
Hackers can fake radio signals to 'hijack' aircraft landing systems - wglb
https://www.computing.co.uk/ctg/news/3075890/hackers-aircraft-landing-fake-radio-signals
======
ChuckMcM
Given my sort of 'maker' inclinations, I find these articles amusing. The "3D
print a gun!" ones were similar.

Basically they come down to, if you learn how a system works, or how something
is made, you can learn to implement or influence that system and/or build that
thing. Back in the 60's the click bait was "kid learns how to build an atomic
bomb!" This was pretty eye catching but really it is just physics, material
science, and a bit of math.

That said, so many people rarely look past the surface of things, seeing
something like a cell phone as an opaque magical brick that can do wondrous
things. And yet all that the phone does, and how it does it, are knowable if
someone chooses to invest the time. (admittedly it is a _lot_ of time if you
don't have the basics).

The headline, "People who know how radios work can affect systems that are
based on radio." is so much less scary.

~~~
jlg23
> The headline, "People who know how radios work can affect systems that are
> based on radio." is so much less scary.

No, it is not. Nobody should be able to influence air traffic in that way just
because she/he understands the transport layer.

After spending a night with a friend who just returned from a security audit
(lots of cocktails were involved too) 15 years ago, I am convinced that the
only reason we have not seen major disruptions yet is because of a pretty
strict adherence to hacker ethics: one of the global "airport tech players"
was deploying systems that used UDP for ground traffic control.... Having a
bus or lorry use an active runway is just a single, malicious UDP packet
away...

~~~
mopsi
> Having a bus or lorry use an active runway is just a single, malicious UDP
> packet away...

There are multiple safeguards in place to avoid single points of failure, such
as runway crossing procedures with mandatory call to air traffic control unit
for explicit permission before entering a runway. Many ATC recordings on
VASAviation Youtube channel show that even rescue services (during
emergencies) adhere to that.

Taxiways leading to runways are marked with holding positions that may not be
crossed without authorization:
[https://i.imgur.com/dCF8lFi.jpg](https://i.imgur.com/dCF8lFi.jpg) For extra
visibility in poor weather, many airports are also equipped with runway guard
lights paved into the ground or blinking on either side of the taxiway:
[https://i.imgur.com/dbix1Aw.png](https://i.imgur.com/dbix1Aw.png)

Surface movement radars and transponder-based systems have also become
widespread. They trigger alerts when a vehicle is about to enter an active
runway: [https://i.imgur.com/sJQ94zq.jpg](https://i.imgur.com/sJQ94zq.jpg)

~~~
djsumdog
True, and you have real pilots. Many really busy airports do visual approaches
and I know a couple pilots personally who don't often bother with ILS unless
the conditions are bad.

Remember in San Fransisco where a plane almost landed on a taxi way instead of
the runway? It's worth reading the complex situation with the off-line runway
and the way ILS was setup with those runways being so close together, but what
prevented the disaster was a pilot in the Taxi line of aircraft getting on the
radio and saying, "Where is this guy going?!" and everyone suddenly realizing
they were lined up for the Taxi way!

Real people, being aware, looking and reacting prevented that accident. That's
why human checks and cross-checks are so important.

~~~
godelski
> I know a couple pilots personally who don't often bother with ILS unless the
> conditions are bad

Because it is a pain.

Every pilot has to learn to do visual approaches.

I think it just makes one thing apparent though. If we go to fully automated
flying then there must ALSO be a visual check. In fact we can make it better
than humans because we should make sure that the plane can see through fog.
But key point is that there is always some redundancy built in.

~~~
inferiorhuman
_If we go to fully automated flying then there must ALSO be a visual check._

I don't think a _visual_ check is needed (otherwise you would be much more
limited in where/when you can land), but cross-checking some other data is.
Turns out we're already there, and in an ILS approach the pilots should
already be checking other instruments.

------
sokoloff
The localizer (lateral deviation indication) is going to be harder to spoof
due to the beat/squeal that it would introduce when broadcast alongside the
legitimate localizer. The pilot (or PNF) will monitor the audio signal for the
Morse code that identifies the localizer and the squeal will be apparent.

The glideslope signal (vertical deviation indication) would be easier to
spoof. Set that up 1/2 mile short of the runway and aligned to intercept the
proper glideslope shortly before the true glideslope intercept point (Maltese
cross on the chart). That has a chance of working and going undetected. If
you're able to get an aircraft onto the rogue glideslope lobe, even when ATC
gets a low altitude alert, the crew is likely to report they're perfectly on
glideslope. I'm not sure this is as practical an attack as simply firing on an
aircraft on approach, of course.

