
Right now we have David Robinson with Navigating Planes in a Hostile Radio World. So, thank you very much.
Yeah. Um, yeah, good afternoon everyone. I'm David. I'm here to talk about navigating planes in a hostile radio space. For those who don't know me, I also go by Carrot. I do security stuff back in Wellington. Also run Kakon before Kawaion. So, if you're over for that, be good to see you there. Also make a bunch of stickers, which I sort of left around the place over the weekend. And yeah, so what are we going to look at today? Going to look at how sort of planes navigate, some attacks on sort of navigation, and have a look at a bit of the pilot's perspective and what air traffic control's perspective would be, and some things we could do about it, and
yeah, we'll sort of go from there. So a little bit of terminology up front. Uh, there's GNSS, the global navigation satellite systems. So these are satellites that provide time so you can get a location. The most common of those, which most people would have heard about, is GPS, the US system, the Global Positioning System. Sometimes I'll say GPS when I actually mean GNSS, because GPS has sort of also become the generic term for GNSS as well. Um, Russia's also got GLONASS, China's got BeiDou, Europe's got Galileo. Those are the ones with sort of worldwide coverage, and Japan and India also have some local satellite systems as well. The other term I'll use a bit
is ATC, air traffic control. Think about people looking at radar screens and in towers and in dark rooms and stuff, making sure planes don't hit each other. So how do planes know where they are? So way back when, we had dead reckoning. So if you knew what time you left and how long you'd been flying for, you know, your direction, your speed, you could figure out where you are. And also a little bit later we started doing some radio technologies, ADF, VORs, LORAN and things like that. So we moved away from them because things like dead reckoning, it didn't factor in sort of wind. So headwinds, tailwinds, crosswinds, which would blow you off course, and factor that in. Radio,
it's sort of costly to run. VORs are still used, but no one's really installing new ones, and they're decommissioning them when they break because it's cheaper to decommission them than to actually fix them. And it also has a failing that it doesn't really cover oceans particularly well, because it's hard to build a big radio transmitter in the middle of the ocean and keep it in one spot. So, how are planes navigating today? So, there's the global navigation satellite systems. In sort of the western countries, still predominantly GPS, because no one's sort of certified, say, Galileo or anything like that from Europe, because aviation's sort of change windows are sort of decades rather than that to get things certified, because
pretty much in aviation, if something's currently safe and not causing incidents, you leave it as it is. You don't want to rock the boat too much unless something bad's happening. Um, there's also inertial navigation systems. So think like your phone: you have accelerometers and gyroscopes, and from that, if you know where you started and how much you accelerated for how long and what your roll and pitch are, you could figure out where you are. And there's also instrument landing systems, so think about landing on the runway. You'll see those little orange aerials at the end of the runways and beside the runways. So the inertial navigation systems have some limitations depending on the age and
the model. They'll drift by about half to one nautical mile. So that's sort of fine for making sure across a big oceanic voyage that you get to North America. Um, it's not so good for actually getting to the actual airport after sort of 14 hours or something. Uh, you have to know the starting location. So before each flight you've got to reset the location correctly. And some of the systems will also reset from GPS or the other satellite systems during the flight. But you have to trust that GPS is still actually giving you an accurate location if you're going to reset your inertial navigation off that. Um, instrument landing systems, they're only sort of useful for landing. They're
quite expensive to set up, but they are very accurate when they are sort of calibrated and stuff, that with the CAT IIIB systems you can land with zero visibility, and the first you know that you're on the ground is when you feel the bump. The pilots won't actually see the runway before that happens. So they can be calibrated quite well, but because of their expense and how they work, they're only good for landing, not sort of for getting to the airport. You've got to be at the airport really. And then, so those are sort of how planes can know where they are. Also, air traffic control and other things need to know where the planes are to make them
