Hello. In the previous talk, we saw a demonstration of ILS spoofing and ADS-B spoofing. In this talk, I'll be going over the fundamental principles and security issues of these systems. The ILS work was done in collaboration with Domien Schepers and my advisors, Professor Aanjhan Ranganathan and Professor Guevara Noubir from Northeastern University. Well, yes, the ILS part is very similar to what the bad guys did in Die Hard 2. Actually, that was one of the motivating factors behind this research. Sometimes fiction does turn into reality.

In recent years, the aviation industry has seen a significant rise, with approximately 15,000 flights in the sky at any given time. Of course, with the onset of COVID-19, this has drastically changed, but nevertheless. Atlanta's Hartsfield International Airport is considered to be the busiest airport. It alone caters to over 2,500 takeoffs and landings every single day. Right from taxiing to the runway for takeoff to arriving and taxiing back to the destination gate, these flights rely on a plethora of wireless navigation aids. Pilots continuously interact with ATC using RF channels. Controllers use surveillance radar for aircraft localization. Automatic Dependent Surveillance-Broadcast enables aircraft tracking. Traffic and collision avoidance systems like ACAS and TCAS also rely on these ADS-B packets. Flights use satellite systems for general point-to-point navigation. At the end, the instrument landing system gets you safely back on the ground even in extreme weather conditions.

In recent years, systems like ADS-B and navigation aids like GPS have been found to be vulnerable by researchers. It is possible to include ghost aircraft by spoofing ADS-B packets. In the previous talk, we witnessed the effects of spoofing ADS-B packets to disrupt collision avoidance systems. It has been shown multiple times how GPS is vulnerable to spoofing attacks.
With the advent of really inexpensive software-defined radio platforms, it has become much easier to fabricate such disturbances.

Let's take a look at the instrument landing system in detail. The final approach, or landing phase, is one of the most critical phases. According to a Boeing report, about 59% of all fatal accidents have occurred during the final approach phase. ILS is the de facto landing system used all over the world. It provides precise guidance even in extreme weather conditions. It has three subsystems. First is the localizer. It's the component which provides lateral guidance. The glide slope provides vertical guidance, and marker beacons act as checkpoints during the approach.

Let's look at the localizer in detail. The localizer enables the receiver to calculate its location with respect to the runway centerline. The instrument guides the pilot to properly align the aircraft. An antenna array installed at the end of the runway transmits a 25 watt signal. The transmission pattern creates a lobe on each side of the runway. A 90 hertz tone dominates the region on the left side of the runway and a 150 hertz tone dominates the region on the right side of the runway. The receiver is configured to interpret the power levels of the tones and guide the pilot. For example, if the aircraft is on the left side of the runway, the needle will point right, indicating that the pilot has to fly right to intercept the centerline.

The glide slope helps the pilot align the aircraft with the prescribed glide path. Usually it is a 3 degree path, but it depends on the environment. An antenna array located near the touchdown zone transmits an 8 watt signal. The transmitter is similar to that of the localizer. However, it results in a slightly different pattern. The 90 hertz tone dominates the region above the glide path angle and the 150 hertz tone dominates the region below the glide path. The receiver is configured to interpret the power levels of the tones and guide the pilot.
For example, if the aircraft is above the glide path, the needle will point down, indicating that the pilot has to fly down to intercept the glide path angle. In ILS, the localizer uses a VHF carrier and the glide slope uses a UHF carrier. There are two main components of the ILS signal, a 90 hertz tone and a 150 hertz tone. The unique transmission pattern is a result of elegant analog radio engineering. This unique pattern results in two zones on either side of the runway. This is achieved by implementing the space modulation technique. In this technique, the characteristics of a received signal are determined by how two signals add up in space. Thus, they change with respect to the receiver's position. As a direct result, the 90 hertz tone dominates the region on the left and the 150 hertz tone dominates the region on the right. The amplitude of these tones is equal on the runway centerline.

The signal modulator uses two distinct signals called the carrier sideband signal, CSB, and the sideband only signal, SBO. For generating the CSB signal, the 90 hertz and 150 hertz tones are added. For generating the SBO tone, these are added in a slightly different way. Here, the 150 hertz tone is inverted. That is, it undergoes a 180 degree phase shift. These waveforms are passed on to a modulator which generates the final CSB and SBO waveforms. This is the design of the signal modulator which is responsible for ILS's unique transmission pattern. The CSB modulating tone is modulated with a VHF carrier. To get the desired amplitude modulation form, the carrier is added back to the modulated signal. This results in a conventional amplitude modulated signal with a full carrier and sidebands. Similarly, the SBO modulating tone is modulated. Note that the carrier is not added back to the modulated signal. This results in a double sideband suppressed carrier signal. Before feeding these signals to the antenna elements, the SBO signal undergoes specific phase shifts.
This is done in order to achieve the desired space modulation. Alternatively, there is a provision for adding Morse code or voice to the CSB signal. It contains a four-character runway identifier which can be used by the pilots to identify and verify the runway.

As compared to the transmitter, the receiver has a rather simple design. At the receiver, the signal undergoes amplification before it is demodulated. The demodulated signal is passed to a 90 hertz filter and a 150 hertz filter. The difference in DC voltage of the 90 hertz and 150 hertz tones is the difference in depth of modulation. This DDM value is used to calculate the deflection of the instrument's needle.

The radio engineering involved in the purely analog instrument landing system is quite remarkable. However, the simplistic nature of the system also makes it very vulnerable to attacks. Before software-defined radios came into the picture, executing these attacks was extremely difficult, not to mention expensive. Thus, only state actors had the means to carry out such an attack. However, nowadays, even you and I can execute such attacks and can potentially cause quite some damage with cheap pocket-sized radios. A deeper analysis of the receiver design reveals that the needle deflection is solely based on the power levels of the received tones. In the past, there have been instances of ILS showing weird deflections as a result of an aircraft taxiing near the localizer antenna. Thus, an attacker simply has to transmit a signal which is similar to the real signal. That is, the attacker need not implement complex features. This is very similar to a not so widely used landing system called TLS, or Transponder Landing System, where the landing system relies on Mode S transmissions to find the aircraft's position and transmits an ILS-like signal specifically crafted for that aircraft at that particular location. In these attacks, the attacker's goal is to force the aircraft to overshoot the runway or completely miss the approach.
Given the simplistic nature of the systems, the attacker can manipulate DDM calculations by simply altering the power levels of the received signals. In our work last year, we discussed two attacks. The first is the Overshadow attack, which involves signals with fabricated power levels, and the second is the single-tone attack, which involves low-power signals to achieve the objectives. With minor changes, the attacks work for the localizer as well as the glide slope. ILS implements the basic principle of space modulation, that is, how two signals add up in space. Being a simplex broadcast system, it poses a fundamental challenge to implementing any type of security mechanism, thus making attacks on these systems quite trivial.

In the Overshadow attack, the attacker transmits a high-power pre-crafted ILS signal equivalent to what will be received at a specific location. One important characteristic of a typical wireless receiver is that it will always lock on to the stronger signal. This property is exploited in this attack. Since the receiver has a very simple design, the attacker has to transmit a signal similar to the received signal, even though the legitimate transmitter has quite a complex design. Hence, the attacker needs to only craft the signals with specific amplitudes. For example, in this case, this signal represents the signal that will be received at the runway centerline. Hence, if the attacker wants to cause a deflection, the attacker simply transmits a signal with altered power levels of the 90 Hz and 150 Hz tones. In this case, 90 Hz is dominant, thus the needle will give a fly-right indication. The advantage of this attack is that the attacker has granular control over needle deflections. Even though the Overshadow attack requires just a few watts of transmission power, we wanted to find out if the attack can be made more efficient and stealthy by reducing the energy footprint. For this, we came up with the single-tone attack.
Since the needle deflections depend directly on the power levels of the tones, it is enough to transmit just one of the two tones that make up the ILS signal. In this way, the attacker can manipulate the power levels without having to transmit the entire ILS signal. The attacker's signal is similar to a double-sideband suppressed carrier signal, which is very well known to be spectrally efficient. In this case, the attacker just transmits the 150 Hz tone. As a result, the amplitude of the 150 Hz tone is greater than that of the 90 Hz tone. Thus, the instrument shows a fly-left indication. This attack, as compared to the Overshadow attack, has low power requirements. However, this attack is sensitive to the phase difference between the attacker's tone and the legitimate tone, which makes it quite complicated.

The two attacks may seem quite simple and straightforward. However, there are certain challenges associated with executing these attacks. The first is that the aircraft can intercept the localizer from multiple directions. If the attacker is not careful while starting the spoofer, it may result in certain needle jumps. This results in detection. The second challenge is with a naive Overshadow attack. If the attacker simply starts transmitting a pre-crafted signal, it results in a fixed, unreactive offset. This will make it super easy for the pilot to notice something is off, and they will totally forgo ILS or may use some other system to land. To overcome these challenges, we developed two mechanisms: an offset correction algorithm and a spoofing zone detector. Let's look at them one by one.

The offset correction algorithm provides signal corrections in real time. The attacker's signal is adjusted as a function of the aircraft's current GPS location. This provides seamless takeover of the onboard instrument. The algorithm calculates the difference between the angle with the legitimate path and the spoofed path. This offset is then used to calculate the required amplitude levels of the tones.
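As an added illustration of the space modulation and receiver design described above (this is not code from the talk or from the ILS paper), the following Python model builds the demodulated CSB+SBO envelope seen by a receiver at a given angle off the centerline, recovers the 90 Hz and 150 Hz depths of modulation with a single-bin DFT the way the receiver's tone filters would, and derives the DDM and needle deflection; a constructed extra-tone helper stands in for the single-tone case so that a simple receiver-side plausibility check can be shown. The 20% tone depths, the linear course model, the sample rate and the sum-of-depths check are assumptions for illustration; 0.155 DDM is the ICAO localizer full-scale figure.

```python
import math

# Constructed receiver-side model of localizer space modulation.  Constants are
# illustrative assumptions, except FULL_SCALE_DDM (ICAO localizer full-scale figure).
TONE_90, TONE_150 = 90.0, 150.0
CSB_DEPTH = 0.20         # assumed: each tone at 20% depth in the CSB signal
SBO_GAIN = 0.04          # assumed: depth shift per degree off centerline (linear course)
FULL_SCALE_DDM = 0.155   # DDM that drives the needle to full-scale deflection
SAMPLE_RATE = 9000       # Hz; an integer number of cycles of both tones per second
N_SAMPLES = SAMPLE_RATE  # one second of demodulated envelope

def envelope(t, sbo_level):
    """Demodulated CSB + SBO envelope.  The SBO term carries 90 Hz and an inverted
    150 Hz tone, so in space it adds to one tone exactly what it removes from the
    other; its sign (set by the receiver's side of the runway) decides which dominates."""
    w90, w150 = 2 * math.pi * TONE_90 * t, 2 * math.pi * TONE_150 * t
    return (1.0 + CSB_DEPTH * (math.cos(w90) + math.cos(w150))
            + sbo_level * (math.cos(w90) - math.cos(w150)))

def localizer_envelope(theta_deg):
    """Envelope seen theta_deg off the centerline (negative = left of the runway)."""
    sbo_level = -SBO_GAIN * theta_deg   # left side: SBO in phase with the 90 Hz tone
    return [envelope(i / SAMPLE_RATE, sbo_level) for i in range(N_SAMPLES)]

def with_extra_tone(samples, freq, depth):
    """Constructed stand-in for a single injected tone, used to exercise the check below."""
    return [s + depth * math.cos(2 * math.pi * freq * i / SAMPLE_RATE)
            for i, s in enumerate(samples)]

def tone_depth(samples, freq):
    """Model of one receiver tone filter: single-bin DFT magnitude relative to DC."""
    n = len(samples)
    dc = sum(samples) / n
    re = sum(s * math.cos(2 * math.pi * freq * i / SAMPLE_RATE) for i, s in enumerate(samples))
    im = sum(s * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i, s in enumerate(samples))
    return 2 * math.hypot(re, im) / n / dc

def receiver(samples):
    """Receiver logic: DDM from the two tone depths, then needle deflection."""
    d90, d150 = tone_depth(samples, TONE_90), tone_depth(samples, TONE_150)
    ddm = d90 - d150   # positive: 90 Hz dominant, aircraft is left, needle says fly right
    needle = max(-1.0, min(1.0, ddm / FULL_SCALE_DDM))  # fraction of full-scale deflection
    indication = "fly right" if needle > 0.01 else "fly left" if needle < -0.01 else "on course"
    return {"d90": round(d90, 4), "d150": round(d150, 4), "ddm": round(ddm, 4),
            "needle": round(needle, 3), "indication": indication}

def sdm_consistent(result, tol=0.01):
    """Illustrative plausibility check (an assumption, not a certified receiver feature):
    a genuine CSB+SBO signal keeps d90 + d150 at 2 * CSB_DEPTH at every position,
    whereas an extra tone that raises one depth without lowering the other breaks it."""
    return abs(result["d90"] + result["d150"] - 2 * CSB_DEPTH) < tol
```

Run `receiver(localizer_envelope(-2.0))` to see the left-of-centerline case (90 Hz dominant, fly right) and `receiver(with_extra_tone(localizer_envelope(0.0), 150.0, 0.05))` to see the extra-tone case fail `sdm_consistent`.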
The spoofing zone detector is responsible for timely and automated triggering of the attack. The aircraft can be vectored in on the final approach in multiple ways. Hence, to prevent any sudden needle jumps, we developed the spoofing zone detector, which uses the even-odd algorithm to check if the target aircraft has entered the spoofing region. The zone covers 17.5 degrees on either side of the centerline and extends 35 kilometers beyond the touchdown zone. The attacker starts transmitting as soon as the aircraft enters this region.

Alright, now let's take a look at ADS-B. Automatic Dependent Surveillance-Broadcast is a reporting technology where an aircraft repeatedly transmits position, velocity and aircraft identification information. These packets can be received and decoded by Mode S receivers. ADS-B is similar to Mode S except it doesn't require specific interrogation messages. As of January 2020, ADS-B transponders are mandatory for aircraft operating under certain conditions in the US airspace. ADS-B greatly improves safety and efficiency by providing better situational awareness. It is also spectrally efficient and costs much less than Mode S setups. Collision avoidance systems like ACAS and TCAS leverage ADS-B packets.

These are the signal characteristics. ADS-B uses a carrier frequency of 1090 megahertz. The bandwidth is 50 kilohertz and it uses a simple pulse position modulation technique. The data rate for ADS-B data is 1 megabit per second, and two packets are transmitted every second. The polarization of the transmission antenna is vertical and the transmission power is about 20 watts. All this is good about ADS-B. It improves overall safety by increasing situational awareness, decreases load on the controllers by automating tracking of aircraft, and overall decreases operational cost. But what about security? Well, nothing. There is absolutely none. The only thing close to security it has is a checksum.
There is no way to know whether a packet is really from the aircraft that it says it is from. Moreover, everything is in clear text, which means any person with $30 to spare can effectively set up a so-called air traffic monitoring center in their home. This has led to a lot of serious privacy concerns and an equal number of "oops" moments. For example, when Air Force One was spotted on one of the flight tracking websites. But that's not it. The security community has taken one step further and has actually managed to put ghost planes in the sky, which is quite concerning. Think of a scenario where, on a busy day, the ATC screen is flooded with thousands of aircraft. What's even more concerning is the fact that the same insecure system is used in collision avoidance systems. For example, a demonstration of this was witnessed in the previous talk.

These are some notable prior works which have addressed security and privacy issues associated with ADS-B. The research community is now actively looking into the security of critical next generation navigation technologies. The OpenSky Network, founded by Strohmeier et al., is a crowdsourced network of ADS-B sensors located all over the world. This is a key resource in air traffic research.

The following issues have been identified by the security research community. ADS-B lacks any kind of authentication. It lacks integrity checks against intentional tampering of messages. Sure, CRC checks can correct errors, but what if the messages, including the CRC checks, are carefully manipulated over the air? It lacks encryption and temporal identities. This raises a number of privacy concerns and is a haven for eavesdroppers. And finally, it lacks a secure handshake protocol for verification, authentication and validation of data. So with all these issues, what are the threats that the current aviation ecosystem faces? Well, all these issues give rise to a number of threats, which include jamming and denial of service attacks.
As discussed earlier, flooding the radar screens with thousands of aircraft. Then there is intelligence gathering. There have been incidents where people have inferred or predicted business dealings by simply monitoring flight data, which was again made available through services like Flightradar24 and the OpenSky Network. There's also the threat of message injection and manipulation, and disruption of situational awareness, which is very specific to ACAS and TCAS spoofing, a demonstration of which we saw in the previous talk. And trust me, you really do not want a pissed off air traffic controller when you fly next.

Let's look at the ADS-B transmitter. ADS-B transmits position, velocity and aircraft identification information. The preamble is used for synchronizing the receiver and for indicating that an ADS-B packet is arriving. The downlink format field is an indication of the type of message that is being transmitted. The capability field defines the subtype of the message being transmitted. Next are 24 bits, which are for the aircraft's ICAO address. This is followed by the actual ADS-B data, which includes altitude, latitude and longitude. At the end, 24 parity bits are transmitted, which help the receiver to detect errors. The raw message bits of the prepared frame undergo Manchester encoding. This is a line encoding scheme which is very similar to binary phase shift keying. The encoded data is then modulated using the pulse position modulation technique before being transmitted using the radio frequency front end at 1019 megahertz. ADS-B follows a very basic, insecure protocol; the encoding and modulation scheme that is used is easy to implement. Actually, there are straightforward functions in MATLAB that can perform the encoding and modulation, thus making it quite trivial to build a transmitter with a couple of hundred dollars' worth of equipment. Even better, there are open source tools out there which can do the heavy lifting for you.
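The frame layout just described, as an added example that is not code from the talk or its authors: a small Python parser that splits a 112-bit DF17 extended squitter into downlink format, capability, ICAO address, message and parity, checks the 24 parity bits with the Mode S CRC-24, and decodes the callsign of an identification message. The payload used is a commonly cited sample DF17 identification message from open Mode S decoding references (ICAO 4840D6, callsign KLM1023); the single-bit corruption is constructed. The receiver-side point is the one made above: a zero remainder proves the frame survived transmission intact, not who sent it, because the CRC is keyless.

```python
# Added example: minimal Mode S / ADS-B (DF17) frame builder, parser and parity check.
GENERATOR = 0xFFF409  # Mode S CRC-24 generator polynomial (implicit x^24 term dropped)
# 6-bit character set of ADS-B identification messages (TC 1-4); '#' marks unused codes
CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ##### ###############0123456789######"

def hex_to_bits(hexstr):
    return [int(b) for b in format(int(hexstr, 16), "0%db" % (4 * len(hexstr)))]

def bits_to_int(bits):
    return int("".join(str(b) for b in bits), 2)

def crc24(bits):
    """Remainder of the bit sequence modulo the generator polynomial, MSB first."""
    reg = 0
    for b in bits:
        carry = (reg >> 23) & 1
        reg = ((reg << 1) | b) & 0xFFFFFF
        if carry:
            reg ^= GENERATOR
    return reg

def parity(payload_bits):
    """24 parity bits for an 88-bit DF17 payload: remainder of payload * x^24."""
    return crc24(payload_bits + [0] * 24)

def build_frame(df, ca, icao, me_hex):
    """Assemble the 112-bit frame: DF(5) CA(3) ICAO(24) ME(56) parity(24)."""
    payload = (hex_to_bits("%02x" % ((df << 3) | ca)) + hex_to_bits("%06x" % icao)
               + hex_to_bits(me_hex))
    return payload + hex_to_bits("%06x" % parity(payload))

def decode_callsign(me_bits):
    """Eight 6-bit characters following the type code and category byte."""
    return "".join(CHARSET[bits_to_int(me_bits[i:i + 6])] for i in range(8, 56, 6))

def parse_frame(bits):
    """Receiver side: split the fields and check the parity.  A zero remainder over
    all 112 bits means the frame is intact; it says nothing about who transmitted it,
    since the CRC is keyless and anyone can compute it."""
    if len(bits) != 112:
        raise ValueError("expected a 112-bit extended squitter")
    df, ca = bits_to_int(bits[0:5]), bits_to_int(bits[5:8])
    me = bits[32:88]
    tc = bits_to_int(me[0:5])
    return {
        "df": df, "ca": ca,
        "icao": "%06X" % bits_to_int(bits[8:32]),
        "tc": tc,
        "callsign": decode_callsign(me) if 1 <= tc <= 4 else None,
        "parity_ok": crc24(bits) == 0,
    }

def demo():
    """Sample identification payload (ICAO 4840D6, KLM1023) and a constructed corrupt copy."""
    frame = build_frame(17, 5, 0x4840D6, "202CC371C32CE0")
    corrupted = frame[:]
    corrupted[20] ^= 1        # one bit error inside the ICAO address field
    return parse_frame(frame), parse_frame(corrupted)
```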
The lack of security measures and the simple design make the system vulnerable to spoofing attacks, especially as cheap off-the-shelf equipment like low cost software defined radios, amplifiers and antennas makes it rather easy to generate and transmit malicious ADS-B packets. Well, once you have a transmitter design ready and understood, you can simply code everything and boom, a transmitter is now a fully functional ADS-B spoofer. This is a small spoofing example. Imagine being a controller and seeing this on your display. That would really piss you off.

Now that we have seen the security issues associated with ILS and ADS-B, let's go over some potential countermeasures. Recently, GPS based landing systems are being introduced. They are not yet cleared for CAT II and CAT III approaches. However, they will be replacing good old ILS sometime in the future. But we all know how vulnerable GPS is. Signal strength monitoring can be implemented for detecting overshadow attacks. Most of the ILS attacks can be executed from within the aircraft cabin while it is on the final approach. Hence, detecting transmissions from within the cabin may prove to be useful in detecting these attacks. Given the simple analog nature of ILS, it is extremely challenging to develop a feasible countermeasure, as it is impossible to encrypt the physical characteristics of a signal.

Over the years, various countermeasures have been proposed for ADS-B. These include cryptographic solutions which involve message encryption, message authentication codes and the use of public key infrastructure. However, given the widespread use of ADS-B, it is a logistical nightmare to deploy cryptographic solutions as they require an overhaul of the entire ADS-B ecosystem. Multilateration uses a network of ground stations which share information. Ghost aircraft can be easily detected using this technique. ADS-B data can be combined with primary radar for identifying ghost aircraft as they won't have a radar signature.
For preventing ACAS and TCAS spoofing, onboard receivers can deploy distance-bounding protocols which can verify the distance between the receiver and the transmitter without relying on position data received from the ADS-B packets. There is widespread use of machine learning and AI for anomaly detection and traffic analysis for detecting spoofed ADS-B packets. Given the simplex broadcast nature of the implementation of these systems, it is not trivial to develop countermeasures which can safeguard against a variety of attacks. Finally, the most important countermeasure is effective pilot training. Pilots should be trained to detect and counter such attacks using the instruments at their disposal. Thank you.