Wireless Attacks on Aircraft Instrument Landing Systems

Harshad Sathaye, Domien Schepers, Aanjhan Ranganathan, and Guevara NoubirKhoury College of Computer Sciences

Northeastern University, Boston, MA, USA

AbstractModern aircraft heavily rely on several wireless technolo-gies for communications, control, and navigation. Re-searchers demonstrated vulnerabilities in many aviation sys-tems. However, the resilience of the aircraft landing systemsto adversarial wireless attacks have not yet been studied inthe open literature, despite their criticality and the increas-ing availability of low-cost software-defined radio (SDR)platforms. In this paper, we investigate and demonstratethe vulnerability of aircraft instrument landing systems towireless attacks. We analyze the instrument landing sys-tem (ILS) waveforms’ and show the feasibility of spoofingsuch radio signals using commercially-available SDR, caus-ing last-minute go around decisions, and even missing thelanding zone in low-visibility scenarios. We first show thatit is possible to fully and in fine-grain control the course de-viation indicator, as displayed by the ILS receiver, in real-time, and demonstrate it on aviation-grade ILS receivers. Weanalyze the potential of both an overshadowing attack, anda lower-power single-tone attack. In order to evaluate thecomplete attack, we develop a tightly-controlled closed-loopILS spoofer. It adjusts the adversary’s transmitted signals asa function of the aircraft GPS location, maintaining powerand deviation consistent with the adversary’s target position,causing an undetected off-runway landing. We demonstratethe integrated attack on an FAA certified flight-simulator (X-Plane)incorporating a spoofing region detection mechanism,that triggers the controlled spoofing on entering the landingzone to reduce detectability. We systematically evaluate theperformance of the attack against X-Plane’s AI-based au-toland feature, and demonstrate systematic success rate withoffset touchdowns of 18 meters to over 50 meters. Finally,we discuss approaches towards secure and efficient aircraftlanding systems

1 IntroductionToday, the aviation industry is experiencing significantgrowth in air traffic with more than 5000 flights [16] inthe sky at any given time. It is today typical for air traf-

fic control towers to handle more than a thousand takeoffsand landings every day. For example, Atlanta’s Hartsfield-Jackson International airport handles around 2500 takeoffsand landings every day. Boston’s Logan airport which is notone of the busiest airports in the world managed an aver-age of 1100 flights every day in August 2018. The mod-ern aviation ecosystem heavily relies on a plethora of wire-less technologies for their safe and efficient operation. Forinstance, air traffic controllers verbally communicate withthe pilots over the VHF (30 to 300 MHz) radio frequencychannels. The airplanes continuously broadcast their posi-tion, velocity, callsigns, altitude,etc. using the automatic de-pendent surveillance-broadcast (ADS-B) wireless communi-cation protocol. Primary and secondary surveillance radarsenable aircraft localization and provide relevant target infor-mation to the air traffic controllers. Traffic Alert and Colli-sion Avoidance System (TCAS), an airborne wireless systemindependent of the air traffic controller enables the aircraftto detect potential collisions and alert the pilots. Air trafficinformation, flight information and other operational con-trol messages between the aircraft and ground stations aretransferred using the Aircraft Communications Addressingand Reporting System (ACARS) which uses the VHF andHF radio frequency channels for communication. Similarly,many radio navigation aids such as GPS, VHF Omnidirec-tional Radio Range (VOR), Non-directional radio beacons(NDB), Distance Measuring Equipment (DME), and Instru-ment Landing System (ILS) play crucial roles during differ-ent phases of an airplane’s flight.

Many studies have already demonstrated that a number ofthe above-mentioned aviation systems are vulnerable to at-tacks. For example, researchers [21] injected non-existingaircraft in the sky by merely spoofing ADS-B messages.Some other attacks [36] modified the route of an airplane byjamming and replacing the ADS-B signals of specific vic-tim aircraft. ACARS, the data link communications systembetween aircraft and ground stations was found to leak a sig-nificant amount of private data [49], e.g., passenger infor-mation, medical data and sometimes even credit card details

1

were transferred. GPS, one of the essential navigation aidsis also vulnerable to signal spoofing attacks [30]. Further-more, an attacker can spoof TCAS messages [41] creatingfalse resolution advisories and forcing the pilot to initiateavoidance maneuvers. Given the dependence on wirelesstechnologies, the threats described above are real and showsthe importance of building secure aviation control, commu-nication and navigation systems.

One of the most critical phases of an airplane’s flight planis the final approach or landing phase as the plane descendstowards the ground actively maneuvered by the pilot. Forexample, 59% of the fatal accidents documented by Boe-ing [17]1 occurred during descent, approach and landing.Several technologies and systems such as GPS, VOR, DMEassist the pilot in landing the aircraft safely. The InstrumentLanding System (ILS) [1] is today the de-facto approach sys-tem used by planes at a majority of the airports as it is themost precise system capable of providing accurate horizontaland vertical guidance. At Boston’s Logan International Air-port, 405,822 [2] flight plans were filed in 2017. Out of these405,822 flight plans, 95% were instrument flight rule (IFR)plans. Instrument flight rules are a set of instructions estab-lished by the FAA to govern flight under conditions in whichflying by visual reference is either unsafe or just not allowed.Also, several European airports [13] prohibit aircraft fromlanding using visual flight rules during the night. ILS incor-porates radio technology to provide all-weather guidance topilots which ensures safe travel and any interference can becatastrophic.

As recently as September 2018, the pilots of Air Indiaflight AI-101 reported an instrument landing system (ILS)malfunction and were forced to do an emergency landing.Even worse, TCAS, ACARS, and a majority of other sys-tems that aid a smooth landing were unusable. Furthermore,NASA’s Aviation Safety Reporting System [25] indicate over300 ILS related incidents where pilots reported the erraticbehavior of the localizer and glideslope–two critical compo-nents of ILS. ILS also plays a significant role in autolandsystems that are capable of landing aircraft even in the mostadverse conditions without manual interference. Autolandsystems have significantly advanced over the years sinceits first deployment in De Havilland’s DH121 Trident, thefirst airliner to be fitted with an autoland system [5]. How-ever, several near-catastrophic events [8, 12, 15] have beenreported due to the failure or erratic behavior of these au-toland systems with ILS interference as one of the princi-pal causes. With increasing reliance on auto-pilot systemsand widespread availability of low-cost software-defined ra-dio hardware platforms, adversarial wireless interference tocritical infrastructure systems such as the ILS cannot be ruledout.

In this work, we investigate the security of aircraft instru-ment landing system against wireless attacks. To the best ofour knowledge, there has been no prior study on the security

Localizer

Provides horizontal

guidance to an

approaching aircraft.

Glideslope

Provides vertical

guidance to an

approaching aircraft.

Glideslope Tx Antenna

Localizer Tx Antenna

Extended Runway Centerline

Attacker

75-400m

1050m 150m+-

+-6.5km to 11km

Outer Marker

Inner Marker

Middle Marker

Inner Marker

Figure 1: Overview of ILS sub-systems. The ILS consists of threesubsystems: i) Localizer, ii) glideslope, and (iii) marker beacons.

guarantees of the instrument landing system. Specifically,our contributions are as follows.

• We analyze the ILS localizer and glideslope waveforms,the transmitters and receivers, and show that ILS is vul-nerable to signal spoofing attacks. We devise two typesof wireless attacks i) overshadow, and ii) single-tone at-tacks.

• For both the attacks, we generate specially crafted ra-dio signals similar to the legitimate ILS signals usinglow-cost software-defined radio hardware platform andsuccessfully induce aviation-grade ILS receivers, in re-altime, to lock and display arbitrary alignment to bothhorizontal and vertical approach path. This demon-strates the potential for an adversary to the least be ableto trigger multiple aborted landings causing air trafficdisruption, and in the worst case, cause the aircraft toovershoot the landing zone or miss the runway entirely.

• In order to evaluate the complete attack, we develop atightly-controlled closed-loop ILS spoofer. It adjuststhe the adversary’s transmitted signals as a function ofthe aircraft GPS location, maintaining power and de-viation consistent with the adversary’s target position,causing an undetected off-runway landing. We demon-strate the integrated attack on an FAA certified flight-simulator (X-Plane), incorporating a spoofing regiondetection mechanism, that triggers the controlled spoof-ing on entering the landing zone to reduce detectability.

• We systematically evaluate the performance of the at-tack against X-Plane’s AI-based autoland feature, anddemonstrate the systematic success rate with offsettouchdowns of 18 meters to over 50 meters.