~~~
AWildC182
And with WAAS, the world is moving towards GPS approaches anyway. Even without
careful planning anyone with a mildly powerful VHF radio and a yagi antenna
can jam ILS, VORs and ATC comms rather effectively and has been able to since
the end of WWII.

I've seen these articles pop up a few times in the past couple days but
everyone in aviation already knows that there isn't any security on this
stuff. People even jam ATC for giggles sometimes[1]. There's enough redundancy
that nothing bad has happened as a result so everyone goes on with life. I
think this is just low hanging defcon fruit targeting non aviation-aware
readers.

[1] [https://www.youtube.com/watch?v=ZvA_-
linhg8](https://www.youtube.com/watch?v=ZvA_-linhg8)

~~~
dbcurtis
> People even jam ATC for giggles sometimes.

Or impersonate. One of my pilot friends was planning a trip across the CA
Central Valley, and he reported with some bemusement that there was at active
NOTAM (NOtice To Air Men) to be on guard about some guy in the Fresno area
that was impersonating ATC. Apparently it had been happening for months and
nothing much by way of investigation had taken place.

At this point I pretty much concluded that bad Part 15 devices or PG&E power
line noise h0rk1ng over my ham radio reception was not going to get any
attention, ever, if the FCC can't be bothered to find an ATC impersonator. I
mean really, there are hams that do hidden transmitter hunts purely for sport.
A posse of them could find that clown easily on any random Saturday morning
and not be late for lunch.

~~~
inetknght
> _there are hams that do hidden transmitter hunts purely for sport. A posse
> of them could find that clown easily on any random Saturday morning and not
> be late for lunch._

So why don't they?

~~~
dbcurtis
What is a bunch of random nerds going to do? They have no power to fine or
arrest. All they can do is document the evidence and turn it over to the FCC,
which does happen on occasion. But, I have listened to ARRL division directors
talking about trying for _years_ to get well-documented egregious cases of
malicious interference dealt with by the FCC. The FCC just can not be
bothered. It's not so much that they can't be bothered to collect evidence,
which they can't, but even if they have evidence, that can't be bothered to
act on it. The FCC should be a technical organization but is pathetically
political.

One of my ham friends deals with the FCC often, because he works in spectrum
management at the NTIA. The stories he tells make me never want to set foot in
D.C. except to visit all the museums that my taxes fund.

~~~
inetknght
No power to fine or arrest isn't entirely true.

What stops them from finding who's transmitting and then filing a civil suit?

~~~
zymhan
They keep telling you that the FCC has the power to do it but does not have
the political will.

------
dontbenebby
This is an issue, but I wouldn't be too alarmist. It probably wouldn't _crash_
a plane though, just severely cripple an airport. (Cause all take offs to be
cancelled, all incoming flights diverted, and the planes in the air land one
by one in order of fuel urgency using line of sight.)

~~~
antsar
(not a pilot) I'd think causing the autopilot to believe it is substantially
off-course would induce a sharp bank to correct course. That bank at low
altitude can lead to a wing strike. If not, still seems plausible to deviate
enough to impact obstacles near the runway.

~~~
dontbenebby
Possibly? Not a pilot either (but I took multiple human factors courses which
talk a _lot_ about air crashes).

I'd hope that the pilot would notice something is off and abort the landing
before that. (Eg: visually be like "oh there is something on the runway I
thought I was cleared on)

Theoretically even if cleared for landing they should keep an eye out and
abort if, say, an errant baggage cart was in the way.

~~~
bdamm
Pilots aren't always that eagle-eyed, and it is of course much more difficult
at night. The very close call of the Air Canada jet that nearly landed on four
or five other jets waiting on the taxiway at SFO is a testament to just how
badly this can go. And an attack that leads the aircraft into terrain or
buildings could put the aircraft into a local minimum that it can't fly out
of.

Frankly aviation is ripe for cyber attack. The problem is not simple to solve,
mainly because introducing crypto into critical navigation systems will also
introduce failures where legitimate service is interrupted due to system
glitches. It will take crashing a jet before the industry decides to take this
seriously, and it is entirely possible that a terrorist group or state actor
will use this weakness. Government and industry can and would respond, but it
would take money and time.

~~~
dontbenebby
>Pilots aren't always that eagle-eyed, and it is of course much more difficult
at night.

I would not place blame with a pilot who is cleared for landing, and fails to
see something on the runway. Even if they are making a good faith effort to
scan the runway, it's _hard_ to see things from the sky with your eyes.

>It will take crashing a jet before the industry decides to take this
seriously, and it is entirely possible that a terrorist group or state actor
will use this weakness.

I agree it's an issue that should be worked on, but I think it's much more
likely (as a parent pointed out) someone will simply fly a drone into the
airspace.

After all, bird strike incidents are a major cause of crashes:

> _The Federal Aviation Administration (FAA) estimates bird strikes cost US
> aviation 400 million dollars annually and have resulted in over 200
> worldwide deaths since 1988.[56] In the United Kingdom, the Central Science
> Laboratory estimates[8] that worldwide, the cost of birdstrikes to airlines
> is around US$1.2 billion annually. This cost includes direct repair cost and
> lost revenue opportunities while the damaged aircraft is out of service.
> Estimating that 80% of bird strikes are unreported, there were 4,300 bird
> strikes listed by the United States Air Force and 5,900 by US civil aircraft
> in 2003._

[https://en.wikipedia.org/wiki/Bird_strike](https://en.wikipedia.org/wiki/Bird_strike)

