Hacker News new | past | comments | ask | show | jobs | submit login
Wireless attacks on aircraft instrument landing systems (acolyer.org)
121 points by signa11 on Sept 28, 2019 | hide | past | favorite | 46 comments

Their test setup isn't realistic at all and looks more like a way to make the article sound interesting. Several big errors:

- They are testing a handheld radio that receives a single SDR signal. In reality a plane has two separate radios (different antenna locations) receiving a signal from a powerful antenna array at the end of the runway, that you try to squeeze your SDR signal in between. So the real attack is far different from their test setup, because you're going to have several conflicting signals instead of only one that they calculate in the test.

- If you overpower the real signal, which needs a really strong transmitter, the monitoring equipment at the airport will easily detect it. That alerts the tower and they will not allow a plane to use the approach. This monitoring is even in place in simple en-route navigation beacons (VORs)

- They claim to be able to make a plane land short of the runway, but every ILS approach has an altitude check by the pilots that's independent of the ILS signal. It works by checking the altitude based on air pressure (not spoofable) at a specific location (based on a system separate from ILS, usually DME or GPS) to the altitude at which the ILS puts the plane. If the two don't match, the pilots will break-off the approach. That check is not a nice to have, if you skip it at a flight-test (every 6 months) you would fail.

- Their calculation needs to know where the plane really is. That's easy to pull from the API of X-Plane (the hobby computer game they use as their simulator) but you don't know in the real world, unless you can see the plane. If you can see the plane, the pilots can see the runway and they're not going to be flying a CAT II or CAT III approach.

They also claim that no system exists to counteract this, but aircraft GPS systems all have mandatory error checking. If you fake a GPS signal, the receiver will compare it to the other signals and either ignore the fake signal (just like it will ignore a faulty satellite) or if not possible to calculate a correct position refuse to fly the approach.

Another alternative already available for years is MLS (microwave landing system), that has a digital signal to tell the plane its position relative to the runway. You cannot fake that without making it obvious to the receiver that you have two conflicting signals and again refusing to fly the approach.

A DoS attack on airplane landing systems is absolutely possible by jamming either ILS, MLS or GPS signals. But making an airliner land next to the runway is really not as easy as this article makes it sound.

Even up to a CAT IIIB approach, pilots still have a decision height where you go around if you don't see the runway or the approach lights. That's not very high for CAT IIIB (15m), but pilots are trained to abort and are basically waiting with their hands on the throttle. You can find stories of people aborting landings when already over the threshold.

Here's a sim of some pilots aborting a CAT IIIB. https://m.youtube.com/watch?v=o9s2jQixK9w

Additionally the tighter the tolerances on the landing, the closer everything has to agree.

In better weather there are also physical glide slope indicators like the PAPI lights. These are the four lights to the side of the runway, if you're too low they show all red, too high they're all white. You want half red half white. They're entirely passive.

I agree with your analysis here minus one nit:

> Their calculation needs to know where the plane really is [...] but you don't know in the real world

ADS-B Out from the aircraft will give you a pretty good idea where the aircraft is. Whether it's accurate enough for this attack is hard to know without doing some research, but it does transmit position.

True, but it's a delayed position so I'm not sure it would help you create a signal that combines correctly with the original accurately enough.

It is delayed by at most 1 second plus the update rate of the GPS (about 0.1 seconds), and gives current heading and speed. WAAS receivers are accurate to a few meters. For a plane following an instrument approach to intercept the ILS, it would be trivial to predict their real-time position given the information available.

I'm not sure what you mean by "delayed". Retrieving it from a web service might be delayed, but if you've got a radio receiver on the ground it's going to be pretty close to real-time. Plus, since they don't turn on a dime, doing motion prediction would be pretty straightforward.

FAA Order 8260/19H

2-4-5. Monitoring of navigation facilities.

a. Monitors.

