A security alert was issued by federal officials Tuesday focusing on small planes after authorities voiced concerns that modern flight systems are vulnerable to hacking in the event a malicious actor is able to gain physical access to the aircraft.
The alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said that a security flaw in an open electronics system known as "the CAN bus" was discovered by a Boston-based cybersecurity company and reported to the federal government, which confirmed that the systems are "exploitable."
"An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment," CISA said in its alert. "The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot."
Most airports have security officers in place to restrict unauthorized access. While no one appears to have exploited the vulnerability in a real-world scenario so far, a DHS official told The Associated Press the agency independently confirmed the security flaw with outside partners and a national research laboratory, and decided it was necessary to issue the warning.
The cybersecurity firm, Rapid7, found that an attacker could disrupt the electronic messages carried on a small plane's network, for example by attaching a small device to its wiring, with the intent of affecting aircraft systems.
If an aircraft were to have its systems compromised, CISA warns that pilots wouldn't be able to rely on readings from instruments.
"The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft," the agency noted.
The vulnerability disclosure report is the product of nearly two years of work by Rapid7. After its researchers assessed the flaw, the company alerted DHS. Tuesday's DHS alert recommends that manufacturers review how they implement the open electronics system known as "the CAN bus" to limit a hacker's ability to perform such an attack.
The CAN bus functions like a small plane's central nervous system. Targeting it could allow an attacker to stealthily hijack a pilot's instrument readings or even take control of the plane, according to the Rapid7 report obtained by The AP.
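The core of the problem described above is that CAN frames carry no sender authentication, so a receiver accepts any frame with a valid arbitration ID. One defensive consequence is that injected frames can often be spotted by timing rather than content: legitimate avionics messages are broadcast at a fixed cadence, and an extra frame with the same ID arrives off-schedule. The following is an added example, not code from the CISA alert or the Rapid7 report; the arbitration ID, the 100 ms period and the altitude values are constructed for illustration.

```python
# Added example: timing-based detection of injected periodic CAN frames.
# Arbitration ID, period and payloads below are hypothetical sample values.
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class Frame:
    t: float        # capture time in seconds
    can_id: int     # arbitration ID (hypothetical value)
    data: bytes     # payload bytes


def learn_periods(frames):
    """Baseline from clean traffic: median inter-arrival interval per ID."""
    times = defaultdict(list)
    for f in frames:
        times[f.can_id].append(f.t)
    periods = {}
    for cid, ts in times.items():
        gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
        if gaps:
            periods[cid] = gaps[len(gaps) // 2]
    return periods


def detect_injection(frames, periods, tolerance=0.5):
    """Flag frames that arrive much sooner than the learned period for their ID.

    This catches an attached device adding frames next to the legitimate ones;
    it does not catch an attacker who also silences the legitimate sender.
    """
    last = {}
    alerts = []
    for f in frames:
        p = periods.get(f.can_id)
        if p is not None and f.can_id in last and f.t - last[f.can_id] < p * tolerance:
            alerts.append(f)
        last[f.can_id] = f.t
    return alerts


ALT_ID = 0x1A0  # hypothetical "altitude" message ID, broadcast every 100 ms


def clean_traffic():
    """Constructed sample: 20 legitimate altitude frames reporting 5000 ft."""
    return [Frame(i * 0.1, ALT_ID, (5000).to_bytes(2, "big")) for i in range(20)]


def traffic_with_injection():
    """Same capture with one injected frame 20 ms after a legitimate one."""
    frames = clean_traffic() + [Frame(1.02, ALT_ID, (9000).to_bytes(2, "big"))]
    return sorted(frames, key=lambda f: f.t)
```

Running `detect_injection(traffic_with_injection(), learn_periods(clean_traffic()))` returns only the injected 9000 ft frame; the clean capture produces no alerts.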
Only a few years ago, most auto manufacturers used the open CAN bus system in their cars. But after researchers publicly demonstrated how they could be hacked, auto manufacturers added on layers of security, like putting critical functions on separate networks that are harder to access externally.
"The automotive industry has made advancements in implementing safeguards that hinder similar physical attacks to CAN bus systems," CISA noted.
The Rapid7 report focused only on small aircraft because their systems are easier for researchers to acquire. Large aircraft frequently use more complex systems and must meet additional security requirements. The DHS alert does not apply to older small planes with mechanical control systems.
In its warning, CISA recommends that aircraft owners "restrict access to planes to the best of their abilities."
But Patrick Kiley, Rapid7's lead researcher on the issue, told the AP an attacker could exploit the vulnerability with access to a plane or by bypassing airport security.
"Someone with five minutes and a set of lock picks can gain access [or] there's easily access through the engine compartment," Kiley said.
CISA also recommended that aircraft manufacturers should "review implementation of CAN bus networks to compensate for the physical attack vector."
The Associated Press contributed to this report.