~~~
bdamm
Birds do most of the work to avoid bird strikes, and are avoiding airplanes
daily. The same can't be said for terrorists.

------
sascha_sl
This is news?

Def Con in 2012
[https://www.youtube.com/watch?v=e1QAjCH_1oU](https://www.youtube.com/watch?v=e1QAjCH_1oU)

~~~
lsh123
1990:
[https://m.imdb.com/title/tt0099423/](https://m.imdb.com/title/tt0099423/)

~~~
wiml
1700: [https://opencurtains.wordpress.com/2014/04/22/false-
lights/](https://opencurtains.wordpress.com/2014/04/22/false-lights/)
[https://en.wikipedia.org/wiki/Wrecking_(shipwreck)](https://en.wikipedia.org/wiki/Wrecking_\(shipwreck\))

(Fictional, but widely believed to be true, at least for a time)

------
mopsi
Skimmed over the whitepaper and did not notice any mention of ILS monitoring
systems. Modern ILS has continuous automatic monitoring that triggers alerts
or shuts off the whole system if disturbance of beam characteristics is
detected.

Such monitoring systems date back to 1960s: [https://sci-
hub.tw/10.1049/ree.1967.0009](https://sci-hub.tw/10.1049/ree.1967.0009)

------
sciurus
Ars Technica covers this story much better at
[https://arstechnica.com/information-
technology/2019/05/the-r...](https://arstechnica.com/information-
technology/2019/05/the-radio-navigation-planes-use-to-land-safely-is-insecure-
and-can-be-hacked/)

------
wglb
The underlying paper here:
[https://aanjhan.com/assets/ils_usenix2019.pdf](https://aanjhan.com/assets/ils_usenix2019.pdf)

------
bjt2n3904
There's too much sensation on this headline. The hacker does not take control
of the aircraft, simply gives misleading information to the pilot.

"Hacking" is a bit of a heavy handed word here, too.

------
meatmanek
ILS works pretty much the same way as the Lorenz/Knickebein system used in
WWII by the Germans to guide bombers (described in
[https://news.ycombinator.com/item?id=19737056](https://news.ycombinator.com/item?id=19737056)),
so the attack described in TFA sounds basically the same as the
countermeasures deployed by the British.

------
mlindner
This is well known and has been for decades. Unlike attacks based on the
internet though it’s trivial to track down people who are doing illegal
broadcasts. There isn’t a concern here.

------
sbhn
I can see all the politicians lining up now, “ME, ME, ME. Let ME remind the
people that they are under attack”, from something they have no control over

------
sdca
Sounds like a single point of failure if the pilots rely on ATC too much. Low
visibility landings and such.

------
cjrp
How powerful would a malicious transmitter need to be in order to overpower
the legitimate ILS signal?

~~~
NegativeLatency
If you got it close enough you could probably do it with a pretty low power
transmitter. (Radio on a drone or something)

~~~
jethro_tell
You'd need to be out by the transmitter in the middle of the airfield though
to truely spoof it.

~~~
penagwin
If you flew low at night I think you'd have a decent chance of getting a drone
to the right location. You'll need either a decent setup or a decent position
to control it though.

Although as others have mentioned, if you're trying to crash a plane or cause
a disruption at the airport there's easier ways. Including just flying the
drone over the runway (to close an airport).

------
xvf22
HFDL and ACARS (encryption is optional) don't have much in the way of
protection either.

------
themark
How about MCAS?

~~~
outworlder
Irrelevant to this discussion.

~~~
NikkiA
I think the point being made is that this feels an awful lot like a 'hey,
don't keep talking about mcas.... look at this huge problem that terrorists
might exploit (if they rent die hard 2), look how scary it is, boogaboogaboo'

~~~
pageandrew
I didn't know we could only talk about one thing at a time.

I don't think anyone has forgotten about MCAS

