The radio navigation systems used by aircraft for safe landings are unsafe and subject to hacking.

The signal by which planes find the runway can be faked using a walkie-talkie for $600

An aircraft in the attack demonstration touches down to the right of the runway because of fake ILS signals

Virtually every aircraft that has taken to the skies in the last 50 years - whether it's a single-engine Cessna or a giant 600-seat airliner - has relied on radio to land safely at airports. These instrument landing systems (ILS) are considered precision approach systems because, unlike GPS and other navigation systems, they provide vital real-time information about the aircraft's horizontal alignment relative to the runway and its vertical angle of descent. In many conditions - especially during landings in fog or in the rain at night - this radio navigation remains the main way to ensure that the aircraft touches the ground at the beginning of the runway and exactly in the middle.

Like many other technologies created in the past, ILS was not designed with protection against hacking. Radio signals are not encrypted and their authenticity is not verified. Pilots simply assume that the audio signals received by their systems on the frequency assigned to the airport are the real signals broadcast by the airport operator. For many years, this lack of security didn't really bother anyone, mostly because the cost and complexity of signal spoofing made attacks pointless.

But now researchers have developed a low-cost hack that raises questions about the security of the ILS used at virtually every civilian airport in the industrialized world. Using a $600 software-defined radio, researchers can spoof airport signals so that the pilot's navigational instruments indicate that the aircraft is off course. As trained, the pilot will then correct the rate of descent or the orientation of the aircraft, thereby creating a threat of an accident.

One attack technique is for the fake signals to indicate that the angle of descent is smaller than it actually is. The forged message contains a so-called "take down" signal telling the pilot to increase the angle of descent, possibly causing the aircraft to touch the ground before the start of the runway.

The video shows a different spoofed signal that could pose a threat to an aircraft coming in to land. An attacker can send a signal telling the pilot that his plane is left of the runway centerline, when in fact the plane is exactly centered. The pilot will react by pulling the plane to the right, causing it to eventually drift off to the side.

Researchers at Northeastern University in Boston consulted with a pilot and a safety expert, and are careful to note that such signal spoofing is unlikely to cause an accident in most cases. ILS malfunctions are a known threat to flight safety, and experienced pilots receive detailed training on how to respond to them. It will be easy for a pilot in clear weather to notice that the aircraft is not aligned with the center line of the runway, and he will be able to go around.

Another reason for reasonable skepticism is the complexity of the attack. In addition to a programmable radio, you will need directional antennas and an amplifier. All of this equipment would be quite difficult to smuggle onto a plane if a hacker wanted to attack from the plane. If he decides to attack from the ground, it will take a lot of work to align the equipment with the runway without attracting attention. What's more, airports usually monitor for interference on critical frequencies, which could potentially stop an attack shortly after it starts.

In 2012, researcher Brad Haynes, known by the handle Renderman, disclosed vulnerabilities in the ADS-B (Automatic Dependent Surveillance-Broadcast) system that aircraft use to determine their location and transmit data to other aircraft. He summed up the difficulties of actually faking ILS signals as follows:

If it all comes together - location, hidden equipment, bad weather, a suitable target, a well-motivated, smart, and financially capable attacker - what happens? In the worst case scenario, the aircraft will land on grass, with possible injury or death, but safe aircraft development and rapid response teams ensure that there is very little chance of a huge fire with the loss of the entire aircraft. In such a case, the landing will be suspended, and the attacker will no longer be able to repeat it. At best, the pilot will notice the discrepancy, get his pants dirty, raise his altitude, go around, and report that something is wrong with the ILS - the airport will start an investigation, which means that the attacker will no longer want to stay nearby.

So, if everything converges, then the result will be minimal. Compare that to the return-to-investment ratio and economic impact of one goat with a $1000 drone flying around Heathrow Airport for two days. Certainly the drone was a more effective and workable option than such an attack.

And yet, researchers say there are risks. Deviations from the glide path - the imaginary line that an airplane follows when landing perfectly - are much harder to detect, even in good weather. What's more, some busy airports tell planes not to rush go-arounds, even in poor visibility, to avoid delays. Landing guidelines from the US Federal Aviation Administration, followed by many US airports, indicate that such a decision should be made at an altitude of only 15 m. Similar instructions apply in Europe. They leave the pilot very little time to safely abort the landing if the visual environmental conditions do not match the data from the ILS.

"Detection and recovery in case of failure of any instruments during critical landing procedures is one of the most difficult tasks of modern aviation," the researchers wrote in their paper, titled "Wireless Attacks on Aircraft Instrument Landing Systems" and accepted at the 28th USENIX Security Symposium. "Given how heavily pilots rely on the ILS and instruments in general, failure and malicious interference can lead to disastrous consequences, especially during autonomous takeoffs and flights."

What happens when the ILS fails

Several landings that almost led to disaster demonstrate the danger of ILS failures. In 2011, Singapore Airlines flight SQ327, with 143 passengers and 15 crew on board, suddenly banked to the left while 10 meters above the runway at Munich Airport in Germany. After landing, the Boeing 777-300 veered to the left, then turned right, crossed the center line, and stopped with its landing gear in the grass to the right of the runway.


The report on the incident, published by the German Federal Aircraft Accident Investigation Commission, states that the plane overshot the landing point by 500 m. Although no casualties were reported, this event highlighted the severity of ILS failures. Other near-tragic incidents involving ILS failure include New Zealand flight NZ 60 in 2000 and Ryanair flight FR3531 in 2013. The video explains what went wrong in the latter case.

Vaibhab Sharma runs a Silicon Valley security company around the world and has been flying small planes since 2006. He also holds an amateur operator's license and volunteers for the Civil Air Patrol, where he trained as a lifeguard and radio operator. He flies the plane in the X-Plane simulator, demonstrating a signal spoofing attack that causes the plane to land to the right of the runway.

Sharma told us:

Such an attack on the ILS is realistic, but its effectiveness will depend on a combination of factors, including the attacker's knowledge of air navigation systems and the conditions on the approach. If used appropriately, an attacker will be able to steer the aircraft towards obstacles surrounding the airport, and if done in poor visibility conditions, it will be very difficult for the pilot team to detect and deal with deviations.

He said the attacks have the potential to threaten both small aircraft and large jet aircraft, but for different reasons. Small planes move at slower speeds. This gives the pilots time to react. Large jet aircraft, on the other hand, have more crew members who can respond to adverse events, and the pilots of such aircraft are usually trained more often and more thoroughly.

He said that the most important thing for large and small aircraft will be to assess the environmental conditions, in particular the weather, at the time of landing.

"An attack like this is likely to be more effective when pilots have to rely more on instruments to make successful landings," Sharma said. "It could be night landings in poor visibility, or a combination of poor conditions with busy airspace that requires pilots to be more busy and heavily dependent on automation."

Aanjan Ranganathan, a researcher at Northeastern University who helped develop the attack, told us that GPS is of almost no help when the ILS fails. Deviations from the runway during an effective spoofing attack will be from 10 to 15 meters, since anything more will be visible to pilots and air traffic controllers. GPS will have a hard time detecting such deviations. The second reason is that it is very easy to spoof GPS signals.

"I can change the GPS in parallel with the change in the ILS," Ranganathan said. "It's all about the motivation of the attacker."

ILS background

ILS tests began back in 1929, and the first working system was deployed in 1932 at the German airport Berlin-Tempelhof.

ILS remains one of the most efficient landing systems. Other approaches, such as the omnidirectional azimuth beacon, the locator beacon, the global positioning system and similar satellite navigation systems, are considered non-precision because they give only horizontal or lateral guidance. The ILS is considered a precision approach system, since it provides both horizontal and vertical (glide path) guidance. In recent years, non-precision systems have been used less and less, while ILS has increasingly been coupled with autopilots and autoland systems.

How the ILS works: localizer, glide slope and marker beacons

The ILS has two key components. The localizer tells the pilot if the aircraft is off to the left or right of the runway centerline, and the glide slope indicates whether the descent angle is too steep for the aircraft to touch down at the start of the runway. The third component is marker beacons. They function as milestones that allow the pilot to determine the distance to the runway. Over the years, they have increasingly been replaced by GPS and other technologies.

The localizer uses two sets of antennas emitting tones of two different pitches - one at 90 Hz and the other at 150 Hz - on a frequency assigned to one of the runways. Antenna arrays are located on both sides of the runway, usually after the takeoff point, and arranged so that the tones cancel each other out when the landing aircraft is positioned directly above the center line of the runway. In that case the deviation indicator shows a vertical line in the center.

As the aircraft deviates to the right, the tone at 150 Hz becomes increasingly audible, causing the deviation indicator pointer to move to the left of center. If the aircraft deviates to the left, the tone at 90 Hz becomes more audible and the pointer moves to the right. Although the localizer cannot completely replace visual control of the aircraft's position, it provides a key and very intuitive means of orientation. Pilots simply need to keep the pointer centered to keep the aircraft exactly above the center line.


The glide slope works in much the same way, only it shows the angle of the aircraft's descent relative to the start of the runway. When the angle of descent is too small, the tone at 90 Hz becomes more audible, and the instruments indicate that the plane needs to descend. When the descent is too steep, the tone at 150 Hz tells the plane to climb higher. When the aircraft remains at the prescribed glide path angle of approximately three degrees, the signals cancel each other out. Two glide slope antennas are located on a tower at a height determined by the glide slope angle suitable for the particular airport. The tower is usually located close to the touchdown zone.


Flawless forgery

The attack by researchers at Northeastern University uses commercially available software-defined radios. These devices, which sell for $400-$600, transmit signals that pretend to be real signals sent by the airport's ILS. The attacker's transmitter can be located either on board the attacked aircraft or on the ground, at a distance of up to 5 km from the airport. As long as the intruder's signal exceeds the real signal in power, the ILS receiver will lock onto the attacker's signal and show the alignment relative to the vertical and horizontal flight path chosen by the intruder.


If the spoofing is poorly organized, the pilot will see sudden or erratic changes in the readings of the instruments, which he will mistake for a malfunction of the ILS. To make the fake harder to recognize, the attacker can determine the exact location of the aircraft using ADS-B, a system that transmits an aircraft's GPS position, altitude, ground speed, and other data to ground stations and other aircraft every second.

Using this information, an attacker can start signal spoofing when an approaching aircraft has moved left or right of the runway and send it a signal indicating that the aircraft is aligned. The optimal time to attack is when the aircraft has just passed the waypoint, as shown in the demo video at the beginning of the article.

The attacker can then apply a real-time correction and signal generation algorithm that constantly tweaks the malicious signal to ensure that the offset relative to the correct path matches all aircraft movements. Even if the attacker lacks the skill to make a flawless fake signal, he can confuse the ILS so that the pilot cannot rely on it when landing.
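As an added illustration (not code from the article or from the researchers' paper), the sketch below models the receiver side described above: it measures the 90 Hz and 150 Hz tone depths in a window of demodulated audio, derives the localizer pointer direction, and flags the sudden jumps in the reading that a poorly organized spoof would produce. The sample rate, window length, deadband, jump threshold, sign convention and all function names are assumptions, and the input samples are constructed.

```python
import math

SAMPLE_RATE = 8000   # Hz; assumed rate of the demodulated audio
WINDOW = 800         # 0.1 s: whole cycles of both 90 Hz (9) and 150 Hz (15)


def synth_audio(depth_90, depth_150, n=WINDOW, rate=SAMPLE_RATE):
    """Constructed test input: the two navigation tones at the given depths."""
    return [depth_90 * math.sin(2 * math.pi * 90 * i / rate)
            + depth_150 * math.sin(2 * math.pi * 150 * i / rate)
            for i in range(n)]


def tone_depth(samples, freq_hz, rate=SAMPLE_RATE):
    """Amplitude of one tone in the window, using the Goertzel algorithm."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / len(samples)


def tone_difference(samples):
    """depth(150 Hz) - depth(90 Hz); zero when the two tones balance.
    The sign convention is chosen for this example."""
    return tone_depth(samples, 150) - tone_depth(samples, 90)


def localizer_pointer(samples, deadband=0.005):
    """Pointer position as the article describes it: 150 Hz dominant means
    the aircraft is right of the centerline, so the pointer moves left."""
    d = tone_difference(samples)
    if abs(d) <= deadband:
        return "centered"
    return "left" if d > 0 else "right"


def flag_jumps(readings, max_step=0.03):
    """Indexes of windows whose reading changed by more than max_step
    since the previous window (hypothetical plausibility check)."""
    return [i for i in range(1, len(readings))
            if abs(readings[i] - readings[i - 1]) > max_step]


if __name__ == "__main__":
    cases = [("on centerline", synth_audio(0.20, 0.20)),
             ("right of centerline", synth_audio(0.15, 0.25)),
             ("left of centerline", synth_audio(0.25, 0.15))]
    for label, audio in cases:
        print(f"{label}: diff={tone_difference(audio):+.3f} "
              f"pointer={localizer_pointer(audio)}")
    # Constructed series of per-window readings with one abrupt step.
    print("suspicious windows:", flag_jumps([0.0, 0.005, 0.01, 0.09, 0.085]))
```

Nothing in this processing identifies who transmitted the tones, and a spoofed signal that tracks the aircraft smoothly, as described above, stays under any such step threshold, so the check only catches the poorly organized case.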


One variant of signal spoofing is known as a "shadowing attack". The attacker sends specially prepared signals with a power greater than the signals of the airport transmitter. An attacker's transmitter would typically need to send 20 watts of power to do this. Shadowing attacks make it easier to perform convincing signal spoofing.

Shadow Attack

The second variant of signal spoofing is known as a "one-tone attack". Its advantage is that it is possible to send a tone of one frequency with a power lower than that of the airport ILS. It has several drawbacks; for example, the attacker needs to know the exact specifics of the aircraft, such as the location of its ILS antennas.

One tone attack

Lack of easy solutions

The researchers say there is no way to eliminate the threat of spoofing attacks yet. Alternative navigation technologies - including the omnidirectional beacon, the locator beacon, the global positioning system and similar satellite navigation systems - are wireless signals that do not have an authentication mechanism and are therefore susceptible to spoofing attacks. Moreover, only ILS and GPS can provide information on the horizontal and vertical approach trajectory.

In their paper, the researchers write:

Most of the security problems faced by technologies such as ADS-B, ACARS and TCAS can be fixed by implementing cryptography. However, cryptography will not be enough to prevent localization attacks. For example, encryption of the GPS signal, similar to military navigation technology, can prevent spoofing attacks to a certain extent. All the same, an attacker will be able to redirect GPS signals with the time delays he needs, and achieve a location or time substitution. Inspiration can be drawn from the existing literature on preventing GPS spoofing attacks to build similar systems on the receiver side. An alternative would be to implement a large-scale secure localization system based on distance limits and secure proximity confirmation techniques. However, this will require two-way communication, and this option requires further study regarding its scalability, feasibility, etc.

The US Federal Aviation Administration said they did not have enough information about the demonstration conducted by the researchers to comment.

This attack and the considerable amount of research behind it are impressive, but the main question in the paper remains unanswered - how likely is it that someone would actually want to put in the effort to implement such an attack? Other types of vulnerabilities, such as those that allow hackers to remotely install malware on users' computers or bypass popular encryption systems, are easy to monetize. With an ILS spoofing attack, this is not the case. Life-threatening attacks on pacemakers and other medical devices also fall into this category.

And although the motivation for such attacks is harder to see, it would be a mistake to dismiss their possibility. A report published in May by C4ADS, a non-profit organization covering global conflicts and interstate security, indicated that the Russian Federation has often engaged in large-scale tests of GPS disruption, as a result of which the navigation systems of ships were wrong in their position by 65 miles or more [Translator's note: in fact, the report says that during the opening of the Crimean bridge (that is, not "often", but only once), the global navigation system was knocked down by a transmitter located on this bridge, and its effect was felt even near Anapa, located 65 km (not miles) from this place. "And so everything is right" (c)].

"The Russian Federation has a relative advantage in exploiting and developing the ability to deceive global navigation systems," warns the report. "However, the low cost, availability in the open market, and ease of use of such technologies, gives not only states, but also insurgents, terrorists and criminals ample opportunity to destabilize state and non-state networks."

And while ILS spoofing seems esoteric in 2019, it is hardly far-fetched to assume that it will become more commonplace in the coming years, as attack technologies become better understood and software-defined radio transmitters become more widespread. Attacks on the ILS do not have to be aimed at causing accidents. They can be used to disrupt airports, just as illegal drones closed London's Gatwick Airport last December, a few days before Christmas, and Heathrow Airport three weeks later.

"Money is one motivation and a show of power is another," Ranganathan said. "From the point of view of protection, these attacks are very critical. This needs to be taken care of, as there are enough people in this world who want to demonstrate strength."

Source: habr.com
