Radio Altimeter Spoofing: Tricking the Autopilot
Updated: Jun 7, 2020
What happens if an autopilot system thinks a plane is lower than it actually is? What happens if it thinks it is higher than it actually is? These are the key questions I am trying to answer as part of a team led by Dr. Kirill Levchenko in order to advance the cybersecurity of commercial aircraft.
The spoofing of radio signals is not a new concept. GPS spoofing is one of the most well-known attacks, and in fact it has been proposed as a method to confuse phasor measurement units (PMUs) on a power grid. Spoofing a radio signal comes down to matching the frequency and phasor angle of the sent signal and delaying by the right amount to convey that the ground is a certain distance from the receiver. Radio altimeters, used for the most accurate height measurements under 1500ft, use the measured delay between sending and receiving a radio signal to determine the height off the ground. Spoofing the signal requires measuring the current signal, imitating it, then changing the delay of the signal that you are sending to change the receiver's perceived distance from the ground.
My contribution to this project is to analyze what will happen if a signal is spoofed. If a pilot is flying in purely visual conditions, not relying to heavily on instruments, any spoofed signal is unlikely to be noticed, and the pilot is more likely to trust his experience. However, in cloudy conditions (Category II or III landing), the pilot must rely on instrumentation and autopilot systems. I am studying how all of the relevant instruments and control systems are connected, and predicting how the aircraft will react in different scenarios and configurations.
I am combing through pilot's operating handbooks, communications specifications, pilot's forums, flight simulator training manuals, and other resources to put together a full picture of how the system operates. I am drawing diagrams that describe the conditions for certain landing actions to be taken. I am listing potential alerts, alarms, or notifications that might be set off by the spoofed signal. And I am trying to gain an understanding of how pilot's might react in this scenario. The goal is to gain an initial understanding of the system so that we can develop intelligent tests to perform in simulators, and potentially actual aircraft.
Ultimately the goal of this project is to motivate good defense by showing the worst case scenarios that are possible. Changes to aircraft designs and policies aren't going to be made in academia, but academia can shine the light on some of the potential weaknesses in current systems in order to encourage the industry to make changes before attacks like this are carried out against passenger-carrying planes.