Hack a small airplane? Yes, we CAN (bus) – once we physically break into one, get at its wiring, plug in evil kit...

An investigation into the computer security of small airplanes, the results of which were made public this week, will be sure to generate some flashy headlines. However, there are important caveats. The probe in question, carried out by Patrick Kiley, a senior security consultant at Rapid7, shows just how easy it is to hack a …

  1. Starace
    Alert

    Threat model

    So basically you could do something because there's a non-encrypted bus, but it's a complicated way to achieve something you could do much more easily in other ways with the same level of access.

    It's a bit of a common theme with security research to state the obvious and look for problems that really aren't.

    1. Unbelievable!

      Re: Threat model

      Fair comment. I agree mostly. But, 'unlikely' doesn't mean 'disregardable'.

      There's nothing not worth trying in a hacker's mindset. Therefore anything vulnerable needs to be secured.

      Who'd have thought 80 million could have been swiped via a bad router in a bank?

      1 rule: Don't underestimate the enemy, he may have garnered inside knowledge.

      One fairly simple example implementation of this exploit would be targeting a millionaire that just laid off a number of staff.

      1. Alan Johnson

        Re: Threat model

        "One fairly simple example implementation of this exploit would be targeting a millionaire that just laid off a number of staff."

        Or if you wanted to murder such a millionaire and had direct physical access to his personal plane and the technical knowledge to exploit it you could simply sabotage it in a myriad of other ways or even plant a bomb.

        No system is going to be secure against a threat where there is both:

        a) direct physical access

        b) a technically sophisticated opponent

        1. stratofish

          Re: Threat model

          A bomb is obvious and signals that there is a bomber.

          Strange readings and the system going haywire ends up like the 737-Max where software can be blamed and the culprit can get away without being suspected. (note. I'm not suggesting that the 737-max is in any way deliberate)

          1. Cynic_999 Silver badge

            Re: Threat model

            The probability is that even if a light aircraft were to be hacked in such a way, the pilot will still land it safely (albeit maybe not at an airport). I can think of nothing that can be done on a CAN bus that would be beyond the capabilities of a reasonable private pilot to cope with. Even if the electronic IFR instruments were rendered inoperative, any aircraft certified to fly in cloud must be fitted with a "basic panel" consisting of mechanical instruments (ASI, compass and T&S). After all, the plane must be safe in the event of a complete electrical failure.

            So the idea that evidence of tampering would be lost in the resulting crash would be rather optimistic on the part of the saboteur, because at least 9 times out of 10, there would not *be* a crash.

            1. LeahroyNake

              Re: Threat model

              Raising the flaps on landing could be quite difficult to control and induce a stall maybe. Not that difficult to initiate from a hacker perspective, read altitude and airspeed then raise flaps close to stall speed? Maybe not a fatal crash but it's not going to be pleasant or easy to control if you are not expecting it.

              If they have enough access and can input fail codes or similar to distract the pilot or worst case indicate failures where there are none and shut down working systems before the pilot realised and goes eyes / hard data only? It only takes a few seconds to go from ummm what's happening to crunch.

              I'm not a pilot but looking at the recent crashes due to software or sensor failure I expect small craft are even more vulnerable unless you have Chuck Yeager at the controls.

              1. Martin an gof Silver badge

                Re: Threat model

                Chuck Yeager? No, you need Eric "Winkle" Brown :-)

                M.

              2. Crazy Operations Guy

                Re: Threat model

                If the pilot is only a few seconds from crashing, they already fucked up. A pilot who assumes everything is operating properly all the time is a pilot that is going to get themselves killed regardless of any malicious activity. Any pilot worth their weight in piss is constantly planning for worst-case scenarios and how they will resolve that. A pilot on approach has already performed a dozen landings mentally with many different scenarios ranging from "What if the runway isn't empty? What if there is a sudden cross wind? What if my engine fails?". If they failed that, then it's time for a go-around.

