Attention: small airplane hack


Apparently there is a homeland security warning of a systems vulnerability subject to physical access of your airplane. I heard it on NPR just now and then followed up seeing it on a few news sources.

https://www.washingtonpost.com/business/technology/apnewsbreak-us-issues-hacking-alert-for-small-planes/2019/07/30/a3278928-b2c7-11e9-acc8-1d847bacca73_story.html?utm_term=.df3df755df1e

Keep 'em locked up, friends.

Edited by aviatoreb
  • Like 1
Link to comment
Share on other sites

15 minutes ago, TonyK said:

TonyK  has checked in SAFE from this hack.  Chalk one up to steam gauges and ancient radio stacks! 

..and rods vs fly by wire.

Nonetheless, this is serious since the instruments can be spoofed to give wrong readings.  Engine monitors, GPS, autopilot commands.  But it seems they need physical access to your airplane to hack it, as I understand this.

E

Link to comment
Share on other sites

34 minutes ago, aviatoreb said:

Apparently there is a homeland security warning of a systems vulnerability subject to physical access of your airplane. I heard it on NPR just now and then followed up seeing it on a few news sources.

https://www.washingtonpost.com/business/technology/apnewsbreak-us-issues-hacking-alert-for-small-planes/2019/07/30/a3278928-b2c7-11e9-acc8-1d847bacca73_story.html?utm_term=.df3df755df1e

Keep 'em locked up, friends.

Hard to tell, but it seems like they were specifically looking at aircraft where information and control is communicated through a network.  I can't imagine any small GA aircraft do so, although there may be some larger or execjet type aircraft that do?

I suspect this does not apply to the directly-wired serial interfaces we have between most of our boxes. To disrupt or hack them, you'd have to physically latch onto each connection between two boxes. Do we have any data infrastructure protocols that allow for a common network between multiple boxes?

Link to comment
Share on other sites

49 minutes ago, aviatoreb said:

Apparently there is a homeland security warning of a systems vulnerability subject to physical access of your airplane. I heard it on NPR just now and then followed up seeing it on a few news sources.

https://www.washingtonpost.com/business/technology/apnewsbreak-us-issues-hacking-alert-for-small-planes/2019/07/30/a3278928-b2c7-11e9-acc8-1d847bacca73_story.html?utm_term=.df3df755df1e

Keep 'em locked up, friends.

Can you post the article... not a member of that paper.

Link to comment
Share on other sites

23 minutes ago, jaylw314 said:

Hard to tell, but it seems like they were specifically looking at aircraft where information and control is communicated through a network.  I can't imagine any small GA aircraft do so, although there may be some larger or execjet type aircraft that do?

I suspect this does not apply to the directly-wired serial interfaces we have between most of our boxes. To disrupt or hack them, you'd have to physically latch onto each connection between two boxes. Do we have any data infrastructure protocols that allow for a common network between multiple boxes?

Yes, the CAN bus that originated in the automotive industry is now used in aviation. It's even used on the Airbus A380, and Boeing uses their own derivative of it. But for GA, Garmin also uses it to connect LRUs. Some Garmin examples are G3X and G5s. I've read that many of the avionics manufacturers use some derivative of the CAN bus, especially popular in the experimental avionics (i.e., including Dynon) now making their way into certified aircraft for easier hacking :)

Here is an old article on background https://www.aviationtoday.com/2009/05/01/can-bus-in-aviation/ 

Here is a more recent how to do it CAN Bus article for experimental application: https://experimentalavionics.com/can-bus/ 

Edited by kortopates
  • Like 1
  • Thanks 1
Link to comment
Share on other sites

3 minutes ago, kortopates said:

Yes, the CAN bus that originated in the automotive industry is now used in aviation. It's even used on the Airbus A380, and Boeing uses their own derivative of it. But for GA, Garmin also uses it to connect LRUs. Some Garmin examples are G3X and G5s. I've read that many of the avionics manufacturers use some derivative of the CAN bus, especially popular in the experimental avionics (i.e., including Dynon) now making their way into certified aircraft for easier hacking :)

Here is an old article on background https://www.aviationtoday.com/2009/05/01/can-bus-in-aviation/ 

Here is a more recent how to do it CAN Bus article for experimental application: https://experimentalavionics.com/can-bus/ 

Thank you.