• We discuss potential countermeasures including failsafesystems such as GPS and show that these systems also

2

AmplifierAM

Demod

90 Hz

Filter

Bridge

Rectifier

Bridge

Rectifier

150 Hz

Filter

Instrument

Mechanics

CDI Needle Positions

RF Carrier

Source

RF Power

Amplifier

90 Hz

Mod 20%CSB

SBO150 Hz

Mod 20%

ILS Transmitter ILS Receiver

Flag

DDM = 0

Antenna Array #1

Antenna Array #2

V90

V150

DDM 0

>

<

DDM 0

DDM = V90 - V150

fc-90

Fc

f (Hz)

f (Hz)

20% Modulation Depth

20% Modulation Depth fc+90

fc-150 fc+150

fc+150fc-150

fc-90 fc+90

Figure 2: Block diagram of ILS transmitter and receiver describing the process of generation and reception of ILS signal along withwaveforms at each stage.

do not provide sufficient security guarantees. We high-light that implementing cryptographic authentication onILS signals is not enough as the the system would stillbe vulnerable to record and replay attacks. Therefore,through this research, we highlight an open researchchallenge of building secure, scalable and efficient air-craft landing systems.

2 BackgroundApproach systems enable pilots to land airplanes even inextreme weather conditions and are classified into non-precision and precision approach systems based on the ac-curacy and type of approach guidance provided to an air-craft. Non-precision approach systems provide only hori-zontal or lateral guidance (heading/bearing). Examples ofnon-precision approach systems are VHF OmnidirectionalRange (VOR) [40], Non-Directional Beacon (NDB) [39],and satellite systems such as GPS. With the developmentof precision approach systems, the use of non-precision ap-proach systems such as VOR and NDB has significantlydecreased today. Precision approach systems provide bothhorizontal (heading/bearing) as well as vertical (glide path)guidance to an approaching aircraft. The Instrument Land-ing System (ILS) is the most commonly deployed precisionapproach system in use today. Other examples of preci-sion approach systems include Microwave Landing System(MLS), Transponder Landing System (TLS), Ground BasedAugmentation Landing System (GLS), and Joint PrecisionApproach and Landing System (JPALS). It is important tonote that these alternate landing systems fundamentally stilluse existing ILS concepts and equipment mostly in scenarioswhere ILS is unavailable. For example, TLS enables preci-sion landing guidance in places where the terrain is uneven,and the ILS signal reflections off the ground cause undesir-able needle deflections by emulating the ILS signals using

only one base tower (in contrast to two for ILS) whose place-ment allows more flexibility. However, TLS still leveragesthe same fundamental concepts of ILS. In short, ILS plays akey, de-facto role in providing precision landing guidance atthe majority of airports today and it is, therefore, essential toevaluate its resilience to modern-day cyber-physical attacks.

2.1 Instrument Landing System (ILS)The first fully operational ILS was deployed in 1932 at theBerlin Tempelhof Central Airport, Germany. ILS enables thepilot to align the aircraft with the centerline of the runwayand maintain a safe descent rate. ITU defines ILS [56] as“a radio navigation system which provides aircraft with hor-izontal and vertical guidance just before and during landingand at certain fixed points, indicates the distance to the refer-ence point of landing”. Autopilot systems on some modernaircraft [48] use ILS signals to execute a fully autonomousapproach and landing, especially in low visibility settings.ILS (Figure 1) comprises of three independent subsystems:i) localizer, (ii) glideslope and iii) marker beacons. The lo-calizer and the glideslope guide the aircraft in the horizontaland vertical plane respectively. The marker beacons act ascheckpoints that enable the pilot to determine the aircraft’sdistance to the runway. ILS has three operational categories:i) CAT I, ii) CAT II and, iii) CAT III. CAT III further hasthree sub-standards IIIa, IIIb and, IIIc. These operationalcategories are decided based on very specific ILS installa-tion and required precision1. For a receiver, it’s all the same.With the advent of GPS and other localization technologies,the marker beacons are less important today and increasinglyobsolete. However, the localizer and the glideslope play amajor role in an aircraft’s safe landing today and is expected

1Procedures for the Evaluation and Approval of Facilities for SpecialAuthorization Category I Operations and All Category II and III Operationshttp://fsims.faa.gov/wdocs/Orders/8400_13.htm

3

to remain so for many years.

2.1.1 ILS Signal Generation

ILS signals are generated and transmitted such that the wavesform a specific radio frequency signal pattern in space to cre-ate guidance information related to the horizontal and verti-cal positioning. ILS signal generators leverage space mod-ulation i.e., use multiple antennas to transmit an amplitudemodulated radio frequency signals with various powers andphases. The transmitted signals combine in the airspace toform signals with different depths of modulation (DDM) atvarious points within the 3D airspace. Each DDM value di-rectly indicates a specific deviation of the aircraft from thecorrect touchdown position. For example, the signals com-bine in space to produce a signal with zero difference in thedepth of modulation (DDM) along the center-line of the run-way. It is important to note that unlike traditional modulationtechniques where the modulation occurs within the modulat-ing hardware, in space modulation, the signals mix withinthe airspace.

The process of generating the localizer and glideslope sig-nals (See Figure 2) are similar with differences mainly in thecarrier frequency used and how they are combined in spaceto provide the relevant guidance information. The carriersignal is amplitude modulated with 90 Hz and 150 Hz tonesto a certain depth of modulation. The depth of modulationor modulation index is the measure of the extent of ampli-tude variation about an un-modulated carrier. The depth ofmodulation is set at 20% and 40% respectively for localizerand glideslope signals. The output of both the 90 Hz and 150Hz modulator is then combined to yield two radio frequencysignals: a carrier-plus-sidebands (CSB) and a sidebands-only(SBO) signal. The names of the signal directly reflect theirspectral energy configuration with the CSB containing boththe sideband energy and the assigned carrier frequency whilein the SBO signal the carrier frequency component is sup-pressed. The CSB and SBO signals are subjected to specificphase shifts before being transmitted. The phase shifts arecarefully chosen such that when the CSB and SBO signalscombine in space, the resulting signal enables the aircraft todetermine its horizontal and vertical alignment with the ap-proach path.

Localizer. The localizer subsystem consists of an array ofmultiple antennas that emit the CSB and SBO signals suchthat the 150 Hz modulation predominates to the right of therunway centerline and the 90 Hz signal prevails to the left.In other words, if the flight is aligned to the right of the run-way during the approach, the 150 Hz dominant signal willindicate the pilot to steer left and vice versa. The antennaarray of the localizer is located at the opposite end (from theapproach side) of the runway. Each runway operates its lo-calizer at a specific carrier frequency (between 108.1MHz to111.95MHz) and the ILS receiver automatically tunes to thisfrequency as soon as pilot inputs the runway identifier in the

cockpit receiver module. Additionally, the runway identifieris transmitted using a 1020 Hz morse code signal over thelocalizer’s carrier frequency.

Glideslope. The glideslope subsystem uses two antennasto create a signal pattern similar to that of the localizer ex-cept on a vertical plane. The two antennas are mounted ona tower at specific heights defined by the glide-path anglesuitable for that particular airport’s runway. In contrast tothe localizer, the glideslope produces the signal pattern inthe airspace based on the sum of the signals received fromeach antenna via the direct line-of-sight path and the re-flected path. The mixing of the CSB and SBO signals re-sults in a pattern in which the 90 Hz component of the signalpredominates in the region above the glide-path while the150 Hz prevails below the glide-path. The glideslope usescarrier frequencies between 329.15 MHz and 335.0 MHz,and the antenna tower is located near the touchdown zone ofthe runway. Typically, the center of the glide-slope definesa glide path angle of approximately 3◦. For every localizerfrequency, the corresponding glideslope frequency is hard-coded i.e., the localizer-glideslope frequencies occur in pairsand the instrument automatically tunes to the right glides-lope frequency when the pilot tunes to a specific runway’slocalizer frequency.

2.1.2 ILS Receiver

The combined signals received at the aircraft are amplified,demodulated, and filtered to recover the 90 Hz and 150 Hzcomponents. A bridge rectifier is used to convert the ampli-tude of the recovered tones to DC voltage levels. The DCvoltage output is directly proportional to the depth of themodulation of the 90 Hz and 150 Hz tones–a direct measureof the dominating frequency signal. The DC voltage causesthe course deviation indicator needle to deflect based on thedifference in the depth of the modulation of the two tonesthereby precisely indicating the aircraft’s lateral and verticaldeviation from approach path.

For example, an aircraft that is on-course will receive both90 and 150 Hz signals with the same amplitude, i.e., equaldepth of modulation and will result in zero difference inthe depth of modulation and therefore cause no needle de-flections. However, an aircraft that is off-course and notaligned with the approach path will receive signals with anon-zero difference in the depth of modulation resulting ina corresponding deflection of the needle. The instrumentsare calibrated to show full scale deflection if DDM > 0.155or DDM < −0.155 for localizer and if DDM > 0.175 orDDM < −0.175 for glideslope [37]. These values corre-spond to 2.5◦ offset on the left side of the runway, 2.5◦ offseton the right side of the runway, 0.7◦ offset above the glidepath angle and 0.7◦ below the glide path angle respectively.

