Hi, everyone. I'm Lilo Granger, an undergraduate student at ETH and EPFL in Switzerland, and I have the honor to present you my semester project for your last sit-back evaluation in a cyber avionics lab. So first, to give an overview of my presentation, I will firstly tell you about our motivation for the Avionics Lab and also a bit of background. Then I will briefly tell you about general avionics systems and their security, so a bit of theory, before diving into the results, and finally a little conclusion.

So, the motivation for GPS and Mode S spoofing. We first need to know... you may have seen this picture a lot of times now, but this is an overview of communication technologies in aviation, and our focus lies in GPS and transponders, that is, Mode S messages between aircraft. And as you can see on the right, those are used during almost all flight phases. So our first motivation was that until now there have been over two decades of research, so several spoofing techniques and simulations have been done, but also detection and countermeasures have been thought of. But when we come to practice, actually very few practical attacks have been publicly shown, most of them being military events. So our main motivation was to show in practice what was done in theory until now. And as a security magazine says, the only way to really draw attention and for vulnerabilities to be taken seriously is to show them in practice. Other motivations were that GPS and Mode S spoofing are a threat to critical avionics systems, especially because of our heavy reliance on GNSS data nowadays, but also because ADS-B, for example, will be even more integrated in next-generation programs. And the idea to work in an avionics lab: so I had the chance to work with real avionics hardware.
This on the left is our navigator, and something I had to mention is that this is a manufacturer-independent standard issue, especially because this device's manufacturer told us that they actually implemented only the MOPS, so minimum operational performance standards, and nothing more, nothing less. I also had the chance to test different types of receivers and transmitters: so a more professional one, the LabSat, and a more accessible and cheaper one, a software-defined radio or USRP. We also had a smaller receiver, which you can see here, that allowed us to test everything before moving on to the navigator. So this is an overview of our setup. Both transmitting and receiving antennas were put into a Faraday cage, and both sides were connected to a computer to monitor and control the signals.

So then a little bit of theory. For those who are very familiar with it, please bear with me for a few minutes until we get to the real stuff. So first, the global navigation satellite systems. We generally speak about constellations. There are several of them, the most famous and used one being the GPS from the USA, but there also exist others, such as Galileo in Europe, for example. The GPS signal can be decomposed into different parts, one of them being the navigation message, which allows the receiver to compute its position, velocity and time, but also transmits almanac and ephemeris data, that is, the approximate position of the satellites in the constellation and the precise location of the satellite sending the signal. The signal is also kind of timestamped, which allows the receiver to compute the pseudorange, so its distance from itself to the satellite transmitting the signal. Considering its security, surprisingly or not, it is almost nonexistent. So it has no encryption for civilian use and no authentication for now. And its main weakness is that it is a very weak signal.
So an analogy that I really like is that its strength is similar to a light bulb seen from 16,000 kilometers away. So it is very open to jamming and spoofing, which is what we focus on.

Then, Mode S transponders. It is part of the secondary surveillance radar, and it has multiple uplink and downlink formats, UF and DF, some of them allowing the automatic dependent surveillance broadcast service, or ADS-B, and the traffic collision avoidance system, or TCAS. Considering its security, apart from the strict formatting and the transmission rate, it has no encryption or authentication. So it depends on GNSS data and on the internal systems of an aircraft. It provides additional info to ground stations and other aircraft in the vicinity, such as position, altitude, speed and so on, which can be distinguished within a message thanks to its type code. The traffic collision avoidance system was designed to reduce the risk of collision between aircraft, and it defines a protected volume of airspace, which is itself defined with thresholds with respect to the closest point of approach, or CPA. And to detect an intruder, it will first listen to DF-11 and ADS-B messages. Then, when the intruder is within surveillance range, it will start interrogating it with UF-0. And finally, when it's within resolution advisory range, or RA range, it will declare it as a threat. Something worth mentioning is that the closer the intruder is, the faster the interrogation rate will be.

So now that we have everything we need, let's get to the results. First, about GPS spoofing. So as mentioned earlier, we had this smaller receiver, which served as an entry-level target and allowed us to test a lot of parameters. Too much for me to tell you all about now, but what I can briefly tell you about is, for example, the comparison between the USRP and the LabSat. So on the right, the yellow bars represent the time for the receiver to lock onto the signal.
And as you can see, the LabSat is much more stable and less volatile than the USRP. Otherwise, it gives pretty much similar results, even though the USRP transmitted only the GPS signal and not other constellations as the LabSat could do, and also didn't transmit any almanac data.

Then moving on to the navigator. After a few experiments, we discovered that actually the only parameter that mattered was time, and so the only thing that was needed was patience. And with that in mind, we were able to spoof the location. I'm waiting for my pointer there. We were able to do so for a static location, but also a flight simulation, or even a takeover. And as a little reminder, we are based in Switzerland, so a map showing us in the United States of America isn't really normal.

Then a few interesting remarks I wanted to tell you about. The first is the timing and synchronization of the signal. So actually, by sending a signal synchronized to the receiver's clock, we were able to speed up the acquisition process. Then, the navigator had actually no dead reckoning. So by sending a first signal locating us somewhere, and then sending a second synchronized signal locating us at a completely different place, the navigator was still accepting it, as you can see here with the eastern and western coordinates. And then finally, we had a comparison between the USRP and the LabSat. And as earlier, it gave the same results, except for maybe the stability of the signals. As you can see here, on the left with the LabSat it is much more stable than with the USRP on the right, but also very much more suspicious.

Then moving on to Mode S spoofing. So first with ADS-B-only messages, and again on the smaller receiver. Actually, this receiver was accepting pretty much everything we sent. So it was quite easy to spoof a single aircraft or to flood it with several random ones. Attacking the navigator was a bit trickier, but we succeeded in doing so too. First, we had to spoof its GPS to activate ADS-B.
And also it actually needed enough messages to track the intruder. But otherwise, as you can see, we were able to spoof a single aircraft or several random ones.

Concerning non-ADS-B messages, so attacking TCAS: first, we had to activate it. We had to feed it a radio altitude. This was done with the computer directly connected to the navigator and the co-pilot software. So basically, with the time at our disposal, we weren't able to successfully spoof TCAS. The reason why remains at large. Maybe it was a question of expected messages and content, or most likely the timing, such as, for example, the round-trip times of the messages. This is something that is actually being worked on now.

So why does this work matter? Well, first, we clearly proved that avionics hardware is as vulnerable as theory says, and we just need a little bit more engineering to understand the remaining black boxes, such as for TCAS. And to conclude, GPS and Mode S spoofing are a serious and accessible threat. First, because it targets critical avionics systems, but also because it is feasible with a software-defined radio, and as we showed, we actually used very few resources. Then also, this is a manufacturer-independent issue, and we really need more independent security research to verify industry claims and the state of the art. Thank you for listening to me, and I am open to every question you may have.