US Issues Hacking Security Alert for Small Planes (securityweek.com) 70
wiredmikey writes: The DHS has issued a security alert for small planes, warning that modern flight systems are vulnerable to hacking if someone manages to gain physical access to the aircraft. The alert stems from research done by security firm Rapid7, which found that an attacker could potentially disrupt electronic messages transmitted across a small plane's network, for example by attaching a small device to its wiring, that would affect aircraft systems. Engine readings, compass data, altitude and other readings "could all be manipulated to provide false measurements to the pilot," according to the DHS alert.
DHS (Score:5, Insightful)
if someone manages to gain physical access to the aircraft.
If someone manages to gain physical access to the aircraft, the aircraft can be damaged. Isn't there anything else for DHS to do?
Re: (Score:2, Insightful)
if someone manages to gain physical access to the aircraft.
If someone manages to gain physical access to the aircraft, the aircraft can be damaged. Isn't there anything else for DHS to do?
Any the reason why small planes aren't falling out of the sky regularly? I'm going with anyone (the few and far between) who might be the target of something like this knows it, and has security...
Re: DHS (Score:3)
Re: (Score:1)
or, you know, just steal the spark plugs or cut ignition wires if you didn't want to KILL anyone but just stop the plane.
Jeeze, you guys are bloodthirsty.
Re: (Score:1)
I'm going with anyone (the few and far between) who might be the target of something like this knows it, and has security...
That, and getting down safely when the electronic instruments go all wibbley-wobbley is a skill every pilot has to know and demonstrate to get their ratings.
Re: (Score:3)
I'm going with anyone (the few and far between) who might be the target of something like this knows it, and has security...
That, and getting down safely when the electronic instruments go all wibbley-wobbley is a skill every pilot has to know and demonstrate to get their ratings.
Sure, but honestly I don't think pilots even have to worry about it as I suspect the occurrences of small aircraft sabotage are pretty close to limited to a few members of criminal enterprise...
Re: (Score:3)
Re: (Score:2)
In related news, kitchens are vulnerable to baking by anyone who gains access to the oven.
Re: (Score:2)
Reading TFA (https://www.us-cert.gov/ics/alerts/ics-alert-19-211-01) they are saying that there are things that car manufacturers have already done to mitigate some of this stuff, and aircraft manufacturers should do the same.
That seems reasonable. I don't know if aircraft have a diagnostic port like cars, but if they do and it's not firewalled then it would be fairly easy to install something there without having to do any major surgery. It also stops compromise of one system allowing the attacker to easil
"if someone manages to gain physical access" (Score:1)
"if someone manages to gain physical access to the aircraft"
If somebody has physical access, they can just cut any physical wire...
Re: (Score:1)
Physically cut wires will cause the aircraft to fail its preflight checks. They will simply be repaired on the ground. Inconvenient, but not dangerous in practice. (No sane pilot ignore skips his preflight.)
Compromised avionics can take down a plane in flight.
Re: (Score:2)
Physically cut wires will cause the aircraft to fail its preflight checks. They will simply be repaired on the ground. Inconvenient, but not dangerous in practice. (No sane pilot ignore skips his preflight.)
Compromised avionics can take down a plane in flight.
If an attacker has enough physical access that they can install a black box in the avionics wiring, they can install a bomb that can also take down a plane in flight.
This seems more like an case of weak physical security than an avionics vulnerability.
Re: (Score:2)
Both, in fact. Of course this news is scaremonging but, nevertheless there should be at least SOME due diligence built into the data bus security but yet there's no one.
In other news, it's exactly the same on your car.
On other other news, it's also the same on commercial airliners.
On the other hand, there's something to be said for keeping it simple so if your altimeter forgets the encryption key to your data bus, you don't have to re-pair it while you're trying to land in inclement weather with an engine out.
More complexity means more failure modes.
As opposed to just normal sabotage? (Score:1)
Doesn't take much.
why hack? (Score:1)
if i would want to kill someone while aving access to the wiring, i would simply put a timer that when the power is on, it would countdown and have something ignite at the end of that timer, burning all wires and you're done! why complicate things with a dongle that changes values, unless you're in a night flight, any pilot should be abel to tell that his instruments are not making any sense...
I'm shocked, SHOCKED!!! (Score:5, Insightful)
It's always been known that if an attacker gains physical access to a system, you're totally hosed.
