New York: Air Travel Is Not Ready for Electronic Warfare

Airway UM688 cuts an invisible path through the air from Samsun, Turkey, on the Black Sea coast down through Basra, Iraq, on the Persian Gulf and is used heavily by airliners traveling from Europe to the Gulf States. One stretch in particular, a 280-mile-long section in northeastern Iraq, has become a hot topic in pilot forums online. Planes passing through experience all kinds of strange system malfunctions.

“What’s happening is that the plane is flying along normally, everything is very chill, very relaxed, you probably have a foot up on the pedestal and you’re doing your crossword. And then, suddenly, either the plane will start to turn or you’ll get a whole bunch of warnings: terrain failure, navigation error, position error,” says Mark Zee, the founder of OpsGroup, an online forum that collects pilots’ reports. “For the crews, the initial reaction is What the hell is going on?” In at least 15 cases, pilots became so confused that they had to ask air-traffic control to tell them which direction to take. In one incident, a business jet nearly passed into Iranian airspace.

Someone, it seems, has been confusing the planes’ navigation systems by transmitting false GPS signals, a technique called “spoofing.” “Commercial aircraft are having their GPS units captured and taken fully under the control of the spoofer,” says Todd Humphreys, a professor of aerospace engineering at the University of Texas at Austin. “It’s eye-opening and unprecedented.”

The problem has been cropping up not only along UM688 but also in three other hot spots across the Middle East. In all likelihood, the planes affected aren’t being targeted specifically but are suffering the collateral effects of spoofing undertaken for some other purpose. So far, none of the incidents has caused any damage or loss of life, but they shine a light on how susceptible airplanes are to tampering.

Experts say airplanes’ potential security vulnerability isn’t limited to GPS but extends to a wide range of electronic systems. Researchers have known about some of these weaknesses for years, but the potential for their exploitation has remained abstract. Now, the outbreak of spoofing over the past four months is showing the aviation industry what happens when systems get screwed with for real. “It is showing a huge series of vulnerabilities that could be in the future directed at airplanes,” Zee says.

To make matters worse, many of the systems are built upon legacy technologies that were engineered without cybersecurity protection, so it will be difficult or impossible to safeguard them now; it’s like building a house with dozens of windows and then realizing none of them locks. “The level of cybersecurity most aircraft have is not commensurate with the current risks they face,” says John Sheehy, senior vice-president of research and strategy at IOActive, a computer-security firm.

THE VULNERABILITY of the airline industry to malicious hacking is, ironically, a consequence of just how transformative modern computer technology has been in enabling safe, reliable flight. Sophisticated electronics are much more powerful and dependable than the older systems they replaced and have gone a long way toward allowing U.S. carriers to maintain a zero-fatality accident rate over the past decade. But the complexity of these systems creates the potential for multiple avenues of attack.

In the past, ships and aircraft used a combination of not very accurate technologies, like gyroscopes, compasses, and radio beacons, and a technology called inertial navigation that works by adding together small changes in acceleration to determine location and speed. GPS, in contrast, uses a constellation of satellites that sends signals to users on the ground or in the air. By decoding the data in these signals, GPS receivers can determine their location within an error of just a foot.

Invented by the U.S. military, the Global Positioning System was originally encrypted to prevent an enemy from taking advantage of these capabilities. Then came Korean Air Lines Flight 007, a Boeing 747 flying from New York to Seoul in 1983. After crossing the Arctic, a problem with its inertial guidance system sent it veering into Soviet airspace, where a fighter jet — apparently mistaking it for a U.S. military plane — shot it down, killing all 269 aboard. In response, President Reagan ordered an unencrypted version of GPS to be made available to the public so that civilian aircraft would have a reliable form of navigation. At the time, no one apparently foresaw any motive or incentive for tampering with GPS signals, so no provision was made to protect them.

The more useful GPS became — being incorporated into everything from cell phones to wildlife tags — the more potential benefit could be derived from disrupting it. (The technology is so crucial for so many industries that the Department of Homeland Security has called GPS “a single point of failure for critical infrastructure.”) The first kind of attack to occur was called “jamming,” which works by swamping a receiver with noise so it can’t detect the satellite signal. During the second Gulf War, Iraqi forces placed Russian-made GPS jammers near strategically important assets to protect them from GPS-guided precision munitions. “Jamming in even a really relatively localized area can make the difference between a hit or a miss, especially on a reinforced target,” notes Sheehy.

