Posted on July 31, 2019 at 2:31 PM
A new warning issued by the DHS (Department of Homeland Security) reports that a new vulnerability has been discovered in modern flight systems. According to the warning, hackers could exploit this flaw and even gain access to the planes’ controls.
The situation is not as dire as it seems, as the DHS pointed out that hackers would need to gain physical access to an aircraft in order to hack it. However, they did warn that the danger is still quite real, and the critical infrastructure computer emergency response team recommends that plane owners restrict unauthorized access to all aircraft, at least until the vulnerability is addressed.
Security exploit could affect the planes’ instruments
The new flaw was discovered by researchers at Rapid7 — a cybersecurity firm based in Boston. After discovering the flaw — which was a result of two years of research — the company immediately reported the vulnerability to the federal government, and the warning was issued soon after.
Restricting unauthorized access should not be too big of a problem for most airports, as they already have similar measures in place. Further, there is no evidence that would suggest that the vulnerability was ever exploited in the past. Despite this, the DHS confirmed with an outside partner that the flaw exists, which is why they believed it best to issue the warning nonetheless.
Meanwhile, according to security researchers from Rapid7, if an attacker did manage to gain physical access to planes, they could cause numerous issues for the aircraft. One possibility would be for them to disrupt electronic messages transmitted across the planes’ network. Another possibility is for them to affect compass data, engine readings, and even altitude information. All of this would provide the pilot with false measurements, and potentially risk the lives of individuals on board the plane.
Interestingly enough, older planes do not seem to be affected by the flaw. Only newer ones are endangered due to their systems’ increased reliance on networked communications systems. Similar concerns have already been raised about modern cars. In addition, researchers stated that they only focused on smaller planes.
The reason for this is the fact that it was easier to acquire their systems. Systems used by larger aircraft are usually significantly more complex. Not only that, but they have to meet a different set of security requirements. As for small planes, Rapid7’s lead researcher, Patrick Kiley, stated that anyone with a set of lockpicks and five minutes of access to the plane could potentially hack it and disrupt its instruments.
It would seem that the Aviation Information Sharing and Analysis Center president, Jeffrey Troy, has similar concerns. He insisted that networked operating systems require greater security. The network’s physical security controls are mandated by law, and since the hack depends on the hacker bypassing the physical security — that is what must be addressed as well.
The Federal Aviation Administration itself, however, believes that it is highly unlikely that someone would be able to gain unrestricted access. But, they admitted that it is important to remain vigilant.
Modern planes and cars dealing with the same security issues
This is not the first time that aviation cybersecurity concerns have emerged in recent years. Earlier this year, in March, the US Department of Transportation’s inspector general reported that the FAA failed to complete a comprehensive strategic policy framework that would identify and fend off security risks. The FAA admitted its fault, noting that the plan would be designed by September this year. The United Nations’ aviation body proposed its own solution that is set to arrive before September’s General Assembly.
Meanwhile, the DHS also alerted aircraft manufacturers, tasking them to find a way to repair the flaw and implement the fix to the open electronics systems, also known as ‘The CAN bus.’ Cybersecurity expert Chris King commented on the CAN bus, stating that it is completely insecure and that it was not designed to be in an adversarial environment. In other words, it is not capable of assessing whether the instructions are coming from a legitimate source or not.
Carmakers used to employ the same system, although they strengthened it a few years back after it was demonstrated how it could be hacked. The discovery of the flaw is yet another reminder of just how vulnerable software can be, and how important it is to understand that information security, cybersecurity, and safety are often overlapping, something that aviation often tends to forget.
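The point above that the CAN bus cannot tell whether an instruction comes from a legitimate source can be seen in a few lines. The following is an added example, not code from the article, Rapid7, the DHS, or any manufacturer: it contrasts a receiver that trusts a plain CAN frame with one that requires a truncated HMAC and a fresh counter in the payload. The arbitration ID, the key, and the payload layout are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ALTITUDE_ID = 0x123            # hypothetical 11-bit arbitration ID for an altitude message
KEY = b"constructed-demo-key"  # constructed; a real design needs per-device key provisioning
TAG_LEN = 4                    # truncated MAC so value + counter + tag fit in 8 data bytes


def naive_receive(can_id: int, data: bytes):
    """Plain CAN: the ID names the message, not the sender, so any node's frame is accepted."""
    if can_id != ALTITUDE_ID or len(data) < 2:
        return None
    return struct.unpack(">H", data[:2])[0]


def _tag(can_id: int, body: bytes) -> bytes:
    # Bind the tag to the arbitration ID as well as the payload body.
    msg = struct.pack(">H", can_id) + body
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_authenticated(can_id: int, value: int, counter: int) -> bytes:
    """Sender side: 2-byte value, 2-byte counter, 4-byte truncated HMAC = 8 bytes."""
    body = struct.pack(">HH", value, counter)
    return body + _tag(can_id, body)


class AuthenticatedReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""

    def __init__(self):
        self.last_counter = -1

    def receive(self, can_id: int, data: bytes):
        if can_id != ALTITUDE_ID or len(data) != 4 + TAG_LEN:
            return None
        body, tag = data[:4], data[4:]
        if not hmac.compare_digest(tag, _tag(can_id, body)):
            return None  # sender did not hold the key
        value, counter = struct.unpack(">HH", body)
        if counter <= self.last_counter:
            return None  # replay of an earlier genuine frame
        self.last_counter = counter
        return value
```

The 4-byte tag and 16-bit counter are sized only to fit a classic 8-byte CAN payload; counter wraparound and key distribution are outside what this example covers.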