4

+

Filter 150Hz

Filter 90Hz

ILS Receiver

SAT90

SAT150

VAT90

BridgeRectifier

BridgeRectifier

DDM =

OffsetAT = 0.5

OffsetLOC = 0SLOC+AT

SAT

SLOC

-VAT150VAT90

VAT150

VAT150

VAT90

Demod

Figure 3: Schematic of the overshadow attack. The attacker’s signal has a preset DDM corresponding to 0.5◦ to the right of the runway.Attacker’s signal overshadows the legitimate signal. The blue line represents the needle position without attack.

2.2 Typical Approach SequencePilots use aeronautical charts containing vital informationabout the terrain, available facilities and their usage guide-lines throughout a flight. Approach plates are a type of nav-igation chart used for flying based on instrument readings.Every pilot is required to abide by the routes and rules de-fined in an approach plate unless ordered otherwise by theair traffic controller. The approach plate contains informa-tion like active localizer frequency of the runway, the run-way identifier in Morse code, glideslope interception alti-tude, ATC tower frequencies, and other information crucialfor a safe landing.

Once the pilot receives the clearance to land at an assignedrunway, the pilot enters the localizer frequency associatedwith the designated runway and enters the course of the run-way into the auto-pilot. Note that the localizer and glides-lope frequencies occur in pairs and therefore the pilot doesnot have to manually enter the corresponding glideslope fre-quency. When the pilot intercepts the localizer, the coursedeviation indicator needle is displayed on the cockpit. Thepilot then verifies whether the receiver is tuned to the rightlocalizer by confirming the runway identifier which is trans-mitted as morse code on the localizer frequency. For ex-ample, for landing on runway 4R (Runway Ident - IBOS)at Logan International Airport, Boston, the pilot will tuneto 110.3 MHz and will verify this by confirming the Morsecode: .. / --... / --- / ... Based on the deviation of the aircraftfrom the runway and the approach angle, the indicator willguide the pilot to appropriately maneuver the aircraft. Mod-ern autopilot systems are capable of receiving inputs fromILS receivers and autonomously land the aircraft without hu-man intervention.

In fact, pilots are trained and instructed to trust the instru-ments more than their intuition. If the instruments ask themto fly right, the pilots will fly right. This is true specificallywhen flying in weather conditions that force the pilots to fol-low the instruments. Detecting and recovering from any in-strument failures during crucial landing procedures is one ofthe toughest challenges in modern aviation. Given the heavy

reliance on ILS and instruments in general, malfunctions andadversarial interference can be catastrophic especially in au-tonomous approaches and flights. In this paper, we demon-strate vulnerabilities of ILS and further raise awareness to-wards the challenges of building secure aircraft landing sys-tems.

3 Wireless Attacks on ILSWe demonstrate two types of wireless attacks: i) Over-shadow attack and ii) Single-tone attack. In the over-shadow attack, the attacker transmits pre-crafted ILS signalsof higher signal strength; thus overpowering the legitimateILS signals. The single-tone attack is a special attack whereit is sufficient for the attacker to transmit a single frequencytone signal at a specific signal strength (lower than the legit-imate ILS signal strength) to interfere and control the deflec-tions of the course deviation indicator needle.

Attacker model. We make the following assumptions re-garding the attacker. Given that the technical details of ILSare in the public domain, we assume that the attacker hascomplete knowledge of the physical characteristics of ILSsignals e.g., frequencies, modulation index etc. We also as-sume that the attacker is capable of transmitting these radiofrequency signals over the air. The widespread availability oflow-cost (less than a few hundred dollars) software-definedradio platforms has put radio transmitters and receivers inthe hands of the masses. Although not a necessary condi-tion, in the case of single-tone, the knowledge of the flight’sapproach path, the airplane’s manufacturer and model willallow the attacker to significantly optimize their attack sig-nal. We do not restrict the location of the attacker and dis-cuss pros and cons of both an on-board attacker as well as aattacker on the ground.

3.1 Overshadow attackThe overshadow attack is an attack where the attacker trans-mits specially crafted ILS signals at a power level suchthat the legitimate signals get overpowered by the attacker’ssignal at the receiver. The main reason why such an at-

5

Localizer Tx

+

SBO Signal

Fc

CSB Signal

Fc

Fc

Fc

On the center-line

On the left side

On the right side

f (Hz)

f (Hz)

f (Hz)

fc-90

fc-90

fc+90

fc+150

fc-150

fc+90

fc-150 fc+150

fc-90 fc+90

fc-150

fc+150

fc+150

fc+90fc-90

fc-150

fc+150

fc+90fc-90

fc-150

Figure 4: Frequency domain representation of the received sig-nal showing the amplitudes of the sidebands as observed at variouslateral offsets

tack works is that the receivers “lock” and process only thestrongest received signal. Figure 3 shows how the attacker’sfake ILS signal completely overshadows the legitimate ILSsignal resulting in the deflection of the CDI needle. Wenote that the attacker signal can be specially crafted to forcethe CDI needle to indicate a specific offset as demonstratedin Section 4.2.

Attack Signal Generation. Recall that the ILS receiveron-board receives a mix of the transmitted CSB and SBOsignals that contain the 90 and 150 Hz tones (Figure 2). Theamplitude of received 90 and 150 Hz tones depends on theposition of the aircraft relative to the runway and its approachpath angle. For example, as shown in Figure 4, the 90 Hztone will dominate if the aircraft is offset to the left of therunway and the 150 Hz dominates to the right. Similarly,for glideslope, the 90 Hz tone dominates glide angles steeperthan the recommended angle, and the 150 Hz tone dominatesotherwise. Both 90 and 150 Hz will have equal amplitudesfor a perfectly aligned approach. Therefore, to execute anovershadow attack, it is sufficient to generate signals similarto the received legitimate ILS signals and transmit at a muchhigher power as compared to legitimate ILS signals. In otherwords, the attacker need not generate CSB and SBO signalsseparately; instead can directly transmit the combined sig-nal with appropriate amplitude differences between the 90and 150 Hz tones. The amplitude differences are calculatedbased on the offset the attacker intends to introduce at theaircraft. The attacker’s signal (Figure 5) is generated as fol-lows. There are two tone generators for generating the 90 andthe 150 Hz signals. It is important to enable configurationof each individual tone’s amplitude to construct signals witha preset difference in the depth of modulation correspond-ing to the required deviation to spoof. The tones are thenadded and amplitude modulated using the runway’s specificlocalizer or glideslope frequency. Recall that the amplitude

Amplitude

Modulator

RF Source

90 Hz

RF Source

150 Hz

+

f (Hz)

Fc

RF Source

Carrier

108.1-111.95MHz

fc+150

fc+90fc-90

fc-150

Figure 5: Signal generator used for generating the required attacksignal with specific amplitudes of the 90 Hz and 150 Hz compo-nents

differences i.e., difference in depth of modulation (DDM)between the two tones directly corresponds to the requiredoffset to spoof. In the absence of the adversarial signals theestimated DDM = VLOC90−VLOC150. In the presence of theattacker’s spoofing signals, the estimated DDM = [VLOC90 +VAT 90]− [VLOC150 +VAT 150]. Since VAT 90 >> VLOC90 andVAT 150 >> VLOC150, the resulting DDM = VAT 90 −VAT 150.Thus by manipulating the amplitude differences between thetransmitted 90 Hz and 150 Hz tones, the attacker can acquireprecise control of the aircraft’s course deviation indicator andthe aircraft’s approach path itself.

3.2 Single-tone attackSingle-tone attack is an attack where the attacker transmitsonly one of the sideband tones (either the 90 Hz or the150 Hz) to cause deflections in the course deviation indi-cator needle. In contrast to the overshadow attack, single-tone attack does not require high powered spoofing signals.Recall that the aircraft’s horizontal and vertical offset is esti-mated based on the difference in the depth of the modulationof the 90 Hz and the 150 Hz tones. As indicated in Fig-ure 4, depending on the offset either of the frequency tonesdominates. In the case of an overshadow attack, the spoof-ing signal was constructed with all the necessary frequencycomponents. However, in the single-tone attack, the attackeraims to interfere with only one of the two sideband frequen-cies directly affecting the estimated offset.

