Spoofing in aviation: Security threats on GPS and ADS-B systems

: Introduction/purpose: The paper provides a review of recent research in the field of GPS and ADS-B spoofing. Systems that rely on satellite positioning technology can be targeted by spoofing in order to generate incorrect positioning/timing, which is accomplished by inserting false signals into the "victim's" receiver. Attackers try to insert false positioning information into systems that, for example, provide navigation of airplanes or drones for the purpose of hijacking or distracting security/safety in airspace surveillance. New concepts of navigation and ATC will thus be necessary. Methods: Using a scientific approach, the paper gives an evaluation of GPS and ADS-B spoofing/antispoof-ing and how spoofing affects the cyber security of aviation systems. Results: Based on the methodological analysis used, the importance of studying spoofing/anti-spoofing in aviation is shown. Conclusion: Although spoofing in aviation is only a potential threat, its technical feasibility is realistic and its potential is considerable; it becomes more flexible and cheaper due to very rapid advancement of SDR technologies. The real risk, in the time to come, are potential spoofing attacks that could occur from the air, using drones. However, aircraft systems are not exposed to spoofing without any defense; receivers can detect it by applying various anti-spufing techniques. Also, pilots are able to detect and solve problems at every stage of the flight. However, due to a possibility of more sophisticated spoofing attacks, international organizations such as ICAO are proactively working to increase GPS and ADS-B systems robustness on spoofing.


