Using a $600 software-defined radio, researchers can now spoof airport signals so that a pilot's navigation instruments falsely indicate that a plane is off course.
An attacker can send a signal that causes a pilot's course deviation indicator to show that a plane is slightly too far to the left of the runway, even when the plane is perfectly aligned. The pilot will react by guiding the plane to the right and inadvertently steer over the centerline.
The spoofed signals can also be used to indicate that a plane's angle of descent is more gradual than it actually is. They can generate a "fly down" signal that instructs the pilot to steepen the angle of descent, possibly causing the aircraft to touch the ground before reaching the start of the runway.
In their paper, the researchers investigate and demonstrate the vulnerability of aircraft instrument landing systems to wireless attacks. They analyze the instrument landing system (ILS) waveforms and show the feasibility of spoofing the radio signals. Such spoofing might lead to last-minute go-around decisions and, in worst-case scenarios, can even lead to missing the landing zone in low-visibility scenarios.
The researchers first show that it is possible to control the course deviation indicator, as displayed by the ILS receiver, fully and at fine granularity in real time, and they demonstrate this on aviation-grade ILS receivers. They also analyze the potential of both an overshadowing attack and a lower-power single-tone attack.
Note: The overshadowing attack involves sending specific ILS signals at a high power level to overpower legitimate ILS signals. The single-tone attack interferes with a legitimate ILS signal through the transmission of a lower-power frequency tone, which alters the plane's course deviation indicator needle.
To evaluate the complete attack, the researchers developed a tightly controlled closed-loop ILS spoofer. This spoofer adjusts the adversary's transmitted signals as a function of the aircraft's GPS location, maintaining power and keeping the deviation consistent with the adversary's target position, which causes an undetected off-runway landing.
They also demonstrated the integrated attack on an FAA (Federal Aviation Administration) certified flight simulator (X-Plane) by incorporating a spoofing-region detection mechanism. This mechanism triggers the controlled spoofing on entering the landing zone to reduce detectability.
The researchers evaluated the performance of the attack against X-Plane's AI-based autoland feature and demonstrated a systematic success rate, with offset touchdowns of 18 meters to over 50 meters. The researchers have investigated the security of the aircraft instrument landing system against wireless attacks.
For both of these attacks, the researchers generated specially crafted radio signals that are similar to the legitimate ILS signals, using a low-cost software-defined radio hardware platform. They successfully induced aviation-grade ILS receivers, in real time, to lock onto and display arbitrary alignment to both the horizontal and vertical approach paths. This also demonstrates the potential for an adversary to trigger multiple aborted landings, which would cause air traffic disruption and might cause the aircraft to overshoot the landing zone or miss the runway entirely.
The researchers then discuss potential countermeasures, including failsafe systems such as GPS, and show that these systems also do not provide sufficient security guarantees.
They also highlight that implementing cryptographic authentication on ILS signals is not enough, as the system could be vulnerable to record-and-replay attacks. The researchers therefore highlight the open research challenge of building secure, scalable and efficient aircraft landing systems.
To learn more, check out the research paper.