Now that wireless devices are so widespread, hackers have the ability to impact almost every sector imaginable. The aviation industry in particular has been on high alert for almost two decades now, looking out for immediate threats. However, according to a paper written by researchers at Northeastern University, the modern threat to planes can come from a spoofed wireless signal; hackers can attack an aircraft’s instrument landing systems with wireless attacks, they warn.
The problem, like the problem with PLCs in the industrial sector, is that these wireless communications are not secured. Crucial instruments like Traffic Alert and Collision Avoidance Systems (TCAS) and Instrument Landing Systems (ILS) rely on wireless communication that affects the safety of a flight. The paper cites instances where other researchers were able to compromise some of these instruments:
“…researchers injected non-existing aircraft in the sky by merely spoofing ADS-B messages. Some other attacks modified the route of an airplane by jamming and replacing the ADS-B signals of specific victim aircraft. ACARS, the data link communications system between aircraft and ground stations was found to leak a significant amount of private data, e.g., passenger information, medical data and sometimes even credit card details were transferred. GPS, one of the essential navigation aids is also vulnerable to signal spoofing attacks. Furthermore, an attacker can spoof TCAS messages creating false resolution advisories and forcing the pilot to initiate avoidance maneuvers.”
In the case of an ILS, the researchers found that radio signals can be spoofed using commercially available SDRs, which can result in last-minute flight abortions and missed landing zones in poor weather. The potential wireless attacks are of two kinds: an overshadow attack and a single-tone attack.
According to the researchers, in an overshadow attack, the attacker “transmits pre-crafted ILS signals of higher signal strength; thus overpowering the legitimate ILS signals.” And in a single tone attack, attackers only need to “transmit a single frequency tone signal at a specific signal strength (lower than the legitimate ILS signal strength) to interfere and control the deflections of the course deviation indicator needle.”
When you dig further into the experiment, you’ll find that when the researchers “hijacked” ILS with an overshadow attack, there was an imperceptible change in the flight instruments, which means pilots would not be able to sense that their instruments have been taken over. In the flight simulations the researchers performed, their planes landed as far as 800 meters beyond the safe landing zone.
The single-tone attack wasn’t as undetectable as the overshadow attack, but its advantage is the minimal power required to achieve some sort of result. A worst-case scenario for an attacker is a denial-of-service variation that may force the pilot to abort the landing.
These attacks are feasible, in one sense, because technical information about ILS is open to the public and radio platforms are relatively cheap. This means that a lone actor can achieve the same results. However, based on the researchers’ experiment, the hack requires the attacker to be present. The researchers mark the ideal location of an attacker to be: “at a point along the centerline of the runway that falls within the receiving lobe of the onboard antennas.” They don’t rule out the possibility of an onboard attacker either, though the experiment didn’t account for the attacker’s location. Still, the amount of equipment needed to pull off the attack before being spotted greatly mitigates the risk.
But that was the same attitude that birthed Stuxnet, when the feasibility of hacking PLCs was debated, leading to little to no countermeasures. We don’t know what the future will hold, or whether new innovations will allow attackers to remotely maneuver small drones that can spoof signals.
The researchers also propose a couple of countermeasures:
- Implementation of cryptographic solutions in some cases: ADS-B, ACARS, and TCAS
- Implementation of a “wide-area secure localization system based on distance bounding and secure proximity verification techniques.”
In the end, they concluded that, “an attacker can precisely control the approach path of an aircraft without alerting the pilots, especially during low-visibility conditions.”