US-CERT issues Cyber Alert on small aircraft

An ICS alert has been issued after it was revealed that cybersecurity vulnerabilities had been found in small aircraft.

Security researcher Patrick Kiley published a report on the vulnerabilities in various Controller Area Network (CAN) bus components sold by two vendors.

If an attacker were to gain access to a plane’s CAN bus, the vulnerabilities could be exploited to alter “engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack”.

CISA stressed that a “pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft”. 

Kiley, a Rapid7 researcher who is also a pilot, emphasised that the aviation industry relies heavily on the physical security of airplanes and is lacking in network security when it comes to CAN bus.

Kiley explained that cars are easy “to get your hands on” whilst airplanes are much more difficult to acquire, as they are placed in a much more secure environment.

“But, just as football helmets may actually raise the risk of brain injuries, the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyber-attack, not less. 

“Think about it: If you felt like your internal LAN was totally and completely untouchable by attackers, you probably wouldn’t worry much about software patching or password management. Of course, LANs aren’t impregnable, and neither are CAN bus networks, so we’re worried about this mindset when it comes to avionics security.”

Kiley hopes that the release of his research will prompt the aviation industry to start enforcing measures to mitigate the risks associated with CAN bus.

CISA has recommended that “aircraft owners restrict access to planes to the best of their abilities. Manufacturers of aircraft should review implementation of CAN bus networks to compensate for the physical attack vector”. 
