The plane, it's 'splained, falls mainly without the brain: We chat to boffins who've found a way to disrupt landings using off-the-shelf radio kit

Aircraft instrument landing systems (ILS) are susceptible to radio signal spoofing using off-the-shelf equipment, boffins have found, calling into question the adequacy of aviation cybersecurity. In a research paper titled "Wireless Attacks on Aircraft Instrument Landing Systems," scheduled to be presented at the 28th USENIX …

  1. SkippyBing

    So they proved they could spoof a flight simulator?

    Just to be clear standard ILS is a very simple system, having originated a few decades ago, and basically relies on two overlapping radio signals. Messing with it shouldn't be that complicated, apart from setting up a powerful transmitter in the vicinity of an airport. Which might get noticed.

    1. macjules

      Anyone who has watched Diehard 2 knows this.

      1. Anonymous Coward

        "That concludes our object lesson for this evening"

        Came here to say exactly the same thing.

    2. Dagg

      They were bending the beams as far back as the second world war.


    3. NoneSuch

      "Cryptography will prevent spoofing but won't stop record-and-replay attacks,"

      It does if you change the flipping codes with reasonable frequency.

    4. a_yank_lurker

      As posted below, similar systems have been spoofed off and on since WWII. Nothing new really other than someone cannot read a history book. Spoofing and jamming signals for various reasons has been done since WWII on a wide scale by militaries in combat operations and possibly done to a limited extent in WWI.

  2. James Anderson

    As any valdal kno...

    It's easy to break things.

    1. David Shaw

      Re: As any valdal kno...

      True, and I broke this particular thing around a decade ago, but I didn't publicise it

  3. Magani

    It has a monitor

    While the mass media has been on its usual click-baiting we're-all-gonna-die theme, no one seems to have raised the topic of the ILS monitoring sensors that ensure the beams are transmitting where they're supposed to be.

    While my knowledge is now a bit rusty, it didn't take much to trigger an alarm if the beams weren't where they were supposed to be.

    Black helicopters don't need no stinking ILS.

  4. ma1010

    This sort of thing went on in WW II

    During WW II, the Germans used a technology in many ways similar to the radio beams used in ILS. In this case there was no glide slope signal, but two beams like a localizer (horizontal location beam) were projected from two different stations and intersected over a particular spot. The purpose was to guide German bombers to cities in Blighty at night. British boffins figured out what they were doing and came up with ways of spoofing the beams. That caused a lot of German bombs to miss cities and land in the countryside, no doubt saving many lives. If anyone is interested in the details, see R.V. Jones' excellent book, Most Secret War.

    The fact that a radio beam technology like ILS can be attacked is obvious. The solution to preventing such attacks is less so.

    1. Anonymous Coward

      Re: This sort of thing went on in WW II

      Yes, although that story gets pretty interesting as they progressed from the Lorenz beam to the X-Gerät.

      However, there are FAA-approved RNAV GPS approaches with the same minimums as ILS, so there is already an alternative.

    2. joma0711

      Re: This sort of thing went on in WW II

      "Most Secret War" - Second hand copy purchased and on its way, thanks for the tip :-)

      1. Anonymous Coward

        Re: This sort of thing went on in WW II

        References to Feynman and to R V Jones in one set of comments.

        I'm so pleased I didn't cancel my subscription :)

        Meanwhile, for those with five minutes or so to spare, here's R V Jones demonstrating a bit of laser-based "security research" at the Royal Institution Christmas Lectures sometime in the last decade or two of the 20th century (1981, actually):

        https://www.youtube.com/watch?v=MTpZsKCUvcc

        There's more where that came from. Well worth a look.

    3. JimC

      Re: This sort of thing went on in WW II

      And because this sort of thing went on in WW2 and is bleedin' obvious as a vector for causing mischief, I severely doubt the military don't already have techniques for dealing with it. So I wonder what value this research actually has other than being fun for the students and generating headlines.

      1. bazza

        Re: This sort of thing went on in WW II

        There's no specific way of countering spoofing / jamming of ILS, but a military response would be rather less subtle. A jammer is, inevitably, giving away its position to any SIGINT system in the locality, and a military response to such jamming might be rather kinetic, most energetically so.

        Basically, anyone trying out such a caper in the modern age would find out just how readily locatable they are by the authorities in pretty short order. Even OFCOM (the spectrum regulator here in the UK) could find an ILS jammer without having to borrow any resources from anyone else; they've already got it and use it. And it's airborne.

  5. A. Coatsworth

    No need to spend thousands of dollars in radio equipment to disrupt an airport, when you can achieve the same with Schrödinger's drones

  6. Malcolm Weir

    The article says "The attacks described in the paper are of particular concern during CAT III operations, where the decision height is low, making it possibly too late to regain altitude and try to land again".

    But a moment's thought would suggest that there is no time at which it's too late to go around. Think about it: a moment before touchdown you are moving fast enough to be flying (although sinking). The runway is long enough to gather enough speed to fly. Therefore if you're about to touch down at the end of the runway you have the whole length available to accelerate to a speed sufficient to climb and go around.

    The only reason the attacks are of more concern during CAT III operations is that under low visibility conditions the pilots are unable to double check their position using their eyes until moments before touchdown. So if you had an attack that could move the apparent glide path 200 metres north, say, you could line an aircraft up on the Bath road instead of LHR Runway 27R.

    (Cat IIIb is designed so that the pilot doesn't see the runway until he's 50ft above it, and he can only see a few hundred feet ahead -- i.e. one or two plane lengths. 50ft is roughly twice the height of a lamppost, so you can see the problem, even if the pilot can't).

    1. Anonymous Coward

      And that would be why I never do a Cat-III without having confirmed with at least one other system first and at least one identifiable light, also an airport that I've landed at before. And I don't know why the FAA even allows it. 200 feet is far too low to trust to a single signal, especially since your aircraft is still going to be sinking while you reconfigure for go-around. Even in the best case, a 737 is still going to shed 50-100 feet before you can regain any altitude. Which, at a lot of airports, if you happened to be 100 feet to the side of the runway, might put you face to face with the Ground Traffic Controller.

      Personally, I set my own decision height at twice the distance it would take for the craft to start climbing again + the height of the tallest object within 3 nmi of the airport and 1 nmi of the approach path.

      I may be way over-cautious, but from the years I spent in IT before going into aviation, I can no longer trust singular systems. I know how common things like bugs, faulty assumptions, and shoddy hardware are, and there is no way I'm trusting 300+ lives to the QA process of Honeywell or Rockwell (although I do trust that it is astronomically rare that they'd both screw up in the exact same way).

      1. Anonymous Coward

        Not over cautious, realistic and honest

        ". . . from the years I spent in IT . . . . . I can no longer trust singular systems"

        I think just about everyone who's willing to be honest about it feels the same way. Sadly of course, this excludes the Kool-Aid drinking fan-bois.


  7. Chairman of the Bored

    Crypto cannot mitigate replay?

    Not sure I agree. Negotiate a strong session key for each aircraft / airport interaction, and timestamp every message before encryption. Radical departure from the current crossed fan beam approach but should be secure against replay
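The pattern this post proposes (a per-session key plus a timestamp on every message before it is protected) is a standard one, and NoneSuch's remark further up about "changing the codes" is the same idea at the key level. The following is an added example, not code from the paper, from any commenter, or from any real ILS or avionics protocol: a generic authenticated-message format with a sequence number and a timestamp, and a receiver that rejects forged, stale and replayed messages. Key agreement is assumed to have already happened (the session key is just generated here), the 2 s freshness window is an assumed value, and the message payload is constructed.

```python
import hmac
import hashlib
import secrets
import struct

# Assumed: both sides already negotiated this per-session key. Generated here
# only so the example runs stand-alone (a fresh random key per run).
SESSION_KEY = secrets.token_bytes(32)

TAG_LEN = 32                    # HMAC-SHA256 output length
HEADER = struct.Struct(">QQ")   # sequence number, timestamp in ms (both unsigned 64-bit)


def seal(key, seq, timestamp_ms, payload):
    """Build seq || timestamp || payload and append an HMAC over all of it, so
    neither the counter nor the clock reading can be altered without detection."""
    body = HEADER.pack(seq, timestamp_ms) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReplayGuard:
    """Receiver-side state. Order of checks matters: authenticate first, so an
    attacker cannot move our sequence counter with an unauthenticated message."""

    def __init__(self, key, window_ms=2000):
        self.key = key
        self.window_ms = window_ms   # assumed freshness window, illustrative only
        self.last_seq = -1           # highest sequence number accepted so far

    def open(self, message, now_ms):
        """Return (payload, "ok") or (None, reason)."""
        if len(message) < HEADER.size + TAG_LEN:
            return None, "truncated"
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak tag bytes via timing.
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"
        seq, ts = HEADER.unpack(body[:HEADER.size])
        # A recorded message replayed much later fails the clock check even if
        # the receiver has lost its sequence state (e.g. after a restart).
        if abs(now_ms - ts) > self.window_ms:
            return None, "stale"
        # A message replayed inside the window fails the monotonic counter check.
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return body[HEADER.size:], "ok"


if __name__ == "__main__":
    guard = ReplayGuard(SESSION_KEY)
    # Constructed payload; the content is irrelevant to the mechanism.
    msg = seal(SESSION_KEY, 1, 1_000_000, b"constructed payload")
    print(guard.open(msg, 1_000_100))   # accepted
    print(guard.open(msg, 1_000_200))   # same bytes again: rejected as replay
```

The sequence number defends against replay within the freshness window and the timestamp defends against replay after the receiver has forgotten its counter; the MAC binds both to the payload so neither can be edited. None of this says anything about how hard certifying such a change for real aircraft would be, which is the point the reply below makes.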

      1. Anonymous Coward

      Re: Crypto cannot mitigate replay?

      To do this would require every single ILS-equipped aircraft and every single ILS-equipped airport to be upgraded or re-equipped.

      Before you can start the upgrade, you have to design, implement ***and certificate*** as safe for landing in almost zero visibility your new airport software and your new aircraft software. There are numbers of manufacturers of both ground and aircraft equipment, so this would be an enormous task.


      By the way, there is nothing new about the theory of this kind of attack, what is new is calling it "aviation cybersecurity"

      1. Chairman of the Bored

        Re: Crypto cannot mitigate replay?

        Absolutely! I agree it would be a stupendous and expensive task, which is why you will probably see ILS gradually replaced as a standard, but not for decades after any potential decision to do so. Unless people deliberately start crashing aircraft using combined ILS/GNSS spoofing. In that case, industry will drag its feet, and it will take decades.

        At least in the US, what I see is some thinking that we can possibly eschew large, expensive airport systems for dependent broadcasts from the aircrafts' own nav systems. As in, ultimately replace primary and secondary radar with ADSB.

        I think that's idiotic from a perspective of denial of service through ADSB jam/spoof, GNSS jam/spoof, ASAT attacks, truck bombs into GNSS ground stations, etc. But it's cheaper! Must be better!

        At some point we might realize that a secure off board source of precision nav might be nice for landing. Given the need is decades out, the process should probably start now.

        1. Anonymous Coward

          Re: the need is decades out, the process should probably start now.

          Lovely idea, little chance of it happening in 21st century corporate-dominated economies.

          Unless there's an Uber/Facebook-style short term profit in it for the people who count, "the markets" just won't let it happen.

          Which is a real shame for the rest of us.

  8. niio

    The difficulty for the disruptor is to be able to do it long enough to cause more than a temporary disruption. Plans exist to deal with this kind of attack. The signal's power is easy to find with the right equipment, which the authorities have, and it would take only a couple of missed approaches to start the hunt. Then off to prison for the offenders.

  9. I3N

    Number 3

    In a letter to his wife Gweneth, Richard Feynman, from the Grand Hotel in Warsaw, Poland, writes:

    "I am not getting anything out of the meeting. I am learning nothing. Because there are no experiments this field is not an active one, so few of the best men are doing work in it. The result is that there are hosts of dopes here (126) and it is not good for my blood pressure: such inane things are said and seriously discussed that I get into arguments outside the formal sessions (say, at lunch) whenever anyone asks me a question or starts to tell me about his "work."

    The "work" is always:

    (1) completely un-understandable,

    (2) vague and indefinite,

    (3) something correct that is obvious and self-evident, but worked out by a long and difficult analysis, and presented as an important discovery, or

    (4) a claim based on the stupidity of the author that some obvious and correct fact, accepted and checked for years, is, in fact, false (these are the worst: no argument will convince the idiot),

    (5) an attempt to do something probably impossible, but certainly of no utility, which, it is finally revealed at the end, fails ..., or

    (6) just plain wrong."

    "What Do You Care What Other People Think?", Richard P. Feynman.

  10. Trollslayer

    Castles

    made of sand.

    1. GnuTzu

      Re: Castles

      Cue Jimi.

  11. Ochib

    Blockchain

    Why hasn't anyone mentioned Blockchain, surely this is the solution to all problems


  12. imanidiot

    Easy to describe, VERY hard to pull off

    ILS is a pretty robust system (Which is why we've been using it for this long)

    Also, it's not actually 2 overlapping signals. The guidance is achieved with a single radio beam at a certain carrier frequency (The frequency dialed in by the pilot and noted on the charts) modulated with 2 sidebands at 90 and 150 Hz offsets. By using a phased antenna array, one sideband is received stronger on one side of the center line, the other sideband on the other side of the centerline.

    There's a very good manual with explanations for a Thales ILS system on the FCC website here and also a shorter and slightly more readable (for me anyway) post on Stackexchange here

    Also, good luck overpowering a 15W ILS system with directional phased array antennas with a simple handheld. It's potentially possible, but I very much doubt anyone would be able to do so anywhere closer to the airport (where there's actually a second antenna system transmitting an overlapping signal to cancel out potential side-lobes in the longer range signal) where it actually matters most. (At that point the monitoring systems of the ILS system would probably conclude there is a problem, report an error and stop transmitting.)

    I also have my doubts an attacker knows the aircraft position (especially close in to the runway) precisely enough to generate a smooth signal. ILS systems are surprisingly precise, to the point where airports prefer airlines NOT use autoland to touchdown because it pummels the tarmac to absolute shreds in a very small zone. Manual approaches smear this beating out over a much larger zone. If an attacker doesn't generate his signal to within a few meters accuracy the receiver system on the aircraft is going to act noticeably weird (And remember he has to match the relationship/modulation depth between 2 sideband signals, not just a certain signal timing)
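The post above describes the localizer as one carrier amplitude-modulated by a 90 Hz and a 150 Hz tone, with the receiver comparing the two modulation depths, and both it and Magani's post further up point to the ground monitors that check the beam is where it should be. The following is an added example written for this thread, not code from the paper, the commenters, or any ILS equipment: it constructs the detected AM envelope a receiver would see, recovers each tone's modulation depth with a single DFT bin, computes the difference in depth of modulation (DDM) that drives the course needle, and applies a monitor-style check that a receiver at a known position (here, on the centreline) raises an alarm when the DDM it sees departs from what it should see. The 0.155 full-scale figure is the usual localizer convention; the 0.015 monitor tolerance and the sample rate are assumed, illustrative values.

```python
import cmath
import math

# Tones that amplitude-modulate the localizer carrier.
TONE_LEFT_HZ = 90       # predominates left of the extended centreline (approach view)
TONE_RIGHT_HZ = 150     # predominates right of it
FULL_SCALE_DDM = 0.155  # DDM at which the course needle reaches full deflection


def make_envelope(depth_90, depth_150, fs=9000, n=300):
    """Constructed input: the detected AM envelope of the carrier, with the two
    tones at the given modulation depths (0.2 each on the centreline).
    fs and n are chosen so both tones fit an exact number of cycles in the
    window (3 and 5), which makes the DFT bins exact without windowing."""
    return [
        1.0
        + depth_90 * math.cos(2 * math.pi * TONE_LEFT_HZ * i / fs)
        + depth_150 * math.cos(2 * math.pi * TONE_RIGHT_HZ * i / fs)
        for i in range(n)
    ]


def tone_depth(samples, freq, fs=9000):
    """Modulation depth of one tone: magnitude of its DFT bin, normalised so a
    cosine of amplitude A returns A (carrier level is taken as 1.0 here)."""
    n = len(samples)
    k = round(freq * n / fs)
    bin_value = sum(s * cmath.exp(-2j * math.pi * k * i / n) for i, s in enumerate(samples))
    return 2 * abs(bin_value) / n


def ddm(samples, fs=9000):
    """Difference in depth of modulation, the quantity the deviation indicator
    shows. Positive: 90 Hz dominates, aircraft is left of course, fly right.
    This is why a spoofer has to match the depth ratio, not just a timing."""
    return tone_depth(samples, TONE_LEFT_HZ, fs) - tone_depth(samples, TONE_RIGHT_HZ, fs)


def needle_deflection(ddm_value):
    """Fraction of full-scale needle deflection, clipped to the stops."""
    return max(-1.0, min(1.0, ddm_value / FULL_SCALE_DDM))


def monitor_alarm(samples, expected_ddm=0.0, tolerance=0.015, fs=9000):
    """Monitor-style check: a fixed receiver at a known point (e.g. on the
    centreline) knows what DDM it should measure; anything else is an alarm.
    The tolerance is an illustrative assumption, not a value from any standard."""
    return abs(ddm(samples, fs) - expected_ddm) > tolerance


if __name__ == "__main__":
    on_course = make_envelope(0.20, 0.20)
    left_of_course = make_envelope(0.25, 0.15)
    for name, env in (("on course", on_course), ("left of course", left_of_course)):
        d = ddm(env)
        print(f"{name}: DDM={d:+.3f} needle={needle_deflection(d):+.2f} "
              f"alarm={monitor_alarm(env)}")
```

A monitor placed on the centreline expects DDM 0; the second case shows what it sees when the balance between the two tones has shifted, which is what the alarm is for. Raising the tolerance widens the region a misaligned beam can drift into before anyone is told, so it is the parameter to be conservative about.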

    1. SkippyBing

      Re: Easy to describe, VERY hard to pull off

      'Also, it's not actually 2 overlapping signals. The guidance is achieved with a single radio beam at a certain carrier frequency (The frequency dialed in by the pilot and noted on the charts) modulated with 2 sidebands at 90 and 150 Hz offsets.'

      D'oh, you are of course correct; my limited defence for describing it as such was that I only learnt about it to pass the CPL exams, but have never used it in anger as I don't need an instrument rating. You know, plus being too lazy to look it up...

  13. JaitcH

    You Can Mess Up Airport Operations For Far Less

    Airports and aircraft use antiquated VHF / AM.

    An unstable oscillator, modulated by an equally unstable oscillator, and fed into an RF amplifier would be as effective as diddling with ILS.

    And installing SSB gear in aircraft, as they did back in the days of Yasser Arafat and his desert fires of aircraft, wouldn't be of much use, either. Stand by for Gatwick to suddenly experience ILS failures!

    Encryption faces a challenge - every aircraft would need equipment to handle encryption and the chances are details would leak in weeks, if not days.

    1. un

      Re: You Can Mess Up Airport Operations For Far Less

      That's the real problem, and it's one that has to be addressed worldwide and not just in the UK.

      It's probably the simplest communication system in use today and heavily used with no authentication, encryption or validation. Even the antiquated shipping VHF systems are slightly more complex. It totally relies on human trust and effective operators with good intuition (ATC). The back-up even in this day and age is signal lamps and flares! Sometimes the simple solutions are the best, but in this case it's so vulnerable it's frightening.

      1. SkippyBing

        Re: You Can Mess Up Airport Operations For Far Less

        To be honest, if I was experiencing that kind of problem, I'd probably try phoning the tower...

  14. jtaylor

    Great article

    Thanks for giving us a solid news story with good information and which correctly (but gently) uses technical terms like Decision Height.

    Bravo.

  15. adam 40

    Been there, done that

    I was on a 747 in the mid '70s coming into a US airport - might have been LAX, or possibly the eastern seaboard on the way over. Either '74 or '77.

    The touchdown was quite eventful - there was one almighty crash, then we bounced up, and eventually landed with quite some deceleration.

    Rumours now, but according to the ground staff they thought we were goners the plane was coming in so hard. It turned out the pilot was landing on ILS even though it was a clear day, to test the system. And - another rumour - the engineers had been fiddling with the antenna array (presumably the beams were set wrongly?)

    So maybe all you need is a screwdriver and a spanner and fiddle with the antenna array of the real ILS.

    P.S. Back then you could smoke at the back of the plane - thems were the days!
