Cyber-Defence Campus researchers receive Best Paper Award

Scientists at the Cyber-Defence (CYD) Campus of armasuisse Science and Technology receive the Best Paper Award of the 7th Cyber-Physical System Security Workshop for their research contribution on the security vulnerabilities in communications between air traffic control operators and the crew in aircraft. The paper’s authors explain how an attacker can manipulate the connection between air traffic controllers and the crew of aircraft by using a message injection to give false instructions to the aircraft in the airspace. The CYD Campus employees developed three possible countermeasures to overcome these security risks in airspace.

23.07.2021 | Sarah Frei, Cyber-Defence Campus, armasuisse Science and Technology

Hand on the joystick of a plane cockpit

The Cyber-Physical System Security Workshop brings together experts from academia, government and industry to discuss new methods for coping with the ubiquitous security challenges of cyber-physical systems (CPS). CPS are complex, interconnected systems made up of various components which interact with their physical environment. Many CPS devices and applications perform critical functions in our lives, which is why security is an important aspect of such systems.

Problem for air traffic control in civilian airspace

The aviation industry is in constant operation worldwide and transports a large number of passengers. Smooth operation in this sector depends on a high level of certainty while minimising delays. Air traffic control is essential for the safe and efficient flow of air traffic. The civilian* airspace is subdivided into regions which are managed by different air traffic control operators. These operators guide the aircraft within their region to ensure that the airspace is used efficiently, that aircraft keep sufficient distance from each other and that inclement weather can be avoided.

However, existing civilian* air traffic control systems face capacity problems that can cause delays and conflicts when exchanging important information. In order to overcome these problems, the aviation authorities have developed modernisation programmes to cope with the increasing demand and to reduce delays and emissions to a minimum. For air traffic control communication, this means converting from analogue voice communication to digital data link communication. This enables air traffic controllers to interact with far more aircraft in a given period of time than before. However, digital communication is only as secure as its underlying data connection, and the paper’s authors were able to demonstrate that this connection lacks security mechanisms: none of the usual procedures for authenticating the parties involved or for safeguarding message integrity are used. This can be particularly dangerous as pilots trust the information provided by air traffic control and must follow instructions according to their best judgement. Trust is fundamental to airspace security.

Award letter on Best Paper Award

Attack simulation and identification of countermeasures

In the research paper, the CYD Campus scientists demonstrate how an attacker can carry out an attack on the communication between air traffic controllers and the crew of the aircraft. They show that by hijacking the connection, the attacker can pretend to be a legitimate air traffic controller and then give false instructions to the target aircraft. In addition, the authors go on to show that such attacks are indeed a serious threat. They argue that the vulnerability can pose a significant security risk to aircraft, as the attacks can be carried out by a single motivated attacker.

In a further step, the work identifies and recommends the possible countermeasures for effectively confronting these threats in airspace and dealing with such attacks. These measures range from plausibility checks and alerts to the use of message signatures and encryption. For example, the authors suggest that aircraft use distance alignment to refrain from communicating with senders that are outside their radio horizon, as this indicates an attack. In addition, there are currently a number of situations where erroneous messages are not made known to the receivers. However, in order to inform the crew of a possible attack, it would be useful to warn air traffic control and the flight crew when such faults occur. A more ambitious but long-term solution would be to set up a system that assigns a key pair to each aircraft and each air traffic controller which would be used for signing messages, thus exposing attackers by the absence of a signature. 
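The radio-horizon plausibility check and the alerting described above can be sketched as follows. This is an added example, not code from the paper or from the CYD Campus; the station table, the identifiers, the coordinates and the 10 % margin are constructed assumptions, and the horizon formula is the standard 4/3-earth approximation.

```python
import math

EARTH_RADIUS_KM = 6371.0
HORIZON_COEFF = 4.12  # km per sqrt(m), standard 4/3-earth refraction model

# Constructed table of ground stations the aircraft knows:
# id -> (latitude, longitude, antenna height in metres). Hypothetical values.
KNOWN_STATIONS = {
    "GND-A": (46.24, 6.11, 30.0),
    "GND-B": (40.64, -73.78, 30.0),
}

def radio_horizon_km(aircraft_alt_m, antenna_m):
    """Maximum line-of-sight radio range between aircraft and ground antenna."""
    return HORIZON_COEFF * (math.sqrt(max(aircraft_alt_m, 0.0))
                            + math.sqrt(max(antenna_m, 0.0)))

def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine distance between two points on the earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def check_sender(station_id, ac_lat, ac_lon, ac_alt_m, margin=1.1):
    """Return (accept, alert); alert is None on accept, else text for crew and ATC."""
    station = KNOWN_STATIONS.get(station_id)
    if station is None:
        # Fail closed: a sender with no known position cannot be range-checked.
        return False, f"ALERT: message from unknown station {station_id!r} rejected"
    lat, lon, antenna_m = station
    dist = great_circle_km(ac_lat, ac_lon, lat, lon)
    limit = margin * radio_horizon_km(ac_alt_m, antenna_m)  # margin: assumed tolerance
    if dist > limit:
        # Surface the fault instead of dropping the message silently.
        return False, (f"ALERT: {station_id} is {dist:.0f} km away, beyond the "
                       f"{limit:.0f} km radio horizon; message rejected")
    return True, None

if __name__ == "__main__":
    # Constructed scenario: aircraft near 47.45N 8.56E at different altitudes.
    for sid, alt in [("GND-A", 11000), ("GND-B", 11000), ("GND-A", 0), ("GND-X", 11000)]:
        print(sid, alt, check_sender(sid, 47.45, 8.56, alt))
```

A range check of this kind only filters out implausible senders; it does not authenticate them, which is the job of the key-pair and signature scheme mentioned as the long-term solution.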

* Updated on 4/8/2021 to clarify that only civilian airspace and civilian air traffic are concerned. The technology mentioned in this article (together with its security vulnerabilities) is related exclusively to the civilian sector of aviation.