Aviation leaders will meet this month to tackle safety concerns arising from cyberattacks that spoof GPS systems, as reported by Reuters. These attacks have steered commercial aircraft off course, and the surge in GPS interference poses a threat to aviation security. To help explain this critical issue, this report will discuss general security challenges in civilian aviation without disclosing specific vulnerabilities.
To understand GPS safety concerns, the difference between GPS spoofing and GPS jamming must be noted. Spoofing is the practice of transmitting counterfeit signals to devices in order to deceive them into miscalculating locations. Jamming, on the other hand, uses radio frequency interference to overwhelm receivers with noise, rendering them unable to discern genuine satellite signals. Both issues pose problems but in different ways–one through manipulation, the other through confusion with interference.
GPS Spoofing in West Asia
Since September, OPSGROUP, an organization of pilots, dispatchers, and aviation experts, has been documenting instances of GPS spoofing directed at business and commercial aircraft in the Iraq-Iran region. By September 28, OPSGROUP had collected 20 incident reports, with some citing complete aircraft navigational system failure in airliners and business jets. Todd Humphreys, a prominent researcher in the field of GPS security, speaking for his team at the University of Texas at Austin told Forbes that “what we’ve seen since late September is unprecedented. We have never seen commercial aircraft captured by GPS spoofing before.”
GPS Jamming in the Asia-Pacific
Last March, Australian news sources reported that Qantas, the country’s largest commercial airline, issued a warning to their pilots about GPS jamming caused by Chinese warships in the western Pacific and South China Sea after Qantas aircraft had been subjected to jamming. Furthermore, the International Federation of Airline Pilots’ Associations issued a safety advisory addressing communication disturbances originating from military warships in the Pacific Region. These incidents occurred after China expressed discontent over an agreement between Australia and the United States involving nuclear-powered submarines.
Vulnerabilities in Aviation
GPS was created by the U.S. military and was originally designed with encryption. However, GPS underwent significant changes after the tragedy of Korean Air Flight 007 (KAL 007). In 1983, KAL 007 experienced navigational failure and flew into Soviet airspace. The Soviets mistook KAL 007 for U.S. military aircraft and shot the plane down, killing all 269 people on board. Recognizing the potential for GPS to prevent such tragedies, President Ronald Reagan ordered GPS to be made unencrypted in order to enhance the safety of civilian navigation. To this day, civilian GPS receivers remain unencrypted.
The aviation industry faces additional navigation vulnerabilities that could jeopardize security. Jeff Wise, a pilot and aviation journalist, highlights three aircraft systems in his report for New York Magazine: 1) ACARS, 2) ADS-B systems, and 3) EFBs. ACARS facilitates communication between pilots and airlines, handling various types of data. A compromise in the ACARS system could potentially lead to navigation errors and flight risks. ADS-Bs provide details about a plane’s location and are susceptible to cyberattacks that could manipulate vital information. EFBs are electronic devices, such as an iPad or an Android tablet, that pilots use to interact with a plane’s avionics. Some airlines allow pilots to use EFBs for non-flight related tasks, such as checking emails and downloading personally preferred apps. A scenario of an EFB compromise due to phishing or a malicious backdoor attack raises concerns about potential consequences, such as EFB data related to critical airspace information being manipulated.
Ken Munro, a pilot, ethical hacker, and founder of British cybersecurity firm Pen Test Partners, tested a Boeing 747 for vulnerabilities that could be exploited by attackers. Munro’s team reportedly discovered vulnerabilities where, if numbers were manipulated, a plane could crash. Pen Test Partners and Boeing have been collaborating to enhance aviation security. Regarding ADS-Bs, Jeff Wise stated, “it would be a simple matter to make a plane heading into a restricted area appear as though it were going somewhere else, and vice versa. This kind of thing has already been seen with the equivalent system used by ships.” The system used by ships, referred to by Wise, is called AIS and in 2017, a mass spoofing incident involving more than 20 ships occurred in the Black Sea.
To conclude, the recent incidents involving commercial airplanes emphasize the urgency of addressing evolving cybersecurity threats in civilian aviation. Ongoing geopolitical tensions further underscore a need for proactive measures to safeguard civilian aircraft against evolving risks.
