Wake-up call: You’re more vulnerable than you realize
Navigation technologies including GPS make planes vulnerable to cyberattacks and put them at risk of accidents. Josh Lospinoso of cybersecurity firm Shift5 assesses the challenges and possible solutions.
BY JOSH LOSPINOSO
A common aviation security concern is that attackers will hack into an airplane’s flight system and cause a mid-air collision or a crash. That hasn’t happened yet, but the truth is that there are other aviation security weaknesses that should be of more concern. The navigation technologies pilots depend on to safely fly airplanes are vulnerable to attacks that could interfere with the flight altimeter and location information. Attackers could, for instance, send false location data into the air that overpowers the real signals from space. Such an attack would leave pilots with false information about their location and surroundings, and increase the chances of a mid-air collision or a crash.
The problem is that the navigation protocols, the standard set of rules that allow electronic devices to communicate with each other, predate the encryption and authentication security technologies that today safeguard all kinds of communications, from online financial transactions to text messages and emails. To address this, the U.S. government needs to prioritize development of new protocols for positioning, navigation and time that will serve as alternatives to older ones, and in the meantime turn to commercial technologies that use stronger broadcast signals. The commercial aviation industry, meanwhile, should adopt the higher-level security techniques that protect U.S. military aircraft and in foreign commercial planes.
A key to defense in both the short and long term is observability: You cannot defend what you cannot see. Observability is a core modern cybersecurity tenet for very good reason. Despite all the cybersecurity controls you might put into place, determined attackers can always find a way in. By decreasing time to detection through observability, cybersecurity professionals can respond to intrusions quickly, mitigate damage, and potentially prevent intrusions from happening in the future. Fortunately, increasing observability does not need to be expensive or onerous, and the technology exists to upgrade decades-old aircraft to support modern cybersecurity principles.
There are a variety of signals from today’s aircraft creating vulnerabilities to spoofing and jamming that the Biden administration and U.S. Congress must address.
Aircraft rely on these satellite-based radio signals that form the basis for location and time services used in online maps and Wall Street trading transactions, among other areas, to precisely calculate their locations at any given point in time. Because the distance the signals have to travel is so vast, the signals are weak when they arrive and thus vulnerable to interference. Someone wishing to confuse a pilot could jam the GPS signal by broadcasting strong signals that drown out the GPS signals with noise, basically leaving the pilot in the dark as to the airplane’s location. Or someone could cause a pilot to go off course by overpowering the GPS signals with falsified location data in a spoofing attack.
Spoofing is a growing problem for GPS. A 2019 report from the Center for Advanced Defense Studies in Washington, D.C., counted nearly 10,000 state-sponsored GPS spoofing incidents affecting at least 1,300 commercial air and sea vessels. The spoofing originated out of Russia, Crimea and Syria and was used in active Russian combat zones and specific areas where President Vladimir Putin happened to be traveling. Last year, Russia reportedly tried to jam GPS signals of a Royal Air Force transport plane carrying troops out of Cyprus. And there have been a number of spoofing cases involving ships, including one involving a British warship off the coast of Crimea last year and several possible cases involving a Swedish tanker and U.S. naval boats seized by Iran for allegedly straying into Iranian territory in the Gulf.
The Automatic Dependent Surveillance-Broadcast radio signals used by airplanes to broadcast their GPS position, altitude and speed via onboard transponders to air traffic control towers and other aircraft with ADS-B receivers are also vulnerable to spoofing and jamming. Security researchers were able to spoof ADS-B systems and even create fake ghost planes in 2012 that could have shown up on maps and displays in airports and on the displays of other airplanes.
The Traffic Collision Avoidance System software that uses radio signals to broadcast an aircraft’s location information to transponders on nearby aircraft would pose a more dangerous threat if compromised than GPS and ADS-B vulnerabilities because hackers could have access to the onboard avionics of a plane. If that were to happen, they could knock critical systems offline or otherwise interfere with the operations of the aircraft and cause direct physical impact.
The Aircraft Communications Addressing and Reporting System is another common protocol used to transmit short messages between aircraft and ground stations via radio or satellite. The onboard electronic system provides route information to pilots for fuel efficiency and weather avoidance purposes and to air traffic control for providing departure clearances. Because it is also linked directly to the avionics, hackers would be able to remotely interfere with aircraft operations. If even one of the dozens of sensors or actuators reading such messages doesn’t properly sanitize the input, a whole host of potential, well-known attacks using malware that exploit software vulnerabilities become possible.