Attack Signal Generation. The working of the single-tone attack is shown in Figure 6. The legitimate localizersignal’s spectrum contains the carrier and both the sidebandtones of 90 Hz and 150 Hz. As described previously, theamplitudes of the sideband tones depend on the true offsetof the aircraft. In a single-tone attack, the attacker generatesonly one of the two sideband tones i.e., fc± 90 or fc± 150with appropriate amplitude levels depending on the spoof-ing offset (e.g., left or right off the runway) introduced at theaircraft. For example, consider the scenario where the at-tacker intends to force the aircraft to land on the left of therunway with an offset of 0.5◦. The legitimate difference indepth of modulation will be zero as the aircraft is centered

6

>

DemodFilter 150Hz

Filter 90Hz

ILS Receiver

SAT90

SAT150

VLOC90

VAT150

BridgeRectifier

BridgeRectifier

DDM =

DDMAT -0.155

DDMLOC = 0SLOC+AT

SLOC

+

SAT

t

-VAT150VLOC90

VAT90

VAT150

f (Hz)

f (Hz)

Fc fc+150

fc+90fc-90

fc-150

fc+150fc-150

Figure 6: Schematic of the single-tone attack. Attacker constructs a DSB-SC signal without the 90 Hz component and the carrier. The blueline represents the needle position without the attack

RF Source

90 Hz or 150 Hz

DSB-SC

Modulator

90 Hz 90 Hz

f (Hz)

fc+90/150fc-90/150

RF Source

Carrier

108.1-111.95MHz

Figure 7: Single-tone attack signal generator with a DSB-SC mod-ulator

over the runway. To cause the aircraft to go left, the attackermust transmit signals that will spoof the current offset to beat the right side of the runway. As shown in Figure 4, the150 Hz component dominates in the right side of the run-way approach and therefore the attacker needs to transmitthe fc±150 signal with an appropriate amplitude to force theaircraft to turn left. For the specific example of 0.5◦ offset,the amplitude of the fc±150 component should be such thatthe difference in the depth of modulation equals 0.03 [37].

Notice that the single-tone attack signal is similar to adouble-sideband suppressed-carrier signal which is well-known to be spectrally efficient than the normal amplitudemodulation signal. Specifically, it is possible for the at-tacker to reduce the required power to almost 50% of theovershadow attack as there is no need to transmit the carriersignal and one of the sideband signals. One of the importantlimitations of the single-tone is the effect of the attacker’ssynchronization with the legitimate signal. To precisely con-trol the spoofing offset, the attacker needs to coarsely con-trol the spoofing signal such that the phase difference be-tween the attacker and the legitimate signals remain constantthroughout the attack. We evaluate and show in Section 4.3.1the effect of phase synchronization on this attack. Addition-ally, the spectral efficiency of the single-tone attack can beexploited to execute a low-power last-minute denial of ser-vice on the ILS system. This is specifically dangerous whilean aircraft is executing an auto-pilot assisted approach. Theblock diagram of the single-tone attack signal generator is

Handheld

Aviation

Receiver

USRP 2

USRP 1

LOC

GS

LOCAT

GSAT

Location Data

Instrument

values

Spoofing

zone

detector

Legitimate

signal

generator

Attacker

signal

generator

Offset

correction

algorithm

Attacker control unit

Figure 8: Schematic of the experiment setup used for evaluat-ing the attacks on ILS. The attacker control unit interfaces withthe simulator and USRP B210s. A flight yoke and throttle systemis connected to the machine running X-Plane flight simulator soft-ware. Attacker control unit interfaces with the flight simulator overa UDP/IP network.

shown in Figure 7.

4 Implementation and Evaluation of AttacksIn this section, we demonstrate the feasibility and evaluatethe effectiveness of the attack with the help of both sim-ulations and actual experiments conducted using commer-cial aviation-grade receivers and an advanced flight simula-tor qualified for FAA certification.

4.1 Experimental SetupOur experimental setup is shown in Figure 8 and Figure 9.The setup consists of four main components: i) X-Plane 11flight simulator, ii) attacker control unit, iii) software-definedradio hardware platforms (USRP B210s) and iv) commercialaviation grade handheld navigation receiver. We use X-Plane11 flight simulator to test the effects of spoofing attack onthe ILS. X-Plane is a professional flight simulator capable ofsimulating several commercial, military, and other aircraft.X-Plane can also simulate various visibility conditions andimplements advanced aerodynamic models to predict an air-craft’s performance in abnormal conditions. It is important tonote that X-Plane qualifies for FAA-certified flight traininghours when used with computer systems that meet the FAA’s

7

USRP 1

USRP 2

Handheld

Rx

X-Plane flight SimulatorAttacker control unit

Figure 9: Photo of the experiment setup.

minimum frame rate requirements. The certified versions ofthe software are used in numerous pilot training schools. X-Plane allows interaction with the simulator and instrumentsthrough a variety of mobile apps and UDP/IP networks. Thisfeature allowed us to manipulate the instrument readings forevaluating our ILS attacks. Additionally, X-Plane has au-topilot and AI-based autoland features which we leverage inour experiments. In other words, X-Plane contains all thefeatures and flexibility to evaluate our proposed attacks ina close to the real-world setting. The second component ofour setup is the attacker control unit module which takes thelocation of the aircraft as input from X-Plane and generatessignals for the attack. The module is also responsible formanipulating X-Plane’s instrument panel based on the effectof the spoofing signal on the receiver. The attacker controlunit module is a laptop running Ubuntu and contains foursubmodules: spoofing zone detector, offset correction algo-rithm, legitimate signal generator, and attacker signal gener-ator. The spoofing zone detector identifies whether an air-craft is entering its first waypoint of the final approach andtriggers the start of spoofing. The spoofing zone detectorplays an important role in timely starting of the spoofing at-tack so as to prevent any abrupt changes in the instrumentpanel and therefore avoid suspicion. The offset correctionalgorithm uses the current location of the aircraft to contin-uously correct its spoofing signals taking into considerationaircraft’s corrective actions. Note that the location data re-ceived from X-Plane can be analogous to receiving the lo-cation data through ADS-B signals [24] in the real world.The output of the offset correction algorithm is used to gen-erate fake ILS signals. We also generate legitimate signalsto evaluate the effect of overshadow and single-tone attacks.We use two USRP B210s [3], one each for transmitting le-gitimate ILS signals and attacker signals. We conducted theexperiments in both wired and wireless settings. For the ex-periments conducted in wireless settings, the receiver wasplaced at a distance of 2 meters from the transmitter. North-

A

B

C

E

D

22km

NABBOMILTT WINNI

37km

F

9.45km 9.45km 9.45km

Figure 10: The spoofing zone is defined by points B, C, D, andE. WINNI, NABBO, and MILTT are the waypoints for the finalapproach as published for a mid-sized airport. The spoofing zonehas a wide aperture as the air-traffic controller can vector in theaircraft onto the final approach in multiple ways.

eastern University has access to a Department of HomelandSecurity laboratory which provides RF shielding thus pre-venting signal leakage. This is necessary as it is illegal totransmit ILS signals over the air. We use two different ILSreceivers, a Yaesu FTA-750L [14] and a Sporty’s SP-400Handheld NAV/COM Aviation [6] to evaluate the attacks.

4.1.1 Spoofing Zone Detection

The spoofing zone detection algorithm enables automatedand timely triggering of the spoofing signal. One of the keyrequirements of the zone detector is to trigger the spoofingsignals without causing any abrupt changes to the instru-ment readings; thereby avoiding detection by the pilots. Thespoofing region is shaped like a triangle following the cover-age of the localizer and glideslope signals. For example, thelocalizer covers 17.5◦ on either side of the extended runwaycenterline and extends for about 35 km beyond the touch-down zone. Figure 10 shows the zone measurements. Theattacker signals are triggered when the aircraft approachesthe shaded region. The shaded region is decided based on thefinal approach patterns for a specific runway. We used even-odd algorithm [27] for detecting the presence of the aircraftwithin this spoofing zone. Absolute locations cannot be usedas aircraft enter the final approach path in many differentways based on their arrival direction and air traffic controllerinstructions. The even-odd algorithm is extensively used ingraphics software for region detection and has low computa-tional overhead. The attacker automatically starts transmit-ting the signals as soon as the aircraft enters the spoofingregion from the sides and the needle is yet to be centered.This prevents any sudden noticeable jumps thus allowing aseamless takeover.