                Besides, flaps aren't really quiet or fast, and they are visible from the pilot's seat on nearly all small craft. The only aircraft I've flown that don't have the flaps visible from the pilot's seat are aircraft that don't have flaps in the first place. Flaps take longer to retract than it would for a pilot to open the throttle and raise airspeed above clean-stall.

    2. Graham Cobb Silver badge

      Re: Threat model

      In my mind, the issue isn't what can be achieved today: it is a "heads up" warning to the manufacturers to make sure they improve the security before they develop further.

      For example, there is an incentive, for ease of maintenance, to consider adding wireless access to the CAN bus (for example, to allow logs and data to be read automatically every time the plane returns to base, without waiting for a service interval). But this report shows that if they just add wireless access today, they would be creating a massive problem.

      There may be other simple developments they are considering which would open this up (for example, if they add an entertainment system which could allow access to the can bus from the passenger compartment of an executive jet). The mindset of small plane manufacturers will need to change, as the automotive manufacturers are slowly learning.

  2. a_yank_lurker Silver badge

    Physical Access

    It seems many potentially horrific hacks require physical access to the device. If someone can gain physical access you have more serious issues than a hack because the perimeter has been thoroughly penetrated. In this case there is a lot more someone can do to a plane if they can get to it or anything else. The bus may be insecure internally but unless you are talking about making the plane a giant radio controlled model it is not really that important. What the researchers never said was other than physical access how would one access the bus while in flight.

    1. martinusher Silver badge

      Re: Physical Access

      If you have physical access to the plane then you could do a lot more damage with a lot less hassle by unhooking a control linkage (weakening it so it passes pre-flight but comes apart during use) or screwing with the engine.

      This is a blatant paranoia play that relies on most people not knowing much about GA aircraft. The vast majority of them are still stuck in the 40s -- twin magneto ignition, carburettors, iron instruments, rods and cables for flight controls and so on. Yes, they have GPS and upscale transponders but most people who fly them are rated for visual flight rules -- that is, they look out the window. They can be flown with total electrical systems failure because procedures are still in place at airports to handle aircraft that don't have radios (although they're not used very often).

      There are modern planes about but they are relatively few and far between because they're expensive. Really expensive. Even then they should have some measure of redundancy -- if they have fly by wire (unlikely in a GA aircraft) then it will need significant redundancy to be certifiable.

      1. Joe W Silver badge

        Re: Physical Access

        Wasn't it a requirement for (some of) the instruments to be the old fashioned kind? That is, tubes connected directly to the mechanical gauges - at least for speed and altitude? Those are of course much more expensive than the electronic stuff, so I can totally see why they want to get rid of those... My license expired a few years back, so I am definitely not up to date with the current rules and regulations.

        1. werdsmith Silver badge

          Re: Physical Access

          My license expired a few years back, so I am definitely not up to date with the current rules and regulations.

          Where are you in the world? In UK your license is for life, only the CofE goes out of date.

        2. Crazy Operations Guy

          Re: Physical Access

          In Canada and the US, the regulation for IFR is just an additional set of instruments that are independent from your primary instruments. Most people use the old steam gauges because those are known-good and already designed in. I recently upgraded my old C172-J to a full glass cockpit, no steam gauges at all, not even a mechanical compass, and it's approved for IFR. I was going to need to replace the instruments anyway due to its age, and decided to just toss it all and go full-glass.

          All I needed in my panel was:

          2x Dynon Skyview display (Only 1 needed)

          1x Garmin G5 w/ backup battery

          1x Garmin GNX-375

          1x Dynon 2-axis Autopilot kit.

          I carry a handheld Aviation radio and a compass as backup, but they're not required.

      2. big_D Silver badge

        Re: Physical Access

        I agree with you, in principle. But, if you are looking to sabotage an aircraft, it provides more ways that will be harder to discover - such as nothing to see in pre-flight or even an inspection, but hide a black box that starts working after an hour of flight, above a certain altitude or at specific coordinate and it is much more difficult to spot, until it is too late.

        Again, this is only for a very serious case of sabotage, this isn't hi-jinx or fun and normal sabotage will be easier to carry out, although more easily spotted before it is too late.