  • Like 1
Link to comment
Share on other sites

30 minutes ago, jaylw314 said:

Hard to tell, but it seems like they were specifically looking at aircraft where information and control is communicated through a network.  I can't imagine any small GA aircraft do so, although there may be some larger or execjet type aircraft that do?

I suspect this does not apply to the directly-wired serial interfaces we have between most of our boxes. To disrupt or hack them, you'd have to physically latch onto each connection between two boxes. Do we have any data infrastructure protocols that allow for a common network between multiple boxes?

I don't know. Simplicity of systems could well make the smallest airplanes easier targets than, say, a biz jet. I mean, imagine the havoc of a simple glass panel like an Aspen where it is confidently showing false data while you are flying IFR. Perhaps showing you higher than you are while on an approach. That could be bad. Remember terrorists are in the business of terror. So scaring people and reducing their confidence is the goal. That could be achieved perhaps with a rash of small airplanes falling out of the sky. The relative infrastructure damage would be relatively low, but the scare factor would be high. On the other hand, could well be hooligans getting their yayas with otherwise the same effect.

So I am not actually specifically scared of this since it is unlikely to happen to many airplanes so safety in numbers is a factor.  Still I figured something worth an FYI to my fellow owners.  Lock em' up.  And as Robert said, avionics theft was always a factor too.

Edited by aviatoreb
Link to comment
Share on other sites

35 minutes ago, kortopates said:

Worked for me Jim without a subscription, something else is wrong, adblocker? cookies?

I think you get like 10 free views without a subscription. Anyway, search on small airplane hack on Google and you will find many hits.

Link to comment
Share on other sites

9 minutes ago, steingar said:

If a hacker could gain access to an aircraft's avionics, why would he or she hack them rather than just steal them and sell them on eBay?

The consult was requested and paid for by DHS, which needs to justify its existence by "finding" security risks, which you could find anywhere if you look in a free country.  Sounded like a pretty cushy consulting gig, if you ask me.

Edit: I retract that.  Looks like Rapid7 is a for-profit network security company.  Unclear, but it sounds like they sent DHS an unsolicited "alert", and DHS responded with a public alert.  I wonder if or how DHS vetted the alert from Rapid7.

Edited by jaylw314
Link to comment
Share on other sites

1 hour ago, steingar said:

If a hacker could gain access to an aircraft's avionics, why would he or she hack them rather than just steal them and sell them on eBay?

Because the proper operation of the ATC system is critical for life safety and national security.   It's akin to throwing an infected USB dongle in the parking lot of a secure facility:  somebody is going to pick it up and plug it in to a network connected to secured assets just to see what's on it.   Once you're in the network, the network is compromised and susceptible to attack.

A GA airplane is the access to the network.   If it can be programmed even for a DoS attack, e.g., just stick the mic keyed on a couple of important ATC frequencies, you can do some damage with it.   If you can program the transponder to 7700 or 7600 or something useful to create confusion at a particular moment to create a vulnerability, that's very useful, too.

If you have a few dozen or a few hundred GA aircraft all do that at once, you'll have a pretty effective means to cripple or bring down big chunks of the ATC system, or potentially all of it if you're particularly successful.

How to do that? Well, stick something on the CAN bus that sorts out what equipment is there and then picks the appropriate strategy and then waits. It could even wait and get the occasional WiFi signal and phone home for further instructions. It might even get connected to ship's power and run for a long time waiting to be activated, or just collect data and send it back to its masters.

So there's a LOT of utility for such things to people with resources that wish to do harm. The purpose of the warning is to try to make it more difficult for anybody who might want to do that. If you think such forces couldn't happen, humor the rest of us and just try to secure your stuff as well as you can.

 

 

Link to comment
Share on other sites

3 minutes ago, EricJ said:

Because the proper operation of the ATC system is critical for life safety and national security.   It's akin to throwing an infected USB dongle in the parking lot of a secure facility:  somebody is going to pick it up and plug it in to a network connected to secured assets just to see what's on it.   Once you're in the network, the network is compromised and susceptible to attack.