INTRODUCTION
The modern aerospace system relies heavily on the use of a number of wireless technologies necessary for the safe and secure operation of this very complex system.Thus, communication between air traffic controllers (ATC) and pilots is realized via VHF (30-300 MHz) radio frequency (RF) channels.The use of the ADS-B (Automatic Dependent Surveillance-Broadcast) wireless communication protocol or the GNSS (Global Navigation Satellite System), as an integral part of the ADS-B, allows the broadcasting of status data (aircraft position, speed, call sign, etc.), while Primary Surveillance Radar and Secondary Surveillance Radar allow locating aircraft and provide relevant information to air traffic controllers.The TCAS (Traffic Alert and Collision Avoidance System), independent of the air traffic control system, enables the detection and warning of potential collisions of aircraft with other aircraft in the air.In addition to the possibility of verbal communication, aircraft usually have the ACARS system (Aircraft Communications, Addressing and Reporting System) which uses RF communication channels, enabling the sending of automated messages in both directions, by aircraft as well as aircraft and other aircraft entities.Also, many radio navigation systems, such as the GPS (Global Position System), the VOR (VHF Omnidirectional Radio Range), the DME (Distance Measuring Equipment) and the ILS (Instrument Landing System), play key roles in different phases of aircraft flight.
Systems based on satellite positioning techniques, such as the GPS and the ADS-B, can be the target of various attacks, including the socalled spoofing attacks -a sophisticated form of RF interference (RFI) which makes the receiver believe it is at a false location.During a spoofing attack, a radio transmitter, a SDR (Software Defined Radio) for example, located nearby, sends fake GPS signals (which mimic authentic satellite signals, but with higher power and different time delay compared to authentic signals) into the target receiver.Thus, "a cheap SDR can make a smartphone believe it's on Mount Everest" (Simsky, 2019).Regarded as a "hoax", "trick", or "deceive" in the IT world, the term, spoof/spoofing has also been used in the aviation field, in recent studies.Related to the structure of the GPS signal (it is public and unlike military GPS signal, this is not encrypted/authenticated), it would not be difficult/expensive for an adversary to build a system that creates signals that would appear to a receiver to be from GPS satellites.Transmitting these false signals to receivers may cause them to lock onto the false signals instead of the authentic satellite signals.Thus, in 2001, the U.S. Department of Transportation assessed the U.S. transportation infrastructure's vulnerability to civil GPS disruption (John A. Volpe National Transportation Systems Center, 2001).Their report known as the Volpe report, considers civil GPS spoofing, a dangerous type of intentional interference whereby a GPS receiver is fooled into tracking counterfeit GPS signals.Spoofing is more sinister than intentional jamming because the targeted receiver cannot detect a spoofing attack and therefore cannot warn users that its navigation solution is untrustworthy.Moreover, even if not fully successful, spoofing usually will inject hazardously misleading information and create significant PVT (Position, Velocity, Time) errors.Ever since, civil GPS receivers remain as vulnerable as ever to this threat.
Recent efforts to modernize ATC have mandated the gradual replacement of the existing analogue radar system with a nextgeneration (NextGen) digital one.Part of this NextGen system is the ADS-B standard.The ADS-B aims at improving aviation safety by enabling aircraft to broadcast navigation information.However, the current ADS-B standard does not provide mechanisms for verifying the integrity of navigation broadcasts.Consequently, the ADS-B system is extremely vulnerable to various spoofing attacks (Schäfer et al, 2013).Therefore, concerns about its safety will continue to increase with the development of ATC and the further popularization and application of the ADS-B.
It should be emphasized that, unlike spoofing attacks from the ground, potential attacks that could be carried out from the air (the attacker is in the air) are still insufficiently investigated (Costin & Francillon, 2012), but they represent a real threat.These attacks can be realized with the use of drones, i.e.UAV (Unmanned Aerial Vehicle), and special attention must be paid to this type of potential attacks.Because of all this, the OpenSky Network research project collects ADS-B reports and makes them available for security/safety analysis and development of spoofing attack detection concepts, as well as locating spoofing devices/sources.Also, the increasing use of UAV/drones and the GPS for their navigation makes these systems interesting targets for the purpose of hijacking or distracting safety/security in airspace surveillance.Thus, the normal navigation performance of drones may be limited due to natural signal noise or intentional RFI, jamming and spoofing.In particular, as for the spoofing of GPS, military GPS signals are encrypted and thus cannot be changed (Spilker et al, 1996), but civilian GPS signals are unencrypted/unauthenticated, and thus a user can arbitrarily generate or change signals.Namely, by using arbitrarily manipulated signals, it is possible to make a UAV target deviate from the existing path and lead the UAV to a target point designated by the spoofer.In recent years, the Federal Aviation Administration (FAA) announced a plan that the entrance of civilian UAV into the airspace of the US would be permitted by September 2015, and Amazon has been trying to implement a delivery system using drones.In this situation, spoofing could be a serious problem for the operation of UAV.In a hypothetical combat situation, manipulating the enemy's GPS receiver would mean taking control of the drone or devices that rely on GPS positioning.For example, in 2018, Russia accused the US of spoofing a drone and redirecting it to attack a Russian air base in Syria (Simsky, 2019).Also, in the last few years, numerous spoofing incidents have been recorded in the seas near the Russian border, and it is assumed that the drones were "transported" to nearby airports.This type of spoofing may have been a defense mechanism for landing spy drones.Namely, most semiprofessional UAV on the market have a built-in geo-fencing mechanism, which automatically lowers them to the ground if they approach airports or other areas with restrictive access.
Modernization and strengthening of aircraft systems through improvements and innovations in design, technology and efficiency is opposed by fragility in the field of cyber security.Cyber security threats are not only an assumption, but some have been realized.An overview of published cyber incidents and potential vulnerabilities of aircraft systems observed by aviation organizations and researchers/hacker community (from 1997 to 2019) is given in the paper (Kožović & Đurđević, 2019).For example, the weaknesses of the ATC system, by introducing a "ghost-plane" into a flight control system, by mimicking the ADS-B signal, by using low-cost technology devices, and software, have been pointed out (Costin & Francillon, 2012).Then, it was shown that radio navigation systems such as the GPS and the ILS (Sathaye et al, 2019) are susceptible to spoofing attacks, and that by spoofing TCAS messages, false messages can create resolution advisories, which forces pilots to resort to collision avoidance maneuvers.
In addition, until recently, the attitude of civil aviation regarding GNSS spoofing was simple (Berz, 2018): "This is not our problem", and this issue was considered to be within the scope of military structures.However, as more attention is paid to common RFI, the approach to spoofing is changing, which was partly initiated by the incident at Hanover Airport in 2010 (Steindl et al, 2013), and which was caused by the interference of GPS repeaters and thus inadequate positioning of the GNSS system.Today, it is known that there is a whole range of intermediate stages of spoofing, from incorrectly tuned repeaters, all the way to what a skilled, but unreasonable person could do by using cheap and widely available spoofing devices.
Although different parts of the aircraft system are exposed to various attacks, and potentially to spoofing, there are certain security solutions and protocols while different working groups, conferences and organizations, such as ICAO (International Civil Aviation Organization), RTCA (Radio Technical Commission for Aeronautics) and EUROCAE (European Organization for Civil Aviation Equipment), continuously analyze and monitor the development of effective antispoofing detection methods, as well as their integration into flight control, communication and navigation systems.For example, RTCA has set as a goal for nextgeneration aeronautical equipment, increasing the security of GNSS to risks in the presence of threats, including spoofing.Current directions in solving spoofing by RTCA and EUROCAE primarily relate to the introduction of new requirements for the detection of spoofing GNSS systems, which allows the use of alternative navigation equipment, without significant safety risks (Hegarty et al, 2018).

