Planes are pretty cool! – Food for thought #3.

Just a little unstructured rambling from me today. I’m sure someone will enjoy the read…

I have begun reading through a 2016 thesis on security in next-gen air traffic communication networks by Martin Strohmeier. It was brought to my attention during discussions about a possible use case for software-defined radio. This isn’t anything new; the first proof of concept I saw of such methods was, I believe, from DEF CON 17 in 2009, but I can’t remember the date off the top of my head.

We can discuss some cool hacking stuff in a second, but first you need to understand how aircraft work. I’m going to briefly discuss this presentation from USENIX and its demonstrations of attacking an aircraft’s Instrument Landing System (ILS). First, the system works using multiple Tx antennas (Tx means transmit; receive and transmit are commonly abbreviated to Rx and Tx respectively). The localizer aligns the aircraft with the runway, and the glideslope controls the aircraft’s rate of descent. The signals from these antennas are transmitted in a specific way that corresponds to the metrics the aircraft needs to measure. If you know enough about radio and security concepts, I highly recommend you read the presentation itself. I’m not qualified to discuss it in too much detail, but I will be trying to learn more about it when I can.

So we have covered how the ILS is responsible for navigation during landing and, very basically, how it goes about doing that. The presentation takes advantage of some of the behaviours of aircraft ILS receivers. For example, they are designed to “lock on” to the strongest signal, which is brilliant when you consider that some airports have multiple runways and therefore multiple ILS installations, so a way to figure out which one you need is required. But with what is called an “overshadow attack”, an attacker can simply overpower the legitimate signals if they have enough information to carry out the attack. That is assumed to be the case, because things like FlightRadar24 allow people to track flight paths and a lot of information about these systems is already in the public domain. There is another attack called a “single-tone attack”, but this is a little less straightforward than simply overpowering a signal. Nevertheless, I will touch on it at some point in the future after more reading.

Above, we went over a high-level explanation of one of the wireless attack types that could be orchestrated against an ILS. To add to that, one of the biggest concerns I see mentioned is the relative affordability and availability of SDR modules. More people can now carry out these attacks with less equipment than was required before, even from on board the aircraft… With demonstrated offsets of up to 50 metres and the added concealment an SDR may provide, this represents a serious attack vector that could be exploited to cause devastation and mass casualties.

OK, so let’s get to some of the hacker stuff. What even brought this to my attention?

Ukrainian cyber forces have been hard at work. I was discussing this topic with some other hackers and a Ukrainian national given a “free pass” to hit Russia. The topic at first was messing with these systems on board the aircraft, but someone raised the idea of instead transmitting signals that would be expected to come from an aircraft. Again, this isn’t a new idea… It’s been tested and, even with notification and preparation, caused an absolute nightmare for air traffic control. Furthermore, the opening for a denial-of-service attack is certainly worth highlighting. Nearly every system operated by a human is vulnerable to operator overload, and that’s certainly not exclusive to human operators either. Just sending lots of signals could be all it takes to shut down a section of civilian airspace. It certainly would give Russian airspace controllers a hard time if it was done; however, such an attack would be indiscriminate and, by the nature of naughty things… hard to control.

I will be looking into more of this topic in my spare time. Also, having just started getting competent with the cloud myself, I will be looking to move this site onto an IaaS platform. However, there are many things to weigh up, and I might not switch this site itself over; I also need to explore the options available to me regarding things like subdomains. WordPress is fantastic and not something I want to leave for any reason, but as we move forward aacyber aspires to officially set up and be able to actively assist in keeping everyone in cyberspace safe.

