DHS Warns Small Airplanes Vulnerable To Flight Data Manipulation Attacks

The United States Department of Homeland Security (DHS) has reportedly issued an alert warning owners of small aircraft to be on guard against a vulnerability that could enable attackers to easily hack the plane’s CAN bus and take control of key navigation systems. The vulnerability, discovered by a cybersecurity researcher at Rapid7, resides in modern aircraft’s implementation of the CAN (Controller Area Network) bus, a popular vehicular networking standard used in automobiles and small aircraft that allows microcontrollers and devices to communicate with each other in applications without a host computer. Rapid7 researcher Patrick Kiley demonstrated that a hacker with physical access to a small aircraft’s wiring could attach a device, or co-opt an existing attached device, to the plane’s avionics CAN bus to insert false data and communicate it to the pilot.

1 Expert Comment
Nigel Stanley
InfoSec Expert
August 2, 2019 11:28 am

Cybersecurity research in this field has to be applauded, but I remain a bit underwhelmed by the end result here. There are some challenges in executing this type of attack, and as the researcher admits, physical access is key.

Having piloted general aviation (GA) aircraft in the past, I get where the research is coming from, but believe me, there are far easier ways of damaging or disrupting light aircraft. I’d admit that many GA airfields can be remote and poorly protected, but any pilot worthy of the title should pick up the tell-tale traces of such an attack in the pre-flight walk around.

Avionics are notoriously difficult to mess with, and unless you really know what you are doing, you will likely disable other systems or components by mistake. I would have been more enthused by the research if it was discovered that the CAN bus implementations had some form of cryptographic primitives in place! Bad weather, ego and inexperience are more likely to kill or injure a private pilot than this type of cyber-attack.

Information Security Buzz