The US-CERT has been forced to issue an ICS alert after a security researcher revealed major cybersecurity shortcomings in small aircraft which could enable attackers to cause crashes.
The issues lie with the CAN bus networks, a common feature of automobiles which connect electronic sensors and actuators.
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” the alert noted.
“The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft.”
The research itself was carried out by Rapid7’s Patrick Kiley, who is also a pilot. He spotted an over-reliance in the avionics sector on physical security and called for more defense-in-depth.
“Just as football helmets may actually raise the risk of brain injuries, the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyber-attack, not less,” he argued in a blog post introducing the research.
“Think about it: if you felt like your internal LAN was totally and completely untouchable by attackers, you probably wouldn't worry much about software patching or password management. Of course, LANs aren't impregnable, and neither are CAN bus networks, so we're worried about this mindset when it comes to avionics security.”
The hope is that, just as greater scrutiny of these systems in the automotive industry has led to steps being taken to mitigate risk, the same can happen in the light aircraft space.