        1. stiine Silver badge

          Re: Physical Access

          Do you mean like Kennedy Jr flying into Martha's Vineyard in '99?

          1. Crazy Operations Guy

            Re: Physical Access

            That was caused by bad planning and flying in night IMC without training in either.

    2. Giles C Silver badge

      Re: Physical Access

      This is similar to an argument I had over security on a router. My view is that the console port should not be subject to authentication from a remote server. If a hacker has got access to the port then nothing can save the system.

      Whereas putting security in place can hinder the one time you need to fix it in a hurry...

      If you wanted to bring an aircraft down when it is flying and you have access, then do something like make the fuel gauge read full when it is almost empty, or something else mechanical. You wouldn’t waste your time on recoding the on board computers.

    3. big_D Silver badge

      Re: Physical Access

      Given that security at many small airfields is poor to non-existent, I would say this is a relatively easy hack to perform. And judging by reality-TV like the aircraft repo series, getting onto a guarded airfield and flying away isn't all that difficult either.

      What the hack allows is for the "easy" fixing of an aircraft to sabotage it. If you mess with the wings, fuel, flaps, fuel in the oil etc. you can cause it problems, but they could be discovered in pre-flight. Hide a small black box attached to the CAN bus that has a 30 minute or hour delay, before it becomes active and you have a much better chance. Make it radio controlled and you can change things on the fly.

      1. imanidiot Silver badge

        Re: Physical Access

        "aircraft repo"

        You do know that show is ENTIRELY scripted and staged right? It's ALL fake (except the pilot season, that was much closer to reality)

    4. Steve Graham

      Re: Physical Access

      My car has an Android system with wifi connected to the CANbus. Nice and secure!

      (It's to interface to the audio controls on the steering wheel, and write stuff to the dashboard display.)

    5. druck Silver badge
      FAIL

      Re: Physical Access

      If this story was about being able to get CAN commands on to the aircraft's bus via a comms or nav system, then that would be an issue, this isn't.

  3. Mayday
    Terminator

    I'm a GA Pilot and I've wondered

    How things like this are feasible.

    One aircraft system I use has wifi and bluetooth capability for navigation as well as entertainment purposes. The wifi can be used for a specialist iPad app (called an Electronic Flight Bag/EFB and there are a few products there that do this job) that talks to the plane's systems and does "things". I'm guessing/presuming that security is not much of a factor in the design consideration as opposed to ease of use for a not-so tech-savvy pilot just wanting it to "work".

    I've also thought that the risk of someone being within wifi range to do nasties whilst the aircraft is in use (ie flying) is extremely low.

    Not to mention if it _does_ go horribly wrong I can press the red button which disables all the electronic bizzo and fly by looking out the window and looking at my paper maps.

    Few things to think about really.

    1. Frederic Bloggs

      Re: I'm a GA Pilot and I've wondered

      And, if necessary, look at the backup instruments which are the old fashioned analogue type.

      Also CANBUS connectors are not usually in nice accessible places and, should you be thinking of fiddling there in flight - particularly on a retrofit - it might be rather obvious when you stick your head under the panel trying to find one. Mind you, whilst you are doing this you'll probably be fouling the yoke/stick and bumping lord knows what. Meanwhile the pilot (seated to the left of you), could be wondering what you're up to. After all, at this point you will be trying to kneel on a seat that is too small and the only thing that will be approximately upright will be your bum.

      It would be interesting to see the result of a loop with a 180 on top with you in this position (4G will likely not be kind).

      1. Cem Ayin

        Re: I'm a GA Pilot and I've wondered

        @Mayday: While attacks on your aircraft's CAN bus should certainly not be the most important of your worries as a pilot it should be noted that this type of attack potentially provides two specific advantages for a professional and well-funded attacker:

        - stealth: an attacker could conceivably sabotage the aircraft in a way that is virtually undetectable not only during a pre-flight check but even a thorough routine inspection.

