Today we introduced an interesting report published by researchers at Rapid7 about the hacking of avionics systems via CAN bus, now the DHS issues an alert to warn owners of small airplanes of flight data manipulation attacks.
The scenario is disconcerting, hackers could manipulate the electronic systems in the small airplanes to force them displaying false flight data to the pilot, with unpredictable consequences.
The attackers, of course, need to have in some way physical access to small airplanes before they take off.
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment. The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot.” reads the alert published by the US Department of Homeland Security’s (DHS). “The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft. “
The DHS confirms that it issued the alert because CISA is aware of a public report of cyber attacks against avionics systems in small airplanes through CAN bus.
Patrick Kiley, a senior security consultant at Rapid7 conducted an investigation into the security of avionics systems
The expert focused the analysis on the Controller Area Network (CAN) bus implements by two commercially available avionics systems from aircraft manufacturers who specialize in light aircraft.
The CAN is a crucial component in vehicles and aircraft that allows data and signaling information to be’ exchanged between the
Unfortunately, an attacker can abuse the CAN bus to interfere with the ordinary operations even if unlike cars, airplanes adopt some protection measures.
Kiley was able to able to send forged messages to the control systems of the aircraft and perform malicious activities.
The expert demonstrated that it is possible to change the altitude and airspeed readings, changing engine telemetry readings, altering telemetry, and disabling or rerouting the autopilot.
“The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft,” the DHS’ cyber division warned Tuesday.
Kiley demonstrated the attack after investigating avionics systems—an electronic control and navigation system fitted in an aircraft—from two unnamed commercial aircraft manufacturers specialized in light aircraft.
Kiley found that the key problem with the avionics CAN bus is that it is integrated into the aircraft’s other components without any firewalls or authentication, which means untrusted connections over a USB adapter attached to the plane can send unauthorized commands to its electronic systems.
CISA recommends owners of small airplanes to restrict access to the aircraft. The US agency also urges manufacturers of aircraft to review the implementation of CAN bus networks and implement mitigations such as CAN bus-specific filtering, whitelisting, and segregation should also be evaluated by aircraft manufacturers.
“CISA recommends aircraft owners restrict access to planes to the best of their abilities. Manufacturers of aircraft should review implementation of CAN bus networks to compensate for the physical attack vector.” concludes the alert. “The automotive industry has made advancements in implementing safeguards that hinder similar physical attacks to CAN bus systems. Safeguards such as CAN bus-specific filtering, whitelisting, and segregation should also be evaluated by aircraft manufacturers.”
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.