Aviation Village - Wireless Attacks on Aircraft Instrument Landing Systems (ILS)

Cite

DEF CON

Sathaye, Harshad Schepers, Domien Ranganathan, Aanijhan Noubir, Guevara

Formal Metadata

Title

Aviation Village - Wireless Attacks on Aircraft Instrument Landing Systems (ILS)

Title of Series

DEF CON 27

Number of Parts

335

Author

Sathaye, Harshad

Schepers, Domien

Ranganathan, Aanijhan

Noubir, Guevara

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/48482 (DOI)

Publisher

DEF CON

Release Date

2019

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

Modern aircraft heavily rely on several wireless technologies for communications control, and navigation. Researchers demonstrated vulnerabilities in many aviation systems e.g., injecting ghost aircraft into airspace, spoof locations and manipulate key communication messages. However, the resilience of the aircraft landing systems to adversarial wireless attacks have not been studied in the open literature, despite their criticality and the increasing availability of low-cost SDR platforms. In this work, we investigate and demonstrate the vulnerability of aircraft instrument landing systems (ILS) to wireless attacks. In majority of airports today, commercial traffic is typically assigned some type of instrument approach into the landing phase to maintain smooth flow of traffic in and out of the airport environment. The demonstrated attacks can cause last-minute go around decisions, missing the landing zone in low visibility, and even cause crash landings depending on the level of automation in the future. We analyze the ILS waveforms and show the feasibility of spoofing such radio signals using commercially-available SDR. We show that it is possible to fully and in fine-grain control the course deviation indicator, as displayed by the ILS receiver, in real-time, and demonstrate it on aviation-grade ILS receivers. Additionally, we introduce a novel attack called the single-tone attack that significantly reduces the power requirements of the attack. We develop a tightly-controlled closed-loop ILS spoofer that autonomously adjusts the adversary’s transmitted signals based on the aircraft’s GPS location to cause an undetected off-runway landing. We demonstrate the integrated attack on an FAA certified flight-simulator’s (X-Plane) AI-based auto-land feature and show success rate with offset touchdowns of 18 meters to over 50 meters. We discuss potential countermeasures and show that unlike other aviation security issues that can be fixed with conventional crypto, they are ineffective against the demonstrated attack and securing ILS poses unique challenges.