DHS warns of vulnerability that could be used to alter flight data in small planes

The aviation sector appears to be lagging in securely implementing a popular networking standard for machinery.

An insecure networking standard could allow a hacker with physical access to a small aircraft to trick the plane’s equipment into giving false readings of critical flight data, according to a warning from the Department of Homeland Security.

The vulnerability, discovered by cybersecurity company Rapid7, is in the implementation of CAN bus, a popular networking standard that allows communication between microcontrollers in planes, cars and other machinery.

A hacker would need physical access to carry out the hypothetical attack, which involves attaching a device to the plane’s CAN bus to insert false data. Engine readings, altitude and airspeed are among the data that could be manipulated, according to Rapid7 researcher Patrick Kiley.

Kiley said the aviation sector is lagging in securing CAN bus networks because of an apparent reliance on physical security.


Because the assumption is that hackers won’t get physical access to airplanes, “the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyberattack, not less,” Kiley wrote in research published Tuesday.

There is no evidence of the vulnerability being maliciously exploited. Kiley did not name the two vendors that he tested the attack on. The research is not vendor-specific but rather applies to the CAN bus standard.

“Manufacturers of aircraft should review implementation of CAN bus networks to compensate for the physical attack vector,” DHS said in the advisory from its Cybersecurity and Infrastructure Security Agency (CISA). It pointed to advances the automotive industry had made in protecting CAN bus systems from physical attacks.

The Aviation Information Sharing and Analysis Center (ISAC), the industry’s cyberthreat sharing organization, thanked the researchers for bringing the issue to light while emphasizing the need for physical access for the attack to succeed.

“The most important factor affecting the ability of a threat actor to execute this hack is unauthorized physical access to the aircraft,” the Aviation ISAC said in a statement. “The individual component targeted is secondary to one’s ability to bypass physical security controls mandated by government agencies and implemented by aviation providers.”


Rapid7’s findings are the latest sign that aviation is an emerging frontier for security research. DHS cybersecurity specialists have been probing vulnerabilities in aircraft since at least 2016, when an official in the department’s Science and Technology Directorate said his team had remotely compromised a system on a Boeing 757 during a test.

This year, for the first time, the Def Con hacking conference will have a “village” dedicated to aviation security, some of which falls under the broad category of industrial control systems (ICS).

Other aspects of transportation are also getting increased scrutiny: U.S. Cyber Command recently ran an exercise involving seaport security.

The Associated Press was first to report on the DHS advisory.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