8

4.1.2 Offset correction algorithm

The attacker’s signals are pre-crafted to cause the aircraft toland with a specific offset without being detected. The pi-lot or the autopilot system will perform course correctionmaneuvers to align with the runway centerline based on theinstrument readings. At this point, the instruments will con-tinuously indicate the spoofed offset irrespective of the air-craft’s location and maneuvers raising suspicion of an in-strument failure. To prevent this, we developed a real-timeoffset correction and signal generation algorithm that craftsthe spoofing signals based on the aircraft’s current locationin real-time. The attacker can use the GPS coordinates ifpresent inside the aircraft or leverage the ADS-B packetscontaining location information on the ground. We explainthe offset correction algorithm using Figure 11. Consider anaircraft at point B, cleared to land and entering the spoof-ing zone. The air-traffic controller instructs the aircraft tointercept point C on the extended runway centerline. As-suming that the attacker’s spoofing signal contains a pre-crafted offset to the left of the runway forcing the aircraftto follow path DA instead of CA. The offset correction mod-ule computes the current offset of the aircraft with respectto the centerline and subtracts the current offset from thespoofed offset to estimate the desired change in the course.Thus, the correction ∆ required to be introduced is the dif-ference between required offset angle ∠DAC and the currentoffset angle ∠BAC. Note that offsets to the left of center-line are considered negative offsets and offsets to the rightare considered positive offsets. The current offset θ can beestimated using θ = tan−1[(mCA−mBA)/(1+mBA ∗mCA)],where m is the slope. mCA is typically hardcoded and is spe-cific for each runway. mBA can be estimated using the lon-gitude and latitudes of the touchdown point and the currentlocation of the aircraft. Now, the correction ∆ is converted tothe respective difference in depth of modulation value usingthe formula DDM = (DDM f ullscale ∗∆)/2.5, where 2.5 is theangle that results in full-scale deviation and DDM f ullscale isthe difference in depth of modulation that causes full-scaledeviation. The amplitude of the individual 90 and 150 Hzcomponents is estimated using the formula 0.2+(DDM/2)and sent to the signal generator module which then transmitsthe required signal. Note that the value 0.2 comes from thelegitimate signal’s depth of modulation. The algorithm wasimplemented on a laptop running Ubuntu and took less than5 ms on average to compute the offsets. The complete algo-rithm is shown in Algorithm 1.

4.1.3 Setup Validation

We verified the working of our experimental setup as fol-lows. First, we ensure consistency between the CDI needledisplayed on the flight simulator and the handheld receiver.To this extent, we disabled the attacker signal and outputonly the legitimate signal to the handheld receiver based onthe aircraft’s location obtained from X-Plane. We manually

A

B

C

D

Figure 11: Offset correction algorithm takes into account aircraft’scurrent position to calculate the difference in the spoofed offset andthe current offset.

Algorithm 1 Offset correction algorithm.1: procedure GETANGLEDIFFERENCE2: ∠DAC← TargetedLocalizerO f f set3: ∠BAC← GetAngle(location)4: di f f erence← ∠DAC−∠BAC5: return di f f erence6: procedure CALCULATEDDM7: di f f erence← GetAngleDi f f erence8: ddm← (0.155∗di f f erence)/2.59: AT 90← 0.2+(ddm)/2

10: AT 150← 0.2− (ddm)/211: ChangeAmplitude(AT 90,AT 150)

validated that the alignment shown on the handheld receiveris the same as that of the flight simulator throughout the fi-nal approach. The uploaded attack demonstration video 2

also contains this validation for reference. We conducted thesame experiment over the air in a controlled environment andverified consistency between the handheld receiver and theflight simulator cockpit. Second, we test our offset correc-tion algorithm by maneuvering (swaying) the aircraft duringits final approach. During this experiment, the offset correc-tion algorithm should account for the maneuvers and gener-ate corresponding ILS signals to the handheld receiver. Weensure the correctness of the algorithm by validating the con-sistency between the handheld receiver’s CDI needle and theflight simulator cockpit. Note that we do not update the flightsimulator’s instrument readings for this experiment and thereadings displayed in the simulator cockpit are only becauseof the simulator software engine. Finally, we validate thespoofing zone detector algorithm by entering the final ap-proach from various directions and checking the trigger forbeginning the spoofing attack. We are now ready to performour attack evaluations.

2Video demonstration of the attack https://youtu.be/Wp4CpyxYJq4

9

4R

40 20 0 20 40Touchdown offset (meters)

1.5

1.0

0.5

0.0

0.5

1.0

1.5

Sp

oofe

d loca

lizer

off

set

(deg

rees)

-51.7

-33.9

-17.9

0.0

17.3

35.2

52.1

0

Figure 12: Results of localizer spoofing. 5 automated landings perspoofed localizer offset were executed and the touchdown offset inmeters from the runway centerline was recorded.

4.2 Evaluation of Overshadow AttackWe evaluate the effectiveness of overshadow attack as fol-lows. We leverage the autopilot and autoland feature of X-Plane to analyze the attack’s effects avoiding any inconsis-tency that might arise due to human error. We configuredX-Plane to land on the runway of a midsized airport in theUS. This configuration is analogous to the pilot followingapproach instructions from the air-traffic controller. As soonas the aircraft entered the spoofing zone, the spoofing sig-nals were transmitted along with the legitimate signals. Thespoofing signals were generated to fake various vertical andhorizontal offsets. Note that the spoofing signals were gen-erated in real-time based on the current position of the air-craft. For the localizer (horizontal offset), spoofing signalscorresponding to 0.5, 1.0, and 1.5◦ offset on both sides ofthe runway were generated. The spoofing glideslope angleswere between 2.8◦ and 3.3◦. For each spoofing angle andoffset, we performed five automated landings and the resultsare shown in Figure 12 and Figure 13. Throughout the at-tack, we continuously monitored the path of the aircraft us-ing Foreflight 3, a popular app used both by aviation enthu-siasts and commercial pilots as well as X-Plane’s own inter-faces. We did not observe any abrupt changes in the readingsand observed a smooth takeover. The aircraft landed with an18 m offset from the runway centerline for a spoofing offsetof just 0.5◦. Note that this is already close to the edge of therunway and potentially go undetected by both the air-trafficcontrollers as well as pilots onboard, especially in low visi-bility conditions. In the case of glideslope, a shift in the glidepath angle by 0.1◦ i.e., 2.9◦ glide path angle instead of therecommended 3◦, caused the aircraft to land almost 800 mbeyond the safe touchdown zone of the runway. We haveuploaded a video demonstration of the attack for reference( https://youtu.be/Wp4CpyxYJq4 ).

3Advanced Flight Planner https://www.foreflight.com

Spoofed glide path angle (degrees)

Touchdown offset (meters)

400 200 0 200 400 600 800 1000

3.3 3.2 3.1 3.0 2.9 2.8

Touchdown zone

Figure 13: Results of glideslope spoofing. 5 automated landingsper spoofed glideslope angle offset were executed and the touch-down offset in meters beyond the touchdown zone was recorded.

4.3 Evaluation of Single-tone AttackWe evaluate the effectiveness and feasibility of the proposedsingle-tone attack using the experimental setup describedin Section 4.1. Recall that in the single-tone attack, the at-tacker transmits only one of the sideband tones (either thefc±90 or the fc±150 Hz) to cause deflections in the coursedeviation indicator needle. We implemented the attack byconfiguring one of the USRPs (attacker) to transmit the side-band signals and observed its effect on the handheld naviga-tion receiver. We observed that the spoofing signal causedthe needle to deflect to the configured offset. However, theneedle was not as stable as in the overshadow attack and dis-played minor oscillations. This is because the specific attackis sensitive to carrier phase oscillations and therefore must beaccounted for to avoid detection. A significant advantage ofthis attack is the power required to cause needle deflectionsas the attacker only transmits one of the sideband compo-nents without the carrier. This gives an almost 50% increasein power efficiency and therefore can act as a low-power last-minute denial of service attack in case the attacker is unableto establish full synchronization with the legitimate signal.In the following sections, we evaluate the effect of phasesynchronization on the single-tone attack and develop a real-time amplitude scaling algorithm that can counter the phaseoscillations.

