CAN Newsletter magazine
The reported case requires access to the CAN network. The CAN data frames were injected by means of a CAN dongle.
The complete article is published in the December 2019 issue of the CAN Newsletter magazine. This is just an excerpt.
The Rapid7 cybersecurity company detected this CAN security case. “After performing a thorough investigation on two commercially available avionics systems, Rapid7 demonstrated that it was possible for a malicious individual to send false data to a small aircraft’s wiring.”
The article describes some details of the findings in the two aircraft. The network in the first aircraft used 11-bit IDs, and the network in the second aircraft was based on 29-bit IDs. After the description of these cases, a summary is given.
Of course, in military and commercial aviation, physical access to aircraft is limited and controlled. Nevertheless, the reported vulnerabilities can be critical in other applications. The researchers from Rapid7 recommend a message authentication protocol. They propose using CAN FD for this purpose, because it offers sufficient payload.
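The payload argument can be made concrete with an added sketch, which is not code from the article or from Rapid7. It assumes a pre-shared key, a truncated HMAC-SHA256 tag and a freshness counter; the frame layout, names and sample values are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Assumed payload layout: header || tag || data || zero padding up to a valid FD size
FD_SIZES = (0, 1, 2, 3, 4, 5, 6, 7, 8, 12, 16, 20, 24, 32, 48, 64)  # CAN FD payload lengths
CLASSIC_MAX = 8                   # classic CAN payload limit in bytes
TAG_LEN = 16                      # truncated HMAC-SHA256 tag (assumed length)
HEADER = struct.Struct(">BI")     # data length (1 byte) + freshness counter (4 bytes)
OVERHEAD = HEADER.size + TAG_LEN  # 21 bytes: more than a whole classic CAN frame


def _tag(key, can_id, header, data):
    # Bind the tag to the identifier so a frame cannot be reused under another ID.
    msg = struct.pack(">I", can_id) + header + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(key, can_id, counter, data):
    """Build an authenticated CAN FD payload for one frame."""
    if len(data) > FD_SIZES[-1] - OVERHEAD:
        raise ValueError("data does not fit in one CAN FD frame")
    header = HEADER.pack(len(data), counter)
    body = header + _tag(key, can_id, header, data) + data
    size = next(s for s in FD_SIZES if s >= len(body))
    return body.ljust(size, b"\x00")


def verify(key, can_id, payload, last_counter):
    """Return (data, counter) for an authentic, fresh frame, otherwise None."""
    if len(payload) < OVERHEAD:
        return None               # e.g. an unauthenticated 8-byte frame
    length, counter = HEADER.unpack_from(payload)
    data = payload[OVERHEAD:OVERHEAD + length]
    if len(data) != length or any(payload[OVERHEAD + length:]):
        return None               # truncated data or non-zero padding
    expected = _tag(key, can_id, payload[:HEADER.size], data)
    if not hmac.compare_digest(expected, payload[HEADER.size:OVERHEAD]):
        return None               # forged or modified in transit
    if counter <= last_counter:
        return None               # replay of an earlier frame
    return data, counter


# Constructed sample values: key, 11-bit ID 0x123 and 8 data bytes are illustrative.
KEY = bytes(range(32))
SAMPLE_DATA = bytes.fromhex("0102030405060708")
FRAME = protect(KEY, 0x123, 1, SAMPLE_DATA)  # 29 bytes, padded to a 32-byte FD frame
```

With 8 data bytes the protected payload occupies a 32-byte CAN FD frame, while the 21 bytes of overhead alone already exceed the 8 bytes a classic CAN frame can carry.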