynon, L-3, Sandel, Rockwell Collins, TruTrak, and more. These are just the ones I could think of off the top of my head.

The pace of development has increased over the past few years as hardware components have become less expensive and more capable. An AHRS which used to cost $10,000 can be purchased today for a few hundred dollars, for example. It’s led me to wonder what the “end game” in this avionics mish-mash would look like. Will one manufacturer (probably Garmin) take enough market share to force the rest of the industry to adopt it’s standards? Or perhaps some sort of avionics related safety issue will cause the FAA to step in and publish standards for avionics system interfaces?

I believe I’m starting to see an answer, and it’s due to a company which doesn’t even make avionics, and has never been involved in aviation. What are the odds of that? I’m referring, of course, to Apple and it’s iPad tablet.

I have to admit, when the iPad was first announced, I thought it would be a failure. Looking at the device, it didn’t do anything you couldn’t already do with an iPhone. In fact, it did less. It couldn’t make phone calls and at the time did not have a camera. Most importantly, it wasn’t small enough to put in your pocket, meaning it would have to be carried around in-hand everywhere you go. It was an near-iPhone with a larger screen. Who would pay for something like that?

Clearly I was wrong. Given the degree to which sales have surpassed even Apple’s initial estimates, few people had enough foresight to anticipate how the iPad would be used. I’m especially impressed by software development for the iPad because Apple uses a closed software system wherein each application must be approved by the company before it becomes available on their app store. Apple maintains tight control over the design of apps which run on their hardware. Yet this hasn’t stifled creativity and as a result the iPad is being used by physicians, librarians, teachers, and yes even pilots.

On the Gulfstream, we’ve replaced hundreds of pounds of paper charts with an iPad weighing just 1.3 pounds. Airlines are using the iPad for that same purpose with FAA blessing, something I thought I’d never see due to their reticence to accept anything not specifically certified (at tremendous expense, I might add) for aviation purposes. Part 91 Subpart K fractional operators are also using the iPad. And last but not least, owner-flown Part 91 aircraft can frequently be found with an iPad in the cockpit.

As great is the iPad is, we’re still missing a way to link it directly to the aircraft’s built-in avionics. This is vital because it’s the best way to eliminate all the data input from the programming process. For example, yesterday we made a flight from Van Nuys to Santa Monica, then on to Windsor Locks, CT and ending in Teterboro, NJ. Three legs, and each leg required a significant investment of time and effort to pick up airport information, receive a clearance, and program that flight plan into the avionics.

The duplication of effort could easily be eliminated. A computer at Arinc came up with a flight plan for us. Then it was filed with the FAA, whose computer system came up with an acceptable route based on that filing. That route was read to us verbally over a radio and manually programmed into a computer on the aircraft by me. Why not simply beam the data to a device like an iPad, which pilots could verify before zapping it to the avionics? It would have easily saved an hour of time yesterday. Time is money. Do the math.

You’d think the answer would come from the FAA or the airlines, as they would have the most to gain from increased efficiency and safety such a system would provide. Instead it’s coming from the bottom up. I don’t just mean general aviation, but specifically experimental GA. AVweb posted this video demonstrating the Aspen Avionics’ Connected Cockpit:

The Aspen rep explains it far better than I could. “A way to connect personal devices with the certified avionics installed in the aircraft”. Ideally this will be a two-way communication link, allowing you to download transfer essential flight data like block times, fuel burned, distance traveled, ground track, etc. back to the tablet for use in filling out logbooks, trip sheets, tracking maintenance requirements, and generally leaving the pilots free to aviate instead of program computers and complete paperwork.

Once we have that link and the programming has been eliminated, we’re on easy street because people will be able to bring a personal device like an iPad (which they already know how to use) and a software package they’re comfortable with (ForeFlight comes to mind) and communicate with whatever may be installed in the aircraft. Aspen Avionics gets that, and I believe their Connected Cockpit is just the beginning of The Great Integration. It can’t get here soon enough.

When Glass Breaks


It’s tempting to think that flying a modern “glass panel” airplane with redundant alternators, batteries, buses, screens, sensors, and instruments means you’ll never have to fly partial panel again, doesn’t it?