so they can instruct them so they don't bump into each other. Um, there's primary radar. So if you think of a radar dish, those spinny things, yeah, that's primary radar. It sends out a radio wave, bounces off the plane, comes back, you know where a little dot is. Additionally, if that plane's been broadcasting sort of digital signals, there is multilateration, which basically, if you look at when the first bit arrives at three or more receivers and you do some math, from that you can actually figure out where the plane is. It's basically, if you think triangulation but reverse. So you know where the receivers are but you don't know where the plane is. It sort of
works like that. So you've got, you know, three receivers, the P's, and then you've got A and B, which are the two possible positions for the plane. And inferring from some other things, you can actually figure out which one the plane is, cuz you know where it's been traveling previously, so which one is more likely to be. Uh, also, modern planes are broadcasting the location. So if you've ever been to Flightradar24 or something, this is what it's working off: ADS-B, Automatic Dependent Surveillance-Broadcast. So twice a second, uh, the planes will broadcast sort of half a message, and you combine them to get the... and that includes location, heading, velocity, altitude, some weather,
crosswinds, all this sort of stuff. And pretty much, so any sort of landing at big airports, there is a requirement to have it if you want to land at a big airport. Similarly, if you're over 26,000 ft, you've also got to have ADS-B. And additionally, a lot of ground vehicles will also broadcast their locations as well, because air traffic control, when you're navigating things around the airport on the taxiways, you also want to know where all the ground vehicles are. So, again, making sure things don't touch. And ADS-B can use multiple different locations for where it gets the location. It can either be GPS or it can also be the inertial navigation system, has a little
flag in the message saying how confident it is in its location. So, what could go wrong with this? We use GPS every day on our phones. It's all good, right? Um, yeah, but, you know, there's been a lot of jamming happening around sort of Russia, the Black Sea, Iran, and stuff. And, you know, it's affected flights. There's lots of newspaper articles about it. So Flightradar24, as said before, there's that Navigation Integrity Category value that comes off, says how confident it is in its location. Flightradar24 maps this. So if it's green, the planes think they know, are fairly confident, where they are, and where you get to red, the planes are
going, hey, the location, I think the location's not particularly good. And then we've got the gray zones, which are either Flightradar doesn't have a receiver or there are no planes flying there. So things like over Ukraine and stuff, there are no sort of planes flying at the moment. And you can see that a lot around sort of the Black Sea, um, up in the Nordic sort of area, and sort of down around Iran and the Gulfs. So how could planes tell there's sort of been a GPS sort of attack? Uh, if there's a sudden jump in location. So you know roughly what your speed is, so you know
where you should be in 5 seconds, 10 seconds, in a minute's time. You should know roughly where you are, if it jumps outside of that. So like impossible travel for your logon systems, the planes can also do a short value impossible travel. Also, you sometimes see time jumps, because GPS broadcasts the time, you do some math off the time in that. So if you're doing an attack, quite often the time will jump as well. Um, and there's sort of three main categories of sort of GPS attacks. There's jamming, which you just send out a lot of noise, interference, and it basically blocks the GPS signal, because the GPS signals are 20,000-ish kilometers away. The actual
signal is lower than the noise floor. So actually GPS is having to find the signal in amongst all the noise, and that's why GPS uses so much battery on your phone, cuz having to, you can't just sort of ignore all the noise floor. It's actually got to look inside the noise floor. Um, there's replay. So if you capture a GPS signal, you can replay it later. This is quite handy because you can also capture the encrypted signals, not just the clear text signals, and replay them. But the fact is, because it's a replay, you don't have so much control over what you can do. And there's spoofing, which is when you send
a valid but wrong signal. You actually are doing all the generation and pretending to be the satellites, and you generate what the satellites will be broadcasting. Though this only works on the non-encrypted signals. So basically, only on GPS, only the military can get their encrypted signals. Civilians cannot, um, because we don't have any of the key material. And this has been happening for a while. I talked about this a few years back at BSides Canberra and also over at DEF CON. Uh, so what does this mean? You know, planes don't know where they are. So which means, hey, they can't possibly fly in some areas. They're going to potentially have to use less optimal routes because they want to stay in a