        - precision: an attacker could arrange for a fatal failure to happen just when it is most dangerous and the pilot has least time to react, say, during initial climb at 200 ft GND; and it would be possible to plant the exploit code weeks or months in advance and activate it only during a pre-set time window, only on a very specific route, or by casually strolling by while holding a bluetooth dongle some time before takeoff - the possibilities are virtually endless...

        @Frederic Bloggs: Yes, EFIS-equipped GA aircraft have purely barometrical backups for ASI (Air Speed Indicator) and altimeter but not necessarily any backups for the engine control. Just think of all the havoc you could wreak on a FADEC-controlled engine if you were able to manipulate the FADEC (Full Authority Digital Engine Control) unit via the CAN bus. But even just manipulating readouts of critical engine temperatures could soon prove to be fatal for the aircraft and all persons aboard. And no, planting any such malware in-flight is probably impractical. But as the attacker, you don't want to be on board when it strikes anyway.

        That said, none of the scenarios explored above will ever kill nearly as many GA pilots as the classical combination of bad weather and imprudent/impatient pilot...

    2. imanidiot Silver badge
      Joke

      Re: I'm a GA Pilot and I've wondered

      "fly by looking out the window and looking at my paper maps."

      Are fuel-to-noise-converter pilots actually capable of looking outside?

  4. Paul 87
    Joke

    Boeing PR team spot an opportunity...

    ...we'll shortly hear that the 737-MAX crashes were due to hackers, and thus totally not their fault

  5. Anonymous Coward
    Anonymous Coward

    So which attack would you do?

    This is like if you had physical access to a car and you want to kill its driver. You could either figure out how to hack the car's computer, or you could simply pinhole the brake lines. If done right it would be indistinguishable from normal wear/damage/defect but if an investigation found the car's software had been tampered with it is an immediate murder investigation - and you better hope you aren't the only potential suspect with low level programming experience!

  6. ShortLegs

    Until someone works out it is possible to attach a remote interface to the CAN bus, and then change the altimeter reading remotely...

  7. Alister Silver badge

    Unlike cars, however, Kiley says there is little in the way of protection from malicious or unauthorized activity on the CAN system for aircraft.

    My understanding is that it's exactly like cars, they don't normally have any security or encryption on the CAN bus.

    1. The Oncoming Scorn Silver badge
      Coat

      A Different Kiley

      Kaylee Frye " And don't ride in anything with a Capissen 38 engine, they fall right out of the sky."

      Icon - Browncoat.

  8. llaryllama

    Sometimes IT security IS more trouble than it's worth

    I think this is one of those situations where extra security like encryption or authentication of messages has very little real world value, while the chance of something getting borked due to an error in the security protocol is a real hazard. Kind of like putting bars on your windows if you live in a high crime area then not being able to escape in a fire.

  9. thosrtanner

    Umm. Why are people discounting the 'need physical access to the aircraft'. It's not very clear from the article whether or not the researcher was sitting in the cockpit fiddling with wires, or whether he was say in a passenger seat where the wiring conveniently went past. Or whether he managed to get a wifi or bluetooth connection - because wire is expensive don'cha know.

    9/11 shows that people are willing to crash aircraft while they're on it. There's plenty of security now against people getting guns on. But if someone gets on with a mobile phone or laptop - and I've done both since 9/11 with no problem - well, as far as I can see, there is the potential for a lot of nastiness.

    1. big_D Silver badge

      Who needs to be in the aircraft, when it is flying? This would be something you could rig-up, when the plane is left unattended at an airfield. You set it up and walk off. It is only after the plane is flying that the box would become active and cause havoc.

  10. eldakka Silver badge
    Happy

    This bank has a security issue, it's too easy to steal money from it!

    I mean, once you've smashed in the front doors, incapacitated the guards, taken out the security cameras and alarm systems, and cracked the vault, the money is just lying around in totally unsecured shelving lining the walls of the vault.

  11. Mike007

    If you are a passenger on a small aircraft and would like to crash it simply take out your laptop and start setting up cables and plugging things in to the aircraft. Once everything is connected properly you should open a debugging terminal so you look like a proper hacker, then take a spare cable and wrap it around the pilot's throat.


Biting the hand that feeds IT © 1998–2021