Federal officials issued a security alert on Tuesday focusing on small aircraft, after authorities expressed concern that modern aircraft systems are vulnerable to hacking if a malicious operator gains physical access to the aircraft.
The alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said a security flaw in open electronic systems known as the "CAN bus" was detected by a Boston-based cybersecurity company and reported to the federal government, which found the systems are "useful."
"An attacker with physical access to the aircraft may attach a device to an airplane CAN bus that can be used to inject false data, resulting in incorrect readings in avionics equipment," CISA said in its alert. "The researchers have outlined that the engine's telemetry readings, compass and attitude data, altitude, airspeed and angle of attack could all be manipulated to provide false measurements to the pilot."
Most airports have security officers in place to restrict unauthorized access. While the vulnerability does not appear to have been exploited in a real-life scenario so far, a DHS official told The Associated Press that the agency independently confirmed the security flaw with external partners and a national research laboratory, and decided that the warning had to be issued.
The cybersecurity firm, Rapid7, found that an attacker could potentially interfere with electronic messages transmitted over a small aircraft's network, for example by connecting a small device to the wiring, with the aim of affecting aircraft systems.
If an aircraft's systems are compromised, CISA warns, pilots will not be able to rely on instrument readings.
"Researchers have further outlined that a pilot that relies on instrument readings would not be able to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft," the agency noted.
The Safety Rejection Report is a product of nearly two years of work from Rapid7. After its researchers assessed the flaw, the company notified DHS. Tuesday's DHS alert recommends that manufacturers review how they implement these open electronic systems, known as the "CAN bus," to limit a hacker's ability to carry out such an attack.
The CAN bus acts as a small aircraft's central nervous system. By targeting it, an attacker can stealthily hijack a pilot's instrument readings or even take control of the aircraft, according to the Rapid7 report obtained by The AP.
Just a few years ago, most automakers used the open CAN bus system in their cars. But after scientists publicly demonstrated how they could be hacked, automakers added security, like putting critical features on separate networks that are more difficult to access remotely.
"The automotive industry has made progress in implementing safety conditions that prevent similar physical attacks on CAN bus systems," noted CISA.
The Rapid7 report focused only on small aircraft because their systems are easier for scientists to obtain. Large aircraft often use more complex systems and must meet additional safety requirements. The DHS alert does not apply to older small aircraft with mechanical control systems.
In its warning, CISA recommends that airline owners "restrict access to aircraft to the best of their ability."
But Patrick Kiley, Rapid7's lead researcher on the issue, told the AP that an attacker could exploit the vulnerability by gaining access to an aircraft or by circumventing the airport's security.
"Anyone with five minutes and a set of lock picks can access [or] there is easy access through the engine compartment," Kiley said.
CISA also recommended that aircraft manufacturers "review the implementation of CAN bus networks to compensate for the physical attack vector."
The Associated Press contributed to this report.