Governance & Risk Management , IT Risk Management , Next-Generation Technologies & Secure Development
Researchers: Aircraft Landing Systems Vulnerable
Study Finds Bogus Instrument Landing System Signals Could Send Planes Off CourseThe majority of aircraft accidents occur during landing. And during bad weather or low-visibility, pilots are trained to entirely trust their instruments.
See Also: 2024 Threat Landscape: Data Loss is a People Problem
But researchers say they can spoof wireless signals to a critical landing system, which could cause planes to miss runways. The research is due to be presented at the Usenix Security Symposium in Santa Clara, Calif., in August, but the paper has been released in advance.
The paper is authored by Harshad Sathaye, Domien Schepers, Aanjhan Ranganathan and Guevara Noubir of the Khoury College of Computer Sciences at Northeastern University in Boston.
The attack could be performed with software-defined radios, or SDRs, that cost just a few hundred dollars, the researchers write. The majority of wireless systems used in aviation are at risk of some form of cyber-physical attack, they contend.
"Over the years, the aviation industry has largely invested and succeeded in making flying safer," the researchers write. "Security was never considered by design as historically the ability to transmit and receive wireless signals required considerable resources and knowledge."
Signal Confusion
The test was carried out in close consulation with aviation experts and not with a real, flying plane. Instead, the researchers used the FAA-approved X-plane professional flight simulator and mimicked a landing at a mid-size airport in the U.S. in a laboratory setup.
Modern airplanes have a variety of guidance systems, but there are only two that provide precision guidance during landing: GPS and the Instrument Landing System, or ILS.
ILS uses radio signals as a plane approaches a runway to figure out how the plane is aligned with a landing strip. The "localizer" subsystem of ILS provides data on horizontal alignment.
Radios on the left side of the runway emit a 90 Hz tone, while the right side emits a 150 Hz tone. For an aligned landing, both signals should be at the same amplitude. Another subsystem, the glidescope, relates the plane's vertical position in a similar way.
In poor weather conditions, pilots are dependent on ILS. "If the instruments ask them to fly right, the pilots will fly right," according to the paper.
Many of the navigation tools in airplanes accept unauthenticated signals and are vulnerable to spoofing attacks, and ILS is no different. The researchers developed two kinds of attacks, both of which could cause ILS receivers to display arbitrary alignment. The effects could cause a pilot to overshoot the runway or miss it completely.
The first - called an "overshadow" attack - uses a rogue SDR to overpower the legitimate signals the ILS should be receiving. An ILS is designed to lock onto the strongest signal it receives, regardless if it is illegitimate.
The second attack is called a "single tone" attack. It seeks to interfere with one of the 90 Hz or 150 Hz tones. But unlike the overshadow attack, that signal does not have to be more powerful than the authentic one to cause problems. The transmission of a single tone can cause deflections in the course deviation indicator needle, according to the researchers.
In a video demonstration, the researchers show that the pilot's instruments indicate the airplane is aligned with the runway before landing, when in fact it's not.
Although a single-tone attack may be tricky to pull off, it could allow for a denial-of-service type scenario. "Such an attack, especially in an aircraft's final moments before landing can be disastrous," the researchers write.
Secure System Needed
The logical fix would be to ensure that signals received by the ILS are and encrypted and authenticated. But it's not that simple, unfortunately. The researchers write that encryption can potentially be overcome in localized attacks, as is possible with GPS.
"We highlight that implementing cryptographic authentication on ILS signals is not enough as the system would still be vulnerable to record and replay attacks," they write. Therefore, through this research, we highlight an open research challenge of building secure, scalable and efficient aircraft landing systems."