Security Flaws Found in Small Aircraft Equipment

Rapid7 researchers discovered vulnerabilities affecting Controller Area Network (CAN bus) components in small airplanes and reported them to the Cybersecurity and Infrastructure Security Agency (CISA). A malicious actor with physical access to the aircraft could attach a device to an avionics CAN bus to manipulate or inject false data, thereby affecting engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack. Incorrect readings from avionics equipment could leave the pilot unable to distinguish between false and legitimate readings and ultimately result in loss of control of the aircraft. The NJCCIC recommends that aircraft owners restrict physical access to airplanes, review the Rapid7 report, and review the CISA alert for recommended practices and mitigation strategies.