It is FAA policy to provide a monitoring system for all electronic navigation facilities used in support of instrument flight procedures. Internal monitoring is provided at the facility through the use of executive monitoring equipment that causes a facility shutdown when performance deteriorates below established tolerances. A remote status indicator may also be provided through the use of a signal-sampling receiver, microwave link, or telephone circuit.

Lots of things can go wrong with a navaid, from electronics failures to storm damage moving a directional antenna. So there has to be a receiver downrange and an alarm system. The signals are jammable, but not without being noticed.

ICAO has a study on navigation in degraded environments.[2]

For GPS jammers, there are now handheld GPS jammer detector/locator units.[3]

[1] https://www.faa.gov/documentLibrary/media/Order/Order_8260.1...

[2] https://www.icao.int/EURNAT/Other%20Meetings%20Seminars%20an...

[3] https://www.navtechgps.com/ctl3520_handheld_directional_gps_...

Articles and comments like this make me appreciate just what a deeply considered system modern commercial aviation is.

How resistant are those systems with respect to tampering with the physical antenna ? Would someone tilting the antenna a few degrees towards the ground with a screwdriver cause significant perturbation ? Would flying a drone just in front of the antenna be enough to cause a misread ? What about a well positioned actively controlled reflector ?

They are positioned literally at the runway, so the first protection is that you're probably not going to get to them with a screwdriver.

False glideslopes occur for many reasons, not just tilting the antenna, but also reflection or approaching them from outside the coverage area (the signal can leak in other directions). The protection is mostly in the check by the pilots that the altitude based on air pressure is correct for the indications. And there are regular calibration flights where the signals are checked against for example GPS position.

Apart from that the signals are monitored on the airport itself, but I'm not sure that would detect tilting it down just a little bit. I think it's more for other signals interfering or the transmitters failing in some way.

Edit: Oh and we have our GPS (or DME based) ground speed visible in the cockpit and know the descent rate in feet/minute (also displayed on the primary instruments) to expect for a correct glidepath with that speed. So if the descent rate is "off" almost any pilot would notice and start to think about what's causing it. If you can't figure out why the combination of data doesn't make sense, go around. That's basically in the first lesson of instrument flying.

Anyway, airports are highly dependent on the correct functioning of all the instruments involved in IFR approaches.

Whether it's ILS, MLS, GPS, GBAS-LS or GNSS; spoofing, jamming and replay attacks may imply the capability to degrade or disrupt airport operations.

Usenix is not publishing techniques for military grade electronic warfare... I'd hope so.

apparently flying a toy is enough to shutdown an airport completely for hours, so the DOS threshold is very low.

Aircraft position can be derived from ADS-B.

I don't think the attack could realistically cause a plane to land off-runway in normal ILS conditions, but it coul certainly shut down the airport.

The authors miss the simple defense of the air traffic controller politely asking the pilot where the heck they think they're going and a quick exchange that would result in all flights diverted and the FCC chasing down the van (or fleet of vans) with big radio transmitters and antennas.

Are their systems accurate enough to identify an aircraft being 15m off the centerline of the runway? Take the incident at SFO a few years ago where an aircraft nearly landed on the taxiway - it was only detected by a pilot on the ground (on the taxi way) saying the approaching aircraft looks off course.


15m laterally is still well within the obstacle protected zone and would put the nosewheel onto pavement on most ILS-served runways (and probably all common airline ILS runways). It would take a small sidestep at 200’ AGL to put the offside main gear onto pavement.

On a normal (CAT I) ILS approach, the pilot will land manually, visually, from a height of 200 feet. You'd have to confuse the pilot as well as the ILS; otherwise the pilot will go around on seeing the deviation (if it's not correctable).

No, ATC radar systems are not accurate enough to show such a small offset and also don't update fast enough. You could probably write an algorithm to have a computer check it, but the controller in the tower will not notice because this is less than 1 pixel on their screen.

The article fails to mention ILS integrity monitoring systems. They are mandatory for Cat II and Cat III operations.