good coverage area, and that uses more fuel, puts prices up, all that sort of stuff, which is bad for the airlines, bad for the passengers. And sort of the worst situation is, we think back to sort of 1983. There was the Korean Air flight 007, which was from Anchorage down to Seoul. It had, its inertial navigation system drifted because of some crosswinds, I think it was, and it ended up in Russian airspace. The Russian airspace thought it was covering for some US spy mission and they shot it down. And the outcome of that was, they were developing GPS at the time, and at the time it was only going to be a military service. There wasn't
going to be this public, um, unencrypted service, and because of this they decided, oh, actually, for the good of the world we should actually provide some accurate navigation to everyone, because we don't want this situation happening again. And it's quite easy to do. You know, I've done it with sort of just some $500 SDR, Raspberry Pi, some code off GitHub. So actually, to do it at a small range, it's quite easy. Sure, if you want to do it over a bigger range, you're going to need a bigger transmitter with more power. But it's actually quite simple, cuz all the code is available on GitHub. You can also just buy jammers off the shelf, but
they're rather crude. They're not sort of as fun as the spoofing. Um, and so one of the reasons that we are sort of in the situation is the air traffic control, the air navigation systems, they're all trying to save money because, you know, everyone has to save money. So things like the VORs, so the radio-based land stuff, the primary radars are expensive. They're installed to maintain. So as things break, they've been decommissioned. They're not putting new ones in, to the point that New Zealand only has two primary radars for commercial aviation. So most of New Zealand doesn't actually have radar coverage. So how does air traffic control still know where they are? Well, there's the
ADS-B, so the planes can tell ATC where they are. The planes have to have ADS-B Out, which is most of the commercial aviation. But if the plane doesn't know where it is, you're going to have that failing. There's also, as I said before, there's MLAT. You know, the coverage isn't there in New Zealand. They've only sort of covered the Queenstown area, because primary didn't work there because there's hills and there's mountains. But the plane still needs to have at least Mode S, which was the generation of transponders before we had full ADS-B. So Mode S was still a digital message that includes a plane identifier in it. So it was still a digital signal. So you could still
have that first bit, so you could do the timing amongst multiple sites, but yeah, the coverage isn't as good sort of from the air traffic control's perspective. And that, sorry, the New Zealand coverage there. Um, so what other methods, sort of up and coming, could we start looking at? So there's direction finding. So the KrakenSDR, some people may have done this. This is basically a software defined radio that has five different radios in it. You put the antennas out in a particular pattern based on the frequency, and by how the signals arrive, the phasing and the time differences, you can infer a direction. So you can see here, um, is that working? Um, you can see here
that this one here, that's sort of obviously the direction that the transmitter is, because the rest of it is a lot lower. Uh, so how it works is you space the five antennas out in a circle, and from the different phasing and times you calculate the direction. Uh, older forms of direction finding, you actually had a sweeping antenna that would sweep around. You'd look for when it was strongest. You'd go backwards and forwards. You hunted it at the strongest point, and it was either that way or 180 degrees behind you. So you needed to spin round again and figure out which of the two was stronger. Um, so direction finding, it's sort of
similar to MLAT in that you could track down a location. Uh, the benefit of sort of the direction finding is it doesn't have to be a digital message, because you can do it off, say, the voice audio, you can do it off other message types like ACARS, ADS-B, Mode S. But when you're doing it on things like audio and ACARS, there is no sort of plane identifier in a standard format, so you need some other method to actually match it up with a particular plane. So the cost, you know, less than US $1,000. But hey, it's aviation. So that $1,000 becomes sort of a hundred thousand, a million dollars per site because it's aviation.
