An alert issued by the Department of Homeland Security in late July warned of discovered vulnerabilities with implementations of Controller Area Network (CAN bus) networks in avionics. The discovered vulnerabilities permit an attacker with physical access to the aircraft to spoof messages sent across the CAN bus network in a way that could lead to loss of control to the aircraft.

The alert released by the DHS, Cybersecurity and Infrastructure Security Agency (CISA) was in reference to a recently published article by Patrick Kiley, Senior Security Researcher and Penetration Tester with Rapid7. His article describes how easily CAN bus networks can be abused.

CAN bus networks are commonly used in vehicles, aircraft, and even spacecraft as a means of communication between systems and the mechanical components due to its electro-magnetic properties, simplistic design, and commercial off-the-shelf (COTS) software support.

Kiley’s analysis found that a malicious actor could connect a computer to the aircraft to analyze messages being sent across the CAN bus network and identify messages responsible for reporting critical navigational metrics, as well as mechanical telemetry to the Air Data, Altitude, and Heading Reference System (AHRS). Once the message IDs are discovered, the attacker can craft and send messages indicating false readings to the Primary Flight Display (PFD).These false messages when combined with auto-pilot functionality could be used to cause the pilot to lose control of the aircraft, and ultimately crash the aircraft.

Some would contend that the criticality of this vulnerability is lower due to the fact that exploitation requires attackers to have physical access to the aircraft, and that such access is highly regulated in the United States under the Code of Federal Regulations. However, with the growing sophistication and capabilities of cybercriminal and nation-state actors, it would be naive to think adversaries wouldn’t have the resources to execute an attack of this nature. It also bears to mind alternative risks such as an insider threat.  In 2018 a baggage handler at Sea-Tac International Airport managed to steal a passenger plane and get it into the sky. If this is a possibility, then a rogue airline employee with a more advanced technical skillset could most certainly manage to engage in an attack like this.

Applying the Principles of Defense in Depth

The concept of Defense in Depth involves applying a multifaceted approach to manage risk so that if one defensive layer fails, subsequent defensive layers will prevent a breach. Defense in Depth is commonly referred to as the “castle approach” because it reflects the layered defenses of a medieval castle. Attackers of a castle must overcome several obstacles before reaching the throne room: the moat, the gate, and even flaming arrows from a keep.

The need for layered security is even more vital when using COTS products since most do not provide a high degree of protection against sophisticated attacks. Relying solely on strong physical access control to prevent exploitation of this vulnerability is only one defensive measure.

Here are three more things you can do to increase the defensive posture of your CAN bus networks:

  1. CAN Gateways act like a firewall that have the capability to segment trusted communications from untrusted. This gateway can authenticate trusted connections before granting access to critical systems. This can be applied to help prevent attackers from gaining access to CAN bus through exposed interfaces.

     

  2. Message authentication code (MAC) is a short piece of code used to authenticate a message. MAC can be used to protect a message’s data integrity as well as its authenticity. With development of CAN Flexible Data-Rate (CAN FD) in 2012, the message size was increased from 8 bytes to 64 bytes. This extra space can be utilized to insert a tag containing this code.

     

  3. Whitelisting involves creating a list of known senders on the network and explicitly permitting those endpoints to send messages across the network. This would effectively block malicious actors from connecting to a CAN bus network and spoofing messages.
John Sutton

John Sutton

Associate Security Engineer

John is an Associate Security Engineer with an accomplished background in network and systems engineering. He has acquired deep technical knowledge through his experience in designing and securing OT/ICS networks in the manufacturing sector, as well as managing highly-secure classified and unclassified mission-critical networks in the U.S. Marines.