Cyberattack warning to small plane owners: How your aircraft could be vulnerable

Corporate business jet setting on ramp with door open and sun setting in the background.

The Department of Homeland Security issued an alert Tuesday about the potential for small aircraft to be hacked by cyber hijackers.

Continue Reading Below

The alert from the DHS critical infrastructure computer emergency response team warns that modern flight systems are vulnerable to hacking if a person manages to gain unrestricted access to an aircraft. The alert also recommends that small plane owners restrict unauthorized physical access to their aircraft the best they can. It warns that access should remain limited until the aviation industry takes further steps to address the issue.

The Cyber Security and Infrastructure Security Agency, a part of DHS, received a report detailing the issue from a Boston-based cybersecurity company. The cybersecurity firm, Rapid7, found that an attacker could potentially disrupt electronic messages transmitted across a small plane’s network, for example by attaching a small device to its wiring, that would affect aircraft systems.

The alert details that engine readings, compass data, altitude data and airspeeds, among other systems, could be "manipulated to provide false measurements to the pilot." It also added that a pilot relying on such instrument readings would be unable to distinguish between false and legitimate readings. This could cause a pilot to lose control of the aircraft.

A pilot demonstrates how a tablet inflight controls the Aurora Flight Sciences' Aircrew Labor In-Cockpit Automantion System (ALIAS), which is mounted in a Cessena Caravan aircraft at Manassas Airport in Manassas, Va., Monday, Oct. 17, 2016. Governmen

Although most airports have security measures in place to restrict unauthorized access to aircraft, a DHS official told The Associated Press that the agency confirmed the security flaw and decided a national warning was necessary.

There is no evidence yet that anyone has exploited the vulnerability, but Patrick Kiley, Rapid7′s lead researcher on the issue, said an attacker could exploit the vulnerability with access to a plane or by bypassing airport security.

“Someone with five minutes and a set of lock picks can gain access (or) there’s easily access through the engine compartment,” Kiley said.

The Federal Aviation Administration said in a statement that a scenario where a person has unrestricted access to an airplane is unlikely. But the FAA did note that the report is “an important reminder to remain vigilant” about physical and cybersecurity aircraft procedures.

The alert also advised aircraft manufacturers to review the implementation of "CAN bus networks," an open electronic system similar to a small plane's "central nervous system." Hacking this system would allow an attacker to manipulate instrument readings and gain control of the plane. Some aviation experts also agree the system is insecure.

The auto industry also uses CAN bus systems and has already taken steps to implement safeguards against similar physical attacks.

The U.S. Department of Transportation said in March that the FAA has not done enough to mitigate cybersecurity threats. The FAA has since agreed and said it would have a comprehensive plan in place by the end of September.


The U.N.'s body for aviation -- the International Civil Aviation Organization -- is also expected to have its first aviation cybersecurity strategy go before the General Assembly in September.

The Associated Press contributed to this report.