4.3.1 Effect of Phase Synchronization

Recall that the single-tone attack signal is similar to a con-ventional double-sideband suppressed-carrier (DSB-SC) sig-nal. It is well known that one of the drawbacks of a DSB-SCcommunication system is the complexity of recovering thecarrier signal during demodulation. If the carrier signal usedat the receiver is not synchronized with the carrier wave usedin the generation of the DSB-SC signal, the demodulated sig-nal will be distorted. In the scenario of the single-tone attack,this distortion can potentially result in changes in the differ-ence in the depth of modulation estimates causing the needleto oscillate. We simulated the effect of phase synchroniza-tion on the single-tone attack effectiveness and present ourresults in Figure 14 and Figure 15. We generated the single-tone attack signal to cause full-scale deviation i.e., & 2.5◦

for localizer and & 2.5◦ for the glideslope while perfectly in

10

0 50 100 150 200 250 300 350Phase difference in degrees

3

2

1

0

1

2

3

Resu

ltant

off

set

Localizer 150 Hz tone

Localizer 90 Hz tone

100 150 200 250 300

Figure 14: Comparison of calculated offset and the phasedifference for localizer

0 50 100 150 200 250 300 350Phase difference (degrees)

2.2

2.4

2.6

2.8

3.0

3.2

3.4

3.6

3.8

Resu

ltant

glid

e p

ath

an

gle

Glideslope 150 Hz toneGlideslope 90 Hz tone

Figure 15: Comparison of calculated offset and the phasedifference for glideslope

sync with the legitimate carrier signal. We observe that thephase difference causes the resultant offset to change. Wealso noted an uncertainty region around the 90◦ and 270◦

phase difference region. This is due to the dependency ina DSB-SC system [26] between the carrier phase differenceφ and the resulting distortion at the output which is directlyproportional to the cosφ . Therefore, at angles around 90◦ and270◦, there is an uncertainty region for the resulting offset.However, in our experiments on the handheld receiver, wenoticed that although the needle oscillated, it was not as pro-nounced as the simulation results indicate. One of the rea-sons is the rate at which the sensor measurements are beingcalculated and displayed on the screen. Additionally, the air-craft is in motion, therefore, causing the phase differences tocycle more rapidly than the display’s refresh rate. A knowl-edgeable attacker can potentially leverage these propertiesto generate controlled spoofing signals and succeed with anoptimized transmission power.

4.3.2 Real-time Amplitude Scaling

In the following, we propose and evaluate a strategy tocounter the effect of phase synchronization on the single-

tone attack. It is clear that the phase differences cause theoutput to be distorted. Besides the uncertainty region aroundthe 90◦ and 270◦, it is possible to predict the phase givensufficient knowledge such as aircraft speed, current location,and antenna positions. We assume such a motivated attackerfor the single-tone attack evaluation in this section. It is alsowell known that tightly controlling the phase of a signal isnot trivial and therefore our algorithm proposes to manipu-late the amplitude of the attacker signal instead of the phase.Changing the amplitude of the attacker signal will compen-sate for the effect of phase on the signal at the receiver andwe call this “real-time amplitude scaling” algorithm. The al-gorithm itself is inspired from prior works on amplitude scal-ing for DSB-SC systems [26]. We use the distance betweenthe transmitter and the receiver to estimate the received phaseof the signal by measuring complete and incomplete wave-cycles. In the simulation, we then create an ILS signal withthe necessary phase shift. We also create the attacker’s sig-nal and add it to the legitimate signal to estimate the DDM.This allows us to assess the impact of phase on the transmit-ted signal and use this information to calculate the amplitudethat will be required to counter the effects of phase. For ex-ample, if the predicted phase offset is zero, then to spoof acertain offset, the attacker needs to reduce the amplitude ofits signal. We present the results of our amplitude scalingexperiment in Figure 16 and Figure 17.

4.4 Comparison of Power RequirementsOne of the major advantages of the single-tone attack is theimprovement over the power required to execute the attack,given sufficient knowledge and environmental conditions. Inthis section, we evaluate and compare the power require-ments of the overshadow and the single-tone attacks. Wenote that the absolute power profiles are specific for the hand-held receivers used in the experiments. The goal of the powercomparison is to verify whether there is indeed an improve-ment in terms of attacker’s required transmission power. Wepresent our results in Figure 18 and Figure 19. Our evalua-tions show the required signal strength to successfully cause0.5◦ and 0.1◦ deviation in localizer and glideslope respec-tively. The received signal strength profile is shown in blueacts as a reference for the attacker based on which the at-tacker can compute its required power to transmit the spoof-ing signals. We performed the experiment by transmittingthe signals to the handheld receiver and observing the suc-cess of the attack (needle indicating the intended offset). Thevalues are a result of over 400 trials with 95% confidence in-terval and we find that on an average the difference in powerrequired reaches close to 20.53 dB and 27.47 dB for the lo-calizer and the glideslope respectively. Thus, given sufficientknowledge of the scenario, a motivated attacker can executethe single-tone attack successfully and with less power thanthe overshadow attack. We acknowledge that the single-toneattack has its drawbacks as described previously, however,

11

0 50 100 150 200 250 300 350Phase difference (degrees)

0.0

0.2

0.4

0.6

0.8

1.0C

orr

ect

ed

90

Hz

am

plit

ude

Offset 0.5

Offset 1.0

Offset 1.5

Offset 2.0

Offset 2.5

Figure 16: Amplitude scaling algorithm evaluation localizer.Amplitude required to compensate for the effect of phase

0 50 100 150 200 250 300 350Phase difference (degrees)

0.0

0.2

0.4

0.6

0.8

1.0

Corr

ect

ed 9

0 H

z am

plit

ude

Offset 0.1

Offset 0.2

Offset 0.3

Offset 0.4

Offset 0.5

Offset 0.6

Offset 0.7

Figure 17: Amplitude scaling algorithm evaluation glides-lope. Amplitude required to compensate for the effect ofphase

we note that given the low power requirements, an attackercan exploit the single-tone attack to cause a low-power denialof service attack. Such an attack, especially in an aircraft’sfinal moments before landing can be disastrous.

5 DiscussionReceiving antenna characteristics and location of the at-tacker. The receiver hardware and its characteristics4 varydepending on the type of aircraft it is mounted on. For ex-ample, Cessna aircraft have their ILS antennas on the tail-finor the vertical stabilizer. We note that the same antenna istypically used for a number of systems such as VOR, ILS,and DME; each signal arriving from a different direction.For commercial aircraft, the antennas are typically locatedon the nose of the plane with a forward-looking single broadlobe receiving beam pattern. Certain large aircraft, specif-ically those capable of landing with high nose attitude, theantennas are located either on the underside or on the landing

4https://www.easa.europa.eu/certification-specifications/

cs-23-normal-utility-aerobatic-and-commuter-aeroplanes

0 1 2 3 4 5 6 7 8 9 10Distance from Touchdown (Km)

35

30

25

20

15

10

5

0

Sig

nal S

treng

th (

dB

m)

Received Signal Strength

Req Tx Power: Overshadow

Req Tx Power: Single-tone Attack

Figure 18: Comparison of required received signal strengthfor attack methodologies for the localizer

0 1 2 3 4 5 6 7 8 9Distance from Touchdown (Km)

50

40

30

20

10

0

Sig

nal S

treng

th (

dB

m)

Received Signal Strength

Req Tx Power: Overshadow

Req Tx Power: Single-tone Attack

Figure 19: Comparison of required received signal strengthfor attack methodologies for glideslope

gear of the aircraft itself 5. The antenna equipment onboardplays an important role in determining the optimum locationof the attacker to execute the attack. The ideal location of anon-ground attacker is at a point along the centerline of therunway that falls within the receiving lobe of the onboardantennas. Attackers inside the plane will have to deal withsignal attenuation caused by the body of the aircraft itselfand position the spoofing signal transmitter accordingly. Athorough investigation is required to fully understand the im-plications and feasibility of an on-board attacker and we in-tend to pursue the experiments as future work. The locationof the attacker plays a more significant role in the scenarioof the single-tone attacker since the attacker has to carefullypredict the phase and accordingly manipulate the amplitudeof the spoofing signal. The problem of identifying optimumlocations for the attack is an open problem very similar to thegroup spoofing problem [55] proposed as a countermeasure

5https://www.casa.gov.au/sites/g/files/net351/f/

_assets/main/pilots/download/ils.pdf

12

for GPS spoofing attacks. In our context, the attacker has toidentify locations on the ground such that the phase differ-ence between the legitimate signal and the spoofing signalremains a constant along the line of approach. Recall thatin the single-tone attack, the offset indicated by the cockpitis sensitive to phase changes and therefore locations that al-low constant phase differences can result in a fixed spoofingoffset and therefore minimal oscillations in the readings.

ILS Categories. The main advantage of ILS is that the pi-lot need not have visuals of the runway during the final ap-proach as the ILS system is intended to guide the aircraft toa safe landing. The ILS categories are classified based onthe maximum decision height at which a missed approachmust be initiated if the pilot does not have a visual refer-ence to continue the approach. In CAT I the decision heightis at 60 m above the ground i.e., if the pilot does not havea visual reference at this height, a missed approach or goaround must be initiated. The decision height for CAT IIIis as low as 15 m above the ground. The demonstrated at-tacks can cause severe consequences in CAT III systems dueto the low decision height. It might potentially be too late toexecute a missed approach in case of an attack. The conse-quences of the attack on CAT I and CAT II systems are lesscatastrophic. However, they can still cause major air traf-fic disruptions. Note that CAT I approach is mostly used bysmaller flights. Commercial flights typically fly a CAT II orCAT III approach.