A GA airplane is the access to the network.   If it can be programmed even for a DoS attack, e.g., just stick the mic keyed on a couple of important ATC frequencies, you can do some damage with it.   If you can program the transponder to 7700 or 7600 or something useful to create confusion at a particular moment to create a vulnerability, that's very useful, too.

If you have a few dozen or a few hundred GA aircraft all do that at once, you'll have a pretty effective means to cripple or bring down big chunks of the ATC system, or potentially all of it if you're particularly successful.

How to do that? Well, stick something on the CAN bus that sorts out what equipment is there and then picks the appropriate strategy and then waits. It could even wait and get the occasional WiFi signal and phone home for further instructions. It might even get connected to ship's power and run for a long time waiting to be activated, or just collect data and send it back to its masters.

So there's a LOT of utility for such things to people with resources that wish to do harm. The purpose of the warning is to try to make it more difficult for anybody who might want to do that. If you think such forces couldn't happen, humor the rest of us and just try to secure your stuff as well as you can.

 

The problem with that idea is that it does not require the airplane or system to propagate an attack. Why would attackers go through the trouble of trying to surreptitiously wrest control of hundreds of aircraft when all you need to do is buy a bunch of amateur transceivers and SDRs reprogrammed to spam 7700 or 7600 on 1090 MHz? Heck, why not just mail a bunch of suspicious packages to all the ARTCC facilities? That'll only cost you 21 first-class stamps.

Good aircraft security will reduce the chances of your equipment getting stolen, but it will NOT protect the National Airspace System from even basic ne'er-do-wells. To imply that there need to be "industry-produced safeguards" to such a "security risk" as small GA aircraft smells at best of fear-mongering in the wrong places, and at worst of snake-oil peddling from a company that makes money on people being fearful (and who likely will gladly provide paid consultation in developing those "industry-produced safeguards"). Whether their customers are fearful of the correct or incorrect risks is irrelevant.

  • Like 1
Link to comment
Share on other sites

4 minutes ago, jaylw314 said:

The problem with that idea is that it does not require the airplane or system to propagate an attack. Why would attackers go through the trouble of trying to surreptitiously wrest control of hundreds of aircraft when all you need to do is buy a bunch of amateur transceivers and SDRs reprogrammed to spam 7700 or 7600 on 1090 MHz? Heck, why not just mail a bunch of suspicious packages to all the ARTCC facilities? That'll only cost you 21 first-class stamps.

I can think of quite a few reasons why it would be very advantageous to actually be in aircraft networks, but I'll leave it at that. Don't underestimate the ingenuity of determined, resourceful attackers, and the warning regarding securing aircraft is a very useful step toward making it more difficult for the bad guys. Dismiss it if you will, but the warning is out there.

 

Link to comment
Share on other sites

1 minute ago, EricJ said:

I can think of quite a few reasons why it would be very advantageous to actually be in aircraft networks, but I'll leave it at that. Don't underestimate the ingenuity of determined, resourceful attackers, and the warning regarding securing aircraft is a very useful step toward making it more difficult for the bad guys. Dismiss it if you will, but the warning is out there.

 

Warnings are a dime a dozen, though.  Actions that substantially mitigate risk are important, on the other hand.  Distinguishing between the two is the $60,000 question, of course...

 

Link to comment
Share on other sites

3 hours ago, steingar said:

If a hacker could gain access to an aircraft's avionics, why would he or she hack them rather than just steal them and sell them on eBay?

Terrorists and thieves aren’t likely the same people and they have different goals.

If the goal is to cause small airplanes to start falling out of the sky and start scaring people...

Link to comment
Share on other sites

Engine readings, compass data, altitude and other readings “could all be manipulated to provide false measurements to the pilot,” according to the DHS alert.

Not a threat to a 1978 M20J! To hack one of those to give false measurements to the pilot you’d need a magnet, some tape, and maybe piss in the static. Too sophisticated for modern day teenagers to hack!

 

 

Link to comment
Share on other sites

42 minutes ago, aviatoreb said:

Terrorists and thieves aren’t likely the same people and they have different goals.

