- They are testing a handheld radio that receives a single SDR signal. In reality a plane has two separate radios (different antenna locations) receiving a signal from a powerful antenna array at the end of the runway, that you try to squeeze your SDR signal in between. So the real attack is far different from their test setup, because you're going to have several conflicting signals instead of only one that they calculate in the test.
- If you overpower the real signal, which needs a really strong transmitter, the monitoring equipment at the airport will easily detect it. That alerts the tower and they will not allow a plane to use the approach. This monitoring is even in place in simple en-route navigation beacons (VORs).
- They claim to be able to make a plane land short of the runway, but every ILS approach has an altitude check by the pilots that's independent of the ILS signal. It works by checking the altitude based on air pressure (not spoofable) at a specific location (based on a system separate from ILS, usually DME or GPS) to the altitude at which the ILS puts the plane. If the two don't match, the pilots will break off the approach. That check is not a nice-to-have; if you skip it at a flight test (every 6 months) you would fail.
- Their calculation needs to know where the plane really is. That's easy to pull from the API of X-Plane (the hobby computer game they use as their simulator) but you don't know in the real world, unless you can see the plane. If you can see the plane, the pilots can see the runway and they're not going to be flying a CAT II or CAT III approach.
They also claim that no system exists to counteract this, but aircraft GPS systems all have mandatory error checking. If you fake a GPS signal, the receiver will compare it to the other signals and either ignore the fake signal (just like it will ignore a faulty satellite) or, if it is not possible to calculate a correct position, refuse to fly the approach.
Another alternative already available for years is MLS (microwave landing system), that has a digital signal to tell the plane its position relative to the runway. You cannot fake that without making it obvious to the receiver that you have two conflicting signals and again refusing to fly the approach.
A DoS attack on airplane landing systems is absolutely possible by jamming either ILS, MLS or GPS signals. But making an airliner land next to the runway is really not as easy as this article makes it sound.
Here's a sim of some pilots aborting a CAT IIIB. https://m.youtube.com/watch?v=o9s2jQixK9w
Additionally the tighter the tolerances on the landing, the closer everything has to agree.
In better weather there are also physical glide slope indicators like the PAPI lights. These are the four lights to the side of the runway, if you're too low they show all red, too high they're all white. You want half red half white. They're entirely passive.
> Their calculation needs to know where the plane really is [...] but you don't know in the real world
ADS-B Out from the aircraft will give you a pretty good idea where the aircraft is. Whether it's accurate enough for this attack is hard to know without doing some research, but it does transmit position.
2-4-5. Monitoring of navigation facilities.
It is FAA policy to provide a monitoring system for all electronic navigation facilities used in support of instrument flight procedures. Internal monitoring is provided at the facility through the use of executive monitoring equipment that causes a facility shutdown when performance deteriorates below established tolerances. A remote status indicator may also be provided through the use of a signal-sampling receiver, microwave link, or telephone circuit.
Lots of things can go wrong with a navaid, from electronics failures to storm damage moving a directional antenna. So there has to be a receiver downrange and an alarm system. The signals are jammable, but not without being noticed.
ICAO has a study on navigation in degraded environments.
For GPS jammers, there are now handheld GPS jammer detector/locator units.
False glideslopes occur for many reasons, not just tilting the antenna, but also reflection or approaching them from outside the coverage area (the signal can leak in other directions). The protection is mostly in the check by the pilots that the altitude based on air pressure is correct for the indications. And there are regular calibration flights where the signals are checked against for example GPS position.
Apart from that the signals are monitored on the airport itself, but I'm not sure that would detect tilting it down just a little bit. I think it's more for other signals interfering or the transmitters failing in some way.
Edit: Oh and we have our GPS (or DME based) ground speed visible in the cockpit and know the descent rate in feet/minute (also displayed on the primary instruments) to expect for a correct glidepath with that speed. So if the descent rate is "off" almost any pilot would notice and start to think about what's causing it. If you can't figure out why the combination of data doesn't make sense, go around. That's basically in the first lesson of instrument flying.
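The two cross-checks described in the comment above (barometric altitude at a known distance, and descent rate against ground speed), as an added Python example that is not part of the thread. The 3° glidepath, 50 ft threshold crossing height, tolerances and sample values are constructed assumptions, not operational figures.

```python
import math

FT_PER_NM = 6076.12  # feet per nautical mile

def expected_descent_rate_fpm(ground_speed_kt, glidepath_deg=3.0):
    """Descent rate (ft/min) that holds the glidepath at this ground speed."""
    return ground_speed_kt * FT_PER_NM / 60.0 * math.tan(math.radians(glidepath_deg))

def expected_altitude_ft(dist_nm, threshold_elev_ft, tch_ft=50.0, glidepath_deg=3.0):
    """Altitude of the glidepath at dist_nm from the runway threshold."""
    rise = dist_nm * FT_PER_NM * math.tan(math.radians(glidepath_deg))
    return threshold_elev_ft + tch_ft + rise

def cross_check(sample, threshold_elev_ft, alt_tol_ft=100.0, vs_tol_fpm=200.0):
    """Reasons to distrust a centred glideslope needle (empty list = consistent).

    dist_nm comes from a source independent of ILS (DME or GPS) and
    baro_alt_ft from the pressure altimeter; tolerances are illustrative.
    """
    reasons = []
    alt_err = sample["baro_alt_ft"] - expected_altitude_ft(sample["dist_nm"], threshold_elev_ft)
    if abs(alt_err) > alt_tol_ft:
        reasons.append(f"baro altitude off by {alt_err:+.0f} ft at {sample['dist_nm']} NM")
    vs_err = sample["descent_fpm"] - expected_descent_rate_fpm(sample["ground_speed_kt"])
    if abs(vs_err) > vs_tol_fpm:
        reasons.append(f"descent rate off by {vs_err:+.0f} ft/min")
    return reasons

# Constructed snapshots, both taken with the glideslope needle centred.
SAMPLES = [
    {"name": "consistent", "dist_nm": 5.0, "baro_alt_ft": 1650,
     "ground_speed_kt": 140, "descent_fpm": 750},
    {"name": "steepened path", "dist_nm": 4.0, "baro_alt_ft": 1050,
     "ground_speed_kt": 140, "descent_fpm": 1000},
]

if __name__ == "__main__":
    for s in SAMPLES:
        problems = cross_check(s, threshold_elev_ft=0.0)
        verdict = "go around: " + "; ".join(problems) if problems else "continue"
        print(f"{s['name']}: {verdict}")
```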
Whether it's ILS, MLS, GPS, GBAS-LS or GNSS; spoofing, jamming and replay attacks may imply the capability to degrade or disrupt airport operations.
Usenix is not publishing techniques for military grade electronic warfare... I'd hope so.
I don't think the attack could realistically cause a plane to land off-runway in normal ILS conditions, but it could certainly shut down the airport.
ILS degradation is a well-known risk and concerns are mostly associated with environmental effects like signal reflections from other aircraft or airport vehicles. 1979 FAA report "Far Field Monitor for Instrument Landing Systems" explores the issue in depth: https://apps.dtic.mil/dtic/tr/fulltext/u2/a079663.pdf
Not necessarily? It should be possible to encode at least a timestamp so that a replay wouldn't work; or even implement a challenge-response so that each plane has their own signal? Not trivial of course but possible...?
Either way, there are normal crypto techniques to resolve this issue.
Neither frame counters nor timestamps are sufficient to robustly detect a replay attack that delays the signal by a fraction of a single bit.
With multipole antennas, one can use MLat to determine where the signal came from:
If the signal was received on the antenna pointing forward, then the signal probably came from where you're headed; if it came from an antenna off to the side, then someone may be spoofing.
Authentication provides this, not encryption.
The receivers would need a valid certificate to authenticate the transmission.
But the one advantage of ILS against such attacks is that each site is separate and to try this at scale would require lots of co-conspirators. It's not similar to a GPS or other system-wide exploit. Also, I guess you would need a highly directional antenna setup to be able to track a plane and overwhelm the legitimate ILS signal (i.e. why is that weird van parked here).
Attempt this at even one airport and you'd have law enforcement / FAA on you very quickly with a penalty of getting sent to federal ass-pounding prison for tampering with life-critical navigation systems.
> Commercial flights typically fly CAT II or CAT III approaches.
That's not true at all. We fly by far the most CAT I approaches, or visual with the navigation instruments only as a backup.
To be allowed to do a CAT II or CAT III approach, the ground environment needs to be managed differently by air traffic control. They will monitor and keep completely empty a big area around the ILS transmitters and the runway. Specifically to avoid any interference with the signals.
Not even official airport cars are allowed in while doing CAT II or III operations. So anyone that would want to transmit something nefarious would be standing in an empty grass and asphalt area that is actively monitored by ATC.
Radio in all its forms has been considered a "safe" way to send and receive digital data. That was only because attacking signals was traditionally only in the hands of nation-states. The hardware and know-how was erudite and tremendously expensive. That quaint idea is no longer true.
Locally, our city is installing IoT water monitors that chirp out consumption every 1/2-1h. A simple replay attack could cause people's water bills to go in excess of $30k. Our power meters are similar.
The tornado siren alert structures also sit on 400MHz spectrum, and are trivial to remotely trigger with no way to turn off. The system was built to trust any radio signal that it understands, full stop.
So seeing that planes are also attackable this way is obvious to me. Of course the authentication/authorization/auditing/encryption/signature part of the stack costs money, so was not included.
What do we do? Well, We (royal) fix the grid in all places to do things right. Individually, be wary and very careful in the radios you put in your vicinity.
It consists mostly of a GPS station at an airport that broadcasts error corrections to aircraft who then use their corrected, satellite sourced GPS location data to land.
> Are there any easily deployable defences?
> All of the backup systems, including GPS, fail to provide sufficient security guarantees, and even supporting cryptographic authentication on ILS signals would still leave systems vulnerable to record and replay attacks.
So seems solving with GPS is not enough.
Neither "sufficient security guarantees" nor how GPS systems fail to meet them is written anywhere.
GPS WAAS is allowing approaches to minimums to almost any airport, even ones that do not have an ILS.
It's a semi-hypothetical Defcon presentation on insecure wireless communications directly with the aircraft.
The most important thing the movie doesn't do that would happen in real life is, when there's any problem everybody diverts to their alternate, even including people queued up already to land. "Huh, they had some kind of problem, guess we should go to... uh... Baltimore? Find that for me and I'll let them know". Nobody's going to hang about waiting to see if they can get killed by terrorists.
But yes, they also recalibrate the height wrong in the movie to kill a 747 full of passengers and that wouldn't work either.
He put a smiley face by the suggestion to use a drone transmitter FFS.
I think the defense against this attack is noticing that the needle isn't moving according to any control inputs. If you're on course and the needle suddenly deflects (as opposed to moving gradually), that's something to think about. If you're off course and you fly the airplane towards the needle and it doesn't move, you're going to think twice. Presumably this realization would occur before descending too low, so it's not a major problem.
Ultimately, though, if someone is jamming the ILS and it is really a zero-visibility situation... you will have to divert to another airport. Flight planning requires that fuel for that be available... so it's somewhat unlikely that someone who reads HN and gets an SDR on eBay is going to kill a lot of people this way.
I can't imagine a pilot not being able to spot being off course, even by a small amount, given pilots are able to land large aircraft by visual aids only (however commercial pilots don't do it often).
You would have the ILS (or GPS based approach) as a backup on your screens to verify. If what you see out the window does not match the systems, you stop the approach, climb, take some time to "debug" and then try again.