Hello, and welcome to this talk on demonstrating ILS and TCAS spoofing attacks. My name's Alex, I'm an aero risk engineer, pilot and hacker at Pen Test Partners in the UK, and I lead up our aerospace work and research program. I've had the honor of working in all sorts of environments at PTP, from government networks and consumer IoT through to planes, trains and automobiles. This is me on the left there flying. And what I hope you might notice is that it's a pretty perfect ILS approach for later.

So what we're going to be showing in this talk is to give some practical demonstrations of two kinds of radio frequency spoofing attack against two different types of cockpit instruments that are found in virtually every single commercial aircraft flying today. Harshad Sathaye is giving a separate companion talk right after this one in the schedule, and that goes into a lot more depth on the physics and practicalities involved in generating these types of spoofing. So you should definitely check out that too.

Unfortunately, though, we're not going to be showing this against a real airframe as that would be super illegal. What we do have though is our A320 simulator at Pen Test Partners, and that does a pretty good job of being able to simulate the aircraft's flight characteristics and its avionics. It's the same flying model that's used in professional simulators, but it's obviously not certified to the same standard. So we can emulate and test things against most major systems including ILS and TCAS.

So TCAS is the traffic collision avoidance system and does pretty much what it says. It provides both audio and visual cues to a pilot about other aircraft or traffic that come within two protective bubbles, the TA and RA regions. Traffic advisories are labeled orange, and are aircraft that don't pose an immediate threat but might then become a resolution advisory.
So while it needs to take immediate action to avoid that conflict, the TCAS system will give these RAs in the form of climb or descent, but never a turn; it's vertical movement only. Aircraft equipped with TCAS transponders, and that's most passenger aircraft, but not general aviation and small things with propellers, will emit interrogation signals and listen for replies. And the transponders then use this time of flight to compute distance between aircraft many times a second. As not all aircraft are equipped with TCAS, a hybrid mode can use inputs from ADS-B, and you might be familiar with that from services such as Flight Radar 24, and it uses this to add these other aircraft into the picture as well.

The resolution advisories, in theory, must be obeyed over any air traffic control instructions, and not doing so was the cause of the sad 2002 Überlingen incident between a TU-154 and a DHL cargo flight. In busy airspace, and Los Angeles is often cited as one such area, traffic alerts can become almost constant to the point that it can become a significant pilot workload, and we've heard anecdotally that TCAS is sometimes switched off in such situations.

In our simulator with the autopilot engaged, the aircraft will actually fly resolution advisories automatically, moving away from a preset altitude, and then returning to that after the conflict has passed. This is an aircraft and airline option, and it's not always enabled however.

So in the demonstration that follows, we have the aircraft flying straight and level with the wall of spoofed aircraft coming directly towards us. The system will issue TAs, then RAs, and then take control to move us out of conflict if we do nothing. So we are just over 5,000 feet and our spoofed aircraft are introduced ahead of us.
They turn from orange to red quite quickly on the right-hand navigation display, and the vertical speed strip on the left-hand display now shows a red unsafe and a green safe band, at the same time calling out to descend. Ideally the pilot would now pitch down to obtain that safe vertical speed of about 2,000 feet per minute. Choosing to ignore this, the aircraft will automatically take control and put the aircraft into a safe descent, allowing our intruder aircraft to pass above us. Once we're clear of any conflict, the aircraft will pitch back up, increase thrust, and return us back to 5,000 feet.

So our next system is the Instrument Landing System, which provides lateral and vertical guidance for a pilot when approaching a runway. This is typically most useful in poor weather conditions, but is often used even in clear and fine weather. So for a specific runway, a VHF ILS frequency is given, which includes both a glide slope, the vertical portion, and a localiser beam, the lateral. Each beam has two lobes at different frequencies, and the receiver works out the signal strength of each, and when each is the same, that means you're in the centre. It's a pretty simple and basic technology that's been around for quite a long time. The pilot then centres some magenta bars on a display instrument, or more likely the autopilot then follows them automagically, and that will get you to the touchdown point of the runway.

So our situation in the simulator is that we have selected and tuned to the ILS runway 28 right here at San Francisco, and that's the red one marked here. We will initially be flying in cloud, so we can't see the airport runway lights or ground, but unknown to us, the localiser signal is being spoofed from a location off to the left of our aircraft. And what will happen is that we will pop out from the cloud at quite a low level and find ourselves nowhere near where we expected to be.
So the aircraft is established on the ILS for runway 28 right, as we can see at the top of the right-hand navigation display. The magenta pips on the left-hand primary flight display are both centred horizontally and vertically, so we believe ourselves to be flying down the correct path to the runway. In the bottom right, we see the outside world, as such it is, but we're in cloud, so of course it's just grey. We have selected flap and gear down at this point as well. At 400 feet, the aircraft believes itself to be in landing mode, and ground proximity and traffic alerts will be inhibited beyond this point. At 300 feet, we break out of the cloud and find ourselves well left of the runway, even though our instruments are still indicating we're on the centreline. A pilot will go around and retry the landing if faced with a situation if they had sufficient visibility to make that decision.

So I will leave Harshad to go into more of the detail in his talk, but I personally feel that ILS spoofing is unlikely. Even you would need a pretty powerful antenna in very close proximity to the airport. This is likely to get us spotted by the police pretty quickly, I would suggest. It's also fairly likely that the pilot would see intermittent nav error flags in their displays telling them the ILS system was unreliable. Our TCAS, given it uses time-of-flight, would be more difficult to spoof unless you had some kind of drone floating around in the airspace. But ADS-B is relatively straightforward to generate from the ground, and that might be enough of a distraction to lead pilots to switching off the system altogether.

Please do watch Harshad's talk, which goes into a much deeper dive on the theory and practicalities. And lastly, a special thank you to my colleague Phil Eberle, who managed to get the simulator video at really short notice, so thanks Phil. Thank you for listening, and I really look forward to hearing your comments and thoughts in the chat.