ILS degradation is a well-known risk and concerns are mostly associated with environmental effects like signal reflections from other aircraft or airport vehicles. 1979 FAA report "Far Field Monitor for Instrument Landing Systems" explores the issue in depth: https://apps.dtic.mil/dtic/tr/fulltext/u2/a079663.pdf

> even supporting cryptographic authentication on ILS signals would still leave systems vulnerable to record and replay attacks

Not necessarily? It should be possible to encode at least a timestamp so that a replay wouldn't work; or even implement a challenge-response so that each plane has their own signal? Not trivial of course but possible...?

The normal defence against replay attacks is to use a framecounter rather than a timestamp.

Either way, there are normal crypto techniques to resolve this issue.

GPS replay attacks only need to delay a signal by a very small amount - after all, a radio signal travels 300 meters in a microsecond. And the GPS C/A code has a bandwidth of 1 MHz - 1 microsecond per bit.

Neither frame counters nor timestamps are sufficient to robustly detect a replay attack that delays the signal by a fraction of a single bit.

Out of curiosity: airplane receives the broadcasted properly signed packets with frame counter included. How does it know if the antenna broadcasting is the official one or one replaying the official at 2 miles south of the normal glideslope?

> * How does it know if the antenna broadcasting is the official one or one replaying the official at 2 miles south of the normal glideslope?*

With multipole antennas, one can use MLat to determine where the signal came from:

* http://www.multilateration.com/surveillance/multilateration....

* http://www.navcanada.ca/EN/products-and-services/Pages/on-bo...

* https://en.wikipedia.org/wiki/Multilateration

If the signal was received on the antenna pointing forward, then the signal probably came from where you're headed; if it came from an antenna off to the side, then someone may be spoofing.

this does not solve the original issue of signal strength being faked.... but...

Authentication provides this, not encryption.

The receivers would need a valid certficate to authenticate the transmission.

As I understood the article, localization is based on signal strength, so cryptographically protecting the signal content is absolutely useless against an attacker who simply amplifies the signal without modifying it.

It is an interesting vulnerablity.

But the one advantage of ILS against such attacks is that each site is separate and to try this at scale would require lots of co-conspirators. It's not similar to a GPS or other system-wide exploit. Also, I guess you would need a highly directional antenna setup to be able to track a plane and overwhelm the legitimate ILS signal (i.e. why is that weird van parked here).

Attempt this at even one airport and you'd have law enforcement / FAA on you very quickly with a penalty of getting sent to federal ass-pounding prison for tampering with life-critical navigation systems.

This. And also, the article claims:

> Commercial flights typically fly CAT II or CAT III approaches.

That's not true at all. We fly by far the most CAT I approaches, or visual with the navigation instruments only as a backup.

To be allowed do a CAT II or CAT III approach, the ground environment needs to be managed differently by air traffic control. They will monitor and keep completely empty a big area around the ILS transmitters and the runway. Specifically to avoid any interference with the signals.

Not even official airport cars are allowed in while doing CAT II or III operations. So anyone that would want to transmit something nefarious would be standing in an empty grass and asphalt area that is actively monitored by ATC.

THIS is exactly what I'm talking about when I created my RadioInstigator tablet.


Radio in all its forms has been considered a "safe" way to send and receive digital data. That was only because attacking signals was traditionally only in the hands of nation-states. The hardware and know-how was erudite and tremendously expensive. That quaint idea is no longer true.

Locally, our city is installing IoT water monitors that chirp out consumption every 1/2-1h. A simple replay attack could cause peoples' water bills to go in excess of $30k. Our power meters are similar.

The tornado siren alert structures also sit on 400MHz spectrum, and are trivial to remotely trigger with no way to turn off. The system was built to trust any radio signal that it understands, full stop.

So seeing that planes are also attackable this way is obvious to me. Of course the authentication/authorization/auditing/encryption/signature part of the stack cost money, so was not included.

What do we do? Well, We (royal) fix the grid in all places to do things right. Individually, be wary and very careful in the radios you put in your vicinity.

