The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) informed aircraft owners Tuesday to take extra precautions in restricting access to the planes until the aviation industry addresses and introduces necessary security features to protect small planes’ CAN bus network.
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” the Tuesday notice reads. “[Engine] telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot.
With the system unable to deliver accurate readings, the pilot could ultimately lose control of the aircraft, resulting in a fatal crash.
The vulnerability disclosure report was delivered to the DHS by software company Rapid7 after approximately two years of research and is solely focused on smaller aircraft due to their more simplistic systems. Additional security measures are already present within larger planes.
The Associated Press reported that Patrick Kiley, a senior security consultant and the lead researcher on this issue, said someone only needs “five minutes and a set of lock picks” to get gain access to an aircraft or enter a plane “through the engine compartment.”
After gaining access, the hacker would have free reign over the small aircraft’s entire control system. In a Rapid7 statement obtained by the AP, cybersecurity expert Chris King explained that the CAN bus, which acts as the plane’s “central nervous system,” lacks security features because “it was never designed to be in an adversarial environment.”
Manufacturers must now review the CAN bus and figure out the proper protections that would block a potential attack.
The DHS’ release notes that strides have been made in the automotive industry in handling similar issues with their own CAN buses, but addressing aircraft systems is expected to a more difficult task due to the longer “manufacturing cycle” of a plane, according to Kiley.
“Safeguards such as CAN bus-specific filtering, whitelisting, and segregation should also be evaluated by aircraft manufacturers,” reads the second section of the notice. It also highlighted that in developing these new security measures, manufacturers must engage in “proper impact analysis and risk assessment” prior to their implementation.
