The problem, like the problem with PLCs in the industrial sector, is that these wireless communications are not secured. Crucial instruments like Traffic Alert and Collision Avoidance Systems(TCAS) and Instrument-Landing Systems(ILS) rely on wireless communication that affect the safety of a flight.
According to the researchers, in an overshadow attack, the attacker “transmits pre-crafted ILS signals of higher signal strength; thus overpowering the legitimate ILS signals.” And in a single tone attack, attackers only need to “transmit a single frequency tone signal at a specific signal strength (lower than the legitimate ILS signal strength) to interfere and control the deflections of the course deviation indicator needle.”
In the flight simulations the researchers performed, their planes landed as far as 800 meters beyond the safe landing zone.
Forinstance, air traffic controllers verbally communicate withthe pilots over the VHF (30 to 300 MHz) radio frequencychannels. The airplanes continuously broadcast their posi-tion, velocity, callsigns, altitude,etc. using the automatic de-pendent surveillance-broadcast (ADS-B) wireless communi-cation protocol.
many radio navigation aids such as GPS, VHF Omnidirec-tional Radio Range (VOR), Non-directional radio beacons(NDB), Distance Measuring Equipment (DME), and Instru-ment Landing System (ILS) play crucial roles during differ-ent phases of an airplane’s fligh
Many studies have already demonstrated that a number ofthe above-mentioned aviation systems are vulnerable to at-tacks. For example, researchers [21] injected non-existingaircraft in the sky by merely spoofing ADS-B messages.Some other attacks [36] modified the route of an airplane byjamming and replacing the ADS-B signals of specific vic-tim aircraft. ACARS, the data link communications systembetween aircraft and ground stations was found to leak a sig-nificant amount of private data [49], e.g., passenger infor-mation, medical data and sometimes even credit card details
One of the most critical phases of an airplane’s flight planis the final approach or landing phase as the plane descendstowards the ground actively maneuvered by the pilot.
Several technologies and systems such as GPS, VOR, DMEassist the pilot in landing the aircraft safely. The InstrumentLanding System (ILS) [1] is today the de-facto approach sys-tem used by planes at a majority of the airports as it is themost precise system capable of providing accurate horizontaland vertical guidance.
Out of these405,822 flight plans, 95% were instrument flight rule (IFR)plans. Instrument flight rules are a set of instructions estab-lished by the FAA to govern flight under conditions in whichflying by visual reference is either unsafe or just not allowed.Also, several European airports [13] prohibit aircraft fromlanding using visual flight rules during the night. ILS incor-porates radio technology to provide all-weather guidance topilots which ensures safe travel and any interference can becatastrophic
As recently as September 2018, the pilots of Air Indiaflight AI-101 reported an instrument landing system (ILS)malfunction and were forced to do an emergency landing.Even worse, TCAS, ACARS, and a majority of other sys-tems that aid a smooth landing were unusable.
In order to evaluate the complete attack, we develop atightly-controlled closed-loop ILS spoofer. It adjuststhe the adversary’s transmitted signals as a function ofthe aircraft GPS location, maintaining power and de-viation consistent with the adversary’s target position,causing an undetected off-runway landing. We demon-strate the integrated attack on an FAA certified flight-simulator (X-Plane), incorporating a spoofing regiondetection mechanism, that triggers the controlled spoof-ing on entering the landing zone to reduce detectability.
The first fully operational ILS was deployed in 1932 at theBerlin Tempelhof Central Airport, Germany.
ITU defines ILS [56] as“a radio navigation system which provides aircraft with hor-izontal and vertical guidance just before and during landingand at certain fixed points, indicates the distance to the refer-ence point of landing”. Autopilot systems on some modernaircraft [48] use ILS signals to execute a fully autonomousapproach and landing, especially in low visibility settings
ILS signals are generated and transmitted such that the wavesform a specific radio frequency signal pattern in space to cre-ate guidance information related to the horizontal and verti-cal positioning. ILS signal generators leveragespace mod-ulation
Localizer.The localizer subsystem consists of an array ofmultiple antennas that emit the CSB and SBO signals suchthat the 150 Hz modulation predominates to the right of therunway centerline and the 90 Hz signal prevails to the left.
