On July 30, 2019, the U.S. Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) released ICS-ALERT-19-211-01 about the hackability of CAN Bus avionics networks in civilian aircraft. Some larger aircraft use CAN bus, such as the Airbus A380, which uses the technology for entertainment systems but not for vital avionics. As for the flight deck, some avionics available for experimental and certified light airplanes use CAN bus.
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” said CISA. “The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft.”
Faced with this threat, “CISA recommends aircraft owners restrict access to planes to the best of their abilities,” said the ICS Alert. “Manufacturers of aircraft should review implementation of CAN bus networks to compensate for the physical attack vector.”
The “public report of insecure implementation of CAN bus networks” that motivated CISA to issue this alert came from the software security firm Rapid7, led by the company’s senior security consultant Patrick Kiley. He outlined his concerns online in the July 30, 2019 Rapid7 blog entry, Investigating and Reversing Avionics CAN Bus Systems. CISA issued its ICS Alert based on Kiley’s research the same day.
The fact that CISA acted on Kiley’s research at lightning speed (unusual in itself for a federal agency) suggests that the CAN bus hacking vulnerability is one that needs to be taken seriously. At the same time, Kiley’s reasons for doing this research (discussed at length with AIN), the mainstream media’s trumpeting of this hack’s existence, and the aviation industry’s reluctance to speak candidly on this topic have arguably made the CAN bus vulnerability a bigger issue than it deserves to be.
This article’s mission is to put the CAN bus vulnerability in context; both to make sense of the actual vulnerability and to see what it says about the aerospace industry’s ability to deal with serious cyber threats.
CAN Bus Vulnerability
Patrick Kiley is a security analyst, a “white hat” (good guy) hacker, and an engineer building his own Rutan-derived Cozy MK IV experimental amateur-built airplane. While doing so, Kiley learned that some homebuilt airplanes use the CAN bus network architecture found in modern computer-heavy cars and trucks.
The good side of using CAN bus is that its two-wire shared avionics network “was really easy to hook up,” Kiley told AIN. The downside: “I knew CAN bus had zero security built-in, so I decided to investigate whether any security research has been done.”
He couldn’t find any, so Kiley launched a research project at Rapid7 to see how vulnerable an aircraft running on CAN bus is to hacking. A link to his full research paper, Investigating CAN Bus Network Integrity in Avionics Systems, is available in the Rapid7 blog entry. Kiley’s CAN bus paper was prepared in part for the DEF CON 27 hackers’ convention in Las Vegas August 8-11, 2019.
Here’s the CAN bus vulnerability as laid out in Kiley’s research paper: “A single CAN bus network uses a shared medium, which means that all nodes (i.e. avionics devices) on the network see all individual messages on the network. Unfortunately, from a security perspective, CAN bus nodes do not natively enforce the trust models and authentication schemes common in other networking applications. Therefore, any device placed onto a CAN bus that manipulates the voltages of the High and Low wires can send any message using any arbitration ID and expect it to be acted upon by the device on the bus expecting a message from that particular arbitration ID.”
In plain English, a hacker can attach an external microprocessor-driven device to the CAN bus network within the aircraft and then use that device to send false readings to the avionics connected to it. According to Kiley, the external device can be programmed to start sending false readings when the aircraft achieves a certain altitude, airspeed, or any other metric shared by the aircraft’s avionics across the CAN bus network.
Connecting the external device to the CAN bus network is easy. “You just need to tap two wires, using a Raspberry PI microcomputer with a CAN adapter, an Arduino, or a Carloop,” said Kiley. (A Carloop is an automotive diagnostic device that plugs into a car’s OBD II port under the dash. It is the same port used by car mechanics to read trouble codes when the “check engine” light comes on. “Nothing needs to be disabled,” he said, “you just need to access the wires.”
Since Carloops are available in 3G/LTE models that connect directly to cellphone networks, a hacked aircraft could be controlled from a distance, with the hacker able to see the aircraft’s avionics readings in real time, provided the airplane is within reach of the cellphone network.
“The scenario would work like this,” said Kiley: “Build a 3G/LTE Carloop device. Attach that device to the CAN+ and CAN- connectors of the Carloop, using vampire taps. Have that Carloop establish a connection to a server under the control of the adversary. Use that server to send commands to the Carloop, thereby controlling the CAN bus of the aircraft.”
Two conditions—physical access to the aircraft and its use of the CAN bus architecture—are important limits to the risks associated with the CAN bus hack, especially as relate to business aircreaft. This explains the exasperation expressed by National Business Aviation Association spokesman Dan Hubbard, when faced with the many frantic general media stories on this subject, such as this one from the Associated Press: “US issues hacking security alert for small planes.” Even if an intruder manages to break into a secured hangar and access the aircraft’s CAN bus network, he said, “it is never sitting out on the dining table in the cabin” ready to be hacked. In fact, the CAN bus network wires are incorporated into inaccessible areas of the airframe, and the bus wires are not labeled, “attach hacking vampire taps here.”
These facts lead to a third limit: A CAN bus hacker would have to be a savvy computer programmer, plus familiar with computer and avionics systems, to succeed. This eliminates casual hackers from the mix, reducing the threat, though not removing it entirely.
These limits explain why General Aviation Manufacturers Association v-p of operations Jens Hennig isn’t overly concerned about the CAN bus vulnerability. “Nobody views the risk around that as being very high,” he said.
Patrick Kiley himself has never presented the CAN bus vulnerability as a serious likelihood, just as a risk that exists and needs to be managed, the way CISA did when it issued its CAN bus alert.
“After we published my article and during DEF CON, I spoke to a few individuals who informed me of a standard that will greatly enhance the current CAN security model,” Kiley said. “The organization is called AUTOSAR [a worldwide industry group working on automotive open architecture], and the standard is a specification of secure onboard communication [SECOC].”
CAN or Not?
The Aircraft Electronics Association is well aware of the issues raised by the ICS alert. Ric Peri, the association's v-p of industry and government affairs, told AIN, "The systems that they tested and based their research and subsequent report on are for experimental aircraft, LSA, or entry-level certified GA [bridging technology]." He acknowledged that "the CAN bus is used throughout aviation at varying levels," but "the link [as many have reported] to all of GA is not realistic nor accurate. As the certitude of aircraft and systems increases, so does the cybersecurity oversight and controls. As you can see from the 2017 research on CAN bus in vehicles, it is not the CAN bus itself but rather the architecture of the system which is technically being reported. Low-cost systems are more vulnerable than higher cost, more sophisticated systems. This is true in computers, automobiles, as well as aircraft. I believe that the media is doing more to encourage hackers to 'break' our cybersecurity measures every time we report that we have controls in place. Nothing is foolproof and the more we talk about it not being a problem, the more this becomes a challenge for those who dabble in this arena."
Based on the available facts, the CAN bus vulnerability is judged to be a real but difficult-to-execute threat against aircraft. And heeding CISA’s advice to keep aircraft properly secured and monitored is a reasonable response to this vulnerability; as is keeping an eye out for any signs of tampering within an aircraft on an ongoing basis.