Spoofing is a more sophisticated form of attack. Instead of merely swamping a receiver’s GPS signal with noise, an attacker transmits what appears to be a real GPS signal but with false values swapped in. It’s basically telling the receiver a plausible lie. If jamming is like chopping down a signpost to confuse an invading army, spoofing is like replacing the sign with a fake one. The idea of spoofing was explored by researchers for years before anyone tried it in the real world. In 2013, Humphreys used altered GPS signals to capture a yacht’s autopilot and move it off course.

The first actual GPS spoofing attacks happened a few years later. In June 2017, several dozen ships traveling through the Black Sea found that their GPS units were telling them they were several miles inland, at the location of an airport. Such incidents proliferated rapidly. A 2019 report from the Center for Advanced Defense Studies found that more than 1,311 civilian vessels had been affected in ten locations in Russia, Crimea, and Syria. In each case, the perpetrator appeared to be the Russian government, which was using the technique either to protect high-ranking officials or to assist in the air defense of military assets. That same year, hundreds of ships in the Port of Shanghai found that their GPS units showed them clustered in a ring onshore. When researchers checked data from GPS-enabled fitness trackers in the area, they found the same pattern of spoofing. To this day, no one understands what the purpose of the spoof was or who exactly carried it out — though presumably the Chinese government gave at least tacit consent.

There’s no guarantee that new players in the spoofing game are necessarily state actors. “You can build a GPS spoofing device using publicly available software and commercial off-the-shelf technology for the price of a nice dinner for two,” says one security expert who asked not to be identified.

But even as maritime GPS spoofing spread, aviation remained unaffected. Then came the reports of strange phenomena in the skies over Iraq and elsewhere in the region, where several militaries were all playing. By December 2023, aircraft GPS were getting spoofed to four separate locations, all airports: Ben Gurion in Israel, Baghdad in Iraq, Beirut in Lebanon, and Crimea’s Sevastopol, where Russia’s Black Sea Fleet has come under attack by Ukranian missiles. “I’m sure there’s a geopolitical aspect to it,” says OpsGroup’s Zee. “You have Iraq, you have Iran, you have Kurdistan, you have Turkey involved, you have the United States involved in some way. You need a real geopolitical expert to figure out exactly who is doing what, targeted at whom.”

WHY IS ALL THIS spoofing happening now? One key factor is the emergence of another new technology: cheap, off-the-shelf drones guided by GPS. These became a nuisance to airports around the world when hobbyists started to fly them dangerously close to landing and departing aircraft. In response, drone-makers started incorporating “geofencing” technology that would cause a drone to turn itself off if its GPS indicated it was within the boundaries of a listed airport.

Another important development was Russia’s invasion of Ukraine in February 2022. Vastly outnumbered in jets and tanks, Ukrainians quickly jury-rigged a miniature air force out of off-the-shelf drones carrying improvised munitions — social media were soon flooded with drone-camera footage of Russians getting blasted by bomblets dropped by drones and artillery guided by them. Russia responded in kind, and soon both sides found themselves struggling to defeat swarms of enemy drones. So they turned to what’s known as “electronic warfare,” or EW.

One of the most effective countermeasures was spoofing. By convincing a drone that it’s within an airport geofence, for instance, you can get it to switch off and drift down to the ground. It has been said that drones and EW are to Russia’s war in Ukraine what the tank and the airplane were to World War I, revolutionizing how armies fight. “I really think that this is here to stay,” says Humphreys. “Electronic warfare and small, cheap, attritable drones. They go hand in hand.”

The doctrine has apparently spread. U.S. troops have recently been attacked by Iranian-backed drones in Iraq, as have Israeli troops stationed near Hezbollah-controlled areas of Lebanon. It’s no coincidence that these are the same areas where aircraft have experienced GPS spoofing. Indeed, Israel has already admitted it uses GPS spoofing as a defense against Hezbollah rockets and drones.