These avionics suites are professionally-designed, installed, FAA-certified and can run $50,000 or more even for a lowly single-engine piston aircraft. They benefit from the latest technology and are designed to be fault tolerant. They’ve been torture-tested and engineered to withstand the environmental rigors they will endure.

So, at the very least, the odds of a major in-flight failure should be lower than when flying behind a panel with 30 year-old analog gauges with all their vibration and attitude-sensitive moving parts.

Alas, in my experience this has not proven to be the case. Quite the contrary, in fact. Much like flying a multi-engine aircraft, there are simply a lot more parts and systems to fail on a glass panel. Those systems are electronic and as such tend to be far more sensitive that their predecessors to things like moisture, improper or unstable voltage, and grounding issues.

When they work as designed, for the most part they are a major asset to flight safety. When they don’t, it can really leave you scratching your head about what’s going on. While it’s rare for the whole panel to go dark, when problems do crop up they can be quite vexing to troubleshoot. I had a flight like that recently in a Cirrus SR22.

Garmin GNS-430 data card failure

I had just departed Napa County Airport (KAPC) for John Wayne (KSNA) with a planned route covering about 320 nautical miles. It was a low IFR departure at night with ceilings of about 500′ AGL. I broke out of the clouds at about 2000′ and continued climbing southbound.

The first problem I encountered was a failure of the #1 Garmin GNS-430 data card. This was more or less a non-issue. Data cards are inserted and removed every 30 days to update the database, and every now and then the jostling will cause one will go bad. The 430 was still useful for radio communication, so I simply elected to use it’s screen as a place to display traffic.

I was passing east of San Jose a few minutes after departure when the traffic sensor failed. Again, I’ve seen this before. After checking that no circuit breakers were blown, I rebooted the avionics bus and the traffic sensor came back online.

Avidyne PFD failure

About 10 minutes later, the PFD suddenly failed. It was receiving power, as evidenced by backlighting around the buttons surrounding the screen bezel, but the screen was badly corrupted. Again, I’ve seen this on various SR22s, but it usually happens on boot-up. So I powered down and rebooted the entire electrical system, batteries, alternators, avionics, the whole works. No change. Again, no breakers were blown and the emergency checklist for PFD failure was not much help.

When I encounter avionics issues in an aircraft, one of the first things I check is the health of the electrical system. As I mentioned earlier, unstable or improper voltage does bad things to electronics. In this case, the bus voltages were a bit odd. Normally in an SR22 the main bus should run at 28 volts and the essential bus at 28.75. What I saw on the MFD engine page was ~28.5 and ~29.3. Roughly a half-volt too high on both buses.

I’d never seen that before. Was it possible that both alternators were producing too much voltage? They are independent devices and a malfunction in one alternator shouldn’t affect the other, so perhaps the problem was in the Master Control Unit or somewhere else.

It was about this time that the yellow “Alt 2″ light appeared on the annunciator panel, indicating that alternator #2 was offline. Yet the according to the MFD, the essential bus (which is powered by alternator 2) was still running about three quarters of a volt higher than the main bus — a sign that alternator 2 was still working.

Like I said, a head scratcher.

(For you Cirrus gurus out there, I should note that this is one of the SR22 aircraft with the improved electrical systems built after they replaced the analog engine gauges with the storage box in the upper right corner of the panel.)

Anyway, a bit more sleuthing revealed that TAWS, sferics, and autopilot systems were also offline. A TAWS system test said “TAWS system unavailable. Computer OK. AHRS bus not available.” The sferics system was coming and going.

The autopilot, despite what the PFD failure checklist said about being able to use the autopilot without the PFD, would not work correctly in any mode. It always wanted to turn right. The S-Tec 55X is a rate-based autopilot, and it gets rate-of-turn information from an analog turn coordinator located behind the instrument panel. I recalled something about the S-Tec only being able to connect to GPS 1 for navigation guidance without the PFD, and since that radio had no navigation data available due to the faulty data card, it was stymied. But it should have at least been able to function as a wing-leveler.

So there I was, flying southward on a very dark (though clear and technically VFR) night with no visible horizon in an all-electric aircraft with a bum electrical system. From the flight up to Napa, I knew there was a horizon out there, it was just masked by all the light emanating from the instrument panel. After reducing the panel lights to the minimum possible, I was able to make out a faint horizon. I’m sure my ophthalmologist would have commented on the eye strain this was sure to cause, but you gotta do what you gotta do, right?