NO KIDDING (Score:1)
They could also plant a small bomb without hacking anything.
So wait... (Score:5, Insightful)
You are telling me that if someone gained physical access to a plane and was able to install some kind of device into the wiring of the aircraft, this could do damage? Incredible...
Just like prior to CAN bus (Score:5, Insightful)
Anything generating fake signals can mess with a system made to receive radio signals. Any pilot looking outside the window is going to detect the false readings in a very quick timeline. Yes, you can send false gps signals, or VOR, or add magnetic interference on a compass. My plane has 2 seperate GPS receivers built in, plus my Stratus handheld, plus my Ipad's gps, plus my VOR receivers, plus my compass, plus the fact I can look out the windows and look at my charts and see that things look wrong. Good luck faking out all my systems even though there's no encrypted or trusted communication system in place.
I guess you could muck with the gauge readings, but every pilot also knows the patterns and would recognize that things look abnormal in short order. The only thing I think that would boggle me is if the interference managed to make my fuel senders read accurate for a change.
Aircraft have simple and easy to verify systems. This is more of a threat for automated things like drones that can be duped into following bad signals. Planes have people with brains and training (trust the instruments but also always compare to see if one is malfunctioning and train on how to ignore bad readings). Since we specifically train to expect things to break or screw up, the threat level is pretty low. They would have to get all the systems to agree, I doubt a 5 minute part added into a wire will do that.
Re: (Score:2)
Excellent take on the situation, would mod this up if I hadn't already posted.
Re: (Score:2)
Indeed. How is putting a malicious device on the CAN bus any different than surreptitiously adding a resistor in-between the nav radio receiver and the glideslope indicator, causing the analog glideslope meter needle to indicate higher than actual? Is DHS going to issue a security alert for soldering irons?
In any case, if you under ATC control, they are going to get on your back pretty quickly if you significantly deviate from your assigned course / altitude. And if you are not under ATC control, you
Re: (Score:2)
Whew! (Score:1)
I'm so glad my modern road vehicle CAN not be attacked like this!
Re: (Score:2)
If man were meant to fly he'd have a Faraday Cage exoskeleton with wings.
Bullshit (Score:2)
Anybody competent with physical access can do extreme damage. Not new and not surprising.
Big Planes are Immune? (Score:2)
Are big planes immune to this type of physical attack? How about medium planes? Or those little drones? And how about big nuclear missiles - are they immune if someone gets in there with a screw driver, a tesla coil, and a Raspberry Pi?
Lots of planes are not up to 2001 standards (Score:2)
If you look into the FAA data, you'll find that seaplanes from firms like Horizon Air that operates out of Lake Union in the heart of Seattle with an unlicensed airport that was never agreed to, don't even have transponders, and are very vulnerable to attacks like this, which are fairly easy to accomplish.
Plus, they continually violate both noise and hours of operation requirements for flying over residential communities and schools, and like to buzz large towers, which we all know no terrorist would ever w
Re: (Score:2)
If you look into the FAA data, you'll find that seaplanes from firms like Horizon Air that operates out of Lake Union in the heart of Seattle with an unlicensed airport that was never agreed to, don't even have transponders, and are very vulnerable to attacks like this, which are fairly easy to accomplish.
Horizon Air does not operate out of Lake Union. They have no floatplanes in their fleet at all. If they tried to land a Q400 in Lake Union it would make a very big splash. Kenmore Air and Seattle Seaplanes do operate out of Lake Union. Both of their airport operating areas are licensed, approved, inspected, and monitored by the FAA. The airport identifiers are W55, and 0W0, respectively. W55 was approved and started operating in September 1947, and 0W0 in April 1986. All of their aircraft not only hav
Or all cars? (Score:3, Interesting)
Re:Or all cars? (Score:5, Informative)
Re: Or all cars? (Score:2)
Garbage in, garbage out (Score:2)
I think Charles Babbage said it well in 1864:
On two occasions I have been asked, "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?"
Obviously? (Score:2)
I've said this numerous times of anything tech - if I've got physical access, all bets are off. How is this news?
Unless of course someone plants something on the CAN bus on your plane .... ?
Re: (Score:2)
Anyone who didn't already know this for decades either isn't paying any attention, or wasn't born yet.
Seriously, this qualifies as "news"???
Facepalm (Score:1)
Other dangers (Score:2)