The fact that the disruption experienced by airplanes along UM688 and elsewhere has been caused merely as an unintended consequence of electronic warfare being waged elsewhere raises an uncomfortable question: What kind of effects might be seen if someone wanted to target aircraft directly? “In the future, international conflict is going to be fought in the economic domain as much as in the kinetic domain,” says Humphreys. “So bringing another country’s aviation sector to its knees in a conflict is the kind of approach that will be on the table.”

While so far there has been no known example of a plane being maliciously hacked in-flight, a number of cyberattacks have targeted airline operations on the ground. A ransomware attack on the maintenance system of Ravn Alaska forced the airline to cancel so many flights that it went bankrupt. Earlier this month, Boeing admitted that ransomware hackers had breached its defenses and stolen sensitive data, though the company said the hack did not threaten public safety.

Cybersecurity experts warn that it may be possible to maliciously tamper with a plane’s navigation system and lead it off course without the flight crew even being aware. Modern planes still rely on the kind of inertial navigation systems that went wrong on KAL 007, but today they use GPS signals to automatically correct for the system’s drift. If you spoof a signal that tells the plane’s navigation system it’s a small distance away from its actual location, it will accept the false data as plausible, and if you keep doing this over and over, you can gradually lead a plane off course. Such an approach is believed to have been used by Iran when it jammed the GPS system of an advanced U.S. drone flying near Iranian airspace in 2011, then spoofed the signal such that the drone was fooled into landing in Iran. Applied to a commercial aircraft, it could lead an unsuspecting flight crew into hostile airspace, where the plane could be shot down, or into the side of a mountain when descending into a fogbound airport.

ALTHOUGH GPS vulnerabilities have gotten the most attention in recent years, numerous systems aboard modern aircraft are potentially vulnerable to electronic attack. One of them is ADS-B, the system aircraft use to report their position to air-traffic control by transmitting its GPS location, as well as an identifier tag and other information, so air-traffic controllers and other airplanes know where it is at all times. Since the entire system is unsecured, there’s nothing to prevent an ADS-B terminal from lying about its location. It would be a simple matter to make a plane heading into a restricted area appear as though it were going somewhere else, and vice versa. This kind of thing has already been seen with the equivalent system used by ships.

Ken Munro, a partner at the U.K.-based cybersecurity firm Pen Test Partners, says there are numerous other systems attackers could potentially exploit. But it can often be hard for researchers to identify weaknesses in aircraft systems because, unlike consumer electronics, you can’t just pick one up at a store and test it. To get around that problem, he worked out a way to borrow a 747 that had ended up in an aircraft graveyard during the pandemic. “We rang them up and said, ‘Hey, if we pay you for the ground power, can we come and play?’” he says. “And they said ‘yes.’”

Munro’s team was able to hack into the plane through an app called an electronic flight bag, which flight crew use to interact with a plane’s avionics from a mobile device. These are used, for instance, to calculate a plane’s takeoff speed and roll distance. “Through the vulnerabilities we found, we could actually make the calculator spit out the wrong information,” Munro says. “That could cause a plane to crash.” An incorrect figure entered accidentally into a Singapore Airlines 747 in 2003 caused the plane to roll off the end of the runway.

Another system Munro says could easily be compromised is ACARS, which provides text messaging between pilots and their airlines, including updated flight clearances. “Dispatchers will often send a new flight plan to an airplane over ACARS when they’re in the air. And the pilots will click a button on the instrument panel to accept,” Munro says. “There have been a few cases when planes have accidentally been sent the wrong information and they only realized it when they flew west instead of east. If the error was small enough that you didn’t notice, you could get yourself in real trouble.”

Because there are so many aviation regulatory agencies and so many aircraft operators, shoring up the cybersecurity of the entire system will be a tall order, even if there were a sense of urgency about the issue, which so far there isn’t. “The FAA has known about the spoofing threat for over 20 years,” says Humphreys. “Nothing it has done in that time has really addressed the problem. I think it’s disgraceful.”

For Zee and the pilots who turn to OpsGroup for guidance, the issue isn’t what the authorities will do to prevent future security exploits but what they should do right now.

“Pilots have been getting very, very little guidance on what to do from manufacturers of avionics equipment in the past couple of months,” Zee says. “My guess would be that they realize the enormity of the problem and they’re not really keen to kind of go, ‘Yeah, it’s a problem. We should have designed it differently. We didn’t. And now we’ve got to figure out what to do.’”