
Wireless attacks on aircraft instrument landing systems - signa11
https://blog.acolyer.org/2019/09/27/wireless-attacks-on-aircraft-instrument-landing-systems/
======
t0mas88
Their test setup isn't realistic at all and looks more like a way to make the
article sound interesting. Several big errors:

- They are testing a handheld radio that receives a single SDR signal. In
reality a plane has two separate radios (different antenna locations)
receiving a signal from a powerful antenna array at the end of the runway,
that you try to squeeze your SDR signal in between. So the real attack is far
different from their test setup, because you're going to have several
conflicting signals instead of only one that they calculate in the test.

- If you overpower the real signal, which needs a really strong transmitter,
the monitoring equipment at the airport will easily detect it. That alerts the
tower and they will not allow a plane to use the approach. This monitoring is
even in place in simple en-route navigation beacons (VORs).

- They claim to be able to make a plane land short of the runway, but every
ILS approach has an altitude check by the pilots that's independent of the ILS
signal. It works by checking the altitude based on air pressure (not
spoofable) at a specific location (based on a system separate from ILS,
usually DME or GPS) against the altitude at which the ILS puts the plane. If the
two don't match, the pilots will break off the approach. That check is not a
nice-to-have; if you skip it at a flight test (every 6 months) you would fail.

- Their calculation needs to know where the plane really is. That's easy to
pull from the API of X-Plane (the hobby computer game they use as their
simulator) but you don't know in the real world, unless you can see the plane.
If you can see the plane, the pilots can see the runway and they're not going
to be flying a CAT II or CAT III approach.

They also claim that no system exists to counteract this, but aircraft GPS
systems all have mandatory error checking. If you fake a GPS signal, the
receiver will compare it to the other signals and either ignore the fake
signal (just like it will ignore a faulty satellite) or, if it is not possible to
calculate a correct position, refuse to fly the approach.

Another alternative, already available for years, is MLS (microwave landing
system), which has a digital signal to tell the plane its position relative to
the runway. You cannot fake that without making it obvious to the receiver
that there are two conflicting signals, and again it refuses to fly the approach.

A DoS attack on airplane landing systems is absolutely possible by jamming
either ILS, MLS or GPS signals. But making an airliner land next to the runway
is really not as easy as this article makes it sound.
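The pilot altitude cross-check described in the post above, as an added example that is not part of the thread: it computes the altitude a published glideslope should give at a DME fix and compares it with barometric altitude, using constructed numbers, a simplified geometry (DME zero at the threshold, slant range treated as ground range) and an assumed 100 ft tolerance.

```python
import math

FT_PER_NM = 6076.12  # feet per nautical mile


def glideslope_altitude_ft(dme_nm, threshold_elev_ft, tch_ft=50.0, gs_angle_deg=3.0):
    """Altitude (ft MSL) the published glideslope should put the aircraft at,
    dme_nm nautical miles from the runway threshold.
    Simplifications (assumed): DME zero is taken at the threshold and slant
    range is treated as ground range; real charts publish the fix altitude."""
    return threshold_elev_ft + tch_ft + dme_nm * FT_PER_NM * math.tan(math.radians(gs_angle_deg))


def displaced_path_altitude_ft(dme_nm, displacement_nm, threshold_elev_ft, tch_ft=50.0, gs_angle_deg=3.0):
    """Altitude an aircraft tracking a glideslope whose touchdown point has been
    shifted displacement_nm short of the runway would fly at dme_nm.
    Constructed model of the 'land short' effect discussed in the thread."""
    return glideslope_altitude_ft(dme_nm - displacement_nm, threshold_elev_ft, tch_ft, gs_angle_deg)


def altitude_crosscheck(baro_alt_ft, dme_nm, threshold_elev_ft, tolerance_ft=100.0, **gs):
    """Compare barometric altitude with the glideslope altitude at a DME fix.
    tolerance_ft is an assumed value for illustration, not an operational limit."""
    expected = glideslope_altitude_ft(dme_nm, threshold_elev_ft, **gs)
    delta = baro_alt_ft - expected
    return {"expected_ft": round(expected), "delta_ft": round(delta),
            "continue": abs(delta) <= tolerance_ft}


def check_fixes(fixes, threshold_elev_ft, tolerance_ft=100.0):
    """Run the cross-check at each (dme_nm, baro_alt_ft) fix; return the DME of
    the first fix where the approach would be broken off, or None if all agree."""
    for dme_nm, baro_alt_ft in fixes:
        if not altitude_crosscheck(baro_alt_ft, dme_nm, threshold_elev_ft, tolerance_ft)["continue"]:
            return dme_nm
    return None


if __name__ == "__main__":
    elev = 100.0  # constructed runway threshold elevation, ft MSL
    fix_dmes = (7.0, 5.0, 3.0)
    # Baro altitude of an aircraft flying the genuine 3 degree path
    genuine = [(d, glideslope_altitude_ft(d, elev)) for d in fix_dmes]
    # Baro altitude of an aircraft following a path displaced 0.5 NM short
    spoofed = [(d, displaced_path_altitude_ft(d, 0.5, elev)) for d in fix_dmes]
    print("genuine glideslope, first failing fix:", check_fixes(genuine, elev))
    print("path displaced 0.5 NM short, first failing fix:", check_fixes(spoofed, elev))
```

On a 3 degree path each nautical mile is worth about 318 ft, so a half-mile displacement shows up as roughly 160 ft of disagreement at every fix, well outside the assumed tolerance.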

~~~
tonyarkles
I agree with your analysis here minus one nit:

> Their calculation needs to know where the plane really is [...] but you
> don't know in the real world

ADS-B Out from the aircraft will give you a pretty good idea where the
aircraft is. Whether it's accurate enough for this attack is hard to know
without doing some research, but it does transmit position.

~~~
t0mas88
True, but it's a delayed position so I'm not sure it would help you create a
signal that combines correctly with the original accurately enough.

~~~
parsimo2010
It is delayed by at most 1 second plus the update rate of the GPS (about 0.1
seconds), and gives current heading and speed. WAAS receivers are accurate to
a few meters. For a plane following an instrument approach to intercept the
ILS, it would be trivial to predict their real-time position given the
information available.

------
colechristensen
The authors miss the simple defense of the air traffic controller politely
asking the pilot where the heck they think they're going and a quick exchange
that would result in all flights diverted and the FCC chasing down the van (or
fleet of vans) with big radio transmitters and antennas.

~~~
fyfy18
Are their systems accurate enough to identify an aircraft being 15m off the
centerline of the runway? Take the incident at SFO a few years ago where an
aircraft nearly landed on the taxiway - it was only detected by a pilot on the
ground (on the taxiway) saying the approaching aircraft looks off course.

[https://www.mercurynews.com/2017/07/11/sfo-near-miss-air-canada-flight-got-extremely-close-to-planes-on-taxiway/](https://www.mercurynews.com/2017/07/11/sfo-near-miss-air-canada-flight-got-extremely-close-to-planes-on-taxiway/)

~~~
sokoloff
15m laterally is still well within the obstacle protected zone and would put
the nosewheel onto pavement on most ILS-served runways (and probably all
common airline ILS runways). It would take a small sidestep at 200’ AGL to put
the offside main gear onto pavement.

------
mopsi
The article fails to mention ILS integrity monitoring systems. They are
mandatory for Cat II and Cat III operations.

ILS degradation is a well-known risk and concerns are mostly associated with
environmental effects like signal reflections from other aircraft or airport
vehicles. A 1979 FAA report, "Far Field Monitor for Instrument Landing Systems",
explores the issue in depth:
[https://apps.dtic.mil/dtic/tr/fulltext/u2/a079663.pdf](https://apps.dtic.mil/dtic/tr/fulltext/u2/a079663.pdf)

------
bambax
> _even supporting cryptographic authentication on ILS signals would still
> leave systems vulnerable to record and replay attacks_

Not necessarily? It should be possible to encode at least a timestamp so that
a replay wouldn't work; or even implement a challenge-response so that each
plane has their own signal? Not trivial of course but possible...?

~~~
TickleSteve
The normal defence against replay attacks is to use a framecounter rather than
a timestamp.

Either way, there are normal crypto techniques to resolve this issue.

~~~
krisoft
Out of curiosity: airplane receives the broadcasted properly signed packets
with frame counter included. How does it know if the antenna broadcasting is
the official one or one replaying the official at 2 miles south of the normal
glideslope?

~~~
throw0101a
> _How does it know if the antenna broadcasting is the official one or one
> replaying the official at 2 miles south of the normal glideslope?_

With multipole antennas, one can use MLat to determine where the signal came
from:

* [http://www.multilateration.com/surveillance/multilateration.html](http://www.multilateration.com/surveillance/multilateration.html)

* [http://www.navcanada.ca/EN/products-and-services/Pages/on-board-operational-initiatives-mlat.aspx](http://www.navcanada.ca/EN/products-and-services/Pages/on-board-operational-initiatives-mlat.aspx)

* [https://en.wikipedia.org/wiki/Multilateration](https://en.wikipedia.org/wiki/Multilateration)

If the signal was received on the antenna pointing forward, then the signal
probably came from where you're headed; if it came from an antenna off to the
side, then someone may be spoofing.

------
supernova87a
It is an interesting vulnerability.

But the one advantage of ILS against such attacks is that each site is
separate and to try this at scale would require lots of co-conspirators. It's
not similar to a GPS or other system-wide exploit. Also, I guess you would
need a highly directional antenna setup to be able to track a plane and
overwhelm the legitimate ILS signal (i.e. why is that weird van parked here).

Attempt this at even one airport and you'd have law enforcement / FAA on you
very quickly with a penalty of getting sent to federal ass-pounding prison for
tampering with life-critical navigation systems.

~~~
t0mas88
This. And also, the article claims:

> Commercial flights typically fly CAT II or CAT III approaches.

That's not true at all. We fly by far the most CAT I approaches, or visual
with the navigation instruments only as a backup.

To be allowed to do a CAT II or CAT III approach, the ground environment needs to
be managed differently by air traffic control. They will monitor and keep
completely empty a big area around the ILS transmitters and the runway,
specifically to avoid any interference with the signals.

Not even official airport cars are allowed in while doing CAT II or III
operations. So anyone that would want to transmit something nefarious would be
standing in an empty grass and asphalt area that is actively monitored by ATC.

------
crankylinuxuser
THIS is exactly what I'm talking about when I created my RadioInstigator
tablet.

[https://hackaday.com/2019/06/05/mobile-sigint-hacking-on-a-civilians-budget/](https://hackaday.com/2019/06/05/mobile-sigint-hacking-on-a-civilians-budget/)

Radio in all its forms has been considered a "safe" way to send and receive
digital data. That was only because attacking signals was traditionally only
in the hands of nation-states. The hardware and know-how was erudite and
tremendously expensive. That quaint idea is no longer true.

Locally, our city is installing IoT water monitors that chirp out consumption
every 1/2-1h. A simple replay attack could cause people's water bills to go in
excess of $30k. Our power meters are similar.

The tornado siren alert structures also sit on 400MHz spectrum, and are
trivial to remotely trigger with no way to turn off. The system was built to
trust any radio signal that it understands, full stop.

So seeing that planes are also attackable this way is obvious to me. Of course
the authentication/authorization/auditing/encryption/signature part of the
stack costs money, so it was not included.

What do we do? Well, _We_ (royal) fix the grid in all places to do things
right. Individually, be wary and very careful in the radios you put in your
vicinity.

------
a012
A man was charged for jamming mobile phone signals while driving[0], so it's
not hard for the authorities to find the perpetrator.

[0] [https://www.theverge.com/2014/5/1/5672762/man-faces-48000-fine-for-driving-with-cellphone-jammer](https://www.theverge.com/2014/5/1/5672762/man-faces-48000-fine-for-driving-with-cellphone-jammer)

------
colechristensen
There is already a replacement for ILS developed and in use at a couple of big
US airports and some international ones.

It consists mostly of a GPS station at an airport that broadcasts error
corrections to aircraft, which then use their corrected, satellite-sourced GPS
location data to land.

[https://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/navservices/gnss/faq/laas/](https://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/navservices/gnss/faq/laas/)

~~~
capableweb
The article ends with:

> Are there any easily deployable defences?

> No.

> All of the backup systems, including GPS, fail to provide sufficient
> security guarantees, and even supporting cryptographic authentication on ILS
> signals would still leave systems vulnerable to record and replay attacks.

So it seems solving this with GPS is not enough.

~~~
colechristensen
But those claims are not backed by anything.

Neither "sufficient security guarantees" nor how GPS systems fail to meet them
is written anywhere.

------
eternalny1
This is going against ILS systems, but the world is changing.

GPS WAAS is allowing approaches to minimums to almost any airport, even ones
that do not have an ILS.

[https://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/navservices/gnss/library/factsheets/media/WAAS_QFSheets.pdf](https://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/navservices/gnss/library/factsheets/media/WAAS_QFSheets.pdf)

------
wiseleo
You may find this interesting
[https://www.youtube.com/watch?v=CXv1j3GbgLk](https://www.youtube.com/watch?v=CXv1j3GbgLk)
in particular about the bleed of ATSB data from virtual world into real world.

It's a semi-hypothetical Defcon presentation on insecure wireless
communications directly with the aircraft.

------
kens
This is basically the plot of Die Hard 2 (1990), where bad guys take over the
instrument landing system and make a plane crash on landing.
[https://en.wikipedia.org/wiki/Die_Hard_2](https://en.wikipedia.org/wiki/Die_Hard_2)

~~~
tialaramex
Sort of, you can see a real 747 pilot discuss the many inaccuracies (not that
Die Hard intends to be a pseudo-documentary) here:

[https://www.youtube.com/watch?v=GqLbUF-2nWk](https://www.youtube.com/watch?v=GqLbUF-2nWk)

The most important thing the movie doesn't do that would happen in real life
is, when there's any problem everybody diverts to their alternate, even
including people queued up already to land. "Huh, they had some kind of
problem, guess we should go to... uh... Baltimore? Find that for me and I'll
let them know". Nobody's going to hang about waiting to see if they can get
killed by terrorists.

But yes, they also recalibrate the height wrong in the movie to kill a 747
full of passengers and that wouldn't work either.

------
forfengeligfaen
"Activate the instrument landing system but recalibrate sea level minus 200
feet."

------
elif
This does not strike me as ethical disclosure. It would, as the author himself
describes it, take a redesign of every craft before making this research
public would be safe.

He put a smiley face by the suggestion to use a drone transmitter FFS.

~~~
raverbashing
Well, it's not "ethical disclosure", but it's not like how ILS works is a big
mystery or that pilots blindly follow ILS with no other backups or guidance
systems.

~~~
fyfy18
I'm interested to know if the test pilot in their simulator knew this was
going to happen or not. I'm thinking if they knew the risk (which this
disclosure provides) they may have been more aware and have seen there was a
problem.

I can't imagine a pilot not being able to spot being off course, even by a
small amount, given pilots are able to land large aircraft by visual aids only
(however commercial pilots don't do it often).

~~~
t0mas88
We land visually all the time. Especially in the US it is super common to be
cleared for a visual approach, because it increases the runway capacity (can
fly closer together if you can see the plane ahead and follow them).

You would have the ILS (or GPS based approach) as a backup on your screens to
verify. If what you see out the window does not match the systems, you stop
the approach, climb, take some time to "debug" and then try again.

------
anorphirith
This should NOT be publicized. Hundreds of people's lives are at risk and
there are no workarounds for GA.

