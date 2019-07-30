An Air Europa-branded Boeing 737 MAX aircraft at a storage area at Boeing Field in Seattle, Wash., July 1, 2019. (Lindsey Wasson/Reuters)

The federal government issued a security alert Tuesday warning that the flight systems of small planes could be hacked remotely if a bad actor were able to gain physical access and attach a particular device to the aircraft.

A notice from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency urged pilots of small planes to restrict physical access to their aircraft after a Boston-based cybersecurity firm exposed vulnerabilities that could be exploited remotely through an attached device.

The firm, Rapid7, found and reported to DHS that an attacker with physical access could attach a device to planes’ Controller Area Network bus systems, through which he could ensure that a pilot received false readings of engine, compass, altitude, airspeed, and angle-of-attack data, endangering the lives of everyone on board.

“Someone with five minutes and a set of lock picks can gain access [or] there’s easily access through the engine compartment,” said Patrick Kiley, Rapid7′s lead researcher on the two-year project.

Kiley added that physically restricting access to planes should not be the only security step taken.

“The increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyber-attack,” he said. “While physical restrictions are great, we really feel like avionics, in particular, need to implement defense-in-depth.”

“Safeguards such as CAN bus-specific filtering, whitelisting, and segregation should also be evaluated by aircraft manufacturers,” the DHS notice recommended.

The cybersecurity firm’s report addressed only small planes’ potential network weaknesses as larger planes frequently are protected by additional cybersecurity measures.

Auto manufacturers have addressed similar vulnerabilities by adding extra layers of security to their vehicles’ CAN bus networks as cars become increasingly reliant on the networks.