An alert from the DHS critical infrastructure computer emergency
response team recommends that plane owners ensure they restrict
unauthorized physical access to their aircraft until the industry
develops safeguards to address the issue, which was discovered by a
Boston-based cybersecurity company and reported to the federal

Most airports have security in place to restrict unauthorized access
and there is no evidence that anyone has exploited the vulnerability.

But a DHS official told The Associated Press that the agency
independently confirmed the security flaw with outside partners and a
national research laboratory, and decided it was necessary to issue

Engine readings, compass data, altitude and other readings "could all
be manipulated to provide false measurements to the pilot," according
to the DHS alert.

The warning reflects the fact that aircraft systems are increasingly
reliant on networked communications systems, much like modern cars.
The auto industry has already taken steps to address similar concerns
after researchers exposed vulnerabilities.

The Rapid7 report focused only on small aircraft because their systems
are easier for researchers to acquire. Large aircraft frequently use
more complex systems and must meet additional security requirements.

The DHS alert does not apply to older small planes with mechanical

But Patrick Kiley, Rapid7's lead researcher on the issue, said an
attacker could exploit the vulnerability with access to a plane or by
bypassing airport security.

"Someone with five minutes and a set of lock picks can gain access
(or) there's easily access through the engine compartment," Kiley

Jeffrey Troy, president of the Aviation Information Sharing and
Analysis Center, an industry organization for cybersecurity
information, said there is a need to improve the security in networked
operating systems but emphasized that the hack depends on bypassing
physical security controls mandated by law.

With access, "you have hundreds of possibilities to disrupt any system
or part of an aircraft," Troy said.

The Federal Aviation Administration said in a statement that a
scenario where someone has unrestricted physical access is unlikely,
but the report is also "an important reminder to remain vigilant"
about physical and cybersecurity aircraft procedures.

Aviation cybersecurity has been an issue of growing concern around the

In March, the U.S. Department of Transportation's inspector general
found that the FAA had "not completed a comprehensive, strategy policy
framework to identify and mitigate cybersecurity risks." The FAA
agreed and said it would look to have a plan in place by the end of

The UN's body for aviation proposed its first strategy for securing
civil aviation from hackers that's expected to go before the General
Assembly in September, said Pete Cooper, an ex-Royal Air Force fast
jet pilot and cyber operations officer who advises the aviation

The vulnerability disclosure report is the product of nearly two years
of work by Rapid7. After their researchers assessed the flaw, the
company alerted DHS. Tuesday's DHS alert recommends manufacturers
review how they implement these open electronics systems known as "the
CAN bus" to limit a hacker's ability to perform such an attack.

The CAN bus functions like a small plane's central nervous system.
Targeting it could allow an attacker to stealthily hijack a pilot's
instrument readings or even take control of the plane, according to
the Rapid7 report obtained by The AP.

"CAN bus is completely insecure," said Chris King, a cybersecurity
expert who has worked on vulnerability analysis of large-scale
systems. "It was never designed to be in an adversarial environment,
(so there's) no validation" that what the system is being told to do
is coming from a legitimate source.

Only a few years ago, most auto manufacturers used the open CAN bus
system in their cars. But after researchers publicly demonstrated how
they could be hacked, auto manufacturers added on layers of security,
like putting critical functions on separate networks that are harder
to access externally.

The disclosure highlights issues in the automotive and aviation
industries about whether a software vulnerability should be treated
like a safety defect — with its potential for costly manufacturer
recalls and implied liability — and what responsibility manufacturers
should have in ensuring their products are hardened against such
attacks. The vulnerability also highlights the reality that it's
becoming increasingly difficult to separate cybersecurity from

"A lot of aviation folks don't see the overlap between information
security, cybersecurity, of an aircraft, and safety," said Beau Woods,
a cyber safety innovation fellow with the Atlantic Council, a
Washington think tank. "They see them as distinct things."

The CAN bus networking scheme was developed in the 1980s and is
extremely popular for use in boats, drones, spacecraft, planes and
cars — all areas where there's more noise interference and it's
advantageous to have less wiring. It's actually increasingly used in
airplanes today due to the ease and cost of implementation, Kiley

Given that airplanes have a longer manufacturing cycle, "what we're
trying to do is get out ahead of this."

The report didn't name the vendors Rapid7 tested, but the company
alerted them over a year ago, the report states.

----------------------------------------------------------------------

ICS Alert (ICS-ALERT-19-211-01)
CAN Bus Network Implementation in Avionics
Original release date: July 30, 2019

All information products included in http://ics-cert.us-cert.gov are
provided "as is" for informational purposes only. The Department of
Homeland Security (DHS) does not provide any warranties of any kind
regarding any information contained within. DHS does not endorse any
commercial product or service, referenced in this product or
otherwise. Further dissemination of this product is governed by the
Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see http://www.us-cert.gov/tlp/.

1 EXECUTIVE SUMMARY

CISA is aware of a public report of insecure implementation of CAN bus
networks affecting aircraft. According to this report, the CAN bus
networks are exploitable when an attacker has unsupervised physical
access to the aircraft. CISA is issuing this alert to provide early
notice of the report.

An attacker with physical access to the aircraft could attach a device
to an avionics CAN bus that could be used to inject false data,
resulting in incorrect readings in avionic equipment. The researchers
have outlined that engine telemetry readings, compass and attitude
data, altitude, airspeeds, and angle of attack could all be
manipulated to provide false measurements to the pilot. The
researchers have further outlined that a pilot relying on instrument
readings would be unable to distinguish between false and legitimate
readings, which could result in loss of control of the affected

CISA recommends aircraft owners restrict access to planes to the best
of their abilities. Manufacturers of aircraft should review
implementation of CAN bus networks to compensate for the physical
attack vector. The automotive industry has made advancements in
implementing safeguards that hinder similar physical attacks to CAN
bus systems. Safeguards such as CAN bus-specific filtering,
whitelisting, and segregation should also be evaluated by aircraft
manufacturers.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

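The filtering, whitelisting and segregation safeguards named above can
be combined in a gateway that sits between bus segments. The following
is an added example, not code from the alert, Rapid7 or any vendor; the
CAN IDs, segment names and timing values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: segment names, CAN IDs and timings are hypothetical. */
enum segment { SEG_SENSORS, SEG_DISPLAY, SEG_MAINT };
enum verdict { FWD, DROP_UNKNOWN_ID, DROP_WRONG_SEGMENT, DROP_BAD_LENGTH, DROP_RATE };

struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };
struct rule {
    uint32_t id;         /* CAN identifier allowed to cross the gateway */
    enum segment src;    /* only segment permitted to originate it */
    uint8_t dlc;         /* exact payload length expected */
    uint32_t min_gap_ms; /* minimum spacing between accepted frames */
    uint32_t last_ms;    /* time of the last accepted frame */
    bool seen;
};

static struct rule allowlist[] = {
    { 0x120, SEG_SENSORS, 8,  20, 0, false }, /* attitude (hypothetical) */
    { 0x130, SEG_SENSORS, 4,  50, 0, false }, /* altitude (hypothetical) */
    { 0x200, SEG_SENSORS, 8, 100, 0, false }, /* engine telemetry (hypothetical) */
};

/* CAN frames carry no sender address, so the gateway attributes a frame
 * by the physical segment (port) it arrived on, not by its contents. */
enum verdict gateway_check(const struct frame *f, enum segment from, uint32_t now_ms)
{
    for (size_t i = 0; i < sizeof allowlist / sizeof allowlist[0]; i++) {
        struct rule *r = &allowlist[i];
        if (r->id != f->id) continue;
        if (r->src != from) return DROP_WRONG_SEGMENT;
        if (r->dlc != f->dlc) return DROP_BAD_LENGTH;
        if (r->seen && now_ms - r->last_ms < r->min_gap_ms) return DROP_RATE;
        r->seen = true;
        r->last_ms = now_ms;
        return FWD;
    }
    return DROP_UNKNOWN_ID; /* default deny: unlisted IDs never cross */
}

int main(void)
{
    struct frame att = { 0x120, 8, {0} };
    int ok = gateway_check(&att, SEG_SENSORS, 1000); /* forwarded */
    int bad = gateway_check(&att, SEG_MAINT, 1001);  /* wrong port */
    printf("sensors=%d maint=%d\n", ok, bad);
    return 0;
}
```

The port check says nothing about a device attached to the sensor
segment itself, so the physical access restriction the alert recommends
still applies.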
CISA also provides a section for control systems security recommended
practices on the ICS webpage on us-cert.gov. Several recommended
practices are available for reading and download, including Improving
Industrial Control Systems Cybersecurity with Defense-in-Depth

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage on us-cert.gov in the Technical
Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion
Detection and Mitigation Strategies.

Rapid7 reported this finding to CISA.

For any questions related to this report, please contact the NCCIC at: