 Hi, thanks for going to my talk. My name is Matt Smith. I'm a postdoc from the University of Oxford and today I'm going to talk to you about some research that we did recently where we tried to understand how pilots might react when faced with realistic attacks on their systems So, who are we? Well, we're a team of researchers from the University of Oxford and Arma Swiss Arma Swiss is the research and development part of the Swiss Ministry of Defence and we've been involved in security research now for about eight years covering topics such as ADSB and A-cars more recently broadening some other areas as well We've also been involved in Founding Open Sky, which is a really great project I really recommend you check it out, especially if you're involved in aviation It is a research focused ADSB and MODES collection network. So really would recommend checking that out So the past 10 years has really seen a rise in research from a wide range of groups all around the world publishing at top-tier conferences in much more practical security venues like Black Iron Death Con, Master's Theses, all sorts of different bits of research and often these these papers have proposed really interesting attacks that really, you know, propose something new and focus on the part between the transmission of the signal and getting this onto the aircraft and obviously you can kind of predict some effects that this might have on how the aircraft is flown But it really just raised the question of how well do pilots handle these kind of attacks So we think this is a really interesting question because pilots are often assessed on how they handle faults and they usually do this in a flight simulator and this is a full motion one on the right-hand side here and they're sort of a last line of defense against these faults because they have this really well-defined procedure it's part of their training and you know some really key part of their job And we started to think about how this fault handling skill might translate to mitigating attacks and also whether you can use flight simulation to actually understand the impact of attacks like you can use it to understand the impact of faults So something we really want to focus on at this point and just highlight is the fact that this piece of work is actually interested in the effects of attacks rather than Say the technical detail of the attacks themselves. So as we all know normally the kind of chain of signal to action is there's some sort of legitimate signal from air traffic control or whatever it might be It gets to the aircraft and it's printed to present to the pilots somehow the pilots Act on that and then there's some sort of behavior that comes out of it. That's normal As we know many of these aviation communications are unencrypted. So You know, we have this part that I've just talked about where there's been a lot of research this creation of signals that are transmitted to the aircraft But what we're interested in this piece of work is what happens when those signals arrive at the aircraft and are presented to the pilots How do they perceive them? What do they do with them? Does it affect how the aircraft is float? So to do this, we invited dirty, tight rated Airbus A320 pilots to come and fly in our little simulator that we built in our building and Within that simulator we implemented some attacks on collision avoidance systems, ground proximity warning systems and landing systems And we're only going to cover two of those today just to keep it focused But we do have some more info if people are interested in the other one We used X-plane 11, which is a high quality aircraft model And we had a single pilot set up So the experiment had provided some basic flying support in terms of pushing buttons and enabling modes, but nothing more than that They didn't actually contribute to decisions made In terms of how we actually carried this out We had a familiarization flight first so the pilots could get used to the route and the controls And then we had a simulator flight for each of the attacks that implemented the attack And after they'd flown it, the pilots debriefed with us to tell us a little bit about what they observed And what they thought had gone on We had quite a spread of experience actually, all the way from fairly newly qualified pilots through to people who'd spent pretty much their entire professional career flying And so before we carry on, we need to think about what our attacker looks like What might they want to achieve? And obviously the first thing you think about in this situation is do they want to cause a crash? And in our kind of experiment, we weren't that interested in that Because we had a simulator with some limits, we only had a single pilot in And the situations in which an attacker would need to be involved In order to cause this kind of kinetic effect would be very extreme right at the edge of the pilot's capabilities and that wouldn't be a fair situation for the pilots in But it also wouldn't really allow us to actually assess anything because They do have some limits in how the interface would simulate them So instead we're looking at softer effects but ones that really do have an impact So things like triggering go-arounds where the aircraft can't land And so they have to go and take another go at the landing Forcing unexpected maneuvers This could be any sort of maneuver really outside of the intended profile of the aircraft Or it could also be to push crew to switch the systems off that they rely on Which is particularly bad when some of these systems are really quite tightly related to safety And all of these can have a range of sort of second order effective You will things like causing delay or costing money And obviously the worst of these is actually reducing Safety if that's what happens The equipment needed for these attacks is fairly typical for this kind of This kind of experiment or this kind of Attack if you will and Basically here we're looking at a scientific grade software defined radio A high gain amplifier and a directional antenna Obviously this will vary a little bit depending on the type of attack And exactly where the attacker is positioned But fairly standard for this kind of research So the first system that I'm going to talk about is TCAS There will be other talks that go into much more detail on TCAS So I'm not really going to get into the technical detail and specifics But really what TCAS is trying to do is Stop aircraft colliding into each other by stepping in before they get too close And moving them apart if needs be So let's say we have some sort of aircraft that's flying along Now TCAS uses mode S which you may know about This is an air traffic control technology that allows Air traffic control on the ground to interrogate the intruder in this case And the intruder will respond with some information So this is continuously happening And in the process of an aircraft responding Obviously other aircraft nearby can see that response And in this case the ownership can actually use that information To estimate roughly speaking where the intruders or the nearby aircraft might be This is presented in the cockpit to the pilots And you can see an example on the right-hand side here This is what it might look like in an airbus With the red dot there being a much higher risk of collision All the way through to the kind of no threat right at the top there And obviously some other information is presented such as altitude difference And whether that aircraft is climbing or descending So let's say these aircraft continue to fly towards each other At some point just passively listening isn't enough And we move into a phase called active surveillance Now at this point the ownership in this case is directly interrogating the intruder As if it's air traffic control And if the system is thinking that these aircraft are starting to be too close Something called a traffic advisory will be issued And this in the cockpit is basically just an annunciation of traffic traffic And the pilots will then have to kind of get hands on controls And be ready in case there are further instructions they need to follow So the aircraft continue to get closer even after a traffic alert It looks like at this point they're going to end up with something called a resolution advisory And this involves the aircraft actually doing something to move them apart from each other So they'll use a form of mode s called coordination messages to Communicate what they're planning to do and this helps maximize the separation And once that's been decided the RAs will be announced in the cockpit And these are compulsory instructions and they must be followed usually within about five seconds So let's say in this case the intruder has to climb and the ownership has to descend Now importantly TKAS sort of depends on the fact that these aircraft are cooperative And actually don't want to crash into each other And so that's something to bear in mind for the attack And the attack is really quite simple at least at a high level So mode s has been shown to be insecure and vulnerable to injection By what by Costin and Schaefer and many others as well over the years So if we have some aircraft that's flying along and is issuing a mode s interrogation We have an attacker who is injecting mode s responses to create a sort of false intruder And this false intruder will appear to be flying towards the target aircraft Which will eventually cause a TA and then an RA and require avoiding action So in our simulated scenario we saw this happen multiple times And the aim was to see sort of how many resolution advisories pilots would fly And we found generally speaking that pilots actually after A handful of these resolution advisories started to think something was open So then weird was going on So we found that 26 of our pilots ended up turning the sensitivity of TKAS down So it only issues traffic advisories And a further 11 of those actually turned the system to standby So at that point they received no TKAS announcements at all And this typically happened the first stage was after about 45 arrays And the further switched down to standby was after another two to three So it took a little while but eventually it got there So the important thing to remember here is that Switching to standby actually causes the loss of TKAS And it means that you then shift the burden of keeping your aircraft away from others On to air traffic control And this was often done because the pilots felt they had no choice but to do it There was something going on with TKAS but this then means that air traffic control Have to keep you further apart from other aircraft They also have an extra bit of workload on their part In making sure that you're always further away On top of that there was also excess fuel burn by following RAs You don't really have a choice in that but you have to do these maneuvers And that really does use some of your fuel We found that most of the pilots continued on the route But some of them felt that they needed to make extra maneuvers So maybe to climb above clouds or to get out of cloud in some way or other So they could see whether there was an intruder nearby Or in some cases actually go back to the departure airport And this was just because they felt like they couldn't really Fly with TKAS in an operative state So generally speaking this suggests that attackers can push pilots to fly these unnecessary RAs Or reduce TKAS sensitivity And if we look at some of the participant responses in a bit more detail We found that many participants noted that RAs were actually really rare And so this many RAs in close succession suggests something weird was going on On top of that one pilot who had had 17 years of flying experience had only Had 10 RAs in his career or less than 10 RAs even And so it really gives you an idea of how rare these really are Something that the participants told us was that weather would make attack identification much harder Because you can't just look out the window and see whether anything's flying towards you And they also suggested that these sudden repeated RAs might actually affect other aircraft as well So 28 of our participants felt that this attack lowered the safety of the aircraft because of this But also because of things like it moving the passengers about on board And finally for this attack pilots were reduced to Had to reduce sensitivity of a key safety system because of this distraction One participant put this really well. They said that it was a sort of crying wolf effect where You know, they're trained to listen to the system do what it tells them to do And that it's a really important safety system But they had to doubt that system and it's my impact how they respond to TCAS in the future So the next system I'll talk about is the instrument landing system Again, there's going to be some much more detailed talks on how this works and some technical discussion of attacks on on the system But for this we're just going to talk about the glideslope So the idea here is that the instrument landing system provides a method to do precision approaches that can be done in a wide range of weather conditions And it's really useful for busy air spaces where you need to land a lot of aircraft very accurately for example So generally speaking the aircraft will Follow a glide path down to the touchdown zone on the runway The autopilot will help in following this glide path and the way it does this is there are two Lobes two signal lobes one of them is modulated at 150 hertz and one is modulated at 90 hertz And the aircraft will measure the relative signal strength of these two lobes and When the signal strength is equal it is on the correct glide path The glide path itself will depend a little bit on the airport and the approach where usually it's about three degrees So the attack is fairly simple because this system is fairly simple There's no security in place So we have this idea that an attacker transmits a false glide slope from the other side of the far end of the runway Maybe you know off to the side and in some private land rather than actually on the airport And they don't introduce a huge difference, you know, it's 350 feet 100 meters But that's big enough to me to really make a huge difference in where the aircraft would touch down if it followed it and the concept is that the aircraft will intercept Either from above or the attacker might be able to overpower the real glide slope And this will cause them to follow the false glides up all the way to the ground So as I mentioned, uh, it's very similar to harsh ads attack on On the localizer So I really encourage you to check that talk out for much more technical detail And the kind of overall idea of this attack is to get the the aircraft to overshoot the runway and abort the approach or land deep Generally speaking, we found that uh, participants had to abort their approach So they would arrive at the final stability check around the 1000 feet in altitude mark And they would realize that they were really on the wrong glide slope and had to have another go However, in the following attempts participants really avoided the glide slope They used a wide range of different approach methods some Just still using some ILS tools, but not glideslope a lot DME some using arnav and some using a visual approach Generally speaking the Decision to go around was made about as I mentioned the kind of 1000 feet mark about One mile to go so just over a minute before landing. So this seems quite late But it is fairly safe and kind of well within and the normal kind of checks if you will But some pilots did choose to land anyway when they did they really had to make a very steep correction It was often at the limit of the kind of correction they could make so it wouldn't always be possible It really would depend on the conditions on the day So again, this suggests that you know Attackers can push pilots to miss an approach in this case and even abandon using the glideslope completely And if we go back to the participant comments on this They all identified an issue, but they very quickly lost confidence in the glideslope So it really this attack really wouldn't work beyond one approach And it might not work for multiple aircraft because they would realize something weird was going on very quickly They also commented that it was really a lot harder to manage this in low fuel situations If you only have the fuel to do a one more approach and a diversion You've got a lot of stress and a lot of workload trying to figure out what's going on and make sure that it doesn't happen again Something that we didn't really think about when we were devising this attack is how they might detect something was going on And one of the key factors in this was actually the precision path approach indicators of the pappies So these are some lights to the side of the runway and if you have two red and two white lights you're on the correct glideslope And pilots used this they they said that it was important They could see very quickly that they were off the glideslope But they didn't know that in poor weather this would be a bit harder to spot because you obviously have the pappies But you might not be able to see the ground very well. So you would lose that visual reference Also experience with glideslope behaving weirdly helps and hinders Pilots commented that glideslopes can bend a little bit sometimes they can behave in weird ways But that also kind of held them back because it meant that they They sort of allowed the deviation to to run for a little while. They weren't sure if it was just a quirk of the glideslope Also, the the wide range of secondary approach methods really suggested uncertainty. There wasn't one clear way of how to Actually handle this attack, which is a problem in trying to advise pilots in how to manage this kind of thing There was also some concern about this short glideslopes as the diehard approach if you will and where the The glideslope would actually be shifted short of the threshold And it followed would lead the aircraft to land Not on the wrong way at all That's not something we chose to look at in this case for reasons we discussed earlier earlier, but it is a really interesting variant of this attack So what did we find overall? Well We saw that if attacks can cause spurious alarms, then the system often will just be turned off or ignored And this sort of means that attackers are effectively forcing pilots away from systems by attacking them On top of that attacks have real potential for the disruption though. It's not always easy to see How that disruption will pan out. It can be quite hard to predict so This also means in a way that it can have a wider more unpredictable system impact Participants were very quick to identify unusual behavior. And this was really encouraging to see that procedure really Helped carry them through and get them to a point where they could figure out something wasn't quite working properly And they could act on it And on top of that the attack success partly depends on wider system effects So we touched on this a little bit but things like traffic weather How busy air traffic control are how many legs the pilot has flown that day really has a big impact on whether Some of the more obvious attacks might fly under the radar or not So where do we go from here? Well, we've shown the iris and t-casts both have attacks that That can have an impact on how the aircraft is flown And these really do have A disruptive effect, you know, they they aren't just a bit of an annoyance. They Cause the aircraft to do something that it really wouldn't normally do Larger impacts though, it really remains to be seen how likely they are whether it's possible to cause them whether You know under some sort of very specific circumstances this could work Our view of the moment is it's very hard to predict what the larger impact might be And It would be very hard to cause any sort of collision risk or multi aircraft effect Just because of the numerous kind of circumstantial bits that would need to be pieced together for that to happen The encouraging thing from this though is the existing procedure really is an ideal starting point for how to handle these attacks So when I started from scratch regulators are already talking about how to incorporate awareness training And the pilots did really well already already. So there's something really encouraging to build on that If you find this talk interesting and you'd like to learn more We had a full paper on this published earlier this year and dss 2020 We also have another attack in there on the ground proximity warning system and a lot more detail on All sorts of different responses. So do check that out. The link is just there on the slide And thanks for listening. I'd be really happy to answer any questions in the chat