GPS: a fundamental concept
The Global Positioning System (GPS) is satellite navigation, i.e. constellation of satellites that emit RF waves in order to accurately determine the position on/near the Earth's surface.They were first used for military purposes (since 1950s), and later (in 1980s) they were made available for wide, civilian use.A common term for different types of globally used satellite navigation systems is GNSS, such as GPS (USA), GLONASS (Russia), BEIDOW (China), etc. GNSS is a system that gives pilots, as well as aircraft systems, precise information about the position of the aircraft, as well as the reference time.
Although the GPS is the only fully operational GNSS "first generation", GLONASS, which covers Russia and neighboring countries, is also available, while Europe is developing a "second generation" GNSS, called the Galileo program, which in 2003 was also signed by China.Today, in addition to GNSS, there are several additional satellite systems, generically called Space Based Augmentation Systems (SBAS) (Sabatini et al, 2017), because they emit additional signals that a particular receiver can decode and use (along with global GNSS signals) in order to improve positioning performance.
The GPS consists of three segments: space 1 , control 2 and user.
The GPS uses satellite transmitters whose locations L i S (coordinates, are known (x i S , y i S and z i S ) are known (Tippenhauer et al, 2011).Each transmitter is equipped with a very precise synchronized clock for measuring the exact system time, t S and emits a navigation signal S i (t), (low auto-/cross-correlation) which contains timestamps and deviations of the satellite from the predicted trajectory.The signal is transmitted at speed .
A receiver , located at the coordinates  (to be determined) and using an omnidirectional antenna, will receive the combined signal of all satellites in the range: ( Where A i is the attenuation that the signal is undergoing on its way from L i S to L, | L i S − L | denotes the Euclidean distance between L i S and , and n(L, t) is background noise.
Due to the properties of the signals S i (t), the receiver can separate the individual terms of sum (equation ( 1)) and extract the relative spreading code phase, the satellite ID, and data content using a replica of the used spreading code.Given the data and relative phase offsets, the receiver can identify the time delay for each satelite, i.e. "ranges": d i = L i S − L, from where, knowing the positions of the transmitter, L i S , one can find the 3-dimensional position,  of the receiver.
However, the receiver clock is delayed, i.e. has a time offset, δ relative to the exact system time, t S , so that the receiver gives "pseudoranges": ( By measuring the distance from each satellite (at least four) and solving the system of nonlinear equations (2) for both  and δ, precise data (position and time) are obtained and then used used for navigation, positioning and accurate time distribution.
Today, GNSS receivers are very cheap and compact devices, and are widely used in various systems (e.g.SCADA), in mobile phones and in many widely used products.The GNSS design allows three basic messages to be broadcasted, namely: • positioning, velocity and time signal, • precise ephemeris data, which determine the exact location of an individual satellite, • an almanac, which determines the locations and orbits of all satellites in the constellation, together with information on the status of the selected tracking satellite.
All types of GNSS satellites broadcast on at least 2 bands: on the frequency L1-encrypted military code, the so-called P(Y) and unencrypted civil code (C/A), as well as frequency L2 (repeat P(Y) code).So, all satellites broadcast on 2 frequencies: 1575.42MHz and 1227.6 MHz.As the GPS uses a wide range of techniques, the so-called multiple code-sharing approach, low-pass message data is encoded by a highlevel pseudo-random sequence which is different for each satellite.Thus, the receiver can distinguish signals (PRN codes) coming from different satellites and message data is transmitted at a speed of 50 bit/s.
Two different encodings are used (Figure 1) (Warner & Johnston, 2002), i.e. two PRN codes: Coarse/Acquisition (C/A) code (so-called gold code) on 1.023 MHz and precision (P(Y)) on 10.23 MHz.The signals are modulated to a carrier signal, L1 and L2, by the binary phase shift keying method which encodes 1 bit per phase shift (Betz, 2002).Carrier L1 is modulated with both C/A and P codes, while L2 is modulated only with P code; the C/A code is public and used by civilian GPS receivers, while the P code can be encrypted, and is only available to military equipment with the appropriate description key.Each L1 signal is composed of a navigation message which provides detailed data on the ephemeris (orbit data) of the satellite.

