Experts found critical vulnerability in aircraft operating systems

Members of the aviation industry are concerned about a potential security risk for the pilots and crew of some aircraft. “Today any system is exploitable, aviation is not safe from malicious hackers,” says Mark Lepak, vulnerability testing specialist.

The problem is related to the Controller Area Network system (commonly known as CAN bus). This cable system allows an aircraft’s navigation systems setting basic communication channels between each other.

According to vulnerability testing specialists, the system proved vulnerable to a long-known attack variant. “This could compromise the integrity of an aircraft,” says Jonathan Stone, one of the researchers who discovered this flaw. 

Although it is a really dangerous vulnerability, exploiting it in the wild is highly complicated, specialists point out. A threat actor would require physical access to the aircraft to install a device capable of altering the readings of some of the flight systems, such as flight speed and altitude indicators, among others.

On the attack scenario, Stone mentions: “If an aircraft flies in conditions of minimal visibility, depending entirely on its flight instruments, false or altered readings could have tragic consequences for crew members.” While it is difficult for this to happen, vulnerability testing experts point out that it is completely feasible, so it is necessary to reveal details about this flaw.

This report has already been shared with multiple members of the aviation industry and has even caught the attention of the Department of Cybersecurity and Infrastructure (CISA), a part of the U.S. Department of Homeland Security (DHS), which has issued an alert reporting the vulnerability. It is normal for pilots and manufacturers to be concerned about the possible exploitation of these vulnerabilities, so the CISA report has focused on a key element in preventing these incidents: the physical security of the aircraft.

In the protection of this kind of technology it is essential to have full control over people who have physical access to an aircraft. Any unauthorized access could endanger the lives of crew members.

The safety controls of smaller aircraft are usually older or non-updated, so in addition to controlling physical access to the aircraft it is also necessary to implement some system updates to further mitigate the risk of exploiting these flaws.

Vulnerability testing specialists from the International Institute of Cyber Security (IICS) mention that attacks requiring physical access to the target system affect all kinds of devices, from laptops and smartphones to industrial systems and the above-mentioned flight controllers on an aircraft. While physical access involves greater complexity for exploiting these vulnerabilities, there are multiple ways to trick the operators of these devices into accessing the target system, making system administrators and infrastructure managers must always have all the necessary forms of protection and mitigate the risk of exploitation.