The US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on newly found vulnerabilities in the controller area network (CAN) bus networks used on small aircraft that could be abused by an attacker with physical access to a plane.
"An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment. The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot," the alert said.
Researchers at Rapid7, who discovered the vulnerabilities and reported them to the DHS CISA, noted in their findings that such an attack with phony readings would be undetectable by a pilot.
DHS recommends that aircraft manufacturers study their products' CAN bus networks for possible mitigations of the attack, and that owners of small aircraft restrict physical access to their planes.