The unexpected effects of GPS spoofing on aviation safety

GPS is one service in the Global Navigation Satellite System (GNSS). Others include Russia’s GLONASS and the EU’s Galileo constellations. These are all used to provide Position, Navigation, and Timing (PNT) to civilian users including commercial aircraft.

GPS was actually designed to have military users as a separate class with encrypted signals which are also more resistant to jamming than the civilian ones. It was clearly a design thought that the military would want to disable GPS in an adversary’s area but leave it functional for themselves.

GPS signals are sent from satellites thousands of miles away from the receiver and as such are extremely weak by the time they arrive. It is therefore relatively easy to overwhelm the noise floor and prevent legitimate signals from being heard by the antenna.

GPS jamming is actually a relatively regular occurrence in many parts of the world to the extent it is considered unreliable in parts of the Black Sea and eastern Baltic [https://gpsjam.org] for perhaps relatively obvious reasons.

Spoofing is a more complex endeavour, especially if individual aircraft need to be targeted, but it is still within the reach of an amateur with the right hardware. It should be said of course that doing this is likely to attract the very swift attention of local authorities and is highly illegal!

I’m not so interested in the how, as it’s clearly happening. I’m more interested in the effects.

IRS poisoning

When flying, before we had GPS we had inertial reference systems. This brought unheard of precision when we were previously navigating with long range radio beacons such as LORAN.

Even the latest laser IRS drifts a little, perhaps a mile or more after a 3000 mile trip across the Atlantic. So it’s automatically updated using a more accurate source of position: it’s continually updated from the GPS position to the ADIRUs which serve as a definitive source of PNT data on the aircraft. In actuality if ground based radio navigation beacons are available (VOR and DME) the ADIRU will automatically tune to them and update aircraft position but only if GPS is unavailable.

See the problem? We have a system (IRS) that we use as a backup, now being updated with a system (GPS) that is now reporting the wrong data. So our backup system is also now reporting bad position data.

MMR issues

So once out of an area of position spoofing, it’s all over right?

Here’s the next problem: we use a multi mode receiver(MMR) to aggregate various signals, including GPS. After a coarse spoofing incident, some MMRs will not reset their GPS position.

The reason for this is that the ‘almanac’ that the GPS receiver needs to acquire the satellites is now incorrect. It thinks the satellite positions are where they were prior to the spoofing event.

Hence, the MMR can’t work out where the satellites are supposed to be. In many cases the MMR can only be reset when on the ground and stationary, allowing the almanac to re-sync.

One is now flying with no inertial reference and no GPS. In some cases pilots have had to resort to asking ATC for radar vectors in order to avoid flying in to hostile airspace.

However, whilst flying short haul just before Chrismas, chatting to the pilots they indicated that a new ‘soft reset’ in-flight method had just been relesed to them, allowing an MMR to re-acquire where it had previously been unable. This is good news, though is only for certain MMR types.

Fallback to VHF

Obtaining directions from ATC (aka ‘radar vectors’) is fine, but this creates a significant overhead on the controller. Multiple planes requesting vectors in a short time, as would be experienced in a localised spoofing event, will quickly overwhelm that controller. There’s a risk of safety being affected.

Recent research indicated that the workload for a controller increases by up to five times when radar vectors are requested for en-route flights.

Clock poisoning

This is where things get really interesting. We think of GPS in aviation as a source of position. I remember using early GPS receivers in light aircraft when I was training for my commercial licence. It was awesome seeing the simple precision on position that previously took two time-consuming VOR radial cross cuts.

But that’s not the worrying bit. GPS is time. Connected aviation systems need a precise source of time in order to operate.

We expect digital communications with an airplane to be secure. Of course we do. We need to know that the data that pilots act on is secure. Most modern aircraft now use Loadable Software Aircraft Parts (LSAPs) that are digitally signed using a vendor’s certificates. To validate a certificate you need to know what time it is, and that needs an accurate source of time.

A small number of reports have been made where not only was GPS position was spoofed, but also the GPS time.

Certificate invalidity

In many cases, GPS is the trusted source of time for digital communications. Without a trusted source of time, it can be hard to establish encrypted comms.

An incident has been seen where time was spoofed a significant period into the future. This caused various digital certificates on systems that used GPS time to become invalid. They had done the opposite of expiring, which we are more familiar with; they were simply not even valid yet!

One of the first systems to be affected was the passenger Wi-Fi. Digital certificates are required to protect communications from the plane to the ground station (be it over satellite or downward facing beam forming LTE). Now that the digital certs were invalid, the service failed.  This prevented passengers from accessing the internet, but it also took down some cabin crew services.

The cockpit crew also use satellite comms in areas where ACARS is not accessible over VHF. Increasingly, digital cockpit communications are being migrated to satcom for efficiency and cost reasons.

One such system is CPDLC, or controller-pilot datalink communications. If the plane and controller time is out of sync by more than a second, the connection will fail. This increases controller workload and increases the chance of an error as communications are moved to voice over radio.

Almost every LRU and piece of software running in common compute workloads (Airbus’ CPIOM and Boeing’s GPM) depend on valid time.

Whist there is always the backup of voice, workload is increased for pilot and controller and the safety benefits of digital communications are lost.

Recovery challenges

Many GPS receivers are protected against rollback. That’s pretty sensible, as why would time change? However, they can deal with roll forward, to handle the addition of leap seconds for example.

This creates a problem: time can be spoofed forward in the future, but not backwards. The challenge therefore after a time spoofing event is resetting the GPS clocks on board.

In one occasion, this has resulted in a complex engineering effort to reflash multiple systems on board, taking the plane out of service for two weeks.

Depending on the age and avionics fit of an airplane, the source of time for different systems may vary. The resistance of various receivers to spoofing and ability to recover also varies. There is significant effort going in to identifying the spoofing and recovery resistance of each. Even outwardly identical planes may have different resistance to spoofing.

Challenges

We are increasingly reliant on GPS; many ground based navigation and approach aids are being retired for reasons of cost, in favour of GPS. A great example of this would be an instrument landing system. These are expensive to maintain and are being retired and replaced by GPS approaches. This is fine, except when GPS can no longer be relied upon. An incident occurred at Tartu airport in Estonia where GPS interference resulted in some commercial airlines not being able to land there for a month or so.

In the meantime, we have to rely on pilots acting swiftly and safely, which they invariably do. The Quick Reference Handbooks we uses generally specify that a pilot should switch to local time if they suspect spoofing, or expect it to occur based on reports. This places too much reliance on the pilot in my view; we have to develop better ways to address spoofing.

Solutions

The solution appears to be using hybrid GPS. This involves correlation from GPS and multiple other sources, including ground-based radio navigation aids. Galileo also contains message authenticity but is not in as widespread usage yet.

My concern is that many of these navaids are being retired on the grounds of cost. If we remove these aids before we have fully addressed the issues of spoofing, then we may not have any additional points to cross check our GPS position with.