Each runway operates its lo-calizer at a specific carrier frequency (between 108.1 MHz to111.95 MHz) and the ILS receiver automatically tunes to thisfrequency
runway identifieris transmitted using a 1020 Hz morse code
The glideslope subsystem uses two antennas
The mixing of the CSB and SBO signals re-sults in a pattern in which the 90 Hz component of the signalpredominates in the region above the glide-path while the150 Hz prevails below the glide-path. The glideslope usescarrier frequencies between 329.15 MHz and 335.0 MHz,
The combined signals received at the aircraft are amplified,demodulated, and filtered to recover the 90 Hz and 150 Hzcomponents.
For example, an aircraft that is on-course will receive both90 and 150 Hz signals with the same amplitude
3 Wireless Attacks on ILSWe demonstrate two types of wireless attacks: i) Over-shadow attack and ii) Single-tone attack.In the over-shadow attack, the attacker transmits pre-crafted ILS signalsof higher signal strength; thus overpowering the legitimateILS signals. The single-tone attack is a special attack whereit is sufficient for the attacker to transmit a single frequencytone signal at a specific signal strength (lower than the legit-imate ILS signal strength) to interfere and control the deflec-tions of the course deviation indicator needle.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
3 Comments
Tomi Engdahl says:
Attackers can Hack Airplane Landing Instruments, According to Researchers
https://codesmithdev.com/attackers-can-hack-airplane-landing-instruments-according-to-researchers/
https://codesmithdev.com/attackers-can-hack-airplane-landing-instruments-according-to-researchers/
The problem, like the problem with PLCs in the industrial sector, is that these wireless communications are not secured. Crucial instruments like Traffic Alert and Collision Avoidance Systems(TCAS) and Instrument-Landing Systems(ILS) rely on wireless communication that affect the safety of a flight.
According to the researchers, in an overshadow attack, the attacker “transmits pre-crafted ILS signals of higher signal strength; thus overpowering the legitimate ILS signals.” And in a single tone attack, attackers only need to “transmit a single frequency tone signal at a specific signal strength (lower than the legitimate ILS signal strength) to interfere and control the deflections of the course deviation indicator needle.”
In the flight simulations the researchers performed, their planes landed as far as 800 meters beyond the safe landing zone.
Wireless Attacks on Aircraft Instrument Landing Systems
https://aanjhan.com/assets/ils_usenix2019.pdf
Forinstance, air traffic controllers verbally communicate withthe pilots over the VHF (30 to 300 MHz) radio frequencychannels. The airplanes continuously broadcast their posi-tion, velocity, callsigns, altitude,etc. using the automatic de-pendent surveillance-broadcast (ADS-B) wireless communi-cation protocol.
many radio navigation aids such as GPS, VHF Omnidirec-tional Radio Range (VOR), Non-directional radio beacons(NDB), Distance Measuring Equipment (DME), and Instru-ment Landing System (ILS) play crucial roles during differ-ent phases of an airplane’s fligh
Many studies have already demonstrated that a number ofthe above-mentioned aviation systems are vulnerable to at-tacks. For example, researchers [21] injected non-existingaircraft in the sky by merely spoofing ADS-B messages.Some other attacks [36] modified the route of an airplane byjamming and replacing the ADS-B signals of specific vic-tim aircraft. ACARS, the data link communications systembetween aircraft and ground stations was found to leak a sig-nificant amount of private data [49], e.g., passenger infor-mation, medical data and sometimes even credit card details
One of the most critical phases of an airplane’s flight planis the final approach or landing phase as the plane descendstowards the ground actively maneuvered by the pilot.
