Earlier today, the U.S. Department of Homeland Security released an alert on the vulnerability of small aircraft to cyberattack. The issue affects what is known as the CAN bus network on the aircraft, which is the system that connects instrumentation information to mechanical components. If an attack succeeds, the alert says, telemetry readings such as compass and attitude data, altitude, and airspeed could be manipulated so that the pilot is shown incorrect values.
To accomplish the attack, the perpetrator would need physical access to the aircraft, underscoring the importance of physical access security controls. The vulnerability was discovered by cybersecurity firm Rapid7. A lead researcher on the project, Patrick Kiley, noted in a blog post that the auto industry has also used CAN bus networks, but with a more stringent emphasis on security.
“Unfortunately, it looks like the avionics sector is lagging in network security when it comes to CAN bus, and I think part of the reason is the heavy reliance on the physical security of airplanes,” he wrote. “Cars are relatively easy to get your hands on—people just leave them parked on the street—but airplanes exist in a much more secure environment, which typically includes a lot of physical security controls. But the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyber-attack, not less.”