Um, and then plus all the backend systems to collate and display it out to air traffic control. So hey, but if planes started to have direction finding on them, they could also start locating fact. So if you had a database of where particular TV and radio transmitters are, you could actually lock onto those, and if you could look at, say, a couple of TV towers or some different radio towers, you could start to triangulate where you were based on the directions, and you can cross-reference your location that you're getting from GPS or things or your inertial navigation systems, and you can also track where other planes are if they're broadcasting as well. So there's
the TCAS, which is the traffic, uh, which is the system that, when planes are going to crash into each other, they can detect the other plane and give the pilots instructions. These can also validate that the plane which says it's out to the left is actually out to the left. It's not a malicious tech message as well. So there's actually some benefits, and tied up with other systems on the plane as well. And some of the pros is TV and FM ground stations, they're high-powered. They're difficult to jam because they're sort of in the kilowatt or tens of kilowatt sort of transmitter classes. You're going to need a big generator or big power feed if you
actually want to sort of overpower that sort of signal. And because people are going to notice when TV or FM radio stops, the spectrum management people in the relevant countries are going to be quite good at tracking it down and finding out where you are. Uh, some of the cons for planes is you're going to need a set of radios per frequency you want to monitor. You're going to need that. It's going to be hard to have the relevant antenna array that's sort of tuned for the frequencies, and it's only going to work over land and coastal regions, cuz there's no TV out at the ocean. Some of the pros for ATC sort of using direction
finding is how you can direction find and cross-reference your ADS-B signals. You can also do it off audio signals, but it's not going to be a continuous location. And if you have a few different sites, you can actually sort of triangulate, and you don't need the sort of low latency of timing which you need for your MLAT sites, which makes it a bit easier to implement your system. Another pro for air traffic control is when people decide that it's really fun to get a radio transmitter and pretend to be planes or to pretend to be ATC, you could track them down really quickly and send the police to go and deal with those people.
Um, what's some of the cons is it sort of works in the horizontal plane. It doesn't work so well, particularly at a distance, in the vertical plane. And you'd also need a second set of arrays to do the vertical plane as opposed to just the horizontal direction. And it's going to need more equipment per site compared with MLAT, cuz an MLAT's just a singular receiver per site compared to five. And hey, with voice radio, you sort of don't get an ID. So, other technology: there's passive radar. So again, this is sort of using the existing FM, TV, cell base stations. You need something that has a constant carrier wave, and you need to know and
you need a fixed location for the receiver. So it's only going to be helpful for air traffic control. And basically what it does is it does some really cool physics and maths. It benchmarks the spectrum, and as planes and other objects move through the air and through the radio waves, they reflect it, change the wavelength, change the polarization, change the frequency slightly, and from that you can infer direction, location and all this other cool stuff. And it's quite easy to do. Say you can get a couple of HackRFs. You need two of them, one sort of monitoring that base frequency and the other one sort of looking either side of the base frequency for the changes, and you need
some wires between them so you can actually get the clocks in sync. And is this video going to play? No, it's not. Come on.
Why isn't that working? Okay. Um, and okay, what you can see here is, on the bottom here, you can see how that series of dots is getting closer and closer to the bottom axis. And that's because that plane is moving across. So it's getting closer to the bottom. And that line across in the middle there, that's just the actual TV transmitter that I was monitoring at the time. So hey, pros for ATC: from one location, you get a fix. Needs less radios. It's only going to be two instead of five compared to direction finding. The TV and radio and cell companies, they're paying for their expensive broadcast. They're paying for all the power bill. So that's
quite cool. Someone else is paying for the expensive part, and if you have multiple sites, multiple frequencies, you can really start tying things together, get some cross-referencing going. Some of the cons: unfortunately, there are ITAR restrictions on it. So all the publications and all the maths for passive radar is all public, but implementations are restricted by arms regulations, which is a bit of a pain. And KrakenSDR, which was that direction finder I showed you earlier, had some passive radar code on GitHub, but it was pulled after some lawyers from some government agencies told them that it wasn't such a good idea. But hey, other people put it on GitHub and they haven't been told to
take it down yet, so if you look carefully you can find passive radar code on GitHub as well. So what other ones? There's sort of eLoran. So I mean, back in the day there was LORAN, which was a naval system, uh, location. It sort of got decommissioned as GPS came in. But then with some of this GPS jamming sort of happening in the late teens, people decided, hey, maybe we need a new version, enhanced LORAN. And how that sort of works is it's quite similar to how the satellites work. You have a series of towers that are all in time sync, and based on the time and the phase you can infer a location. It's sort