A man was charged for jamming mobile phones signal while driving[0], so it's not hard for the authority to find the perpetrator.

[0] https://www.theverge.com/2014/5/1/5672762/man-faces-48000-fi...

There is already a replacement for ILS developed and in use at a couple of big US airports and some international ones.

It consists mostly of a GPS station at an airport that broadcasts error corrections to aircraft who then use their corrected, satellite sourced GPS location data to land.


The article ends with:

> Are there any easily deployable defences?

> No.

> All of the backup systems, including GPS, fail to provide sufficient security guarantees, and even supporting cryptographic authentication on ILS signals would still leave systems vulnerable to record and replay attacks.

So seems solving with GPS is not enough.

But those claims are not backed by anything.

Neither "sufficient security guarantees" or how GPS systems fail to meet them is written anywhere.

This is going against ILS systems, but the world is changing.

GPS WAAS is allowing approaches to minimums to almost any airport, even ones that do not have an ILS.


You may find this interesting https://www.youtube.com/watch?v=CXv1j3GbgLk in particular about the bleed of ATSB data from virtual world into real world.

It's a semi-hypothetical Defcon presentation on insecure wireless communications directly with the aircraft.

This is basically the plot of Die Hard 2 (1990), where bad guys take over the instrument landing system and make a plane crash on landing. https://en.wikipedia.org/wiki/Die_Hard_2

Sort of, you can see a real 747 pilot discuss the many inaccuracies (not that Die Hard intends to be a pseudo-documentary) here:


The most important thing the movie doesn't do that would happen in real life is, when there's any problem everybody diverts to their alternate, even including people queued up already to land. "Huh, they had some kind of problem, guess we should go to... uh... Baltimore? Find that for me and I'll let them know". Nobody's going to hang about waiting to see if they can get killed by terrorists.

But yes, they also recalibrate the height wrong in the movie to kill a 747 full of passengers and that wouldn't work either.

"Activate the instrument landing system but recalibrate sea level minus 200 feet."

This does not strike me as ethical disclosure. It would, as the author himself describes it, take a redesign of every craft, before making this research public would be safe.

He put a smiley face by the suggestion to use a drone transmitter FFS.

This attack is obvious to anyone that knows about ILS and radio. The article is a nice introduction if you've never heard about ILS... but it's not a difficult attack. If someone wants to do this, they would have done it by now.

I think the defense against this attack is noticing that the needle isn't moving according to any control inputs. If you're on course and the needle suddenly deflects (as opposed to moving gradually), that's something to think about. If you're off course and you fly the airplane towards the needle and it doesn't move, you're going to think twice. Presumably this realization would occur before descending too low, so it's not a major problem.

Ultimately, though, if someone is jamming the ILS and it is really a zero-visibility situation... you will have to divert to another airport. Flight planning requires that fuel for that be available... so it's somewhat unlikely that someone who reads HN and gets an SDR on eBay is going to kill a lot of people this way.

Well it's not "Ethical disclosure" but it's not like how ILS works is a big mystery or that pilots blindingly follow ILS with no other backups or guidance systems.

I'm interested to know if the test pilot in their simulator knew this was going to happen or not. I'm thinking if they knew the risk (which this disclosure provides) they may have been more aware and have seen there was a problem.

I can't imagine a pilot not being able to spot being off course, even by a small amount, given pilots are able to land large aircraft by visual aids only (however commercial pilots don't do it often).

We land visually all the time. Especially in the US it is super common to be cleared for a visual approach, because it increases the runway capacity (can fly closer together if you can see the plane ahead and follow them).

You would have the ILS (or GPS based approach) as a backup on your screens to verify. If what you see out the window does not match the systems, you stop the approach, climb, take some time to "debug" and then try again.

It could be a severe problem in low visibility conditions.

this should NOT be publicized. hundreds of people's lives are at risk and there are no workarounds for GA

Applications are open for YC Summer 2021

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact