You talkin' to me? Exploring Practical Attacks on Controller Pilot Data Link Communications

Worldwide, voice-based Air Traffic Control (ATC) communications are gradually being replaced with data link-based equivalents, namely the Controller Pilot Data Link Communications (CPDLC) system. This helps to manage the high levels of congestion on voice-based ATC---under modern traffic levels these analog voice channels are extremely busy, especially at times of peak traffic. CPDLC offers the ability to conduct most ATC actions in the form of digital text-based messages. As with voice-based ATC, CPDLC has no built-in security mechanisms. Furthermore, the links which carry CPDLC do not have security mechanisms either. In this paper, we analyze the susceptibility of CPDLC to attacks by a software-defined radio (SDR)-equipped attacker. Crucially, this is different to attacks on aviation surveillance systems, as it requires the attacker to comply with a larger authentication protocol. We identify attacks on CPDLC, including a man-in-the-middle attack on the protocol. This attack enables a take-over of an aircraft's communication on an attacker-specified frequency, after which arbitrary CPDLC commands can be transmitted to the target without alerting the legitimate controller. We empirically assess the likely effectiveness of this attack through a data collection and analysis exercise. In order to counteract this type of attack, we propose three countermeasures of different complexities, including logical checks and a public key infrastructure approach. We also estimate to what extent these countermeasures can be implemented without altering the underlying protocol.