The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on July 30 issued an informational alert about CAN bus network implementation in avionics. CISA said a public report claims that insecure CAN buses—a type of data communications network—in aircraft might be exploited if an attacker had physical access to the aircraft and attached to the network a device that then could inject false data. The report stressed that CAN bus networks are exploitable only if an attacker has unsupervised physical access to the aircraft.
A Controller Area Network, or CAN, data bus is a serial communications protocol commonly used in some aircraft, similar to the ARINC 429 and 629 data buses. The CAN bus originally was introduced in the automobile industry in the 1980s, about the same time the ARINC 429 came on the scene. Although they are not found on many piston aircraft models, CAN buses are found in some high-performance and turbine aircraft. Some airliners employ both ARINC and CAN data buses.
“General aviation aircraft owners take many precautions to protect their aircraft to keep aviation secure. It is very difficult for an unknown person to access a cockpit of an aircraft, let alone access the electronics,” she said. “We are committed to educating general aviation pilots and operators about increased threat awareness and we take any threat of cybersecurity seriously.”
Reinsch noted that it is a federal offense to unlawfully access an aircraft and tamper with any aircraft systems. “The penalty for doing so is severe, given the safety of pilots and passengers could be at risk. Current, multilayered federal security requirements are designed to prevent unauthorized access to aircraft. In addition, the AOPA Airport Watch program—established in partnership with the Transportation Security Administration in 2002—adds another layer of security.”
AOPA’s Airport Watch program encourages pilots to report suspicious activity using a toll-free national hotline (1-866-GA-SECURE, or 1-866-427-3287) answered 24 hours a day, seven days a week by the TSA’s Transportation Security Operations Center (TSOC). Based on the information provided about a possible threat, TSOC will notify the appropriate local, state, and federal law enforcement agencies as needed.
“The DHS alert correctly points to the mitigations that are used to manage security in the aviation industry,” said Jens Hennig, vice president of operations for the General Aviation Manufacturers Association. “In evaluating such risk, it is important to consider actual real-world scenarios, especially by providing recognition of the protections our overall system of systems approach provides to managing aviation safety and security.”
Avionics manufacturer Garmin International, Inc. shares Hennig’s thoughts. “Garmin reviewed the report released by Rapid7 and believes that the report fails to consider the numerous system safety protections, physical protections, and pilot skill that mitigate the risk of felony aircraft tampering,” the company said in a statement. “The report is based on extremely unlikely hypotheticals and therefore does not reflect real-world scenarios.”
CISA recommends aircraft owners restrict access to airplanes to the best of their abilities. Aircraft manufacturers should review implementation of CAN bus networks to compensate for the physical attack vector. The automotive industry has made advancements in implementing safeguards that hinder similar physical attacks to CAN bus systems, CISA noted.
The Aviation Information Sharing and Analysis Center, a nonprofit membership association that shares vulnerabilities, threat intelligence, and best practices to reduce operational risks, said the most important factor affecting the ability of a threat actor to execute this hack is unauthorized physical access to the aircraft. “The individual component targeted is secondary to one’s ability to bypass physical security controls mandated by government agencies and implemented by aviation providers,” Aviation ISAC said in a statement. “With unauthorized physical access, one opens up hundreds of possibilities to disrupt any system, or part, on an aircraft or any product in any industry.”
The vulnerability was identified by Rapid7, a security consulting firm, and addressed in the company’s blog. However, some in the aviation community are questioning the motives of Rapid7, at least in its timing; its research was completed in January 2018 and May 2018, although it was not publicly released until July 30, 2019—about 10 days before a large hacker convention, mentioned alongside the company’s research report on the topic.