Aviation attacks based on ILS and VOR vulnerabilities

Aim: As the aviation industry grows more digital and reliant on wireless technology, it has grown more appealing to cyber criminals, including nation-state actors and terrorists. Vulnerabilities in a wide range of networked devices and (sub)systems, as well as their implementations and design defects, can be used to carry out malicious operations. The purpose of this study is to provide a comprehensive survey of threats to aviation communication models. Methods: We present an overview of the aviation threat model and attacks.


INTRODUCTION
An aircraft ecology is complicated, with several components. Air traffic management (ATM), which includes various communication, navigation, and surveillance (CNS) systems, is an example of critical infrastructural components of the aviation ecosystem. To aid navigation, communication systems typically consist of devices that permit the flow of information among devices, systems, and users [e.g., air traffic control (ATC) and pilot]. Surveillance is made easier by data from communication and navigation systems (such as onboard devices and radars), as well as supporting infrastructure. The amount of air travel adds to the difficulty of guaranteeing aviation cybersecurity [1]. A lot of effort has been made in envisioning better and safer systems that not only serve as a minor upgrade but significantly improve upon the existing state of the art. The aviation security market was worth USD 10.78 billion in 2019 and is expected to reach USD 11.45 billion by 2027 at a CAGR of 7.62% [2]. Aircraft manufacturers have not yet fully adopted the practice of proactively redesigning communication systems within the aircraft. More secure aviation communication systems have been long overdue, arguing that cases of existing vulnerabilities being exploited historically are sparse. The absence of worldwide standards and regulations within the aviation sector has also been a point of contention in the implementation of stronger security standards.
Researchers have explored security flaws in widely adopted methods such as automatic dependent surveillance-broadcast (ADS-B) and proposed changes that enhance security while maintaining an acceptable efficiency and latency trade-off. They cover a range of sub-domains:
• Judiciary challenges in enforcing new security models.
• Technical challenges in implementing new methods while ensuring backward compatibility.
• Threat and attack analysis of widely adopted methods and technologies.
• Behavioral analysis of different stakeholders.
While these works add tremendous value to the field, a few concerning patterns are observed. There has been very little testing on real aircraft, and the majority of findings have been obtained by running simulations in a sandbox or by reverse engineering proprietary hardware and constructing prototypes. Methods with strict security constraints are seen to be less efficient and, as a result, introduce latency in the process. The list of air traffic control technologies is shown in Table 1.

Problem statement and our contributions
The aviation sector is the most prominent candidate in the emerging civilian and military activities market. In the aviation system, instead of a wired system, wireless technology is used; thus, these systems have maximum possibilities of attacks. Many departments lie under the aviation sector and still have vulnerabilities to attacks. The existing technology of aviation is not using hiding techniques and still uses Morse code techniques. The frequency-dependent devices are more vulnerable because most devices are open source.
nication.
2. It also identifies new variants of threats and security vulnerabilities and discusses the possible countermeasures to these attacks.
3. A detailed taxonomy predicated on security vulnerability is also discussed. Further, this paper discusses the research aspects and challenges to be taken care of in aviation security and communication.
The purpose of this work is to examine threats in the aviation system, as well as to give a taxonomy and demonstration of attacks. Furthermore, we examine the vulnerabilities and recent assaults on the aviation sector, as well as their future trends.
The paper is organized as follows. In Section 2, the related work is presented. In Section 3, aviation communication technologies are discussed. Section 4 provides a state-of-the-art overview of the current and upcoming aviation attack vectors. The current technical issues in ILS and VOR are discussed in Section 5. Finally, Section 6 concludes the paper.

RELATED WORK
Attacks on aviation systems and their different subsystems are unlikely to go away in the near future. This emphasizes the significance of cybersecurity in the aviation business. Security researchers are trying to make air travel more secure. Ashdown [3] discussed judiciary challenges in designing better security models for aviation systems, especially in an international context, such as the lack of enforcement power held by aviation laws to hold attackers accountable. Suggestions are further made on how organizations such as the International Civil Aviation Organization (ICAO) should handle attacks that are likely to happen as aviation systems transition from legacy communication infrastructure based on radar and ground-based air traffic control to modern communication technologies that tap into the Internet.
The accelerated advancement of unmanned aerial vehicles (UAVs), because of their decreasing price, inflated aerial moveables, and broad scope of implementations, put forward the latest prospects for a line of work in public and private applications. The residing UTM's range is relevant to VLL airspaces that reinforce BVLOS indefinite levels; nonetheless, in the future, UTM will focus on higher airspace levels together with PAVs and CAVs. The faultless BVLOS functioning in both VLL and higher altitudes is indispensable since it accomplishes manned/unmanned airspace integration and collaboration in the middle of them. The aDAA should utilize 360-degree radial computer vision-based spotting mechanics that acknowledge reliable as well as shielded BVLOS functioning. The instantaneous DAA could be accomplished by utilizing conglomerate transmission mechanics such as broadcasting location, V2X communication, satellite, optical, and wireless communication [4][5][6].
WID is a wireless communication structure that makes use of drones as infrastructure that propounds aerial wireless following appliances where ground connectivity is not effortlessly attainable. The definite principle upper hand of WID is the popular wireless network investiture. NR-U WID authorizes wireless technologies to be executed at a low price and with high certainty. The utilization of an unauthorized band has a power ordinance that limits NR-U to be constricted within the compact range region. This is a crucial pitfall for the terrestrial NR-U as the signal, for the most part, agonizes from trail deprivation attenuation, in addition to fading effects [7,8]. The trade for making use of compact unmanned aerial systems (sUAS) to examine the profitability of transmission plus distribution infrastructure is anticipated to extend to 4.1B dollars annually by 2024. Given the fact of diminutive measurement along with the heaviness limitations, sUAS cannot be provided with supplementary assets for security, which makes sUAS uncomplicated to attack set side by side with military UAS, but military UAS are more susceptible to attack due to the way they are utilized. Major (6 attacks) and minor UAS (5 attacks) attacks are equitably endangered; however, small materialistically available UAS might be more at risk than large UAS. There has been a narrowly single openly announced authentic attack on sUAS, and it was a GPS Jamming attack. A questionable GPS jamming along with a GPS spoofing attack was implemented on RQ-170, an enormous fastened wing UAV by Lockheed Martin, ensuring the apprehension of the UAV with slight destruction on its left wing [9,10].

[Table content: per-technology entries for SSR, PSR, MLAT, VHF, ACARS, CPDLC and Secure-ACARS, citing [14]-[34].]
Nguyen et al. [11] proposed the utilization of phase-shift keying modulation to increase the payload of current automatic dependent surveillance-broadcast (ADS-B) and use this extra space as a digital signature to authenticate messages in aviation systems. This method requires no additional modifications to integrate with existing systems (as the resultant modulation on combining standard pulse-position modulation and phase-shift keying modulation is compatible with ADS-B In/Out and can operate along with ADS-B). While this study was performed in the laboratory using hardware-in-the-loop (HIL) simulations and actual flights, tests in commercial airlines are yet to be conducted, which would be a more vital testament to the method's effectiveness. Santamarta [12,13] uncovered vulnerabilities within SATCOM systems that would allow unauthenticated malicious actors to abuse and remotely take control of devices within the system by exploiting backdoors, hardcoded credentials, undocumented and insecure protocols, and weak encryption algorithms. They detailed several methods to exploit vulnerabilities within the system in question, ranging from methods as simple as sending a specially crafted SMS message to gaining access to credentials concealed within the system. While the implications of this study are wide-reaching, it is to be noted that all testing was done without physical access to the equipment. Instead, research was performed by reverse engineering all the devices. The possible attacks concerning technologies are shown in Table 2, while security issues concerning technologies are shown in Table 3.

COMMUNICATIONS, NAVIGATION, AND SURVEILLANCE
The Air Route Traffic Control Center is responsible for controlling the air traffic traveling at and above 18,000 feet within designated control sectors. Terminal Radar Approach Control (TRACON) Facility controls aircraft within a 30 nautical mile radius of the larger airports within the ATC system. Airport control towers are responsible for controlling aircraft within a five nautical mile radius of the airport [35]. An exemplary view of aviation communication technologies is shown in Figure 1.
The National Airways System (NAS) has three techniques to track aircraft: procedural ATC, primary surveillance radar (PSR), and secondary surveillance radar (SSR). Procedural ATC is a dependent surveillance technique; it depends on input from individual aircraft. Pilots are required to report their position using radio communications periodically. It is predominately used in little or no radar coverage areas such as the ocean and remote area flight operations. PSR is an independent and non-cooperative surveillance radar system; it does not depend on any input from the aircraft. TRACON is used in busy terminal areas. SSR is a partially independent and cooperative surveillance radar system; it determines the aircraft's position by combining radar target return and aircraft transponder reply when interrogated by a ground station. It is used for route tracking.

Figure 1. An exemplary scenario of aviation communication technologies [36].
ATC has been in service for more than half a century. Its installation, operation, and maintenance are challenging and costly, especially the ground-based SSR and PSR radar systems. With increased air traffic and aging equipment, although the air transportation system performs adequately, it is reaching its limit. The expected growth in air traffic will likely create costly flight delays and increased flight safety hazards unless a new system is launched. The FAA began working on the Next Generation Air Transportation System (NextGen) in response to these concerns. NextGen is primarily focused on significantly increasing the safety and capacity of air transportation operations. The upgrade requires the actual conversion of the entire NAS, including incorporating satellite-based technologies for surveillance operations and the shutdown of many ground-based systems currently in use. The critical component of NextGen is a position reporting and tracking technology called automatic dependent surveillance-broadcast (ADS-B).

Air traffic control
ATC is the major body in the air traffic management system that connects with both planes and satellites. ATC connects ground networks and data centers, whereas data centers link to the Internet. Satellite and other components, such as aircraft networks, are handled by ground networks. Air traffic controllers use radar to track the position of aircraft in their allotted zone and communicate with pilots through radio. ATC employs the VOR (VHF omnidirectional range) system for aircraft location. The conventional navigation system that operates over VHF is VOR. It transmits VHF radio beacons that provide the station's name as well as the angle to its position relative to the directional signals. Because of the radial character of the received signal, the aircraft can compute the direction it is traveling from the VOR system. The frequency range of the VOR is 112-118 MHz. Doppler VOR (DVOR), a type of VOR consisting of circular installed antennas, is shown in Figure 2.

ADS-B
ADS-B (automatic dependent surveillance-broadcast) technology allows the aircraft to identify its location using satellite navigation and broadcast it on a regular basis; surveillance technology allows the aircraft to be followed.
The lack of security in the ADS-B protocol has been highlighted by security experts and hackers [14]. The research demonstrates the physical restrictions necessary to manage the 1090 MHz ADS-B channel, such as distance and transmitting power [15,16]. Although no security problems have been documented thus far, exploit kits for faking ADS-B signals are widely accessible online, implying that assaults are simply a matter of time [17].
As authorities make the use of ADS-B mandatory in all flights under instrument flight rules, with no exceptions for military, government, or business flights, tracking sensitive aircraft data has become easier. There have been instances of classified military operations being disclosed as a result of the use of ADS-B data [37].

Primary surveillance radar (PSR)
PSR is the conventional radar sensor that sends an electromagnetic wave and receives back the reflected wave from the target (aircraft) to calculate its latitude, altitude, etc. As the detection is based on the reflection of its signal, it is not possible to modify or inject any message. The jamming attack can be performed, but the requirements to carry out the attack make it infeasible.

Secondary surveillance radar (SSR)
SSR is a radar system that responds to interrogation signals from aircraft equipped with radar transponders by delivering encoded data such as the aircraft's identifying code, altitude, etc. Because SSR/Mode S share the same underlying protocol as ADS-B, they are also vulnerable [17]. Further investigation reveals the possibility of radio frequency interference, which might result in ghost aircraft, jamming, or transponder lockouts [19].
In June 2014, a real-world event involving SSR jamming and over-interrogation caused multiple airplanes to vanish from controllers' radar screens in Central Europe on two different occasions [18]. The European Aviation Safety Agency inquiry, however, was unable to identify the perpetrator and declared the attack to be non-malicious. Security experts emphasize that such hostile assaults are feasible [18]. Software-defined radio (SDR) tools play an integral part in attack execution. A comparison of popular SDRs is presented in Table 4.

MLAT
Multilateration is a technique for establishing the position of a target (aircraft) by measuring the "time of arrival" (TOA) of energy waves whose speed is known. MLAT is a verification mechanism for unauthenticated wireless networks that works in tandem with ADS-B. If the ADS-B message received is incorrect, the sender's position can still be determined. Despite the fact that MLAT provides security through physical layer attributes and is difficult to manipulate, real-world MLAT systems rely on combining location and message contents to validate a target's identity and altitude. Because of the reliability of MLAT over ADS-B, the entire system is open to exploits such as Mode A/C/S or ADS-B. A well-coordinated and synchronized attacker might influence the time of arrival of a message to an MLAT system's dispersed receivers and hence fabricate location data [23].

Very high frequency (VHF)
The primary mode of communication utilized to send ATC commands to the aircraft and the pilot's requests to the ATC is voice communication. While VHF remains the primary ATC communication channel to this day, the analog nature of the channel, as well as the fact that broadcasts are not encrypted, allow nearly anybody to listen in on local voice communication and identify aircraft registration numbers. An investigation showed that speech recognition algorithms could be used to automate and scale a tracking strategy, even if blocking measures were utilized to prevent public websites from obtaining the data [38]. Real-world instances of air traffic controller impersonation in Turkish airspace [25] and at Melbourne airport created concern for controllers.

Controlled pilot data link communication (CPDLC)
CPDLC is a two-way data-link technology that allows controllers to send non-urgent strategic signals to an aircraft instead of using voice communications. CPDLC has no authentication or confidentiality and is vulnerable to a variety of attack vectors. The German Aerospace Center has described how CPDLC technology may be deceived and spammed [19]. While there have been no public allegations of malicious tampering, CPDLC's resistance to outside manipulation is unclear. Several investigations have been undertaken for duplicate, delayed, or missing CPDLC communications and unauthenticated ground station logins.

Information services
Technology that provides the pilot with information to improve their situational awareness is known as information services. A list of information services technologies is presented in Table 5.

ACARS
ACARS is a digital communication system that allows messages to be sent between aircraft and ground stations. ACARS may be classified into three kinds based on their contents: air traffic control (ATC), aeronautical operation control (AOC), and airline administrative control (AAC). ACARS flaws can allow for falsified ATC certifications via unauthenticated data transfers. Hugo Teso demonstrated the possibilities of exploiting ACARS to remotely attack a flight management system (FMS) using second-hand gear in 2013. The authors of [32] investigated the insertion of external ACARS signals into FMS.

AVIATION ATTACK VECTORS
Aviation communication technologies being wireless makes access control mechanisms challenging. In addition, the broadcast nature of radiofrequency makes the system prone to various attacks. These attacks have become practical and easily accessible due to the escalation of software-defined radios (SDRs).

Message injection
Because the data connection layer lacks any authentication measures, it is simple for an attacker to construct a transmitter capable of producing appropriately modulated and structured signals. Schafer et al. [15] used an example to demonstrate how ADS-B may be attacked with minimum knowledge and easily available basic technological tools. Other implications of failing to authenticate include denying that a node transmitted any data or claiming to have received contradictory data, making accountability difficult.

Message deletion
Using destructive or constructive interference, attackers can physically destroy genuine communications. Constructive interference can induce bit errors into a message making it unreadable. Due to the necessity of precise and complex timing requirements, destructive interference can be quite difficult. If the conditions are satisfied, the attacker can send the inverse of the signal broadcast by the genuine sender. Because of superposition, the signal may be attenuated or eliminated.

Message modification
Messages can be modified during transmission using techniques such as overshadowing and bit-flipping. During overshadowing, the attacker sends a powerful signal to replace all or part of the target message. The attacker uses bit-flipping to superimpose the signal, altering any number of bits from 1 to 0 or 0 to 1. The authors of [39,40] discussed the feasibility of message manipulation.

Eavesdropping
Listening in on an unsecured broadcast transmission is referred to as eavesdropping. When the protocol broadcasts unsecured communications, attackers may easily eavesdrop. It can be used as a reconnaissance medium for other strikes. It is practically impossible to detect and presents privacy issues. The authors of [41,42] provided a way for users to monitor and track the aircraft's present position, trip trajectory, and other details, thus posing concerns.

Jamming
The attacker uses a sufficiently high-power frequency to prevent a single node or numerous participants from transmitting or receiving messages. Because of the critical nature of data, the impact of jamming in aviation communication technology is significantly greater than in other wireless technologies. Jamming of ATC frequencies is illegal, and while it is feasible to track down the perpetrator, it is insufficient to preserve the ATC system. Wilhelm et al. [43] discussed the viability of jamming.

Defense methods
It is fair to assume that wireless networks always include listeners; hence, the traditional attacker-defender concept would be limited. The cyber-physical method focuses on threat detection and only deploys extra protection if considered essential. Physical layer security ensures confidentiality by utilizing the physical layer features of the communication [44]. Time differences of arrival [23,45], Doppler shifts [46], direction of arrival [47], and angle of arrival [48] are different ways to identify spoofing attacks. Methods of watermarking/fingerprinting are used to identify and authenticate wireless devices and their users. Watermarking entails inserting indicators throughout the communication stream that authentication algorithms can exploit. Fingerprinting works by taking advantage of technological flaws in the hardware and software that enable the connection. Researchers investigated the possibility of watermarking VHF communication [49,50], exploiting differences in transponder implementations on the data-link layer [51].
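The position check described in the MLAT section and the time-difference-of-arrival defense named above can be sketched as follows. This is an added example, not code from the paper or from any deployed MLAT system; the flat two-dimensional geometry, the four synchronized receivers, the timing jitter values, the 150 m tolerance and all function names are constructed assumptions.

```python
import math

C = 299_792_458.0  # propagation speed of the radio signal, m/s

# Constructed sample geometry: four time-synchronised ground receivers (metres,
# flat local x/y plane) and constructed per-receiver timing jitter (seconds).
RECEIVERS = [(0.0, 0.0), (40000.0, 0.0), (40000.0, 40000.0), (0.0, 40000.0)]
JITTER_S = [15e-9, -10e-9, 5e-9, -20e-9]


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def simulate_toas(tx_xy, receivers, t0, jitter_s):
    """Constructed measurements: arrival time of one message at each receiver."""
    return [t0 + dist(tx_xy, rx) / C + j for rx, j in zip(receivers, jitter_s)]


def tdoa_mismatch_m(claimed_xy, receivers, toas):
    """Worst gap (metres) between measured TDOAs and those the claim predicts.

    Receiver 0 is the reference, so the unknown emission time cancels out.
    """
    d0 = dist(claimed_xy, receivers[0])
    worst = 0.0
    for rx, toa in zip(receivers[1:], toas[1:]):
        measured = C * (toa - toas[0])
        predicted = dist(claimed_xy, rx) - d0
        worst = max(worst, abs(measured - predicted))
    return worst


def solve3(a, b):
    """Solve a 3x3 linear system by Gaussian elimination with partial pivoting."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, 3):
            f = m[r][col] / m[col][col]
            for k in range(col, 4):
                m[r][k] -= f * m[col][k]
    x = [0.0, 0.0, 0.0]
    for i in (2, 1, 0):
        x[i] = (m[i][3] - sum(m[i][k] * x[k] for k in range(i + 1, 3))) / m[i][i]
    return x


def locate(receivers, toas, iterations=25):
    """Gauss-Newton fit of (x, y, b) to the arrival times; b absorbs emission time."""
    ranges = [C * (t - toas[0]) for t in toas]
    n = len(receivers)
    x = sum(r[0] for r in receivers) / n  # start at the receiver centroid
    y = sum(r[1] for r in receivers) / n
    b = sum(ranges) / n - sum(dist((x, y), r) for r in receivers) / n
    for _ in range(iterations):
        jtj = [[0.0] * 3 for _ in range(3)]
        jtr = [0.0] * 3
        for rx, m in zip(receivers, ranges):
            d = max(dist((x, y), rx), 1e-6)
            row = [(x - rx[0]) / d, (y - rx[1]) / d, 1.0]  # d(model)/d(x, y, b)
            res = m - (d + b)
            for i in range(3):
                jtr[i] += row[i] * res
                for j in range(3):
                    jtj[i][j] += row[i] * row[j]
        dx, dy, db = solve3(jtj, jtr)
        x, y, b = x + dx, y + dy, b + db
    return (x, y)


def check_claim(claimed_xy, receivers, toas, tol_m=150.0):
    """Compare an ADS-B position claim with where the signal physically came from."""
    estimate = locate(receivers, toas)
    offset = dist(estimate, claimed_xy)
    mismatch = tdoa_mismatch_m(claimed_xy, receivers, toas)
    return {"consistent": offset <= tol_m and mismatch <= tol_m,
            "estimate": estimate, "offset_m": offset, "tdoa_mismatch_m": mismatch}


if __name__ == "__main__":
    claim = (12000.0, 7000.0)  # position stated in the (constructed) ADS-B message
    honest = simulate_toas(claim, RECEIVERS, 5.0, JITTER_S)
    spoofed = simulate_toas((30000.0, 25000.0), RECEIVERS, 5.0, JITTER_S)
    for name, toas in (("honest", honest), ("spoofed", spoofed)):
        print(name, check_claim(claim, RECEIVERS, toas))
```

The check depends on the receivers' clocks being synchronized and on the arrival times themselves being trustworthy, which is the assumption a coordinated attacker targets in the scenario the MLAT section cites from [23].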
The application of machine learning to identify intrusion in the wireless aviation system may be handled in two ways. The first is classification, in which the characteristics of a specific valid user are discovered and confirmed against saved patterns. The use of behavioral biometric speech data from pilots conversing over VHF radio is presented in [25,52]. Second, there is anomaly detection, in which the characteristics of the system's normal state are learned over time, and any divergence from these patterns is alerted for security issues. The authors of [25,52] identified aberrant stress levels and anxiety in the pilot's speech through VHF radio, thereby attempting to discover abnormalities. To avoid false-positives, careful calibration and engineering are necessary.
The authors of [53] discussed the changes in the user experience that occur with the introduction of formal security requirements into an ATC system and investigated whether ADS-B position reports should be utilized as an aircraft's main location source. The authors of [54] summarized the risk and requirement analysis carried out via the ATM system utilizing VHF communication. Creating rules and procedures aids in the enhancement of aviation communication security; they are far easier to implement in practice than implementing new systems and technological adjustments to existing technology. The authors of [55] comprehensively reviewed aviation security activities undertaken by aviation authorities and industry. Flight simulators should simulate cyber attacks [56,57] and release test-run data and mitigation options [58,59]. Aviation professionals and passengers should be educated about the ADS-B security vulnerabilities [58].
SATCOM is used in aviation, maritime, and military sections. The military department is secured, but aviation is not as secured as others. The malware used to attack the aviation SATCOM is the "Mirai BOT". It is a very effective malware, and it is associated with IoT devices. This bot is used to attack the antenna control unit, which is essential for aviation SATCOM. On a recent international flight, two unexpected things were observed: the IP address assigned to the passenger was routable, and an external host was network scanning the routable IPs. The security analyst has a crucial role in aviation [74]. After landing, the security analyst scanned the internal network and said that the FTP, TELNET, and WWW were available for specific IPs. He discovered that the backdoor on the plane's satellite modem data unit (MDU) and the public IP are trying to connect to the telnet service. Further analysis discovered that the compromised router is a part of the IoT botnet, and it is collateral damage. The security analyst finally concluded that the attacker was trying to "brute force attack" SATCOM. The IT infrastructure of the aviation industry is a segment commonly attacked using malware [75]. The most prominent of these is malicious hacking (ransomware, phishing and DDoS) with intent to gain unauthorised access [76][77][78][79]. Block diagram depicting the working of SDR in operation is given in Table 6.

The existing and new security vulnerabilities of ATC protocols (columns: Channel, Protocols [36], Vulnerabilities [36]).

CURRENT TECHNICAL ISSUES
Current ATC communication systems such as ADS-B, primarily being broadcast based, are prone to eavesdropping and are limited because they need to balance elements of the CIA (confidentiality, integrity, and availability) triad. Stronger encryption processes mean lower real-time relaying of messages. Relying on a fixed range of frequencies also means that it is prone to jamming and does not offer high-availability (HA) capabilities. Current systems are also not designed for redundancy. Aircraft fall back to legacy systems when primary systems fail, but this process is inherently flawed, as falling back to previous generation technologies leads to a significant degradation in the quality of service. This means that an attacker could lead an aircraft into losing several navigational capabilities effortlessly. The FAA's NextGen model bypasses the challenges of being a broadcast-based system by routing data over the Internet. While it removes many challenges associated with broadcasting to all listeners in proximity, it has to tackle a whole new range of cybersecurity challenges that any service operating through the Internet would face.
Components within ATC systems could take up to two decades to go from development to full deployment. In a world where new software updates are shipped daily, such an elongated development lifecycle is a significant setback that massively slows down the adoption of newer technologies. The slow certification process is a substantial component of this challenge, adding many years between development and deployment phases. Compatibility requirements enforced by law are another judicial component that slows down the development of new and better technologies within the ATC system. While it might seem pragmatic to reuse existing hardware components and delay significant redesigns, the cost of clearing technological backlogs in the long term is immense.

CONCLUSION
Technological advancements were made to meet the requirement of cheaper and more precise air communication. Safety and security factors in the development did not meet the required level of perfection; although no major attacks have been publicly reported, the threats remain unchanged. People need to be aware of the existing issues in the communication system and work to find a better, safer solution. Different approaches are made to advance existing technologies by integrating security aspects into them. The emphasis on domain-specific knowledge and aviation requirements should be placed on the whole system rather than isolated problems for future security developments. Security threats might not be limited to misuse of easily accessible software-defined radios; unforeseen disruptions are bound to happen in the future. Hence, aviation authorities need to understand the current developments and issues regarding them and work on developing processes that can adapt to the changes and challenges of the future.

Authors' contributions
Made substantial contributions to the conception and design of the survey and analysis of the research, performed data curation: Shristi G, Choudhary G, Sihag V
Performed data acquisition, as well as provided administrative, technical, and material support: Shandilya SK

Availability of data and materials
Not applicable.

Financial support and sponsorship
None.

Conflicts of interest
All authors declared that there are no conflicts of interest.

Ethical approval and consent to participate
Not applicable.

Consent for publication
Not applicable.