If you’re an aircraft buff, chances are good that you’ve wondered what all those antennas were. How do the pilots communicate with people on the ground? Where does aircraft Wi-Fi come from? Which antennas do they use for what? Some of these questions have some interesting answers, but none of them are complicated or difficult to understand.
On a recent return flight from Cape Town, I was thinking of the possibilities of collecting evidence from a typical Boeing 747, not only the available “Black Box” data, but more about the devices providing information and data to the Black Box.
I have successfully collected evidence from various devices for forensic purposes, including but not limited to mobile phones, computers, wrist watches, motor vehicles, motorcycles, drones and many different IoT devices. Airborne and seagoing vessels are two categories which require some exploring.
Not knowing much about aircraft, I started to think about the areas which I had some knowledge about. On any aircraft, often on its belly, you will find dozens of antennas that are used, each for a different purpose. Called aerials by a lot of pilots who have been in the business for a while, these antennas are there mostly to help the pilots communicate with other people, and most of them look like lightning rods or other interesting protrusions.
Aircraft antennas can have many different shapes and sizes, which are determined by the manufacturer itself. Antennas, however, are formed more for their function than anything else, and their shape and placement are usually determined by their directional qualities and the frequencies they use to operate. Essentially, these antennas need to be certain shapes and placed in certain spots on the aircraft to operate correctly.
With so many antennas on an aircraft, they must be connected to some intelligent devices that provide crucial information and are exploitable. The first antennas that came to mind were the common radio communications antennas. They are there for effective communication, mounted on either the top or bottom of the aircraft.
The way they work is simple, and their placement is crucial to them being efficient in their purpose. For example, the radio feeding the top antenna usually works best for communicating while the aircraft is still on the ground, while the one feeding the antenna on the bottom of the aircraft will usually work best when the aircraft is in the air. All aircraft would have an HF and VHF radio with the capabilities of AM and SSB transmissions. The primary use is voice communications. The exploitable risk is low unless another transmitter is transmitting on some frequency close to the receiver (jamming communications). The use of SDR is becoming more popular in aircraft due to the small size, multiple features and intelligence in the radio. This also brings new risks and the introduction of added software vulnerabilities.
The next common antenna that came to mind was the GPS antenna. Transmitting less than five watts of power, GPS antennas result in signals that are usually very weak. Because of this, most GPS antennas consist of built-in amplifiers that are designed to boost the signal for the receiver. In addition, the GPS frequency is very high, usually in the gigahertz band, which requires that the GPS antenna be attached to the very top portion of the fuselage. For decades, the Global Positioning System (GPS) constellation has reigned supreme as the world’s go-to navigation tool, guiding everything from aircraft carriers to Uber drivers.
Other communication antennas can cause interference with GPS antennas, which means that the two antennas should be placed as far away from each other as possible. More than likely one of the most important communication devices used on an aircraft, it can be exploited by spoofing the IP. Malicious actors can deliberately disrupt or manipulate the signals, leading to inaccurate or misleading positioning information.
When it comes to landing, the Marker Beacon antennas come to mind. The antenna is on the bottom of the aircraft because, to receive any signal, the antennas must be almost directly over the transmitting ground station. The outer marker, which normally identifies the final approach, is located on the same course/track as the localizer and runway centreline. The antenna is highly directional and is pointed straight forward towards four to seven nautical miles. The beacon is a low-powered transmitter and could be jammed by a nearby transmitter using the same frequency to exploit the marker beacon.
Next up are the Nav antennas, almost always found on the vertical tail. Nav antennas come in three main types. The cat whisker has several rods jutting out from each side of the stabiliser at 45-degree angles. It is a good antenna to have when you’re flying low because it cannot receive signals from the side. A second type, the dual blade, has antennas on either side of the tail. A third type of Nav antenna, the towel bar, is a balanced loop antenna that can easily receive signals from all directions. Towel bar antennas are found on both sides of the tail of the aircraft and are often required for area navigation (RNAV) systems. While those early VOR/DME RNAV systems are very rare these days, the location coding of phantom waypoints is still used throughout aviation. Today, the RNAV umbrella encompasses many different technologies, from GPS/GNSS satellite-based systems to VOR or DME ground-based systems. Since different technologies have different accuracy levels, some standardisation has been introduced to clarify what RNAV technologies can be used, and when. This is especially important for IFR operations.
GNSS is being introduced throughout the world, potentially to meet performance requirements for all phases of flight and to improve the safety and efficiency of air navigation. Identified vulnerabilities of this system are mostly GNSS interference events which have been traced to onboard systems, unintentional interference (e.g. spurious emissions) or harmonics of VHF communications equipment and the out-of-band and spurious emissions from satellite communications equipment. Portable electronic devices can also cause interference to GNSS and other navigation systems. Spoofing refers to the intentional corruption of the navigation signals to cause aircraft to deviate and follow a false flight path. Because of the low power of GNSS signals, it is possible for low power transmitters to jam the GNSS signal.
While there have been no recorded instances of intentional jamming directed at civil aircraft, the possibility of intentional interference must be considered and evaluated as a threat.
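As an added forensic illustration of the interference and spoofing effects described above (this is not code from the original article), the following sketch triages a recorded GNSS fix log for three indicators: collapsed signal strength, gaps in the fix stream, and position jumps no airliner could fly. The record layout, the thresholds and the sample fixes are all constructed assumptions.

```python
import math

# Assumed thresholds for this example; tune them to the recorder and airframe.
MAX_SPEED_MS = 350.0   # upper bound on plausible ground speed
MIN_CN0_DBHZ = 30.0    # carrier-to-noise density below this = degraded tracking
MAX_GAP_S = 2.0        # log is assumed to hold one fix per second

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def triage(fixes):
    """Return (time_s, flag) findings for fixes given as (t_s, lat, lon, cn0_dbhz)."""
    findings, prev = [], None
    for t, lat, lon, cn0 in fixes:
        if cn0 < MIN_CN0_DBHZ:
            findings.append((t, "LOW_CN0"))          # consistent with jamming
        if prev is not None and t > prev[0]:
            dt = t - prev[0]
            if dt > MAX_GAP_S:
                findings.append((t, "FIX_GAP"))      # receiver lost the solution
            if haversine_m(prev[1], prev[2], lat, lon) / dt > MAX_SPEED_MS:
                findings.append((t, "POSITION_JUMP"))  # physically implausible
        prev = (t, lat, lon)
    return findings

# Constructed sample log, not real flight data.
SAMPLE_FIXES = [
    (0, -33.9700, 18.6000, 44.0),
    (1, -33.9690, 18.6010, 43.5),
    (2, -33.9680, 18.6020, 27.0),   # signal strength collapses
    (3, -33.9670, 18.6030, 26.0),
    (4, -33.9000, 18.7000, 45.0),   # about 11 km travelled in one second
    (5, -33.8990, 18.7010, 44.5),
    (12, -33.8920, 18.7080, 44.0),  # seven seconds with no fix recorded
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FIXES):
        print(finding)
```

Each flag marks a point for an analyst to correlate with other recorded sources; none of them proves intent on its own.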
The Radio Altimeter antennas, which look like 150mm-square plates, are placed on the bottom of the aircraft. They are usually either a single- or dual-antenna system, and the radar signal is transmitted straight down and literally bounces off the ground. Radio Altimeters use high frequencies and, therefore, require a secure electrical bond with the skin of the aircraft.
A Radio Altimeter can determine the distance above the ground by measuring the time between the transmission of the signal and when the signal is received. Again, the secure bond of the antenna is a must; otherwise, the system talks to itself and causes false readings. Large aircraft are often fitted with radar or Radio Altimeters which measure height AGL when near the ground. These are often connected to callout systems and coupled to Autoland and other automation systems. Standard callouts in the cockpit of radio altimeter equipped aircraft include 2,500 feet, 1,000 feet, 500, 100, 50, 40, 30, 20, and 10 feet. Radio Altimeters are a great help when over the runway at an airport and help cue the pilot for their landing flare.
Most civil and military aircraft use Radio Altimeters to measure the aircraft’s altitude and feed this information to other aircraft systems such as landing and collision avoidance systems. The Radio Altimeter is instantaneous and accurate but gives no indication of high ground ahead. It is not possible, within the frequency allocation (4200-4400 MHz), to change the frequency (FM) indefinitely. Radar altimeter interference from 5G signals can take the form of loss of radar altitude information or, worse, incorrect radar altitude information unknowingly being generated. Altitude information derived from radar altimeters has been deeply integrated into aircraft systems and automation, with the latest aircraft using it to change aircraft handling qualities and prepare systems such as ground spoilers and thrust reversers for deployment prior to touchdown. This is in addition to radio altimeter use for Autoland.
The UHF antennas are utilized mostly for distance-measuring equipment (DME) and transponders. UHF aircraft antennas are only around four inches long and are always found on the bottom of the aircraft. They can be used for both DMEs and transponders, and their two main types are blade and spike antennas. Spike antennas should only be used for transponders, while blade antennas work best with DMEs. As an example, DME frequencies are paired to VOR frequencies and a DME interrogator is designed to automatically tune to the corresponding DME frequency when the associated VOR frequency is selected.
An aircraft's DME interrogator uses frequencies from 1025 to 1150 MHz. DME transponders transmit on a channel in the 962 to 1213 MHz range and receive on a corresponding channel between 1025 and 1150 MHz. The likely vulnerabilities are time base attacks, DoS attacks, GPS jamming, spoofing and RAIM attacks. Because aviation communication technologies are wireless, access control mechanisms are challenging. In addition, the broadcast nature of radio frequency makes the system prone to various attacks. These attacks have become practical and easily accessible due to the escalation of software-defined radios (SDRs).
Aircraft communication is a critical aspect of aviation that ensures the safe and efficient operation of aircraft. The International Telecommunication Union (ITU) has assigned aircraft analogue voice dialogue in the High Frequency (HF) band between 3–30 MHz and in the Very High Frequency (VHF) band at 118–137 MHz. VHF signals are only line-of-sight but offer much better audio quality. This makes them ideal for aircraft communication where clear and immediate transmission is vital. In this context, VHF is often preferred despite its shorter range.
Advances in networking and semiconductor technologies, along with the ever-widening grid of interconnected and computationally capable products, have promoted the development of the Internet of Things (IoT) used in modern day aircraft. This development naturally poses more and more complex security challenges. One of the key attributes of IoT is that it makes heavy use of wireless communications to allow for mobility and ease of installation. It is important to note this is not just Wi-Fi, but all manner of other Radio Frequency (RF) protocols: Bluetooth, BTLE, ZigBee, Z-Wave, etc. The increasing ubiquity of such devices and networks promises to make life easier (smart locks, smart bulbs, smart home appliances...). However, manufacturers often overlook security in the implementation of these RF communication systems. This brought to mind the use of Software Defined Radio (SDR) against vulnerabilities in IoT devices that use an unknown RF protocol: analysing the frequency, demodulating and decoding the RF signals used by the wireless IoT devices, jamming the target and replaying radio packets.
As wireless systems are becoming more complex, there is a shift towards implementing these systems completely in software and firmware rather than hardware. Software defined radios allow for quick prototyping, testing, and deployment of flexible systems that can be upgraded in the field. However, since these systems are implemented in software, common coding mistakes in the signal processing modules can leave these systems vulnerable to traditional cyber-security attacks.
Utilizing Internet of Things (IoT) sensors, the aircraft collects essential data related to navigation, flight control, and communication systems. The data is constantly updated and made readily available to both pilots and ground control, allowing them to make well-informed decisions.
As software radios become more prevalent in the industry, the risk of these vulnerabilities existing and being exploited in production systems increases significantly. In many cases, wireless security research is focused on the security of specific protocols rather than vulnerabilities in the radios themselves.
Radio communications are used by many different devices to convey and receive data. Since wireless technology has been employed in recent terrorist acts and there is an expanding variety of attack vectors in the radio sector, spectrum forensics are crucial to obtaining intelligence, particularly while the crime is still being investigated and the attackers are still at large.
Most of the wireless acquisition tools on the market work either on Wi-Fi or Bluetooth protocols. Using software defined radio (SDR) technology makes it possible to capture signals regardless of the protocol or modulation. The tools and methods presented by a digital forensic analyst provide the specification and experimental validation of the SDR technology for forensic investigation of potentially vulnerable wireless devices. The case studies reported used radio controls to simulate intruder attacks and walkie-talkies to simulate intelligence gathering during a mock terrorist attack.
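To illustrate the protocol-agnostic capture described above, here is an added example (not code from the original article or from any tool it refers to) that takes raw IQ samples from an SDR recording, locates carriers standing above the noise floor, and labels them with the aviation bands quoted earlier in the text. The capture, sample rate, centre frequency and detection margin are constructed assumptions.

```python
import cmath, math, random

# Band edges in MHz as quoted in the article text.
BANDS = [("HF voice", 3, 30), ("VHF voice", 118, 137),
         ("DME", 962, 1213), ("Radio altimeter", 4200, 4400)]

def power_spectrum_db(iq, fs_hz):
    """Direct DFT with a periodic Hann window; returns [(offset_hz, power_db)]."""
    n = len(iq)
    win = [0.5 - 0.5 * math.cos(2 * math.pi * k / n) for k in range(n)]
    spec = []
    for b in range(-n // 2, n // 2):
        acc = sum(iq[k] * win[k] * cmath.exp(-2j * math.pi * b * k / n)
                  for k in range(n))
        spec.append((b * fs_hz / n, 10 * math.log10((abs(acc) / n) ** 2 + 1e-20)))
    return spec

def find_emitters(iq, fs_hz, centre_hz, margin_db=20.0):
    """Local spectral peaks at least margin_db above the median noise floor."""
    spec = power_spectrum_db(iq, fs_hz)
    floor = sorted(p for _, p in spec)[len(spec) // 2]
    hits = []
    for i in range(1, len(spec) - 1):
        f, p = spec[i]
        if p > floor + margin_db and p >= spec[i - 1][1] and p > spec[i + 1][1]:
            freq = centre_hz + f
            band = next((name for name, lo, hi in BANDS
                         if lo * 1e6 <= freq <= hi * 1e6), "unlisted")
            hits.append({"freq_hz": freq, "band": band,
                         "above_floor_db": round(p - floor, 1)})
    return hits

def constructed_capture(n=256, fs_hz=256_000, tone_offset_hz=25_000, seed=1):
    """Constructed test signal: one unmodulated carrier plus Gaussian noise."""
    rng = random.Random(seed)
    return [cmath.exp(2j * math.pi * tone_offset_hz * k / fs_hz)
            + complex(rng.gauss(0, 0.05), rng.gauss(0, 0.05)) for k in range(n)]

if __name__ == "__main__":
    # Assumed receiver tuning for the constructed capture: 121.000 MHz centre.
    for hit in find_emitters(constructed_capture(), 256_000, 121_000_000):
        print(hit)
```

The direct DFT keeps the example dependency-free; for real recordings of millions of samples an FFT library does the same job.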