How private jets and helicopters can be easily hacked and crashed
The U.S. National Homeland Security (NHS) decided to launch a safety alert for pilots and crew of small aircraft and helicopters after security audit specialists released a report that states that it is possible to hack their flight systems under certain circumstances, compromising the integrity of both aircraft and crew.
This inconvenience would have been detected and
reported by a private cybersecurity firm, which subsequently notified the federal
authorities. In the alert, DHS recommends that owners restrict unauthorized
physical access to aircraft at least until the industry develops the
mitigations necessary to correct the problem.
Thanks to strict security measures at U.S.
airports, the vulnerability has not been exploited in the wild. However, NHS
officials believe that this information needs to be publicly disclosed to
prevent any exploitation attempt.
Security audit experts at private firm Rapid7
say the vulnerability consists in the disruption of electronic messages
transmitted over the aircraft’s network, a situation that impacts flight
systems. “Multiple functions, such as engine readings, compass data, among
other readings, could be manipulated to send false measurements to the pilot of
an aircraft,” the experts said.
Like modern cars, aircraft flight systems are
increasingly dependent on network communications. However, the automotive
industry anticipated this breakthrough and multiple measures have already been
implemented to protect drivers and passengers and fix vulnerabilities.
Security audit experts focused their study on
smaller aircraft as their systems are easier to replicate or buy, unlike larger
aircraft, which must comply with more complex security measures. In addition,
flaws do not apply to aircraft with mechanical control systems.
Although industry members stress that multiple
physical security controls need to be evaded to exploit these flaws (which
greatly increases the complexity of the attack) it is necessary to raise
awareness of the owners of these aircraft and to frequent users about the risks
of not taking the required controls.
Recently, the Federal Aviation Administration
(FAA) stated that unauthorized physical access to an aircraft is an unlikely
scenario in practice, as a potential attacker, in addition to having physical
access, must have knowledge of the operating these systems.
Cybersecurity in aeronautics is a recurring
issue among industry members, researchers and security firms. A couple of
months ago, the U.S. Department of Transportation released a report revealing
that the FAA did not have a cybersecurity framework or protocols for action in
the event of a hacking incident or similar incidents. The FAA compromised to
implement new information security policies that will need to be ready by the
end of September.
According to security audit specialists from
the International Institute for Cyber Security (IICS), the NHS alert specifies
that small aircraft owners must fully review flight systems, specifically
systems known as “CAN” bus to mitigate any exploitation risk.
Basically, the CAN bus is the nervous system of
these aircraft; if a hacker were to compromise its integrity they could
inadvertently intercept flight readings or, in the worst case, they could even
take full control of the aircraft to perform malicious actions during a flight.
(Visited 4 1 times)
Gloss