Kaspersky experts analyze aviation incidents and accidents caused by failures of digital avionics systems and warn of potential cyberattack risks
# Research: Faults in digital avionics systems threaten flight safety
## Metadata
- **Authors**: Kaspersky ICS CERT Experts
- **Institution**: Kaspersky
- **Publication**: Kaspersky ICS CERT Reports
- **Date**: July 17, 2024
## Abstract
This research analyzes modern aviation's increasing reliance on complex digital avionics and the resulting safety and security implications. By examining a series of historical aviation incidents caused by software glitches, sensor failures, and logic errors, Kaspersky experts illustrate how these inadvertent failures create a blueprint for potential malicious cyberattacks. The study warns that as cockpits move toward "glass" configurations and integrated modular avionics, the attack surface for flight-critical systems expands significantly.
## Research Objective
The research aims to determine how existing "natural" failures in digital avionics systems expose vulnerabilities that could be exploited by cyber-adversaries. It seeks to bridge the gap between aviation safety (accidental failure) and aviation security (intentional attack).
## Methodology
### Approach
The researchers employed a **comparative case-study analysis**. They identified documented aviation accidents/incidents involving avionics failures and reverse-engineered the technical cause of each. They then mapped these "unintentional" failure modes to potential "intentional" cyberattack vectors.
### Dataset/Environment
- **Case Studies**: Specific incidents involving the Boeing 737 MAX (MCAS system), Qantas Flight 72 (ADIRU failure), and Sukhoi Superjet 100 (lightning strike and Direct Mode transitions).
- **System Focus**: Air Data Inertial Reference Units (ADIRU), Flight Management Systems (FMS), and Full Authority Digital Engine Control (FADEC).
### Tools & Technologies
- Technical documentation analysis of ARINC 429 and AFDX (Avionics Full-Duplex Switched Ethernet) protocols.
- Review of certification standards (DO-178C for software and DO-254 for hardware).
## Key Findings
### Primary Results
1. **Convergence of Safety and Security**: Systems designed for high reliability through redundancy are still vulnerable to "common-mode" failures if the underlying software logic is flawed.
2. **Sensor Manipulation as an Attack Vector**: If an attacker can spoof sensor data (AoA, Pitot tubes), they can force the aircraft's automation into catastrophic maneuvers.
3. **Complexity Risk**: The transition from federated systems to Integrated Modular Avionics (IMA) increases the risk of "cascading failures" where a low-priority system affects a high-priority one.
### Supporting Evidence
- **Qantas Flight 72**: A single erroneous data packet from an ADIRU caused the flight control computer to command a violent pitch-down, proving that digital filtering can be bypassed by specific data anomalies.
- **Boeing 737 MAX**: Demonstrated how reliance on a single sensor input for automated flight control (MCAS) creates a critical single point of failure.
### Novel Contributions
- The report formalizes the concept of **"Cyber-Physical Incident Transposition,"** suggesting that any past accident caused by a digital "glitch" is a verified template for a future targeted cyberattack.
## Technical Details
The research highlights the vulnerability of the **ARINC 429 bus**, a legacy protocol that lacks encryption and authentication. If an attacker gains physical or remote access to the bus, they can inject "Label" data that flight computers trust implicitly. Furthermore, the report discusses **Bit-flipping** in memory modules caused by cosmic radiation, noting that if an attacker can induce similar memory corruption via code injection, they can bypass safety inhibits.
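The word layout behind that point, as an added example for a bus-monitoring context (not code from the Kaspersky report): a 32-bit ARINC 429 word carries a label, SDI, data, SSM and one odd-parity bit, with no field identifying or authenticating the sender. The sketch assumes each word is held as a 32-bit integer with bit 1 in the least significant position; the label values, timestamps and the `audit` helper are constructed for illustration.

```python
def _rev8(b: int) -> int:
    # The label field is transmitted in reverse bit order relative to the rest.
    return int(f"{b:08b}"[::-1], 2)

def encode(label_octal: str, sdi: int, data: int, ssm: int) -> int:
    """Build a word with correct odd parity (used only for the sample capture)."""
    w = _rev8(int(label_octal, 8)) | ((sdi & 0x3) << 8)
    w |= ((data & 0x7FFFF) << 10) | ((ssm & 0x3) << 29)
    if bin(w).count("1") % 2 == 0:
        w |= 1 << 31
    return w

def decode(raw: int) -> dict:
    """Split a 32-bit word into its fields; parity is the only integrity check."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("ARINC 429 words are exactly 32 bits")
    return {
        "label": f"{_rev8(raw & 0xFF):03o}",   # labels are written in octal
        "sdi": (raw >> 8) & 0x3,
        "data": (raw >> 10) & 0x7FFFF,
        "ssm": (raw >> 29) & 0x3,
        "parity_ok": bin(raw).count("1") % 2 == 1,
    }

def audit(capture, expected_labels):
    """Flag words a recorder should keep for later review.
    A well-formed word with an expected label passes both checks, because the
    format has no sender identity to verify; context is all a monitor has."""
    findings = []
    for timestamp, raw in capture:
        word = decode(raw)
        if not word["parity_ok"]:
            findings.append((timestamp, "parity_error", word["label"]))
        elif word["label"] not in expected_labels:
            findings.append((timestamp, "unexpected_label", word["label"]))
    return findings

EXPECTED = {"203", "206"}                      # constructed per-channel allowlist
SAMPLE_CAPTURE = [                             # constructed capture, not real data
    (0.00, encode("203", 0, 1000, 3)),
    (0.05, encode("206", 0, 250, 3)),
    (0.10, encode("203", 0, 1010, 3) ^ (1 << 15)),  # single bit corrupted in transit
    (0.15, encode("377", 0, 5, 3)),                 # valid parity, label not expected
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE, EXPECTED):
        print(finding)
```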
## Practical Implications
### For Security Practitioners
- Aviation security can no longer rely on "air-gapping." Increased connectivity (EFB tablets, In-Flight Entertainment, and Maintenance gateways) provides potential entry points to the aircraft's internal networks.
### For Defenders
- **Input Validation**: Avionics software must implement more rigorous "sanity checks" to discard data that is physically impossible or logically inconsistent, even if it comes from a trusted sensor.
- **Redundancy Auditing**: Ensuring that redundant systems do not use identical codebases to prevent common-mode software exploits.
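One way to express the input-validation recommendation, as an added example rather than anything taken from the report or from real avionics code: each angle-of-attack channel is checked against a physical range and a maximum rate of change, and the automation receives a value only when at least two plausible channels agree. All thresholds, names and readings below are assumptions chosen for illustration.

```python
from statistics import median

AOA_RANGE_DEG = (-30.0, 40.0)   # assumed physically plausible envelope
MAX_RATE_DEG_S = 20.0           # assumed maximum credible rate of change
AGREE_TOL_DEG = 3.0             # assumed cross-channel agreement tolerance

def plausible(value, previous, dt):
    """Reject missing, NaN, out-of-range or impossibly fast-changing readings."""
    lo, hi = AOA_RANGE_DEG
    if value is None or not (lo <= value <= hi):   # NaN fails this comparison
        return False
    if previous is not None and abs(value - previous) / dt > MAX_RATE_DEG_S:
        return False
    return True

def vote(readings, previous, dt):
    """Return (value, status); value is None when automation must be inhibited.
    A single remaining channel is never trusted on its own."""
    good = [v for v, p in zip(readings, previous) if plausible(v, p, dt)]
    if len(good) < 2:
        return None, "inhibit: fewer than two plausible channels"
    mid = median(good)
    agreeing = [v for v in good if abs(v - mid) <= AGREE_TOL_DEG]
    if len(agreeing) < 2:
        return None, "inhibit: channels disagree"
    return sum(agreeing) / len(agreeing), f"ok: {len(agreeing)} channels"

if __name__ == "__main__":
    prev = [5.0, 5.1, 5.0]
    print(vote([5.0, 5.2, 4.9], prev, 0.05))      # all channels healthy
    print(vote([5.0, 50.6, 4.9], prev, 0.05))     # one channel spikes out of range
    print(vote([22.0, None, None], [5.0, None, None], 0.05))  # lone channel jumps
    print(vote([5.0, 15.0], [5.0, 15.0], 0.05))   # two channels, no way to arbitrate
```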
### For Researchers
- Focus on the security of SATCOM links and the Gatelink (WiFi/Cellular) systems used for transferring Flight Data Recorder (FDR) information.
## Limitations
- The research is based on public accident reports and high-level architectural analysis; it does not provide "proof-of-concept" exploits, as doing so would pose significant safety and legal risks.
- Access to proprietary source code for major OEMs (Boeing/Airbus) is limited.
## Comparison to Prior Work
While previous research focused on "Hacking IFE (In-Flight Entertainment)," this work shifts the focus toward **Flight-Critical Systems**. It moves beyond theoretical "RF jamming" to discuss the internal logic failures of flight control computers.
## Real-world Applications
- **Certification Upgrades**: Proposals for updating EASA and FAA certification to include more rigorous penetration testing of line-replaceable units (LRUs).
- **Forensics**: Developing "Cyber Black Boxes" that log network traffic on avionics buses to distinguish between a hardware failure and a cyberattack following an incident.
## Future Work
- Analysis of the security of **ADS-B NextGen** implementations.
- Studying the impact of AI-driven flight pilots and the potential for "adversarial machine learning" in autonomous aviation.
## References
- ICAO Document 8973 (Security Manual).
- DO-178C (Software Considerations in Airborne Systems).
- Related research: [https://ics-cert.kaspersky.com/reports/](https://ics-cert.kaspersky.com/reports/)