GPS SPOOFING BASICS
GNSS vulnerabilities (Morales-Ferre et al, 2020) in connection with RFI cause concern and special attention in the field of aviation, i.e. incidents of disappearance of GPS signals in civilian aircraft (especially in areas with political tensions, e.g., Southeast Mediterranean, Black Sea-Caspian Sea axes and Mideast-Canada and the USA via North Pole through Russian airspace) or nearby airports.The reasons for this can be different, such as solar storms, military exercises, etc., but also intentionally provoked RFI, i.e. jamming (EUROCONTROL, 2019).Near airports, uninformed personal privacy devices could also be the cause of GPS jamming.Consequently, jamming can be considered as a realistic and threatening kind of interference.On the other hand, spoofing is a more subtle and potentially even more dangerous threat, where an ensemble of counterfeit GNSS-like signals are injected into a victim receiver with the purpose of inducing a wrong positioning or timing provision of measure (Nicola et al, 2020).Hence, a much more subtle and dangerous form of a GNSS threat is spoofing, in which false signals are inserted/planted into the "victim's" receiver for the purpose of mispositioning or timing.
Although GNSS spoofing is a potential threat (there are still a few confirmed reports of their exploitation in civil aviation), the technical feasibility of spoofing is realistic, and its potential is great.A noticeable difference between legitimate satellite signals and a spoofing signal can be a discrepancy in time, signal direction, intensity, Doppler shift, or the magnitude of the signal-to-noise ratio.However, most receivers are not equipped to detect these differences.Research in this area (Horton & Ranganathan, 2018) shows that almost every device that uses a civilian GPS signal is vulnerable to spoofing, and the application of spoofing becomes more flexible and cheaper due to the very rapid progress of SDR technologies.
The case of interference at Hanover Airport (in 2010), is an example of real "unintentional" spoofing (Steindl et al, 2013), which shows that the detection/immediate warning of GNSS spoofing is a necessary countermeasure to ensure airport safety and security.Namely, a plane which was located near the threshold of the runway of Hanover Airport, and whose aircraft systems functioned according to the repertoire signals for testing the avionics of business planes in the hangar near the threshold of the runway, had the wrong GPS position during the taxiing and takeoff phase.This scenario, although simple, can be used as a starting point for testing a GNSS receiver or any hardware that depends on precise positioning or time data provided by the receiver.Then, during the FAA's installation of a new GPSbased aircraft landing system at Newark International Airport in 2010, it was observed that groundbased GPS receivers (used to assist GPS receivers on the approaching aircraft) also had several interruptions, almost every day.Also, it was previously reported to the FAA (July, 2003) that the switchedon mobile phone simultaneously affected the operation of three different aircraft GPS receivers, causing a complete signal loss; all three GPS receivers used three different antennas, installed on a small plane, and a mobile phone was turned on (without making the call), during the incident, as well as subsequent testing (Nguyen, 2004).
The use of the GNSS in aircraft landing and take-off procedures causes the aircraft system to be vulnerable to spoofing.Most commercial aircraft still primarily use the ILS, but there is also a noticeable increase in interest in using the fully automatic landing system, the GBAS (Ground Based Augmentation System), especially in Europe and Russia.However, the introduction of this system, as an international standard, has been slowed down due to the fact that the GBAS system is not authenticated and can be spoofed.As most GNSS receivers used for the GBAS are positioned on the ground (airports), the height of each aircraft can be spoofed, which can potentially lead to an accident.Also, interfering (accidentally or intentionally) with the aircraft's GNSS receiver in approach or departure would be relatively simple and could lead to significant loss of life.
The use of AGC (Automatic Gain Control) to amplify the GNSS signal, which compensates for the strength of the fluctuating signal, also leads to the vulnerability of the receiver to spoofing (Borowski et al, 2012).It is also very important to consider that the receiver does not have the ability to determine where the signal is coming from (from a locally generated false or legitimate source) since the receiver antenna is usually located at one point in space: if the receiver is not protected, the spoofing signal can be inputed directly via the spoofing source.Or, if the spoofer knows the exact location of the target receiver, then the spoofer signals can be superimposed on the authentic signals.Alternatively, stronger asynchronous signals can be used, but this way of spoofing is effective only when the receiver is in the initial phase of operation (reception) or in case it is "forcibly unlocked" by an interfering signal.
There are different forms of GPS signal spoofing, and they can be classified in different ways, such as according to the level of complexation (Humphreys et al, 2008), to simplified, intermediate and sophisticated, or based on their characteristics, to synchronized (spoofing attack in which the false signal is synchronized with authentic GNSS signals) and unsynchronized.
Thus, in the simplest form of spoofing attacks, the receiver (in tracking mode) can receive a false signal when it loses the reception of the signal from the satellite, so that it can be "locked", i.e. swished to the mode of receiving the spoofing signal.The signals are usually not synchronized with the original signals, which allows the use of simple commercial (COTS) components.Detection of this type of spoofing is relatively simple -the lack of signal synchronization would cause a sudden jump in output signals related to the position of the receiver and time.Also, if the spoofing signals are high, then the monitoring receiver could potentially detect increased activity in the GNSS frequency bands.In a medium-strength (intermediate) spoofing attack, a kind of GNSS simulator is used to produce counterfeit GNSS signals, but they are synchronized with GNSS signals coming from the satellite.Such an attack includes the known location (and path) of the "attacked" receiver, relative to the receiver antenna, to ensure that the false, pseudo-signal band is "aligned" with the authentic codes at the position of the attacked receiver.When the receiver is in the tracking mode, and at the beginning of the attack, the false signals are well enough aligned with the authentic ones, so that the spoofer can take control by gradually increasing the power and successively adjusting the signal.Detection on the target receiver is almost impossible, except when a large number of antennas are used to estimate the signal arrival direction.
A more complex version of intermediate spoofing is sophisticated spoofing in which multiple coordinated "intermediate spoofers" could be used to replicate the content and "align" GNSS signals, as well as their spatial distribution, making this form of attack more difficult to detect.However, in this type of attack, the receiver for monitoring at another location (allocated) is likely to have a sharp increase in the value of the output signals related to the position of the receiver and time, since its position differs from the position of the target receiver.Also, if the spoofing signals are high, then the allocated monitoring receiver could potentially detect increased activity in the GNSS frequency bands.
Numerous methods of spoofing detection and mitigation of spoofing attacks on GNSS (Magiera & Katulski, 2015) are proposed such as AGC surveillance, SNR (signal to noise ratio) monitoring, consistency checking of PVT, cryptographic methods (Hegarty et al, 2018), and monitoring of the correlation function of signals and multiple peaks (Turner et al, 2020).For example, one of the suggested methods is based on checking whether the received signals are modulated with the military P(Y) code, which is usually absent in spoofing signals (Psiaki et al, 2011).Despite being effective, this solution uses two receivers and requires that one of them be protected from spoofing, which is not always possible.
In general, the effectiveness of the proposed antispoofing method depends on the level of sophistication of the device for generating false signals, i.e. scenarios of spoofing attacks, and tests in this area are performed to find sensitive, fast, robust, and reliable methods for detecting spoofing.As most spoofing scenarios use a single antenna to transmit counterfeit signals, the spatial characteristics of false signals differ from the characteristics of authentic GPS signals.Therefore, anti-spoofing techniques based on spatial signal processing can be used as generics, and simulations and tests show that they are very effective in detecting spoofing (Jafarnia-Jahromi et al, 2012).
In aviation, specific requirements for recording all GNSS data relevant to GNSS operations are detailed in the ICAO Guidelines (ICAO, 2006).The State is the lead authority for approving GNSS-based operations and should ensure that GNSS data relevant to those operations are recorded, as well as support periodic confirmation that accuracy, integrity, continuity, and availability are maintained within the limits required for approved operations.Airport control towers and units providing access control services must have data/information on the operational status of airport radio navigation systems, which is essential for the approach, landing and take-off of aircraft.The performance of all navigation systems must be in accordance with the requirements of the ICAO GNSS Signal in Space Performance Requirements (ICAO, 2006).

