DHS Warns Small Airplanes Vulnerable to Flight Data Manipulation Attacks

WASHINGTON — The Department of Homeland Security issued a security alert Tuesday for small planes, warning that modern flight systems are vulnerable to hacking if someone manages to gain physical access to the aircraft.

An alert from the DHS critical infrastructure computer emergency response team recommends that plane owners ensure they restrict unauthorized physical access to their aircraft until the industry develops safeguards to address the issue, which was discovered by a Boston-based cybersecurity company and reported to the federal government.

Most airports have security in place to restrict unauthorized access and there is no evidence that anyone has exploited the vulnerability. But a DHS official told the Associated Press that the agency independently confirmed the security flaw with outside partners and a national research laboratory, and decided it was necessary to issue the warning.

The cybersecurity firm, Rapid7, found that an attacker could potentially disrupt electronic messages transmitted across a small plane’s network, for example by attaching a small device to its wiring, that would affect aircraft systems.

Engine readings, compass data, altitude and other readings “could all be manipulated to provide false measurements to the pilot,” according to the DHS alert.

The warning reflects the fact that aircraft systems are increasingly reliant on networked communications systems, much like modern cars. The auto industry has already taken steps to address similar concerns after researchers exposed vulnerabilities.

The Rapid7 report focused only on small aircraft because their systems are easier for researchers to acquire. Large aircraft frequently use more complex systems and must meet additional security requirements. The DHS alert does not apply to older small planes with mechanical control systems.

But Patrick Kiley, Rapid7′s lead researcher on the issue, said an attacker could exploit the vulnerability with access to a plane or by bypassing airport security.

“Someone with five minutes and a set of lock picks can gain access (or) there’s easily access through the engine compartment,” Kiley said.

Jeffrey Troy, president of the Aviation Information Sharing and Analysis Center, an industry organization for cybersecurity information, said there is a need to improve the security in networked operating systems but emphasized that the hack depends on bypassing physical security controls mandated by law.

With access, “you have hundreds of possibilities to disrupt any system or part of an aircraft,” Troy said.

What could be more horrifying than knowing that a hacker can trick the plane's electronic systems into displaying false flight data to the pilot, which could eventually result in loss of control?

Of course, the attacker would never wish to be on the same flight, so in this article, we are going to talk about a potential loophole that could allow an attacker to exploit a vulnerability with some level of "unsupervised" physical access to a small aircraft before the plane takes off.

The United States Department of Homeland Security's (DHS) has issued an alert for the same, warning owners of small aircraft to be on guard against a vulnerability that could enable attackers to easily hack the plane's CAN bus and take control of key navigation systems

The Federal Aviation Administration said in a statement that a scenario where someone has unrestricted physical access is unlikely, but the report is also “an important reminder to remain vigilant” about physical and cybersecurity aircraft procedures.

Aviation cybersecurity has been an issue of growing concern around the world.

In March, the US Department of Transportation’s inspector general found that the FAA had “not completed a comprehensive, strategy policy framework to identify and mitigate cybersecurity risks.” The FAA agreed and said it would look to have a plan in place by the end of September.

The UN’s body for aviation proposed its first strategy for securing civil aviation from hackers that’s expected to go before the General Assembly in September, said Pete Cooper, an ex-Royal Air Force fast jet pilot and cyber operations officer who advises the aviation industry.

The vulnerability disclosure report is the product of nearly two years of work by Rapid7. After their researchers assessed the flaw, the company alerted DHS. Tuesday’s DHS alert recommends manufacturers review how they implement these open electronics systems, known as “the CAN bus,” to limit a hacker’s ability to perform such an attack.

The CAN bus functions like a small plane’s central nervous system. Targeting it could allow an attacker to stealthily hijack a pilot’s instrument readings or even take control of the plane, according to the Rapid7 report obtained by the AP.

“CAN bus is completely insecure,” said Chris King, a cybersecurity expert who has worked on vulnerability analysis of large-scale systems. “It was never designed to be in an adversarial environment, (so there’s) no validation” that what the system is being told to do is coming from a legitimate source.

Only a few years ago, most auto manufacturers used the open CAN bus system in their cars. But after researchers publicly demonstrated how they could be hacked, auto manufacturers added on layers of security, like putting critical functions on separate networks that are harder to access externally.

The disclosure highlights issues in the automotive and aviation industries about whether a software vulnerability should be treated like a safety defect — with its potential for costly manufacturer recalls and implied liability — and what responsibility manufacturers should have in ensuring their products are hardened against such attacks. The vulnerability also highlights the reality that it’s becoming increasingly difficult to separate cybersecurity from security overall.

“A lot of aviation folks don’t see the overlap between information security, cybersecurity, of an aircraft, and safety,” said Beau Woods, a cyber safety innovation fellow with the Atlantic Council, a Washington think tank. “They see them as distinct things.”

The CAN bus networking scheme was developed in the 1980s and is extremely popular for use in boats, drones, spacecraft, planes and cars — all areas where there’s more noise interference and it’s advantageous to have less wiring. It’s actually increasingly used in airplanes today due to the ease and cost of implementation, Kiley said.

Given that airplanes have a longer manufacturing cycle, “what we’re trying to do is get out ahead of this.”

The vulnerability, discovered by a cybersecurity researcher at Rapid 7, resides in the modern aircraft's implementation of CAN (Controller Area Network) bus—a popular vehicular networking standard used in automobiles and small aircraft that allows microcontrollers and devices to communicate with each other in applications without a host computer.

Rapid7 researcher Patrick Kiley demonstrated that a hacker with physical access to a small aircraft's wiring could attach a device—or co-opt an existing attached device—to the plane's avionics CAN bus to insert false data and communicate them to the pilot.

The attacker can manipulate the following data:

Engine telemetry readingsCompass and attitude dataAltitude, airspeed, and angle of attack (AoA) data "The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft," the DHS' cyber division warned Tuesday.

Kiley demonstrated the attack after investigating avionics systems—an electronic control and navigation system fitted in an aircraft—from two unnamed commercial aircraft manufacturers specialized in light aircraft

Though the attack sounds scary, it is not easy to gain "unsupervised" physical access to a plane, given "current industry practices and regulations," nevertheless, the Rapid7 report is worth paying attention to.

The researcher also pointed out that the avionics sector is lagging behind the automotive industry when it comes to the CAN bus system.

The automotive industry has made advancements in implementing safeguards, such as CAN bus-specific filtering, whitelisting, and segregation, that prevent similar physical attacks to CAN bus systems. Aircraft makers should also implement these safeguards.

For more depth analysis visit SOURCE : 1 2

An Ethical hacker should know the penalties of unauthorized hacking into a system. Read more at: Legality and Ethics

#homelandsecurity #homelandsecurityadvisorysystem #cargo #TSA #3pk9 #cargoscreening #csk9 #germanshepherd #k9unit #policedog #picoftheday #dogsofinstagram #photooftheday #dogs #police #mansbestfriend #furmissile #hardwork #interdiction #america #hideandseek #nofear #stayzero #justice #thinblueline #lawandorder #counterterrorism #cops #doglover #doglife


For more tricks and update over hacking stay tuned to our site: Note 4 Tech


Recent Posts

See All