In 2020, the U.S. Government Accountability Office recommended that FAA strengthen its oversight of airplane cybersecurity and listed flight data spoofing and outdated equipment as risks. Specifically, the report noted that ACARS transmissions are unauthenticated and could be spoofed and manipulated to send false messages, “such as incorrect positioning information or bogus flight plans.”
Finally, there are also security issues with the Instrument Landing Systems that rely on a combination of onboard instruments and two different radio signals for vertical and lateral position data transmitted from antennas near runways to guide aircraft in via a glide slope. Security researchers have been able to spoof airport signals to trick navigation instruments and make it seem as if the plane was off course.
Old protocols, weak security
The problem stems from the fact that most of these technologies were established decades ago before the advent of modern cybersecurity. They rely on obscurity rather than strong encryption and authentication. Fortunately, the picture is less bleak for U.S. military aircraft, which employ their own encryption-protected GPS system and anti-spoofing techniques. However, if the Defense Department needed to activate the commercial reserve fleet, they would be subject to the lesser security controls of the commercial aircraft.
Spoofing and jamming attacks aren’t just within reach of nation-states. The equipment is very inexpensive and widely available. All that’s needed to spoof these five insecure protocols is a portable radio transmitter running open source software.
Cryptographic techniques could prevent spoofing these protocols, but it’s not a feasible option for these protocols. Authentication and encryption would require a key management infrastructure and brand new avionics. Then we’d have to wait several decades for the insecure systems to age out.
There are a number of commercial technologies under consideration in the United States for use as a backup to GPS, including eLoran, antenna towers that would broadcast low-frequency radio signals that are about 1.3 million times stronger than the ultra-high frequency signals used by GPS. The technology is being used in many countries, including the U.K., Russia and China, but the U.S. is far behind on its adoption. It will take years to build and even longer for new devices that are compatible to be brought to market. Plus, eLoran only works in two dimensions (no altitude data) and only works regionally.
While the location data interference threats won’t be solved anytime soon, there’s software called Received Autonomous Integrity Monitoring that prevents a malfunctioning GPS satellite from transmitting bad data to airplanes by cross-checking it against other satellite data. While this system is designed to protect against accidental errors, it should make practical GPS spoofing more difficult to carry out in practice.
Congress has tried to address the navigation protocol security issues, but there have been hurdles. The National Timing Resilience and Security Act of 2018 required the Transportation Department to establish a plan for a “land-based, resilient and reliable alternative timing system” to GPS within two years, but the deadline passed in 2020. However, the concept is not dead. In a January 2021 report to Congress, DoT provided a roadmap to achieving a GPS alternative. A companion report issued at the same time said DoT had been working with the Defense Department and the Department of Homeland Security on a plan for a GPS backup and new positioning and navigation technologies for several years and detailed 11 technologies that government researchers had studied, including eLoran.
However, the fiscal 2022 U.S. budget includes a proposal to repeal the GPS backup act. It’s time for Congress to make it a priority to get a more secure GPS adopted.
The issue of airplane safety is of increasing importance right now in the face of wireless technology advancements and heightened geopolitical concerns. Wireless carriers in January delayed their 5G rollouts near airports by a few weeks because of worries that it could interfere with airplane radio altimeters. Meanwhile, the crisis in Ukraine prompted U.S. government warnings about the potential for Russian-sponsored cyberattacks on U.S. critical infrastructure, including transportation.
Given the intensity of alarm around cyberattacks related to the crisis in Ukraine and the January ransomware attack on a Belarus railway system by pro-democracy Belarusian hackers, concerns about potential spoofing, jamming or other attacks on airplanes are not overblown. Attackers could use a spoofing attack to plant a false flag and make it seem like an adversary has entered a country’s no-fly zone, or disrupt air travel around an airport and demand a ransom payment to open it back up. We shouldn’t wait for a nation-state attack or catastrophic accident to happen before we act on addressing the security weaknesses that put aircraft navigation systems at risk. The vulnerabilities have been around for a long time, security researchers have proven they are real, attackers are exploiting them and more incidents will happen.