Fancy that: Hacking airliner systems doesn't make them magically fall out of the sky

Study finds most A320 pilots shrug, ignore dodgy systems and land safely

Airline pilots faced with hacked or spoofed safety systems tend to ignore them – but could cost their airlines big sums of money, an infosec study has found.

An Oxford University research team put 30 Airbus A320-rated pilots in front of a desktop flight simulator before manipulating three safety systems: the Instrument Landing System (ILS), the Ground Proximity Warning System (GPWS) and the Traffic Collision Avoidance System (TCAS).

The team, who presented their paper at the NDSS infosec symposium, found that while their attacks against these systems "created significant control impact and disruption through missed approaches", all pilots in the study were able to cope and land their simulated aircraft safely.

Pilots in the study were exposed to false warnings from each of the systems to see what their reactions were. Most of them carried out missed approaches at first and tended to ignore or distrust the "hacked" system while going around to carry out a safe landing.

A go-around is expensive, with airlines racking up bills for extra landings, fuel and delay penalties.

Commenting on their findings, the researchers said in their paper: "Pilots are extensively trained to deal with the many faults which can emerge when flying an aircraft, and this was reflected in the results. However, the attacks generated situations which shared some features with faults but largely were different; they lacked indication of failure."

They added:

Whilst alarms force action they are quickly turned off or ignored if considered spurious.

Lead researcher Matt Smith, explaining the reasoning behind the study, told The Register: "We know these attacks exist but we don't know what would happen if they occurred," adding that there is existing research demonstrating attacks against aeroplanes but little analysing their potential effects in this way.

Terrain ahead. Pull up!

Each of the 30 pilots in the study was put in front of a desktop simulation of an Airbus A330, which Smith explained was because there weren't any good enough representations of the A320 available for the X-Plane simulator used in the experiments. After a familiarisation flight, helped by the fact the A330 is very similar to its short-haul sister aircraft, the experiments began with three simulated flights onto runway 33 at the UK's Birmingham Airport.

For the GPWS phase, Smith's team simulated a false aural alarm, where the system plays the message "Terrain, pull up!" over the cockpit loudspeakers. Pilots are trained to react to the warning so they don't fly into the ground.

On the first approach, two-thirds of pilots went around, while on the second try just over half of those who didn't land the first time round disabled GPWS before trying again, successfully. Those who went around largely did so between 20 and 30 seconds after the false alarm.

Traffic, traffic! Climb now!

Next was the TCAS attack. TCAS works by sensing the location of nearby aircraft fitted with TCAS gear and ordering pilots to climb or descend if algorithms calculate that the two aeroplanes will come too close for safety. Critically, TCAS can cause pilots to ignore air traffic control (ATC) instructions: pilots can bust an ATC-imposed altitude restriction (for example, "maintain 3,000ft") if their TCAS equipment orders them to do so.

On the A320, TCAS has three pilot-selected modes: TA/RA, meaning it gives a visual and audio warning before telling the pilot to "climb now" or "descend now", TA only (audio warnings only without the RA, Resolution Advisory, part – meaning the system does not order pilots to climb or descend) and standby (off). Due to limitations of the simulator, Smith's team were not able to simulate the visual warning on the airliner's cockpit screens.

By triggering a false TCAS RA, the researchers looked to see what the pilots would do, with the experiment including a "descend" RA shortly after takeoff among other activations, which Smith said was not unheard of in some crowded airspace such as the departure routes from Heathrow.

All but one of the pilots obeyed the false TCAS orders at first. On average, pilots "complied with over four RAs before reducing sensitivity", something Smith's team said "shows that there is no straightforward response."

Most of the pilots switched from TA/RA to TA only after false activations, with some turning it off altogether over worries about the "additional workload" and distraction caused by false alarms. Two also diverted their flights back to the origin airport.

Glideslope. Pull up!

For the ILS scenario, Smith's research team moved the position of the glideslope, the radio beam that guides aeroplanes down to safe landings. An ILS system consists of a glideslope, an angled beam that controls how far along the runway the aircraft touches down, and a localiser, which tells it where the middle of the runway is. All experiments were carried out in simulated good weather so pilots could use other visual references to double-check the ILS.

Four of the 30 pilots in the study chose to continue with their landing anyway despite the simulated glideslope having been moved to a point several thousand metres down the runway. A landing too far along the runway would risk the airliner running off the far end into the grass, potentially causing the runway to be closed.

Of the rest, 30 per cent fell back to using the aeroplane's internal GPS system to carry out an area navigation (RNAV) approach, using onboard systems to calculate a glideslope and localiser path without needing the external radio beams. A fifth of the pilots went for a visual approach; landing by looking out of the window and flying accordingly, while a quarter used the localiser beam but judged the touchdown point visually. Two pilots asked for a Surveillance Radar Approach, where ATC does all the hard work of lining the aeroplane up with the runway by looking at the radar screen and giving the pilot course corrections. This depends solely on the airport's own radar and radio equipment being available.

The pilots in the study ranged from captains with more than two decades' flying experience to newly qualified first officers with two or fewer years in their logbooks, giving a reasonably wide cross-section of aviation experience.

Smith mused to El Reg: "If industry engaged with penetration testing on these systems and tried to fully map out what the attacks might be, what they presented to the pilots as, they should at least be able to give a list of situations that might come about as a result of an attack." He added that this could be used to develop situation-specific checklists, much as pilots already have standardised checklist responses for instrument failures.

The full study is on the NDSS website for free download. ®

Similar topics

Broader topics

Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022