The next step was to advise ATC of the issue. By this time I was well south of the San Francisco metropolitan area and over the San Joaquin Valley, which was socked in with low fog all the way to the Los Angeles basin. The best course of action seemed to be a diversion to the west since the fog wasn’t present in that area, so I proceeded in that direction and let Oakland Center know what was happening. Along the coast, there were plenty of VFR airports and the situation became more “visual” once I was in an area with city lights and highways.

The next question: weather to land at an intermediary airport or continue on to Los Angeles. I monitored the electrical system for the next 20 minutes and nothing got any better or worse. The PFD failure didn’t bother me. I just wasn’t keen on flying without communication radios. But the way I saw it, none of this stuff was going to affect the engine. I had good VFR conditions in an area and along a route I was very familiar with. In fact, it was hard to find a field I hadn’t been to. Even if all electrical power was suddenly lost, I had no concern about being able to make a safe landing at a known airport. So I continued the flight, and landed uneventfully at Santa Ana about an hour later.

In reviewing my logbook, about 2/5ths of my 5,500 hours are in glass panel airplanes. Yet they account for 100% of the electrical and partial panel abnormalities I’ve encountered. It’s not that the aircraft are poorly designed, built, or maintained. I believe it’s due to the fact that they are just more complex and, as I mentioned at the top of the page, less tolerant of voltage, humidity, and other conditions which are outside the design specifications. The failures can take on interesting forms.

On the plus side, I was discussing the flight with a fellow SR22 pilot and realized that even under “partial panel” conditions, I was still flying with a suite of avionics which would be the envy of many general aviation pilots.

I don’t look back on the situation as a hazardous one, but rather a puzzling scenario I have not been able to fully explain or duplicate. Nor is it one which I’ve ever seen simulated, something that’s worth considering when you think about the possibility of flying with broken glass.

Time for a Beat Down, Becker

Talk about art imitating life.

I snapped this photo today while Sunrise’s chief mechanic worked on the Becker com radio in our Extra 300. I had taxied out to the non-movement boundary and been attempting to contact clearance delivery (and ground, and tower, and company, and…. you get the picture) to no avail.

Matt working on the Extra 300's com radio

It was curious. We seemed to receive transmissions perfectly well. There was side-tone. The radio indicated that it was transmitting.

Now on the one hand, if a radio is the weakest part of your airplane, life can’t be too bad. On the other hand, it costs about $6 per minute to operate this aircraft, and the only other person on board the plane is the guy footing the bill. And he came all the way from Thailand to get some professional aerobatic training, not pay for me to idle there in the taxi lane. So we shut down the aircraft.

I knew the camera system processor had just been reinstalled. Perhaps something was loose or got bumped during that maintenance? Nothing looked amiss, but I double checked the antenna connections, tried a different helmet, checked the front seat headset jack connection, circuit breakers, etc.


Eventually, I called our mechanic, who knew enough to come over with a replacement radio. You see, this wasn’t the first problem we’ve had with this piece of equipment. Maybe it’s the 15 years worth of 10G pulls, but that radio has been back to the manufacturer more often than Joan Rivers has been to the botox clinic. Every time, Becker fixes it, certifies it, sends it back, and it works great.

For a while.

So when Matt pulled out the old radio and set it down on the pilot’s seat, I got the impulse to find a baseball bat and re-enact that classic Office Space scene where they take their frustrations out on a recalcitrant printer. Oooh, that would be so satisfying. The radio frequency knob shattered into a thousand tiny black pieces. The rectangular LCD screen leaking black fluid onto the ramp. Vengeance!!

I suggested this to Matt, who said he’d already tried that tactic and it hadn’t worked. From the tone of his voice, I got the impression that, unlike the printer, this thing fights back. “You want a piece ‘a me??”

Don’t tempt me, punk.

With the new radio installed, we were able to complete the flight without any light gun drama. And I will admit, at least the radio had the decency to fail on the ground and not in mid-air. Still, that Becker better hope I don’t find it just sitting on a shelf one day. I might have to steal something from work…