Spoofing a CAN or ARINC429 bus requires physical access. At that point an attacker has access to the physical systems of the plane, at which point the plane is compromised anyway. What he uses to take over the plane is essentially arbitrary and there is absolutely nothing that would give any protection.
I gather a perp only has to access the right piece of equipment in any phase of the logistics.
These buses are employed mostly in the avionics industry, but they are also utilized in ground vehicles, weapons systems, and other commercial and military equipment industries.[1]
I worked for ages in the automotive industry. Here is the thing: They don't have just one CAN bus, but multiple, connected via gateways that function both as message router and also firewall between these busses. At least that is the idea, the reality is ... commercial software development with all the issues that come with it (see various hacks where they broke through these gateways).
Someone posted a story as part of this subthread here, i.e. if a passenger is able to access an airplane bus and issue engine control commands that actually do something, the overall security setup is utterly broken. The infotainment units in the passenger cabin requiring access to some internal bus is actually ok, but issuing flight control commands from these should be (silently?) ignored, and this can only happen if you partition the busses via such gateways, for example.
Funnily enough, in this case it also helps safety, because you can be more relaxed about the overall (software) quality of these infotainment units (decomposition effect in safety systems).
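The partitioning gateway described above, as an added illustration that is not code from any poster, vendor or aircraft: two bus segments (cabin infotainment and flight-critical units) are joined only through a gateway that forwards frames by an explicit allowlist and drops everything else. The CAN identifiers, segment names and frames below are all constructed for the example.

```python
"""Constructed example of a partitioning CAN gateway (not from the thread or
any real vehicle). Frames cross between segments only when an explicit
allowlist entry permits it; a flight-control command injected on the cabin
segment is dropped and recorded rather than forwarded."""

from dataclasses import dataclass, field

@dataclass(frozen=True)
class Frame:
    can_id: int      # 11-bit standard identifier
    data: bytes      # 0..8 payload bytes

# Hypothetical identifiers (assumption: invented, not taken from any aircraft).
ID_CABIN_LIGHTS = 0x3A0      # cabin-only housekeeping
ID_AIRSPEED     = 0x120      # critical telemetry, may be mirrored to cabin displays
ID_ENGINE_CMD   = 0x080      # engine command; must never originate from the cabin

# Allowlist: (source segment, CAN ID) -> set of other segments to forward to.
# Anything not listed is denied by default.
POLICY = {
    ("critical", ID_AIRSPEED): {"cabin"},   # read-only telemetry outward
    ("critical", ID_ENGINE_CMD): set(),     # stays on the critical segment
    ("cabin", ID_CABIN_LIGHTS): set(),      # stays on the cabin segment
}

@dataclass
class Gateway:
    delivered: dict = field(default_factory=lambda: {"cabin": [], "critical": []})
    dropped: list = field(default_factory=list)

    def route(self, source: str, frame: Frame) -> list:
        """Forward `frame` arriving from `source` to the segments the policy
        allows and return those segment names (sorted). Frames that are
        malformed or not in the allowlist are dropped and logged."""
        if not (0 <= frame.can_id <= 0x7FF) or len(frame.data) > 8:
            self.dropped.append((source, frame, "malformed"))
            return []
        targets = POLICY.get((source, frame.can_id))
        if targets is None:
            # Default deny: e.g. an engine command appearing on the cabin
            # segment. It is recorded for monitoring, never acted on.
            self.dropped.append((source, frame, "not in allowlist"))
            return []
        for seg in targets:
            self.delivered[seg].append(frame)
        return sorted(targets)

def gateway_demo() -> dict:
    """Run three constructed frames through the gateway and report outcomes."""
    gw = Gateway()
    results = {
        "telemetry_out": gw.route("critical", Frame(ID_AIRSPEED, b"\x01\x2c")),
        "engine_cmd_from_cabin": gw.route("cabin", Frame(ID_ENGINE_CMD, b"\xff")),
        "lights": gw.route("cabin", Frame(ID_CABIN_LIGHTS, b"\x01")),
    }
    results["dropped_reasons"] = [reason for _, _, reason in gw.dropped]
    return results

if __name__ == "__main__":
    print(gateway_demo())
```

The default-deny allowlist is what buys the safety "decomposition effect" mentioned above: the infotainment units can be held to a lower assurance level because nothing they emit reaches the critical segment unless the gateway policy says so, and the dropped-frame log gives maintenance a place to notice injection attempts.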
Either that, or you must make your way into the bay while in flight with said wirecutters.
Now, a dongle quietly manipulating enough variables to make the plane uncontrollable in flight, on the other hand... (No idea if that is even possible given access to this bus, but I will read this paper with some interest tomorrow (As I fly AMS-EWR... :)
Just because someone can load up my car on a flat bed tow truck doesn't mean it's pointless for me to have locks on the doors and ignition.
No, wasting time, resources and money while increasing the inherent complexity and risk of a system to gain absolutely no benefit is a very bad idea.
>Just because someone can load up my car on a flat bed tow truck doesn't mean it's pointless for me to have locks on the doors and ignition.
Idiotic comparison, which makes me think you are just totally disingenuous. The point I made was that with the same amount of effort a plane is compromised, with or without a secure bus. This is fake security, it doesn't protect anything.
Just tell me an attack on the bus of an airplane which couldn't have just as easily been performed outside of the bus.
Good to have someone more knowledgeable explain that I'm not necessarily crazy.
> This paper investigates cyber-physical attacks on avionics data buses, specifically focusing on the ARINC 429 protocol. The objective is to demonstrate how message injection, modification, and deletion attacks can be executed, enabling an attacker to gain full control over the transmitted data.
I wish that vehicular systems all had air-gap level separation of messages, rendering it physically impossible to disrupt messages to critical systems like flight controls. I suppose that's a naive perspective, but in the long run it's hard to believe that we won't have to resort to provably correct systems to thwart attacks.
> To accomplish this, we propose a method that involves modifying messages on the data bus without segmenting it.
Can we really live with avionics platforms as a setting for the same kind of perpetual arms race against attackers that we have for general operating systems?
Not to say that physical compromise of the wire is unbeatable; encryption makes it effectively impossible to spoof or rewrite messages, but the wires and communication protocol are already only intended for communication between trusted components (if you are communicating to untrusted components then you have to use something else like a data diode). The only really interesting part of the highlighted attack vector is that the "trusted wires" are likely not particularly physically separated from "non-trusted wires" or easy access which makes physical compromise at least plausible to achieve for an external malicious actor as compared to physically modifying one of the actual critical flight computers.
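What keeps an attacker with wire access from spoofing or rewriting messages is a keyed message authentication code rather than encryption as such (encryption hides content; a MAC makes modification detectable). As an added example that is not from the thread or any avionics standard, the following sketches such authentication between two trusted endpoints: each message carries a counter and a truncated HMAC-SHA256 tag under a shared key, and the receiver accepts only frames whose tag verifies and whose counter advances, so injected, modified and replayed frames are rejected. The frame layout, key and tag length are assumptions made for the illustration.

```python
"""Constructed example (not from the thread or any real bus standard) of
keyed message authentication with a freshness counter. Frame layout:
counter (4 bytes, big-endian) | label (1) | payload length (1) | payload | tag."""

import hmac
import hashlib
import struct

HEADER = struct.Struct(">IBB")   # counter, label, payload length
TAG_LEN = 8                      # truncated tag; an assumption for a low-rate bus

def build(key: bytes, counter: int, label: int, payload: bytes) -> bytes:
    """Sender side: authenticate header+payload under `key`, append the tag."""
    header = HEADER.pack(counter, label, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1   # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (label, payload) if the frame is authentic and fresh, else None."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None
        counter, label, n = HEADER.unpack(frame[:HEADER.size])
        body, tag = frame[:HEADER.size + n], frame[HEADER.size + n:]
        if len(body) != HEADER.size + n or len(tag) != TAG_LEN:
            return None                       # truncated or malformed
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                       # spoofed or modified in transit
        if counter <= self.last_counter:
            return None                       # replay of an earlier genuine frame
        self.last_counter = counter
        return label, body[HEADER.size:]

def auth_demo() -> dict:
    """Exercise the receiver with a genuine, a tampered, a forged and a replayed frame."""
    key = b"constructed-demo-key-not-for-real-use"
    rx = Receiver(key)
    good = build(key, 1, 0x2A, b"\x00\x10")
    tampered = bytearray(good)
    tampered[7] ^= 0x01                       # flip one bit of the payload
    forged = build(b"wrong-key", 2, 0x2A, b"\x00\x10")   # sender without the key
    return {
        "genuine": rx.accept(good),
        "tampered": rx.accept(bytes(tampered)),
        "forged": rx.accept(forged),
        "replayed": rx.accept(good),          # same genuine frame a second time
    }

if __name__ == "__main__":
    print(auth_demo())
```

Only the genuine frame yields a `(label, payload)` result; the other three are silently rejected, which is the "ignored" behaviour the thread asks for. The hard part in practice is not the MAC itself but provisioning and rotating the shared key across every component and maintenance process that touches the bus.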
From what I read ARINC 429 is a one-way bus making this completely redundant and unnecessary.
From what I'm reading, ARINC 429 is as air-gapped as you can get. It is a one-way serial protocol (separate wires for transmit and receive). Only the wires that need to be connected are. Messages go from->to where they need to be.
Unless by air gapped you literally mean "don't connect anything together" at which point you no longer have a functioning vehicle.
Internet is almost certainly the cheapest and easiest thing, which is why it's used.
Any modern jet will function without internet.
>I wish that vehicular systems all had air-gap level separation of messages, rendering it physically impossible to disrupt messages to critical systems like flight controls.
This is just false. There is nothing in the world which makes physically separating two airplane systems impossible.
>Can we really live with avionics platforms as a setting for the same kind of perpetual arms race against attackers that we have for general operating systems?
The comparison is false. OSs are exposed to the entire world. Airplane systems require physical access.
... to potentially only one of the components within the system, at any point in its lifetime, across the entire supply chain and all build, test/verify, operations and maintenance processes.
(Edit in reply to child: Yes, obviously "the components within the system" means those actually connected, not a number 3 sprocket in seat 63E's incline mechanism. You have re-iterated my point.)
TL;DR it's already a standard and has been ever since the possibility of sharing the networks came to be
More interesting IMHO would be what can be done to accelerate the adoption of new technologies (especially w/r/t cryptography) in avionics. This is more than anything a cultural problem; How to convince regulative bodies, how to satisfy processes, how to re-balance the proven-in-use argument (where stuff gets more favorable safety assessments when it has been used long enough) vs crypto-agility (where the same thing from today just tomorrow becomes insecure without changing itself, because of some external discovery).
The technology is there, but the aviation community is not yet. Another nice read in this domain is "Economy Class Crypto: Exploring Weak Cipher Usage in Avionic Communications via ACARS"[1, 2]. I only say mono-alphabetic substitution cipher.
An interesting connection of Blockchain-tech, safety and security can be found in "Verifiable Computing in Avionics for Assuring Computer-Integrity without Replication" [3]. Here the authors leverage zero-knowledge proofs to prove to a downstream actuator that its commands are indeed correct results yielded by the application of the appropriate control law on the provided sensor inputs. However, this work is probably at least a decade away from being applicable in actual certified aircraft.
[1] https://link.springer.com/chapter/10.1007/978-3-319-70972-7_...
[2] https://www.cs.ox.ac.uk/files/9693/fc-paper.pdf
[3] https://publ.sec.uni-stuttgart.de/reinhartluettighuberliedtk...
Also in some aircraft types these data buses are unfortunately not so very hard to access (i.e. accessible from the cabin, with undetected access being even plausible in some cases). So some resilience might not hurt in these cases.
It's important that failure of critical systems is far less threatening than systems providing plausible, yet incorrect data. Redundancy and monitoring catches most of the former but not the latter.