DHS warns of cybersecurity vulnerability in small airplanes

The Department of Homeland Security’s (DHS) cybersecurity agency issued a security alert on Tuesday warning of a cyber vulnerability in small aircraft that could enable malicious actors to change key readings on the planes.

The alert was issued after cybersecurity group Rapid7 reported to DHS’s Cybersecurity and Infrastructure Security Agency (CISA) that an aircraft’s Controller Area Network (CAN) bus system can be exploited by a cyber attacker if the hacker has physical access to the plane.

{mosads}CISA warned that the hacker could attach a device to the aircraft’s CAN bus system that could “inject false data,” leading to incorrect readings.

Attackers could manipulate the plane’s altitude, airspeed and angle of attack data, CISA noted, adding that pilots would not be able to “distinguish between false and legitimate readings” and could lose control of the airplane.

In order to prevent this type of attack, CISA recommended that aircraft owners restrict physical access to the planes, and that aircraft manufacturers review the implementation of CAN bus networks to increase security.

Rapid7 also put out a paper on its findings on Tuesday, with the group’s Patrick Kiley writing that the perception that airplanes are kept in secure environments could be “making them more vulnerable to cyber-attacks, not less.”

Kiley added that “while physical restrictions are great, we really feel like avionics, in particular, need to implement defense-in-depth.”