Several technologies and systems such as GPS, VOR, DMEassist the pilot in landing the aircraft safely. The InstrumentLanding System (ILS) [1] is today the de-facto approach sys-tem used by planes at a majority of the airports as it is themost precise system capable of providing accurate horizontaland vertical guidance.
Out of these405,822 flight plans, 95% were instrument flight rule (IFR)plans. Instrument flight rules are a set of instructions estab-lished by the FAA to govern flight under conditions in whichflying by visual reference is either unsafe or just not allowed.Also, several European airports [13] prohibit aircraft fromlanding using visual flight rules during the night. ILS incor-porates radio technology to provide all-weather guidance topilots which ensures safe travel and any interference can becatastrophic
As recently as September 2018, the pilots of Air Indiaflight AI-101 reported an instrument landing system (ILS)malfunction and were forced to do an emergency landing.Even worse, TCAS, ACARS, and a majority of other sys-tems that aid a smooth landing were unusable.
In order to evaluate the complete attack, we develop atightly-controlled closed-loop ILS spoofer. It adjuststhe the adversary’s transmitted signals as a function ofthe aircraft GPS location, maintaining power and de-viation consistent with the adversary’s target position,causing an undetected off-runway landing. We demon-strate the integrated attack on an FAA certified flight-simulator (X-Plane), incorporating a spoofing regiondetection mechanism, that triggers the controlled spoof-ing on entering the landing zone to reduce detectability.
The first fully operational ILS was deployed in 1932 at theBerlin Tempelhof Central Airport, Germany.
ITU defines ILS [56] as“a radio navigation system which provides aircraft with hor-izontal and vertical guidance just before and during landingand at certain fixed points, indicates the distance to the refer-ence point of landing”. Autopilot systems on some modernaircraft [48] use ILS signals to execute a fully autonomousapproach and landing, especially in low visibility settings
ILS signals are generated and transmitted such that the wavesform a specific radio frequency signal pattern in space to cre-ate guidance information related to the horizontal and verti-cal positioning. ILS signal generators leveragespace mod-ulation
Localizer.The localizer subsystem consists of an array ofmultiple antennas that emit the CSB and SBO signals suchthat the 150 Hz modulation predominates to the right of therunway centerline and the 90 Hz signal prevails to the left.
Each runway operates its lo-calizer at a specific carrier frequency (between 108.1 MHz to111.95 MHz) and the ILS receiver automatically tunes to thisfrequency
runway identifieris transmitted using a 1020 Hz morse code
The glideslope subsystem uses two antennas
The mixing of the CSB and SBO signals re-sults in a pattern in which the 90 Hz component of the signalpredominates in the region above the glide-path while the150 Hz prevails below the glide-path. The glideslope usescarrier frequencies between 329.15 MHz and 335.0 MHz,
The combined signals received at the aircraft are amplified,demodulated, and filtered to recover the 90 Hz and 150 Hzcomponents.
For example, an aircraft that is on-course will receive both90 and 150 Hz signals with the same amplitude
3 Wireless Attacks on ILSWe demonstrate two types of wireless attacks: i) Over-shadow attack and ii) Single-tone attack.In the over-shadow attack, the attacker transmits pre-crafted ILS signalsof higher signal strength; thus overpowering the legitimateILS signals. The single-tone attack is a special attack whereit is sufficient for the attacker to transmit a single frequencytone signal at a specific signal strength (lower than the legit-imate ILS signal strength) to interfere and control the deflec-tions of the course deviation indicator needle.
Tomi Engdahl says:
Hakkerit häiritsivät lentokoneen kriittisiä laskeutumis- ja törmäyksenestojärjestelmiä
https://www.tivi.fi/uutiset/tv/3d2ca0f4-f266-45c7-92ad-459f2e8699f6
Tietoturvaongelmat ovat vakava asia, varsinkin silloin, kun ne vaarantavat ihmishenkiä.
Tomi Engdahl says:
https://codesmithdev.com/attackers-can-hack-airplane-landing-instruments-according-to-researchers/