An insecure networking standard could allow a hacker with physical access to a small aircraft to trick the plane’s equipment into giving false readings of critical flight data, according to a warning from the Department of Homeland Security.
The vulnerability, discovered by cybersecurity company Rapid7, is in the implementation of CAN bus, a popular networking standard that allows communication between microcontrollers in planes, cars and other machinery.
A hacker would need physical access to carry out the hypothetical attack, which involves attaching a device to the plane’s CAN bus to insert false data. Engine readings, altitude and airspeed are among the data that could be manipulated, according to Rapid7 researcher Patrick Kiley.
Kiley said the aviation sector is lagging in securing CAN bus networks because of an apparent reliance on physical security.
Because the assumption is that hackers won’t get physical access to airplanes, “the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyberattack, not less,” Kiley wrote in research published Tuesday.
There is no evidence of the vulnerability being maliciously exploited. Kiley did not name the two vendors that he tested the attack on. The research is not vendor-specific but rather applies to the CAN bus standard.
“Manufacturers of aircraft should review implementation of CAN bus networks to compensate for the physical attack vector,” DHS said in the advisory from its Cybersecurity and Infrastructure Security Agency (CISA). It pointed to advances the automotive industry had made in protecting CAN bus systems from physical attacks.
The Aviation Information Sharing and Analysis Center (ISAC), the industry’s cyberthreat sharing organization, thanked the researchers for bringing the issue to light while emphasizing the need for physical access for the attack to succeed.
“The most important factor affecting the ability of a threat actor to execute this hack is unauthorized physical access to the aircraft,” the Aviation ISAC said in a statement. “The individual component targeted is secondary to one’s ability to bypass physical security controls mandated by government agencies and implemented by aviation providers.”
Rapid7’s findings are the latest sign that aviation is an emerging frontier for security research. DHS cybersecurity specialists have been probing vulnerabilities in aircraft since at least 2016, when an official in the department’s Science and Technology Directorate said his team had remotely compromised a system on a Boeing 757 during a test.
Other aspects of transportation are also getting increased scrutiny: U.S. Cyber Command recently ran an exercise involving seaport security.
The Associated Press was first to report on the DHS advisory.