The US Department of Homeland Security cyber-security department (CISA) has issued a security alert today warning owners of small aircraft about vulnerabilities that can be exploited to alter airplane telemetry.
The vulnerabilities reside in avionics (electronic equipment fitted in an aircraft), and more specifically inside a small aircraft’s CAN bus.
A Controller Area Network (CAN bus) component is fitted inside various vehicles — such as planes, cars, airplanes, boats — and works as a central network through which other components talk to each other.
Vulnerabilities require physical access
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” DHS CISA said today.
CISA has sent this security alert after Patrick Kiley, a security researcher with cybersecurity firm Rapid7, published today a report about vulnerabilities in various CAN bus components sold by two (unnamed) vendors.
Kiley said that an attacker with access to a plane’s CAN bus could use these vulnerabilities to alter engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack.
CISA fears that, if exploited, these vulnerabilities could provide false readings to pilots, and lead to crashes or other air incidents involving small aircraft.
Kiley will be presenting his work at the Avionics Village at the DEFCON security conference in two weeks.
Airplanes not as secure as modern cars
In a separate blog post published on his employer’s website today, the Rapid7 researcher also highlighted that the aviation industry is lagging behind the automotive industry when it comes to cyber-security.
For starters, airplane manufacturers are failing at preventing access to planes’ CAN bus. On the other hand, accessing a CAN bus on a modern car is much harder, and usually requires breaking down or removing car components in order to access some hidden port.
“Unfortunately, it looks like the avionics sector is lagging in network security when it comes to CAN bus, and I think part of the reason is the heavy reliance on the physical security of airplanes,” Kiley said.
“Cars are relatively easy to get your hands on-people just leave them parked on the street-but airplanes exist in a much more secure environment, which typically includes a lot of physical security controls,” he added.
“But, just as football helmets may actually raise the risk of brain injuries, the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyber-attack, not less.”
Through the release of this research, Kiley would like to raise an alarm about these issues so that the aviation industry will start to secure CAN buses with stronger defensive measures that don’t rely on the fact that airplanes aren’t easily accessible to attackers, which may not be true.
In the meantime, CISA recommends that aircraft owners restrict access to planes avionics’ components “to the best of their abilities.”
Related government coverage: