Tagged: instrument landing system

Spoofing Aircraft Instrument Landing Systems with an SDR

Recently Arstechnica ran an in depth story about how a $600 USRP software defined radio could be used to trick an aircraft that is making use of the Instrument Landing System (ILS). ILS is a radio based system that has been used as far back as 1938 and earlier. It's a very simple system consisting of an array of transmitter antennas at the end of a runway and a radio receiver in the aircraft. Depending on the horizontal and vertical position of the aircraft, the ILS system can help the pilot to center the aircraft on the runway, and descend at the correct rate. Although it is an old technology, it is still in use to this day as a key instrument to help pilots land especially when optical visibility is poor such as at night or during bad weather/fog.

Researchers from Northeastern University in Boston have pointed out in their latest research that due to their age, ILS systems are inherently insecure and can easily be spoofed by anyone with a TX capable radio. Such a spoofing attack could be used to cause a plane to land incorrectly. In the past ILS failures involving distorted signals have already caused near catastrophic incidents.

However, to carry out the attack the attacker would require a fairly strong power amplifier and directional antenna lined up with the runway. Also as most airports monitor for interference the attack would probably be discovered. They write that the attack could also be carried out from within the aircraft, but the requirements for a strong signal and thus large power amplifier and directional antenna would still be required, making the operation too suspicious to carry out onboard.

Wireless Attacks on Aircraft Landing Systems

Showing what VOR and ILS Aviation Signals Look like in SDR#

Over on YouTube user RedWhiteandPew has uploaded two videos showing what VOR and ILS signals look like in SDR# with an RTL-SDR dongle. VOR and ILS are both radio signals used for navigation in aviation. 

VOR stands for VHF Omnidirectional Range and is a way to help aircraft navigate by using fixed ground based beacons. The beacons are specially designed in such a way that the aircraft can use the beacon to determine a bearing towards the VOR transmitter. VOR beacons are found between 108 MHz and 117.95 MHz.

RedWhiteandPew writes:

Here I am picking up the VOR beacon from KSJC. The coolest part is at the end of the video. I believe the signal moving back and forth is caused by the Doppler effect, because VORs transmit their signals in a circular pattern. The VOR wiki article has a GIF that shows how it works here https://en.wikipedia.org/wiki/VHF_omn…. If you play and pause the video at different points before I zoom in, you can see that the two signals on the side are the opposite phase.

Listening to a VOR on a Scanner || RTL-SDR Dongle

ILS stands for Instrument Landing System and is a radio system that enables aircraft to land on a runway safely even without visual contact. It works by using highly directional antennas to create four directional lobes (two in the horizontal plane, two in the vertical) that are used to try and ensure the aircraft is centered and leveled on the approach correctly. The ILS frequencies are at 108.1 – 111.95 MHz for the horizontal ‘localizer’, and at 329.15-335.0 MHz for the vertical ‘glide slope’.

RedWhiteandPew writes:

Here I have tuned into one of KSJC’s ILS frequencies. You are able to hear the faint identifier beeping transmitting its ISL ID code which is ISJC. For comparison, I used to morse code translator website.

The reason I am hearing ISJC and not ISLV even though they are on the same frequency is because the localizers transmitting the signal are directional along the length of the runway. Since I am located to the south east of the airport, and I am within its transmitting beam, I am able to listen to it on a scanner.

Listening to an ILS Localizer (RTL-SDR Dongle)

If you’re interested in these signals then this previous post about actually decoding them might be of interest to you.

Decoding Aviation VOR and ILS Signals with RTL-SDR

Previously we’ve posted about how hpux735 (aka William) was able to use an RTL-SDR to decode an aviation VOR navigation signal using GNU Radio and an RTL-SDR. VOR is an acronym for VHF Omni Directional Radio Range and is an older method of navigation used by aircraft.

Now over on YouTube William has uploaded a new video that continues his series on decoding VOR and navigation radio signals. This time he focuses on ILS or Instrument Landing System signals. The ILS is a radio system that is used to help aircraft find and land on the runway safely even in reduced visibility situations such as rain and fog. William’s video explains how ILS works and also shows how he is able to make use of the ILS signal in GNU Radio to extract navigation information.

William has also uploaded some supplemental material to his blog including the GNU Radio grc file and the baseband ILS signal data he collected whilst flying.

VORs and SDRs Part 3: ILS