Alternative technologies and potential countermeasures.Many navigation technologies such as HF OmnidirectionalRange, Non-directional Beacons, Distance MeasurementEquipment and GPS provide guidance to the pilot during thedifferent phases of an aircraft’s flight. All the mentioned nav-igation aids use unauthenticated wireless signals and there-fore vulnerable to some form of a spoofing attack. Further-more, it is worth mentioning that only ILS and GPS are ca-pable of providing precision guidance during the final ap-proach. Also, ILS is the only technology today that providesboth lateral and vertical approach guidance and is suitablefor CAT III ILS approaches.

Most security issues faced by aviation technologies likeADS-B, ACARS and TCAS can be fixed by implement-ing cryptographic solutions [49] [51]. However, crypto-graphic solutions are not sufficient to prevent localizationattacks. For example, cryptographically securing GPS sig-nals [23, 31] similar to military navigation can only preventspoofing attacks to an extent. It would still be possible for anattacker to relay the GPS signals with appropriate timing de-lays and succeed in a GPS location or time spoofing attack.One can derive inspiration from existing literature on miti-gating GPS spoofing attacks [28, 29, 32, 34, 45, 55] and buildsimilar systems that are deployed at the receiver end. Analternative is to implement a wide-area secure localizationsystem based on distance bounding [19] and secure proxim-

ity verification techniques [44]. However, this would requirebidirectional communication and warrant further investiga-tion with respect to scalability, deployability etc.

Experiment Limitations. Our experimental setup de-scribed in Section 4 was carefully constructed in consulta-tion with aviation experts. Since we use an FAA accreditedflight simulator, we sent our configuration files and scriptsto a licensed pilot for them to perform final approaches us-ing the instruments and give us feedback. We were mainlyconcerned whether there was any other indicator on the cock-pit that raises suspicion about the attack. We conducted ourattack evaluations in both wired and controlled wireless set-tings. Note that it is illegal to transmit ILS signals over theair in a public space. Effects due to aircraft’s motion suchas Doppler shift do not affect the attacker signal as these arereceiver end problems and the receiver hardware already ac-counts for such effects for the legitimate signal. Note that theattacker closely imitates the legitimate signals in frequencyand amplitude. In short, we made the best effort to repli-cate a real-world approach. However our setup has its lim-itations. We did not perform the experiments on a real air-craft which would give us more insights on the effects ofaircraft’s construction, antenna placements, cockpit displaysensitivity, etc. One of the factors that will get affected is thepower required by the attacker. Note that commercial ILStransmitters use a 25 watts transmitter for localizer signalsand a 5 W power for the glideslope signals. To put thingsin perspective, a standard 12 V 10 Ah battery can power a24 Watts amplifier for about 5 hours. Furthermore, we arein touch with a leading aircraft manufacturer for access tosuch an experiment. We also note that we are in the processof acquiring IRB approval to recruit commercial pilots andstudying their response to the attack proposed in this paper.

6 Related WorkOver the years, the aviation industry has largely invested andsucceeded in making flying safer. Security was never con-sidered by design as historically the ability to transmit andreceive wireless signals required considerable resources andknowledge. However, the widespread availability of pow-erful and low-cost software-defined radio platforms has al-tered the threat landscape. In fact, today the majority ofwireless systems employed in modern aviation have beenshown to be vulnerable to some form of cyber-physical at-tacks. In this section, we will briefly describe the variousattacks demonstrated in prior work. Strohmeier et al. [52]provide a comprehensive analysis of the vulnerabilities andattacks against the various wireless technologies that mod-ern aviation depends on. Voice communication over VHF isprimarily used to transfer information between the air traf-fic controller and the aircraft. There have already been in-cidents [50] related to spoofed VHF communications andseveral efforts [22] to design a secure radio communica-tion system. Primary surveillance radars have been shown

13

to be vulnerable to signal jamming attacks [20]. Secondarysurveillance radars [10] leverage the ability of the aircraft torespond to ground-based interrogations for aircraft localiza-tion. Due to the unauthenticated nature of these messages,it is possible for an attacker to use publicly available im-plementations for software-defined radio platforms to mod-ify, inject and jam messages creating a false picture of theairspace. The ADS-B protocol used by aircraft to transmitkey information such as position, velocity and any emer-gency codes also face the same challenges of active andpassive attacks due to the unauthenticated nature of the sig-nals. Several works have repeatedly demonstrated the vul-nerabilities of ADS-B signals [11,18,21,33,46,47,51,53,57].ACARS [9], the data link communications system betweenaircraft and ground stations was found to leak a significantamount of private data [35, 49, 54] e.g., passenger informa-tion, medical data and sometimes even credit card detailswere transferred. Furthermore, an attacker can spoof TCASmessages [41, 47] creating false resolution advisories andforcing the pilot to initiate avoidance maneuvers. For navi-gation, the aviation industry relies on a number of systemssuch as ILS, GPS, VOR, and DME. Although the use ofVOR and DME are rapidly decreasing, ILS and GPS willbe in use for a very long time and are the only technologiesavailable today for enabling autonomous landing. It is alsowell established that GPS is vulnerable to signal spoofingattacks [4, 7, 30, 38, 55, 58]. Researchers have also demon-strated [42, 43] the feasibility of signal manipulation in thecontext of data communication systems. However, there hasbeen no prior work on the security guarantees of ILS and thispaper is a work in that direction. It is important to note thatalthough many of the security issues in the aviation indus-try can be fixed by implementing some sort of cryptographicauthentication, they are ineffective against the ILS attacksdemonstrated in this paper.

7 Conclusion

In this work, we presented a first security evaluation ofaircraft instrument landing system against wireless attacks.Through both simulations and experiments using aviationgrade commercial ILS receivers and FAA recommendedflight simulator, we showed that an attacker can preciselycontrol the approach path of an aircraft without alerting thepilots, especially during low-visibility conditions. We dis-cussed potential countermeasures including failsafe systemssuch as GPS and showed that these systems do not providesufficient security guarantees and there are unique challengesto realizing a scalable and secure aircraft landing system.

Acknowledgements

This work was partially supported by NSF grant 1850264.We thank civil air patrol volunteer Vaibhav Sharma for hisvaluable feedback.

References[1] Aeronautical Telecommunications - Radio Naviga-

tional Aids, Volume 1. https://store.icao.int/.

[2] Air Traffic Activity System (ATADS). https://

aspm.faa.gov/opsnet/sys/Airport.asp.

[3] Ettus research llc. http://www.ettus.com/.

[4] Hacking A Phone’s GPS May Have Just Got Easier.http://www.forbes.com/sites/parmyolson/

2015/08/07/gps-spoofing-hackers-defcon/.

[5] Hawker Siddeley HS121 Trident. https:

//www.baesystems.com/en/heritage/

hawker-siddeley-hs121-trident.

[6] Sporty’s SP-400 Handheld NAV/COM Aviation Radio.

[7] UT Austin Researchers SuccessfullySpoof an $80 million Yacht at Sea.http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea.

[8] Aircraft serious incident report occurrence number00/2518 b767-319er zk-ncj, Civil Aviation Authorityof New Zealand, 2002.

[9] Introduction to ACARS Messaging Services,International Communications Group, April2006. https://www.icao.int/safety/acp/

inactive%20working%20groups%20library/

acp-wg-m-iridium-7/ird-swg07-wp08%20-%

20acars%20app%20note.pdf.

[10] Aeronautical Telecommunications - Surveillance andCollision Avoidance Systems, International Civil Avia-tion Organization, July 2007. https://store.icao.int/.

[11] Forget any security concern and welcome Air ForceOne on Flightradar24!, Nov 2011. https://

theaviationist.com/2011/11/24/af1-adsb.

[12] Status report bfu ex010-11, german federal bureau ofaircraft accident investigation, 2011.

[13] Acceptable Means of Compliance and Guidance Mate-rial to Part-SERA, European Aviation Safety Agency,Sep 2012. https://www.easa.europa.eu/sites/

default/files/dfu/NPA%202012-14.pdf.

[14] Yaesu FTA-750L, 2012. https://www.yaesu.com/

airband/indexVS.cfm?cmd=DisplayProducts&

DivisionID=2&ProdCatID=204&ProdID=1777.

14

[15] Stick shaker warning on ILS final, June 2014. https://www.onderzoeksraad.nl/en/onderzoek/

1949/stick-shaker-warning-on-ils-final.

[16] Air Traffic By The Numbers, Nov 2017. https://

www.faa.gov/air_traffic/by_the_numbers.

[17] Statistical summary of commercial jet airplane acci-dents worldwide operations — 1959 – 2016, boeing,2017. www.boeing.com/news/techissues/pdf/

statsum.pdf.

