Certain controller area network (CAN) bus systems aboard aircraft might be vulnerable to hacking when an attacker has “unsupervised physical access to the aircraft,” the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned yesterday in an alert (ICS-ALERT-19-211-01). It cited a report that an attacker with access to the aircraft could attach a device to an avionics CAN bus to “inject false data, resulting in incorrect readings in avionic equipment.”
Issued ahead of next week’s Def Con “Hacker” Conference, that report, from IT consultancy Rapid7, stated, “After performing a thorough investigation on two commercially available avionics systems, Rapid7 demonstrated that it was possible for a malicious individual to send false data to these systems, given some level of physical access to a small aircraft’s wiring.” Attaching such a device to the bus could lead to incorrect engine telemetry readings, incorrect compass and attitude data, and incorrect altitude, airspeed, and angle of attack (AoA) data. Pilots might not be able to distinguish between false and legitimate readings, Rapid7 added.
That research was conducted in a lab environment. Such an event would involve a hacker gaining unauthorized physical access to the aircraft systems and then being able to access the CAN bus, according to the DHS division. CISA thus recommends that aircraft owners restrict access to aircraft and that manufacturers review implementation of CAN bus networks “to compensate for the physical attack vector.” The agency notes that the automotive industry has implemented safeguards to hinder such attacks.
“The DHS alert correctly points to the mitigations that are used to manage security in the aviation industry,” said Jens Hennig, vice president of operations for the General Aviation Manufacturers Association. “In evaluating such risk, it is important to consider actual real-world scenarios, especially by providing recognition of the protections our overall systems approach provides to managing aviation safety and security.”