Experts found critical vulnerability in aircraft operating systems

Members of the aviation industry are concerned about a potential security risk for the pilots and crew of some aircraft. “Today any system is exploitable, aviation is not safe from malicious hackers,” says Mark Lepak, vulnerability testing specialist.

The problem is related to the Controller Area Network system (commonly known as CAN bus). This cable system allows an aircraft’s navigation systems to set up basic communication channels with one another.

According to vulnerability testing specialists, the system proved vulnerable to a long-known attack variant. “This could compromise the integrity of an aircraft,” says Jonathan Stone, one of the researchers who discovered this flaw. 

Although the vulnerability is really dangerous, exploiting it in the wild is highly complicated, the specialists point out. A threat actor would require physical access to the aircraft to install a device capable of altering the readings of some of the flight systems, such as flight speed and altitude indicators, among others.

On the attack scenario, Stone mentions:
“If an aircraft flies in conditions of minimal visibility, depending
entirely on its flight instruments, false or altered readings could have tragic
consequences for crew members.” While it is difficult for this to happen,
vulnerability testing experts point out that it is completely feasible, so it
is necessary to reveal details about this flaw.

This report has already been shared with
multiple members of the aviation industry and has even caught the attention of
the Department of Cybersecurity and Infrastructure (CISA), a part of the U.S.
Department of Homeland Security (DHS), which has issued an alert reporting the
vulnerability. It is normal for pilots and manufacturers to be concerned about
the possible exploitation of these vulnerabilities, so the CISA report has
focused on a key element in preventing these incidents: the physical security
of the aircraft.

Protecting this kind of technology requires full control over the people who have physical access to an aircraft. Any unauthorized access could endanger the lives of crew members.

The safety controls of smaller aircraft are usually older or not updated, so in addition to controlling physical access to the aircraft it is also necessary to implement some system updates to further reduce the risk that these flaws are exploited.

Vulnerability testing specialists from the International Institute of Cyber Security (IICS) mention that attacks requiring physical access to the target system affect all kinds of devices, from laptops and smartphones to industrial systems and the above-mentioned flight controllers on an aircraft. While the need for physical access makes these vulnerabilities more complex to exploit, there are multiple ways to trick the operators of these devices into accessing the target system, so system administrators and infrastructure managers must always have all the necessary forms of protection in place and mitigate the risk of exploitation.
