A vulnerability in the avionics systems on some airliners could allow someone with access to the aircraft to manipulate the flight data that is provided to pilots, the US Department of Homeland Security (DHS) has warned.

In an informational alert, DHS said the vulnerability is in the controller area network (CAN) data buses used on some aircraft.

Introduced in automobiles in the 1980s, the CAN bus is a serial communications protocol that allows various avionics units to communicate with each other. Airbus first applied the CAN bus on A318 and A340 airliners for cabin ventilation system control.

“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” the DHS Cybersecurity and Infrastructure Security Agency (CISA) said July 30.

CISA said it was alerted to the vulnerability through a report by security analytics company Rapid7 of Boston.

“The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds and angle of attack could all be manipulated to provide false measurements to the pilot,” CISA said. It added that a pilot relying on instruments would be unable to distinguish between false and legitimate readings.

The agency recommends operators restrict access to their aircraft “to the best of their abilities.” Manufacturers should review their implementation of CAN bus networks “to compensate for the physical attack vector” and evaluate safeguards such as “CAN bus-specific filtering, whitelisting and segregation.”
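As an added illustration, not taken from the CISA alert or the Rapid7 report, the sketch below shows what default-deny filtering at a gateway between CAN segments can look like. The segment names, message IDs, payload lengths and periods are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bus segments joined by a filtering gateway. */
enum segment { SEG_SENSORS, SEG_DISPLAYS, SEG_MAINTENANCE };

struct frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };

/* One allowlist rule: the only segment an ID may arrive from, its fixed
 * payload length, and the shortest interval at which it may repeat. */
struct rule {
    uint32_t id; enum segment src; uint8_t dlc;
    uint32_t min_period_ms, last_ms; int seen;
};

/* Constructed IDs, lengths and periods; not from any aircraft or standard. */
static struct rule rules[] = {
    { 0x100, SEG_SENSORS, 8, 40, 0, 0 },   /* stand-in for airspeed */
    { 0x101, SEG_SENSORS, 8, 40, 0, 0 },   /* stand-in for altitude */
    { 0x120, SEG_SENSORS, 4, 90, 0, 0 },   /* stand-in for heading  */
};

enum verdict { FORWARD, DROP_UNKNOWN_ID, DROP_WRONG_SEGMENT,
               DROP_BAD_LENGTH, DROP_TOO_FAST };

/* Default deny: a frame crosses to the display segment only if every
 * property matches its rule. Each drop reason is worth logging. */
enum verdict gateway_check(const struct frame *f, enum segment src, uint32_t now_ms)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct rule *r = &rules[i];
        if (r->id != f->id) continue;
        if (r->src != src) return DROP_WRONG_SEGMENT;
        if (r->dlc != f->dlc) return DROP_BAD_LENGTH;
        /* A second sender on the same ID shows up as a shortened period. */
        if (r->seen && now_ms - r->last_ms < r->min_period_ms)
            return DROP_TOO_FAST;
        r->seen = 1;
        r->last_ms = now_ms;
        return FORWARD;
    }
    return DROP_UNKNOWN_ID;
}

int main(void) {
    struct frame f = { 0x100, 8, {0} };   /* allowed ID, wrong segment */
    printf("verdict=%d\n", gateway_check(&f, SEG_MAINTENANCE, 0));
    return 0;
}
```

A filter of this kind does not authenticate the sender of a frame; it limits which segments can reach the displays and surfaces anomalies, so it complements rather than replaces restricted physical access.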

Airborne use of the data-transfer medium was specified in ARINC 825, a standard developed by the Airlines Electronic Engineering Committee and published by ARINC (now part of Collins Aerospace) in 2007.

Bill Carey, bill.carey@aviationweek.com