ADS-B: a fundamental concept
The Automatic Dependent Surveillance -Broadcast (ADS-B) is a modern technological system which combines the existing technical solutions in the field of telecommunications, navigation, and airspace surveillance (Ali, 2016).It is an integral part of the FAA project NextGen and Eurocontrol CASCADE program which should improve the air traffic system in terms of safety, economy, automation, ecology, etc.The special importance of ADS-B technology is emphasized by the allocation of a special category 21 ASTERIX protocol for the exchange of information on aircraft (EUROCONTROL, 2011).
The ADS-B system automatically delivers the necessary data to users (both on the ground and in the air).Its integral part is the GNSS, so that the ADS-B system depends on the accuracy of the positioning system.The ADS-B standard regulates the exchange of broadcast messages between aircraft and ATC ground stations.It can work as a transmitter (ADS-B Out) or a receiver (ADS-B In).The ADS-B In allows the aircraft to receive data which is displayed on the CDTI (Cockpit Display of Traffic Information) interfaces (most often, MFD 3 and EFB 4 devices), and which are emitted by other aircraft positioned in a relatively close environment.The same information is used for TCAS systems.Within the ADS-B Out system, the status information of the aircraft is handed over.
The ADS-B system consists of three interdependent components: • ground infrastructure (GBT stations 5 and antenna system), • aircraft equipment (ADS-B specialized transponder, GPS, receiver, altimeter, CDTI 6 , etc.), • operational procedures (regulatory basis for the implementation and use of the ADS-B system).
Communication within the ADS-B is realized by using the radio system according to standardized communication protocols, such as 1090 MHz extended squitter (1090-ES), 987 MHz Universal Access Transceiver (UAT) and VHF Datalink Mode 4 (VDL-M4), which will be used depends on the type of aircraft (in accordance with the FAA guidelines).Each ADS-B message contains an 8 µs preamble for synchronization and a 56-bit (short) or 112-bit (extended) data block.Thus, an extended ADS-B message has 112 bits which are transmitted using 1090 MHz ("extended squat") data links (FAA, 2010).The ADS-B protocol format with a 112-bit message frames contain a preamble (8.0 µs), which is used to synchronize transmitters and receivers and 112-bit payload which consists of five segments.The first, 5-bit segment contains telecommunication transmission data and refers to the downlink format used to encode broadcast messages, the second, 3-bit segment is the field of choice, while the third, 24-bit segment contains a unique aircraft address.The next 56 bits (ADS-B data) refer to sub-segment data such as flight identification (call sign), position (latitude/longitude), position accuracy, barometric and geometric height, vertical velocity, trajectory angle, and ground spead (Ghose & Lazos, 2015).ADS-B messages are not encrypted: the last 24 bits include a parity check that detects and corrects transmission errors in the messages.ADS-B frames are modulated by pulse modulation with a pulse length of 1 µs.As the ADS-B protocol transmits data at a speed of 1 Mbit/s, the total duration of the ADS-B extended message is 120 µs (including the preamble).

