CISA: Small Planes Vulnerable to Flight Data Manipulation

Raimonds Romans raymoonds/

Pilots would be unable to tell the difference between the real and fake readings, “which could result in loss of control of the affected aircraft,” CISA officials warned.

A vulnerability in the network protocols of small planes could allow anyone with physical access to the aircraft to manipulate its flight data, according to the Homeland Security Department.

The Cybersecurity and Infrastructure Security Agency on Tuesday issued a warning about an insecure implementation of CAN bus networks, the protocols that allow the various devices within planes, cars and other machines to communicate with each other. The vulnerability, reported by the cybersecurity firm Rapid7, could allow bad actors to inject false data into the aircraft, CISA officials said.

By physically tapping into the CAN bus system, an adversary could alter numerous aircraft measurements, including engine telemetry readings, compass and attitude data, altitude and airspeed, according to CISA.

“The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft,” officials said.

CISA advised aircraft owners to limit physical access to their planes and suggested the aviation industry implement different safeguards that would mitigate potential threats, something car manufacturers have already done successfully.

In a blog post detailing the findings, Rapid7 Researcher Patrick Kiley said the aviation industry hasn’t devoted enough attention to securing aircrafts’ digital networks, at least in part because of the heavy focus on airplanes’ physical security systems.

“Just as football helmets may actually raise the risk of brain injuries, the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyberattack[s], not less,” Kiley said. “While physical restrictions are great, we really feel like avionics, in particular, need to implement defense-in-depth.”

The announcement comes days after a New York Times investigation highlighted significant shortcomings in the Federal Aviation Administration’s oversight operations. In February, the Trump administration called on the government to unify its efforts to combat cyberthreats in U.S. airspace.

NEXT STORY: What ever happened to CyberStat?