If the goal is to cause small airplanes to start falling out of the sky and start scaring people...

A bunch of Mooneys falling out of the sky is not going to scare people. If that was your goal, you'd invest your time and energy into making a bunch of airliners fall out of the sky. The infliction of terror requires attacking what is familiar to people and widely disseminated, and the general public is not familiar enough with GA for an attack there to cause terror. Things that I think would have a higher terrorist ROI to attack include:

  • Sporting events
  • Mass transit
  • Contamination of food/pharmaceuticals
  • Logistics (mail, UPS, etc)
  • Schools/children
  • Military personnel
  • Landmarks/historical sites

and so on. Mooneys falling out of the sky would simply produce shoulder-shrugging and diffidence, since it is just affecting the toys of a bunch of rich people.

 

Edited by jaylw314
Link to comment
Share on other sites

25 minutes ago, jaylw314 said:

A bunch of Mooneys falling out of the sky is not going to scare people. If that was your goal, you'd invest your time and energy into making a bunch of airliners fall out of the sky. The infliction of terror requires attacking what is familiar to people and widely disseminated, and the general public is not familiar enough with GA for an attack there to cause terror. Things that I think would have a higher terrorist ROI to attack include:

  • Sporting events
  • Mass transit
  • Contamination of food/pharmaceuticals
  • Logistics (mail, UPS, etc)
  • Schools/children
  • Military personnel
  • Landmarks/historical sites

and so on. Mooneys falling out of the sky would simply produce shoulder-shrugging and diffidence, since it is just affecting the toys of a bunch of rich people.

I don’t know... sometimes soft targets are more likely than big hardened targets.

Yes, a bunch of Mooneys, Cessna, Cirrus, Piper, Beech and the rest - would be scary.

Hey, I’m not planning an attack and I’m not defending a stupid plan, but I heard it on the radio, read it in the newspaper, and it seems like a plausible threat and I’m passing it on.

  • Like 1
Link to comment
Share on other sites

Nothing to see here.  There is not a Mooney in the sky that uses CAN Bus protocol.  Some modern automobiles use dozens of computers and many of them communicate using CAN bus.   Our Mooneys might have two or three computers (GPS, EFIS, engine monitor), and they communicate limited data (Lat./Lon) over a serial connection. 

The simple fact is, take away the GPS, engine monitor, and for those lucky enough to have one, the EFIS, and you are piloting a fine piece of Apollo-era technology that is essentially as robust as my favorite Huntsville lawn ornament: https://xkcd.com/1133/

It is un-hackable.

Link to comment
Share on other sites

Electronic security threats are entertaining. Just so you know, I work at a software company and sometimes we issue CERN alerts. The tricky part is to tell people that there might be an issue, but not tell them how or why, so that someone who did not know does not go and exploit the vulnerability. Entertainingly enough, a $35 Raspberry Pi will transmit. As everyone learned in flight school, there are transmitters on the ground that provide directional guidance. As we know, things in the air transmit further.

It was an interesting read on the professional pilots forum when there were GPS issues in a part of the county a month or so ago. Some planes did not launch because ops spec did not cover some modes of operating without GPS.

There are lots of ways to shut down the country. The good news is terrorists like big flashy targets to make bold statements. So the FBI can focus on those events.

  • Like 3
Link to comment
Share on other sites

8 hours ago, Fred₂O said:

Nothing to see here.  There is not a Mooney in the sky that uses CAN Bus protocol.  Some modern automobiles use dozens of computers and many of them communicate using CAN bus.   Our Mooneys might have two or three computers (GPS, EFIS, engine monitor), and they communicate limited data (Lat./Lon) over a serial connection. 

The simple fact is, take away the GPS, engine monitor, and for those lucky enough to have one, the EFIS, and you are piloting a fine piece of Apollo-era technology that is essentially as robust as my favorite Huntsville lawn ornament: https://xkcd.com/1133/

It is un-hackable.

My airplane has a few CAN buses. The G5 system is CAN and I think the interboard communications in the Avidyne is CAN.

You are correct that the plane will fly just fine without them. I have a backup KX155 that I can fly anywhere in the world with. I did it for years!

  • Like 1
Link to comment
Share on other sites
