On July 30th, DHS issued an alert to small plane owners that modern flight systems are vulnerable to hacking if physical access to the aircraft wiring is possible. The alert does not apply to older aircraft with mechanical control systems. DHS recommends that small plane owners restrict physical access to their aircraft until industry develops safeguards to address the issue. As many small aircraft owners know, how well physical access to an aircraft can be restricted depends largely on the airport, since the physical access controls are airport dependent. At a typical small airport in the United States there is a mix of aircraft parked outside and inside private hangars. However, even the private hangars are typically secured by an ordinary hardware store padlock, and a hangar could introduce even higher risk in this case since it would allow someone to access the aircraft without constant observation from people nearby.
The issue was discovered by Rapid7, a Boston based cybersecurity company, and described in detail in their report “Investigating CAN Bus Network Integrity in Avionics Systems”. Controller Area Network (CAN) bus, or “CAN bus” for short, was developed by Robert Bosch in 1983 and the protocol released as ISO 11898-3 in 1986. Wikipedia provides a detailed explanation of the CAN bus protocol, as does this CAN overview from National Instruments. In summary, it replaces the point-to-point wiring between sensors and instruments or controls with a shared medium/network to which all endpoints/nodes connect. Physically it uses a single twisted pair with differential signaling, making it inexpensive, lightweight and robust against electromagnetic (EM) interference. Logically it is a packet-based protocol in which all nodes see all messages, practically identical to the Ethernet we all use in our homes and offices. A huge difference between the two protocols is that the CAN bus can provide guaranteed “real-time” communication between nodes on the network. It has this ability by ensuring that every message has an assigned priority level and that the message with the highest priority is always transmitted first, without loss of the lower priority message. Each node contains a CAN controller chip and is therefore capable of identifying errors as well as ensuring that the node cooperates with the design of the protocol. The CAN protocol has been widely implemented over the last 20 years, not only in cars but also in streetcars, trams, railways, medical equipment, escalators, etc., and even coffee machines. Within aircraft the CAN bus has been used for flight-state sensors, navigation systems, engine control systems, fuel systems, linear actuators, etc.
The CAN protocol design uses an Arbitration ID to tag the priority of the message, with lower IDs having higher priority. The protocol also uses a logical 0 as the dominant bit; hence, as each bit of the ID is transmitted onto the bus, a node that sends a logical 1 while another node sends a logical 0 stops transmitting, thereby allowing the message with the smaller Arbitration ID to transmit first and ensuring “real-time” communication. The CAN bus protocol has no native trust and/or authentication scheme. When a rogue node is introduced on the network it can transmit any Arbitration ID, hence ensuring that it transmits first. In the case where the rogue node and the real node both transmit the same Arbitration ID concurrently, most implementations of the protocol accept the last message with a given ID as the valid one. Therefore, an attacker simply floods the network with forged packets and is practically guaranteed that the packets will be accepted by the destination node. The insecurity of the CAN bus has been demonstrated in cars since the mid-2010s and has worsened as cars have gained cellular and WiFi connectivity that piggybacks onto the CAN bus.
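As an added illustration (not code from the Rapid7 report or the DHS alert), the short Python simulation below replays the arbitration rule just described and then shows the defender's side: a bus monitor that knows each Arbitration ID's normal period and flags an ID that suddenly arrives far faster than its baseline, which is what a flood of forged packets looks like on the wire. The IDs, periods and baseline table are constructed values, not taken from any real avionics bus.

```python
from collections import defaultdict
import statistics

ID_BITS = 11  # standard (base) CAN frame identifier width

def arbitrate(ids):
    """Bit-by-bit arbitration for nodes that start a frame at the same time.
    Bits go out MSB first; a dominant 0 overrides a recessive 1 on the wire,
    so a node sending 1 while another sends 0 backs off. Returns
    (winning_id, {losing_id: bit index at which it backed off})."""
    contenders = set(ids)
    dropped_at = {}
    for bit in range(ID_BITS - 1, -1, -1):
        wire_level = min((cid >> bit) & 1 for cid in contenders)  # 0 dominates
        for cid in list(contenders):
            if (cid >> bit) & 1 != wire_level:
                contenders.remove(cid)
                dropped_at[cid] = bit
    return contenders.pop(), dropped_at

def flag_flooded_ids(frames, baseline_ms, tolerance=0.5):
    """Flag IDs whose median inter-arrival time is far below their baseline.
    frames: (timestamp_ms, arb_id) pairs as a bus monitor would log them;
    baseline_ms: expected period per ID learned from a known-good recording.
    Returns {arb_id: median_gap_ms} for IDs arriving faster than
    tolerance * baseline, which is what a forged-frame flood looks like."""
    arrivals = defaultdict(list)
    for ts, cid in sorted(frames):
        arrivals[cid].append(ts)
    flagged = {}
    for cid, times in arrivals.items():
        if cid not in baseline_ms or len(times) < 3:
            continue  # unknown ID, or too few frames to judge a period
        median_gap = statistics.median(b - a for a, b in zip(times, times[1:]))
        if median_gap < tolerance * baseline_ms[cid]:
            flagged[cid] = median_gap
    return flagged

def sample_frames():
    """Constructed bus log: three periodic IDs, one of them flooded at 2 ms."""
    frames = [(t, 0x100) for t in range(0, 201, 20)]   # healthy, 20 ms period
    frames += [(t, 0x200) for t in range(0, 201, 50)]  # healthy, 50 ms period
    frames += [(t, 0x120) for t in range(0, 201, 2)]   # expected 20 ms, flooded
    return frames

BASELINE_MS = {0x100: 20, 0x120: 20, 0x200: 50}  # constructed baseline periods

if __name__ == "__main__":
    print("arbitration winner:", hex(arbitrate([0x100, 0x120, 0x200])[0]))
    print("flooded IDs:", flag_flooded_ids(sample_frames(), BASELINE_MS))
```

The arbitration helper always returns the numerically smallest ID, which is exactly why a rogue node choosing a low ID wins every contest; the rate monitor is one of the few checks a passive node can make on a bus with no authentication.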
The Rapid7 hack used two different CAN bus implementations, each consisting of a combined Primary Flight Display (PFD) and Multi-Function Display (MFD), an Attitude and Heading Reference System (AHRS), an electronic magnetometer, an engine instrumentation controller, and either an Avionics Concentrator or an Autopilot servo. They were able to send false oil pressure, oil temperature and cylinder head temperature readings, an incorrect aircraft orientation in the AHRS, and false altitude, heading and airspeed in the PFD. It is very clear from these tests that, given such readings, the pilot could easily be misled into a Controlled Flight Into Terrain (CFIT) situation.
Although the CAN bus systems in cars are undergoing several security changes, those changes are centered on isolating the control and instrumentation of the car from the connectivity and entertainment systems. There are some proposed methods, such as encrypting the messages on the CAN bus, but this will require more intelligent controllers as the nodes, as described by the CANcrypt design. We will need to see whether aircraft avionics companies start to adopt a more secure version of the CAN bus.