of only going to be less than 10 m accuracy. So quite good for finding the airport, not so good for landing. Um, yeah, and it sort of started in 2017, 2018, when we started discussing the Black Sea and the North Korean GPS interference. Hey, for planes, because it's now a ground signal as opposed to a satellite signal, it's going to be strong. It's hard to drown out. You know, 10 m is good for navigation but not landing. Hey, but unfortunately there's been a lot of talk about it. Nothing's actually been implemented. No towers have been built. No one's built the avionics yet. No one's actually, I think, finalized the standard, and it's only going to work
about 1,200 km away from the coast, because that's where the transmitters are. But then again, when you're out in the middle of the oceans, from what we've seen, there's less GPS spoofing, because there's no sort of reason to spoof in the middle of the oceans and the Pacific, but it's normally happening close to that. And another cool technology, which particularly we've seen on drones and other sort of last mile delivery options, is earth fingerprinting. So basically you build up a fingerprint of what the Earth looks like. You have a camera looking down and you match it up. So in the bottom there, bottom right, we can sort of see what Google satellite view
looks like, sort of in visible. And then this is sort of a digital fingerprint of what the Earth looks like. You know, some of the pros for sort of navigating a plane: it is fairly difficult to change the terrain at scale. People are going to notice you bulldozing a mountain or building another hill over there. It's pretty difficult to do. Um, some of the cons: you actually need to be able to see the ground. So it doesn't work well in clouds. Not going to work so well at night, potentially, depending exactly if you use a lidar. It might work well at night if you're at a low enough altitude. And it's only going to work over land
because the ocean looks very similar and is forever changing with the waves and swells. So, sort of wrapping up, there's sort of no easy options. Hey, just like security generally, and what we sort of say with a lot of security systems is you need multiple different controls. So if one control fails, there's another one to pick it up. So you have multiple methods that are ideally redundant, and sort of doing it in the land and coastal areas is easier because there's less jamming happening out in the oceans. So what's next is sort of, hey, it's really up to the aviation regulators and the manufacturers and the part suppliers to do their part. So hey, hopefully I've
covered how planes navigate, some attacks on sort of the system, pilots and air traffic control, a bit of what we can do about it. So yeah, thanks to the Kylie and Sylvio and all the volunteers for putting together a great conference. Thank you all for coming and listening. You know, I know it's the sort of last day, last afternoon of the conference. Everyone's getting a little bit tired, a little bit overwhelmed by a lot of content in your brains now. So yeah, thank you all for turning up, and yeah, it's been great talking to you. Thank you.
[applause]
>> Awesome. Thank you for that, David. Does anyone have a question? We've got time for maybe one or two.
>> You're all right, mate.
>> Thanks. With the, uh, with the low Earth orbit stuff, with Kuiper and SpaceX's Starlink, do you think there's some mechanisms that could be tapped into them? They're a bit more jamming resistant, I would hope, because they're 600 k's away rather than 20,000.
>> Uh, yeah. Well, with those low, with those, those are predominantly baked around, they're doing internet service. None of them, as far as I'm aware, have atomic clocks on them and are broadcasting an accurate time signal which you could then use for, um, navigation purposes. So they just don't have that kit on them because they're trying to get them as small and
as possible so they could do more per launch. So I don't think it's something they haven't optimized for, cuz the fact you need a GPS clock, uh, sorry, atomic clock and a lot of infrastructure to keep all that in sync, I don't think it'll be productive with those sort of constellations to have that sort of system.
>> Yeah. Hey, uh, this might be an ignorant question, but similar to earth terrain fingerprinting, can you do radio fingerprinting? Like, so, if a city gives a certain radio fingerprint, could you kind of map, uh, using that?
>> Well, that's kind of what the passive radar is doing, that you get the fingerprint and you can see things
moving through it. Um, but you've got to know your location to monitor the tower, cuz there's so many things like the weather and other things moving through the air. Actually, there is going to be no continual fingerprint. The fingerprint's always changing. So you can't really benchmark it in that same way.
>> Hi, just a quick question about the, uh, methodology you mentioned which had the, uh, fixed stations with common clocking. Um, I understand some of them may use GPS as a common clock source. If that timing source was compromised, how would, uh, geographically diverse, uh, receivers that should share a common clock be, uh, synchronized?
>> So that eLoran stuff, I
think they're putting in some protections, that they'll have a good, either an atomic clock on site or some other high-quality clock, that they can actually do their internal time themselves rather than having to continuously rely on GPS or another satellite system. Yeah.
>> Excellent. Thank you again, David. Another round of applause, please. Thank you.