The United States’ Department of Homeland Security (DHS) recently warns against a severe issue present in small planes. CBS News reported that the warning pertains to a hacking vulnerability found in these planes.
The attack can infiltrate target vehicles by physically accessing the aircraft and attaching a hacking device. Attackers only have to install the mechanism to the Controller Area Network (CAN bus). This is considered the plane’s “electronic central nervous system.”
With the device in place, the attackers have the ability to send erroneous data to the plane, placing it in danger. Attackers can alter bits of data shown to pilots including altitude, airspeed, telemetry readings and angle of ascent.
The device also has the potential to allow malicious parties to take control of the vehicle. Combined with inaccurate data, pilots can “lose control of the aircraft”.
Rapid7 replicated the vulnerability in a controlled environment. Rapid7 director of research Tod Beardsley said that hackers can do “pretty much anything the pilot can do.”
Aside from the vulnerability, another alarming aspect of this discovery is that it requires little skill to implement. According to Patrick Kiley, the device can be installed as long as the attacker has access to the engine compartment. Kiley works at Rapid7 and is the lead researcher on the matter.
Less secure than cars
In another statement, Kiley noted that the aviation sector is behind in cybersecurity compared to the automotive sector, reported ZDNet. One of the most significant issues is the aviation industry’s failure to improve security on CAN buses. Kiley remarked that CAN buses on modern cars are much harder to access.
The researcher attributed this to the lax view on the physical security of airplanes. Kiley said that the sector fails to improve security measures because of the assumption that planes are harder to access. On the other hand, cars are found in common areas, requiring better security.
Meanwhile, the vulnerability of aircraft is not new information to DHS. In 2018, DHS has conducted a study on a Boeing 757 showing that the larger vehicle can be hacked. The organization said that without proper solutions, such vulnerabilities can lead to airline breaches.
In the meantime, the Federal Aviation Administration said that operators, pilots, and manufacturers should improve physical security. Rapid7 also sent notices to aircraft manufacturing companies to develop more secure builds. Manufacturers are also urged to invest in cybersecurity.