How did old communication technology become a tool in the hands of hackers?
Yemeni Houthis attempted a cyberattack on an Israeli passenger airliner operated by El Al Airlines, en route Phuket-Tel Aviv, in order to intercept control of the plane. The pilots noticed the suspicious route change in time and prevented the incident, but the new method of cyberattack tested by the Houthis may become widespread due to its relative simplicity.
Initially, communication between pilots and dispatchers was carried out exclusively through voice radio communication. With the increasing intensity of air traffic, this method has become less convenient due to the duration of information transmission and the queue for transmitting messages due to a single radio frequency.
In the late 70s, the ACARS system (AOSAC) was developed to automate crew time tracking, equipped with sensors on the doors, brakes and landing gear to accurately determine the time of arrival, departure clearance and take-off/landing of the aircraft. This data is automatically sent to the central computer.
Later, data transmission began to be used for other purposes, in particular, transmitting up – to – date weather data, as well as changes in the flight plan and other parameters, even instrument calibration parameters-this is called CPDLC (DPLPD) - "dispatcher-pilot communication via data transmission line". At the same time, the updated flight plan can be received directly from the airline's MCC, moreover, it will immediately be automatically uploaded to the aircraft's on-board computer.
The ACARS system does not have reliable protection against hacking, since data transmission takes place without encryption over the VHF band, the principle is approximately the same as that of a pager: all messages for all aircraft are broadcast on the air, but each board has its own identifier, thanks to which the on-board equipment "filters" messages transmitted to it. However, any amateur radio operator using a radio receiver and demodulator can read all messages transmitted on the air. And if you take a transmitter, you can easily broadcast the "left" data.
But not everything is so simple: the CPDLC system has a basic authorization mechanism that allows the aircraft to receive commands only from a pre-known ATSU server, whose ID is entered before departure. But at the same time, communication can be maintained with several ATSU, and each of the servers does not have information about which other servers a particular board supports connecting to. This is where an attacker can simulate an ATSU to transmit an incorrect flight plan on its behalf, then mute the broadcast so that the real ATSU does not receive confirmation from the aircraft that the flight plan has been changed.
Equipment for such an attack costs less than $900, but the consequences can be significant, including changing the routes of many aircraft.
Satellite communications can be used as an alternative to ACARS. The simplest way to deal with the attack is to automatically switch to voice communication when the ACARS signal is blocked, which was used by El Al pilots who found a suspicious route in their on-board computer.
Yemeni Houthis attempted a cyberattack on an Israeli passenger airliner operated by El Al Airlines, en route Phuket-Tel Aviv, in order to intercept control of the plane. The pilots noticed the suspicious route change in time and prevented the incident, but the new method of cyberattack tested by the Houthis may become widespread due to its relative simplicity.
Initially, communication between pilots and dispatchers was carried out exclusively through voice radio communication. With the increasing intensity of air traffic, this method has become less convenient due to the duration of information transmission and the queue for transmitting messages due to a single radio frequency.
In the late 70s, the ACARS system (AOSAC) was developed to automate crew time tracking, equipped with sensors on the doors, brakes and landing gear to accurately determine the time of arrival, departure clearance and take-off/landing of the aircraft. This data is automatically sent to the central computer.
Later, data transmission began to be used for other purposes, in particular, transmitting up – to – date weather data, as well as changes in the flight plan and other parameters, even instrument calibration parameters-this is called CPDLC (DPLPD) - "dispatcher-pilot communication via data transmission line". At the same time, the updated flight plan can be received directly from the airline's MCC, moreover, it will immediately be automatically uploaded to the aircraft's on-board computer.
The ACARS system does not have reliable protection against hacking, since data transmission takes place without encryption over the VHF band, the principle is approximately the same as that of a pager: all messages for all aircraft are broadcast on the air, but each board has its own identifier, thanks to which the on-board equipment "filters" messages transmitted to it. However, any amateur radio operator using a radio receiver and demodulator can read all messages transmitted on the air. And if you take a transmitter, you can easily broadcast the "left" data.
But not everything is so simple: the CPDLC system has a basic authorization mechanism that allows the aircraft to receive commands only from a pre-known ATSU server, whose ID is entered before departure. But at the same time, communication can be maintained with several ATSU, and each of the servers does not have information about which other servers a particular board supports connecting to. This is where an attacker can simulate an ATSU to transmit an incorrect flight plan on its behalf, then mute the broadcast so that the real ATSU does not receive confirmation from the aircraft that the flight plan has been changed.
Equipment for such an attack costs less than $900, but the consequences can be significant, including changing the routes of many aircraft.
Satellite communications can be used as an alternative to ACARS. The simplest way to deal with the attack is to automatically switch to voice communication when the ACARS signal is blocked, which was used by El Al pilots who found a suspicious route in their on-board computer.