[18] BERTHIER, P., FERNANDEZ, J. M., ROBERT, J.-M.,BERTHIER, P., FERNANDEZ, J. M., AND ROBERT,J.-M. SAT : Security in the air using Tesla. 2017IEEE/AIAA 36th Digital Avionics Systems Conference(DASC) (Sep 2017), 1–10.

[19] BRANDS, S., AND CHAUM, D. Distance-boundingprotocols. In Workshop on the theory and applicationof cryptographic techniques on Advances in cryptology(1993).

[20] CENTER, N. A. W. Electronic warfare andradar systems engineering handbook, Oct 2013.http://www.navair.navy.mil/nawcwd/ewssa/

downloads/nawcwd%20tp%208347.pdf.

[21] COSTIN, A., AND FRANCILLON, A. Ghost in the air(traffic): On insecurity of ads-b protocol and practicalattacks on ads-b devices.

[22] FANTACCI, R., MENCI, S., MICCIULLO, L., ANDPIERUCCI, L. A secure radio communication systembased on an efficient speech watermarking approach.Security and Communication Networks 2, 4, 305–314.

[23] FERNANDEZ-HERNANDEZ, I., RIJMEN, V., SECO-GRANADOS, G., SIMON, J., RODRIGUEZ, I., ANDCALLE, J. D. A Navigation Message AuthenticationProposal for the Galileo Open Service. Navigation(2016).

[24] FOR ITU, I.-R. R. S. Reception of automatic depen-dent surveillance broadcast via satellite and compati-bility studies with incumbent systems in the frequencyband 1 087.7-1 092.3 mhz.

[25] HAMILTON, B. A. ASRS - Aviation Safety ReportingSystem. https://asrs.arc.nasa.gov.

[26] HAYKIN, S. Communication systems. 2008.

[27] HORMANN, K., AND AGATHOS, A. The point in poly-gon problem for arbitrary polygons. ComputationalGeometry (2001).

[28] JANSEN, K., SCHAFER, M., MOSER, D., LENDERS,V., POPPER, C., AND SCHMITT, J. Crowd-gps-sec:Leveraging crowdsourcing to detect and localize gpsspoofing attacks. In 2018 IEEE Symposium on Securityand Privacy (SP) (2018).

[29] JANSEN, K., TIPPENHAUER, N. O., AND POPPER,C. Multi-receiver gps spoofing detection: error mod-els and realization. In Proceedings of the 32nd AnnualConference on Computer Security Applications (2016).

[30] JON S. WARNER, R. G. J. A simple demon-stration that the global positioning system (gps)is vulnerable to spoofing, Feb 2003. https:

//permalink.lanl.gov/object/tr?what=info:

lanl-repo/lareport/LA-UR-03-2384.

[31] KERNS, A. J., WESSON, K. D., AND HUMPHREYS,T. E. A blueprint for civil GPS navigation message au-thentication. In Proceedings of the IEEE/ION Sympo-sium on Position, Location and Navigation Symposium(PLANS) (2014).

[32] KHANAFSEH, S., ROSHAN, N., LANGEL, S., CHAN,F.-C., JOERGER, M., AND PERVAN, B. Gps spoofingdetection using raim with ins coupling. In Proceed-ings of the Position, Location and Navigation Sympo-sium—PLANS (2014).

[33] L. MCCALLIE, D. Exploring potential ads-b vulner-abilites in the faa’s nextgen air transportation system.56.

[34] LEDVINA, B. M., BENCZE, W. J., GALUSHA, B.,AND MILLER, I. An in-line anti-spoofing device forlegacy civil GPS receivers. In Proceedings of the Inter-national Technical Meeting of the Institute of Naviga-tion (2010).

[35] LEIPOLD, D. F. Session 5: Views of airlines and pilotslufthansa airlines 2014-05-27, May 2014.

[36] MAGAZU III, D. Exploiting the automatic depen-dent surveillance-broadcast system via false target in-jection. Tech. rep., AIR FORCE INST OF TECHWRIGHT-PATTERSON AFB OH DEPT OF ELEC-TRICAL AND COMPUTER ENGINEERING, 2012.

[37] MCCOLLUM, C. D. M. Evaluation of instrument land-ing system ddm calibration accuracies, 1983.

[38] NIGHSWANDER, T., LEDVINA, B. M., DIAMOND, J.,BRUMLEY, R., AND BRUMLEY, D. GPS software at-tacks. In Proceedings of the ACM Conference on Com-puter and Communications Security (2012).

[39] OF TRANSPORTATION, U. D. Nondirectional Beacon(NDB) Installation Standards Handbook. FAA, 1981,ch. General Information.

15

[40] OF TRANSPORTATION, U. D. Instrument FlyingHandbook. FAA, 2012, ch. Navigation Systems.

[41] PIERPAOLI, P., EGERSTEDT, M., AND RAHMANI,A. Altering UAV flight path by threatening collision.In Digital Avionics Systems Conference (DASC), 2015IEEE/AIAA 34th (2015), IEEE, pp. 4A4–1.

[42] POPPER, C., TIPPENHAUER, N. O., DANEV, B., ANDCAPKUN, S. Investigation of signal and message ma-nipulations on the wireless channel. In European Sym-posium on Research in Computer Security (2011).

[43] QIAO, H., LIU, Y., YANG, A., AND HANCKE, G. Pre-venting overshadowing attacks in self-jamming audiochannels. IEEE Transactions on Dependable and Se-cure Computing (2018).

[44] RANGANATHAN, A., AND CAPKUN, S. Are we reallyclose? verifying proximity in wireless systems. IEEESecurity & Privacy (2017).

[45] RANGANATHAN, A., OLAFSDOTTIR, H., AND CAP-KUN, S. SPREE: A spoofing resistant gps receiver.In Proceedings of the 22nd Annual International Con-ference on Mobile Computing and Networking (2016),ACM, pp. 348–360.

[46] SAMPIGETHAYA, K., POOVENDRAN, R., AND BUSH-NELL, L. Assessment and mitigation of cyber exploitsin future aircraft surveillance. 1–10.

[47] SCHAFER, M., LENDERS, V., AND MARTINOVIC, I.Experimental analysis of attacks on next generation airtraffic communication. In International Conference onApplied Cryptography and Network Security (2013),Springer, pp. 253–271.

[48] SIEGEL, D., AND HANSMAN, R. J. Development ofan autoland system for general aviation aircraft. Tech.rep., 2011.

[49] SMITH, M., STROHMEIER, M., LENDERS, V., ANDMARTINOVIC, I. On the security and privacy of acars.In 2016 Integrated Communications Navigation andSurveillance (ICNS) (April 2016), pp. 1–27.

[50] STELKENS-KOBSCH, T. H., HASSELBERG, A.,MUHLHAUSEN, T., CARSTENGERDES, N., FINKE,

M., AND NEETESON, C. Towards a more secure atcvoice communications system. In 2015 IEEE/AIAA34th Digital Avionics Systems Conference (DASC)(Sept 2015), pp. 4C1–1–4C1–9.

[51] STROHMEIER, M., LENDERS, V., AND MARTI-NOVIC, I. On the security of the automatic depen-dent surveillance-broadcast protocol. IEEE Communi-cations Surveys Tutorials 17, 2 (Secondquarter 2015),1066–1087.

[52] STROHMEIER, M., SCHAFER, M., PINHEIRO, R.,LENDERS, V., AND MARTINOVIC, I. On perceptionand reality in wireless air traffic communication secu-rity. IEEE transactions on intelligent transportationsystems 18, 6 (2017), 1338–1357.

[53] TART, A., AND TRUMP, T. Addressing security issuesin ads-b with robust two dimensional generalized side-lobe canceller. In 2017 22nd International Conferenceon Digital Signal Processing (DSP) (Aug 2017), pp. 1–5.

[54] TESO, H. Aircraft hacking: Practical aero series. InHITB Security Conference (2013).

[55] TIPPENHAUER, N. O., POPPER, C., RASMUSSEN,K. B., AND CAPKUN, S. On the requirements for suc-cessful GPS spoofing attacks. In Proceedings of the18th ACM Conference on Computer and communica-tions security (2011).

[56] UNION, I. T. Radio Regulations. 2012, ch. Terminol-ogy and technical characteristics.

[57] YUSUPOV, L. ADSB-Out. https://github.com/

lyusupov/ADSB-Out.

[58] ZENG, K. C., LIU, S., SHU, Y., WANG, D., LI, H.,DOU, Y., WANG, G., AND YANG, Y. All your GPSare belong to us: Towards stealthy manipulation of roadnavigation systems. In 27th USENIX Security Sympo-sium (2018).

Notes1https://www.boeing.com/resources/boeingdotcom/

company/about_bca/pdf/statsum.pdf

16