DHS Alert: small aircraft vulnerability could enable attackers to easily hack the plane’s CAN bus and take control of key navigation systems


What is CAN bus? A quick answer is that it is the network inside a typical modern car over which control commands for the various components inside the vehicle travel.

Throughout this article, you will gain a great deal of knowledge about the network inside a typical modern vehicle, called the Controller Area Network (CAN).

To make things easy to understand, I will dive into the details of one of the most retrofitted components inside that network, the Head Unit/infotainment system. The Head Unit/infotainment system is likely to be connected to the internet for a better entertainment and navigation experience.

It is also highly likely to be connected to the vehicle CAN bus. We will be using the Evoque 2016 throughout this article as an example of a modern vehicle that has a CAN bus network.

Controller Area Network (CAN)

Modern cars consist of a number of different computer components, called Electronic Control Units (ECUs).

A typical car contains from 20-100 ECUs, with each ECU being responsible for one or more particular features of the vehicle. For example, DCU (Door Control Unit) is the ECU that controls and monitors various accessories in the car door. Driver DCU offers features like automatic window movement, close-open door, mirror folding, child lock safety, and mirror adjustment.

CAN bus is a set of 2 electrical wires (CAN_Low & CAN_High) in the car network where information can be sent to and from ECUs.

The network inside the car that allows ECUs to communicate with each other is called CAN (Controller Area Network). In the Evoque, the CAN network is divided into subnetworks connected together by a Gateway Module ECU. Every ECU, with its CAN controller and CAN transceiver, is called a node.

ECUs need to pass data to one another so they can make decisions on how to act. For example, if you open the door of your car, a message is sent on the Comfort CAN to communicate that the car door is open. It is then picked up by the AHU-Audio System ECU and displayed on the Touch Screen. As another example, if reverse gear were to be selected:

  • A message would be sent on the CAN bus to tell any interested ECU that reverse gear is selected.
  • The message would be picked up by AHU-Audio ECU which would make the rear view camera displayed on the Touch Screen, overriding the currently displayed information.
  • The message would also be picked up by the ECU that controls the reverse light to set it on.

Some ECUs communicate with the outside world as well as the internal vehicle network. These ECUs pose the biggest security risk. I will dedicate Part II of this article to discuss the security risks as well as controls to mitigate these risks.

The ECU that we will detail in this article is the AHU-Audio System (Audio Head Unit) ECU. This is the ECU that the Evoque Touch Screen is plugged into.

AHU-Audio System ECU

AHU-Audio System ECU in that version of Evoque is manufactured by Harman Automotive (https://www.harman.com). The Audio Head Unit (AHU) is located below the front right seat (for RHD, it is under the driver seat).

Digital Transformation: Vehicle CAN Bus Security Risks

AHU-Audio System ECU has the following features:

1. Integrated (inside AHU) 4 channel Audio Amplifier Module (AAM)
2. AM/FM Radio
3. External media player inputs (USB & Auxiliary port)
4. Bluetooth Connectivity
5. Navigation system with Secure Digital (SD) memory card updates
6. Voice Recognition

AHU-Audio ECU has a Quadlock 40 Pin connector connected to several components inside the vehicle including speakers, microphone, Comfort CAN System Bus, Steering wheel controls, power & ground.

Audio signals originating from the AHU (Radio, Music, Navigation, Phone, etc.) are passed to the vehicle speakers via hardwired connections (40 pin connector as per the above diagram). Audio signals generated by other vehicle systems (e.g. Anti-theft Alarm System, Parking Sensors alerts) are passed to the AHU on the Medium Speed (MS) Controller Area Network (CAN) comfort systems bus. The AHU processes the signals and passes the audio output to the speakers.

Evoque Touch Screen

On the Touch Screen, there are multiple switches that control multiple functions. All of the switch actions (on/off) are passed to the AHU-Audio System ECU, except the parking aid switch, which is passed directly to the Parking Aid Control Module (PAM-Parking Aid ECU) to activate/deactivate the parking sensors.

While this particular model of the car is not a connected one, it can become a connected one if you retrofit a new Head Unit capable of connecting to the internet. You can have a look at my article here that details how to transform your non-connected car into a connected one.


Vehicle CAN Bus Security Risks gathering in the Digital Age

The OBD-II (On-board diagnostics II) port (refer to the Controller Area Network illustration in the previous section) is the vehicle's self-diagnostic and reporting capability.

If you want to get more details about CAN and the ECUs in your car, you need to get an OBD2 port tool. The Gap Diagnostic tool is only suitable for Land Rover cars. If you don’t have a Land Rover car, you can search on Amazon or eBay and you will find heaps of close or similar tools.

DHS Warns Small Airplanes Vulnerable to Flight Data Manipulation Attacks

What could be more horrifying than knowing that a hacker can trick the plane’s electronic systems into displaying false flight data to the pilot, which could eventually result in loss of control?

Of course, the attacker would never wish to be on the same flight, so in this article, we are going to talk about a potential loophole that could allow an attacker to exploit a vulnerability with some level of “unsupervised” physical access to a small aircraft before the plane takes off.

The United States Department of Homeland Security (DHS) has issued an alert for the same, warning owners of small aircraft to be on guard against a vulnerability that could enable attackers to easily hack the plane’s CAN bus and take control of key navigation systems.

The vulnerability, discovered by a cybersecurity researcher at Rapid7, resides in the modern aircraft’s implementation of CAN (Controller Area Network) bus – a popular vehicular networking standard used in automobiles and small aircraft that allows microcontrollers and devices to communicate with each other in applications without a host computer.

Rapid7 researcher Patrick Kiley demonstrated that a hacker with physical access to a small aircraft’s wiring could attach a device—or co-opt an existing attached device—to the plane’s avionics CAN bus to insert false data and communicate them to the pilot.

“Modern aircraft use a network of electronics to translate signals from the various sensors and place this data onto a network to be interpreted by the appropriate instruments and displayed to the pilot,” Kiley said in a report published Tuesday.


The attacker can manipulate the following data:

  • Engine telemetry readings
  • Compass and attitude data
  • Altitude, airspeed, and angle of attack (AoA) data

“The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft,” the DHS’ cyber division warned Tuesday.

Kiley demonstrated the attack after investigating avionics systems—an electronic control and navigation system fitted in an aircraft—from two unnamed commercial aircraft manufacturers specialized in light aircraft.

Kiley found that the key problem with the avionics CAN bus is that it is integrated into the aircraft’s other components without any firewalls or authentication, which means untrusted connections over a USB adapter attached to the plane can send unauthorized commands to its electronic systems.

“In avionics, these systems provide the foundation of control systems and sensor systems and collect data such as altitude, airspeed, and engine parameters such as fuel level and oil pressure, then display them to the pilot,” the researcher said.

“CAN packets also do not have recipient addresses or any kind of built-in authentication mechanism. This is what makes the bus easy to implement, but it also removes any assurance that the sending device was the actual originator of the message.”

Though the attack sounds scary, it is not easy to gain “unsupervised” physical access to a plane, given “current industry practices and regulations.” Nevertheless, the Rapid7 report is worth paying attention to.

The researcher also pointed out that the avionics sector is lagging behind the automotive industry when it comes to the CAN bus system.

The automotive industry has made advancements in implementing safeguards, such as CAN bus-specific filtering, whitelisting, and segregation, that prevent similar physical attacks on CAN bus systems. Aircraft makers should also implement these safeguards.

The DHS’ CISA is urging aircraft manufacturers to consider network protections around the CAN bus system and make sure they restrict access to their planes to the best of their abilities.
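The safeguards named above (filtering, whitelisting and segregation at a gateway between bus segments) can be sketched as follows. This is an added example, not code from the article, Rapid7 or any manufacturer; the Frame, Rule and Gateway names, the segment names "powertrain" and "diagnostic", the CAN IDs and the timings are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    can_id: int   # arbitration ID; a CAN frame has no sender or recipient field
    data: bytes   # 0 to 8 payload bytes on classic CAN

@dataclass(frozen=True)
class Rule:
    src: str         # only segment allowed to originate this ID
    dst: str         # segment the gateway forwards it to
    dlc: int         # exact payload length expected
    min_gap_ms: int  # shortest legitimate spacing between frames

# Constructed allowlist: the ID, segment names and timing are hypothetical.
ALLOWLIST = {0x3A0: Rule("powertrain", "comfort", 2, 90)}  # e.g. gear position

class Gateway:
    def __init__(self, allowlist):
        self.allowlist, self.last_ok = allowlist, {}  # last_ok: id -> time forwarded

    def check(self, segment, frame, now_ms):
        """Return (destination or None, reason). Anything not matched is dropped."""
        rule = self.allowlist.get(frame.can_id)
        if rule is None:
            return None, "id-not-allowlisted"
        if segment != rule.src:          # segregation: ID seen on the wrong bus
            return None, "wrong-source-segment"
        if len(frame.data) != rule.dlc:
            return None, "bad-length"
        last = self.last_ok.get(frame.can_id)
        if last is not None and now_ms - last < rule.min_gap_ms:
            return None, "too-frequent"  # extra frames between periodic ones
        self.last_ok[frame.can_id] = now_ms
        return rule.dst, "ok"

TRACE = [  # constructed sample: (time in ms, arrival segment, frame)
    (0,   "powertrain", Frame(0x3A0, b"\x02\x00")),
    (100, "powertrain", Frame(0x3A0, b"\x02\x00")),
    (120, "powertrain", Frame(0x3A0, b"\x07\x00")),
    (150, "diagnostic", Frame(0x3A0, b"\x07\x00")),
    (160, "diagnostic", Frame(0x7A1, b"\x00" * 8)),
    (200, "powertrain", Frame(0x3A0, b"\x02")),
    (210, "powertrain", Frame(0x3A0, b"\x02\x00")),
]

def run(trace, allowlist=ALLOWLIST):
    gw = Gateway(allowlist)
    return [gw.check(seg, frame, t) for t, seg, frame in trace]
```

Calling run(TRACE) returns one verdict per frame. Because the frame itself carries no sender identity, the only origin information the gateway can use is the segment a frame arrived on, which is why segregation has to accompany the allowlist.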

