DEF CON 28: ILS and TCAS Spoofing

Alex Lomas 11 Aug 2020

This post is a companion to the DEF CON 28 video available here.

The purpose here is to give some practical demonstrations of two kinds of radio frequency spoofing attack against two different types of cockpit instruments that are found in virtually every single commercial aircraft flying today.

That is me on the left there flying. What I hope you might notice is that it’s a pretty perfect ILS approach 🙂:

Harshad Sathaye (@harshadsathaye) gave a separate companion talk right after this one in the DEF CON 28 schedule, and that goes into a lot more depth on the physics and practicalities involved in generating these types of spoofing so you should definitely check that out too.

Unfortunately though we’re not going to be doing this against a real airframe as that would be super illegal.

What we do have is our Airbus 320 simulator at Pen Test Partners that does a pretty good job of simulating the aircraft’s flight characteristics and avionics. It’s the same flight model as used in professional simulators but it’s obviously not certified to that same standard.

So we can emulate and test things against most major systems including ILS and TCAS.

What is TCAS?

TCAS is the Traffic Collision Avoidance System, and does pretty much what it says. It provides both audio and visual cues to a pilot about other aircraft, or traffic, that might come within two protective bubbles – the traffic advisory (TA) and resolution advisory (RA) regions.

Traffic advisories are labelled orange and are aircraft that don’t pose an immediate threat but might then become a resolution advisory, which means the pilot needs to take immediate action to avoid that conflict. The TCAS system will give these RAs in the form of “climb” or “descend” but never a turn.

Aircraft equipped with TCAS transponders (and that’s most passenger aircraft, but not general aviation) will emit interrogation signals and listen for replies, and use the time of flight of that exchange to compute distance many times a second.

As not all aircraft are equipped with TCAS, a hybrid mode can use inputs from ADS-B, which you might be familiar with from services such as Flightradar24, to add these other aircraft into the picture.

Resolution advisories must, in theory, be obeyed over any air traffic control instructions. Not doing so was the cause of the 2002 Überlingen incident between a Tu-154 and a DHL cargo flight.

In busy airspace, and Los Angeles is often cited as one such area, traffic alerts can become almost constant to the point that it can become a significant pilot workload. We’ve heard anecdotally that TCAS is sometimes turned off in such situations.

Automatically following RAs

In our Airbus simulator, with the autopilot engaged, the aircraft will actually fly resolution advisories automatically, moving away from the preset altitude and then returning after the conflict has passed. This is an aircraft and airline option, however, and is not always enabled.

In the demonstration that follows we have the aircraft flying straight and level with a wall of spoofed aircraft coming directly towards us. The TCAS system will issue TAs then RAs and then take control to move us out of conflict if we do nothing.

We are at just over 5000 feet, and our spoofed aircraft are introduced ahead of us.

They turn from orange to red quite quickly on the right hand navigation display. The vertical speed strip on the left hand display now shows a red “unsafe” and a green “safe” band, and at the same time the system calls out to descend. Ideally the pilot would now pitch down to obtain that safe vertical speed of 2000 feet / minute.

Choosing to ignore this, the aircraft will automatically take control and put the aircraft into a safe descent allowing our intruder aircraft to pass above us.

Once clear of conflict, the aircraft pitches back up, and increases thrust, to return us back to 5000ft.

What is ILS?

Our next system is the Instrument Landing System which provides lateral and vertical guidance to a pilot when approaching a runway. This is typically most useful in poor weather conditions but is often used even in clear and fine weather.

For a specific runway, a VHF ILS frequency is given which includes both a glideslope (vertical) portion and a localiser beam (lateral). Each beam has two lobes at different frequencies. The receiver works out the signal strength of each, and when the two are the same, that means you’re in the centre. It’s fairly simple and basic tech.

The pilot then centres some magenta bars, or more likely the autopilot follows them automagically, and that will get you to the touchdown point of the runway.

Our situation in the simulator is that we have selected and tuned into the ILS for runway 28 Right at San Francisco, that’s the red one here.

We will be initially flying in cloud so cannot see the airport, runway lights, or ground, but unknown to us, the localiser signal is being spoofed from a location off to the left of our aircraft.

What will happen is that we will pop out from the cloud at quite a low level and find ourselves nowhere near where we expected to be.

The aircraft is established on the ILS for runway 28 Right as we can see at the top of the right hand navigation display.

The magenta pips on the left hand primary flight display are both centred horizontally and vertically so we believe ourselves to be flying down the correct path to the runway.

In the bottom right we see the outside world, as such, but we’re in cloud so it’s just grey.

At 400ft the aircraft believes itself to be in landing mode, and ground proximity and traffic alerts are inhibited at this point.

At 300ft we break out of the cloud and find ourselves well left of the runway even though our instruments are still indicating we are on the centreline.

A pilot would go around and retry the landing if faced with this situation, if they had sufficient visibility.
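The receiver behaviour behind this demonstration, as an added example that is not part of the original post or of any avionics code: the needle is derived only from the relative strength of the two localiser tones, so a cross-check against an independently derived position is what exposes the disagreement. The 90 Hz and 150 Hz tones and the 0.155 full-scale figure are standard ILS values not stated in the post; the independent lateral offset, the 2 degree half-width and the tolerance are assumptions, and the envelope samples are constructed.

```python
import math

F90, F150 = 90.0, 150.0   # localiser tones: 90 Hz dominates left of the centreline, 150 Hz right
FS, N = 3000, 100         # 100 samples at 3 kHz = 1/30 s, a whole number of cycles of both tones
FULL_SCALE_DDM = 0.155    # difference in depth of modulation that pegs the localiser needle

def envelope(m90, m150):
    """Constructed sample input: demodulated AM envelope with the two tones at given depths."""
    return [1.0 + m90 * math.sin(2 * math.pi * F90 * n / FS)
                + m150 * math.sin(2 * math.pi * F150 * n / FS) for n in range(N)]

def tone_depth(samples, freq):
    """Modulation depth of one tone: single-bin DFT magnitude normalised by the carrier level."""
    re = sum(s * math.cos(2 * math.pi * freq * n / FS) for n, s in enumerate(samples))
    im = sum(s * math.sin(2 * math.pi * freq * n / FS) for n, s in enumerate(samples))
    carrier = sum(samples) / len(samples)
    return 2 * math.hypot(re, im) / len(samples) / carrier

def needle(samples):
    """Deflection in [-1, 1] from received tones only; negative = aircraft left of course."""
    ddm = tone_depth(samples, F150) - tone_depth(samples, F90)
    return max(-1.0, min(1.0, ddm / FULL_SCALE_DDM))

def expected_needle(offset_m, dist_to_antenna_m, half_width_deg=2.0):
    """Deflection an honest localiser would give for an independently derived lateral
    offset (negative = left). half_width_deg is an assumed full-scale angle."""
    angle = math.degrees(math.atan2(offset_m, dist_to_antenna_m))
    return max(-1.0, min(1.0, angle / half_width_deg))

def ils_consistent(samples, offset_m, dist_to_antenna_m, tolerance=0.25):
    """False when the needle disagrees with the independent position by more than tolerance."""
    return abs(needle(samples) - expected_needle(offset_m, dist_to_antenna_m)) <= tolerance

if __name__ == "__main__":
    balanced = envelope(0.20, 0.20)                 # equal tones: the needle centres
    print(needle(balanced))                         # same reading wherever the signal came from
    print(ils_consistent(balanced, 0.0, 6000))      # aircraft on the centreline
    print(ils_consistent(balanced, -600.0, 6000))   # aircraft 600 m left with a centred needle
```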

Is this all realistic?

I will leave Harshad to go into more of the detail in his talk, but I feel that ILS spoofing is unlikely, given you would need a powerful antenna in very close proximity to the airport. This is likely to get you spotted by the police pretty quickly. It is also likely that the pilot would see intermittent “NAV” error flags in their displays telling them the ILS system was unreliable.

TCAS itself uses time of flight and so would be more difficult to spoof, but ADS-B is relatively straightforward to generate from the ground and might be enough of a distraction to lead pilots to switch off the system.
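The time-of-flight ranging described under "What is TCAS?" and the contrast with ADS-B drawn above, as an added example that is not part of the original post or of any TCAS implementation: a broadcast position is treated as trustworthy only when a measured interrogation round trip gives the same range. The turnaround delay, the tolerance, the function names and all positions and timings are assumptions constructed for the illustration.

```python
import math

C = 299_792_458.0        # speed of light, m/s
REPLY_DELAY_S = 128e-6   # assumed fixed transponder turnaround delay (not from the post)
EARTH_R = 6_371_000.0    # mean Earth radius, m

def interrogated_range_m(t_tx, t_rx, reply_delay=REPLY_DELAY_S):
    """Slant range from one interrogation/reply round trip (time of flight)."""
    return C * (t_rx - t_tx - reply_delay) / 2

def claimed_range_m(own, other):
    """Slant range implied by broadcast positions given as (lat_deg, lon_deg, alt_m).
    Flat-earth approximation, adequate over the few tens of km that matter here."""
    mid_lat = math.radians((own[0] + other[0]) / 2)
    north = math.radians(other[0] - own[0]) * EARTH_R
    east = math.radians(other[1] - own[1]) * EARTH_R * math.cos(mid_lat)
    return math.sqrt(north ** 2 + east ** 2 + (other[2] - own[2]) ** 2)

def classify(own, track, tol_m=300.0):
    """Label a track by whether its broadcast position is backed by a measured range."""
    claimed = claimed_range_m(own, track["adsb"])
    if track.get("round_trip") is None:
        return "unverified"          # broadcast only: nothing measured backs the claim
    measured = interrogated_range_m(*track["round_trip"])
    return "validated" if abs(measured - claimed) <= tol_m else "mismatch"

def round_trip_for(range_m):
    """Constructed sample timing for a transponder that really is range_m away."""
    return (0.0, 2 * range_m / C + REPLY_DELAY_S)

# Constructed sample data: own aircraft near 5000 ft and three tracks claiming to be ahead.
OWN = (37.70, -122.90, 1524.0)
AHEAD = (37.70, -122.70, 1524.0)
TRACKS = {
    "replies, range agrees": {"adsb": AHEAD,
                              "round_trip": round_trip_for(claimed_range_m(OWN, AHEAD))},
    "broadcast only": {"adsb": AHEAD, "round_trip": None},
    "replies from elsewhere": {"adsb": AHEAD, "round_trip": round_trip_for(40_000.0)},
}

def classify_all():
    """Run the check over every constructed track."""
    return {name: classify(OWN, track) for name, track in TRACKS.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name}: {verdict}")
```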

Please watch Harshad’s talk which goes into a much deeper dive into the theory and practicalities.

A special thank you to my colleague Phil Eveleigh (@Yekki_1) who managed to get the simulator video sorted at very short notice, thanks Phil!