The U.S. National Homeland Security (NHS) decided to issue a safety alert for pilots and crews of small aircraft and helicopters after security audit specialists released a report stating that their flight systems can be hacked under certain circumstances, compromising the integrity of both aircraft and crew.
The issue was reportedly detected and reported by a private cybersecurity firm, which subsequently notified the federal authorities. In the alert, DHS recommends that owners restrict unauthorized physical access to aircraft, at least until the industry develops the mitigations necessary to correct the problem.
Thanks to strict security measures at U.S. airports, the vulnerability has not been exploited in the wild. However, NHS officials believe that this information needs to be publicly disclosed to prevent any exploitation attempt.
Security audit experts at private firm Rapid7 say the vulnerability consists of the disruption of electronic messages transmitted over the aircraft’s network, which in turn affects flight systems. “Multiple functions, such as engine readings, compass data, among other readings, could be manipulated to send false measurements to the pilot of an aircraft,” the experts said.
Like modern cars, aircraft flight systems are increasingly dependent on network communications. However, the automotive industry anticipated this development and has already implemented multiple measures to protect drivers and passengers and to fix vulnerabilities.
Security audit experts focused their study on smaller aircraft because their systems are easier to replicate or buy, unlike those of larger aircraft, which must comply with more complex security measures. In addition, the flaws do not apply to aircraft with mechanical control systems.
Industry members stress that multiple physical security controls must be evaded to exploit these flaws, which greatly increases the complexity of the attack. Even so, it is necessary to raise awareness among the owners and frequent users of these aircraft about the risks of not applying the required controls.
Recently, the Federal Aviation Administration (FAA) stated that unauthorized physical access to an aircraft is an unlikely scenario in practice, as a potential attacker, in addition to having physical access, must have knowledge of the operation of these systems.
Cybersecurity in aeronautics is a recurring issue among industry members, researchers and security firms. A couple of months ago, the U.S. Department of Transportation released a report revealing that the FAA did not have a cybersecurity framework or protocols for action in the event of a hacking incident or similar incidents. The FAA committed to implementing new information security policies that will need to be ready by the end of September.
According to security audit specialists from the International Institute for Cyber Security (IICS), the NHS alert specifies that small aircraft owners must fully review their flight systems, specifically the systems known as the “CAN” bus, to mitigate any exploitation risk.
Basically, the CAN bus is the nervous system of these aircraft; if a hacker were to compromise its integrity, they could intercept flight readings without being noticed or, in the worst case, even take full control of the aircraft to perform malicious actions during a flight.
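Classic CAN frames carry no sender authentication, so a receiver cannot tell a false engine or compass reading from a genuine one, but a passive monitor can flag the symptoms. The sketch below is an added example, not part of the original article or the Rapid7 report; the arbitration IDs, payload encoding, transmit periods and rate limits are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signal:
    name: str
    period_s: float    # expected transmit interval of the legitimate sender
    max_rate: float    # largest plausible change per second (assumed limit)
    wrap: float = 0.0  # modulus for circular values such as heading, 0 if none

# Hypothetical arbitration IDs and limits, constructed for this example.
SIGNALS = {
    0x321: Signal("compass_heading_deg", 0.10, 30.0, 360.0),
    0x1A0: Signal("engine_rpm", 0.10, 1500.0),
}

def enc(value: float) -> bytes:
    """Assumed payload encoding: unsigned 16-bit big-endian, 0.1 unit per bit."""
    return int(round(value * 10)).to_bytes(2, "big")

def decode(data: bytes) -> float:
    return int.from_bytes(data[:2], "big") / 10.0

def delta(a: float, b: float, wrap: float) -> float:
    d = abs(a - b)
    return min(d, wrap - d) if wrap else d

def monitor(frames):
    """Return (timestamp, can_id, reason) alerts for (ts, can_id, data) frames."""
    last, alerts = {}, []
    for ts, can_id, data in frames:
        sig = SIGNALS.get(can_id)
        if sig is None:                       # ID outside the known message set
            alerts.append((ts, can_id, "unknown-id"))
            continue
        value, reasons = decode(data), []
        if can_id in last:
            prev_ts, prev_val = last[can_id]
            gap = ts - prev_ts
            if gap < 0.5 * sig.period_s:      # extra frame between periodic ones
                reasons.append("too-frequent")
            if delta(value, prev_val, sig.wrap) > sig.max_rate * max(gap, 1e-6):
                reasons.append("implausible-jump")
        alerts.extend((ts, can_id, r) for r in reasons)
        if not reasons:                       # only clean frames move the baseline
            last[can_id] = (ts, value)
    return alerts

# Constructed capture: normal traffic, one injected heading, one stray ID.
SAMPLE = [
    (0.00, 0x321, enc(90.0)), (0.00, 0x1A0, enc(2400.0)),
    (0.10, 0x321, enc(90.5)), (0.10, 0x1A0, enc(2410.0)),
    (0.13, 0x321, enc(270.0)),                # injected false heading
    (0.20, 0x321, enc(91.0)), (0.20, 0x1A0, enc(2405.0)),
    (0.25, 0x7FF, b"\x00\x00"),
]
```

Calling `monitor(SAMPLE)` flags the injected heading on both timing and plausibility and reports the unlisted ID, while the legitimate periodic frames pass.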