Cyber attacks on the ADS-B
The risks faced by the ADS-B system are essentially related to communications realized by RF waves, i.e. they are related to the fact that messages are transmitted as text and have no encryption.Because of that, they are the main targets of malicious hackers (Kožović & Đurđević, 2019).Thus, the security risks faced by the ADS-B relate to ATC-aircraft connections, and if they are not secure, ADS-B messages may be hacked by authorized/unauthorized persons, especially when messages containing sensitive information are interrupted or eavesdropped.
Attacks on the ADS-B, which can have different levels of impact on aircraft systems, include eavesdropping, jamming, message insertion, message deletion, and message modification (Table 1) (Wang et al, 2020).

Attack type
Purpose of attack Way of attack

Eavesdropping
Eavesdrop operating status information of aircraft (aircraft reconnaissance) Obtain ADS-B data of the corresponding airspace through ADS-B In Jamming Jam the transmission of an ADS-B message in a specific airspace By using an ADS-B transmitting device with sufficient high transmit power in the relevant frequency band

Message injection
Inject fake aircraft into a specific flight scenario, confusing ATC systems (aircraft target ghost injection/flooding) By using a transmitting device with sufficient high transmit power in the relevant frequency band and capable of generating correct modulation and conforming to the ADS-B message format

Message deletion
Delete some or all of the information contained in a message (aircraft disapperance) By implementation at the physical layer through constructive/destructive interference

Message modification
Modifify the information contained in a message (virtual trajectory modification) Realized by overshadowing and bit-flipping at the physical layer of the system and can also be achieved by combining two attack methods Thus, eavesdropping causes minimal damage, because it does not directly damage the ATC system, while deleting messages affects the aircraft surveillance system (the aircraft temporarily disappears from the ATC map), but the aircraft can be identified by radar or multilateral systems.Message modification is a typical "spoofing" attack and has a major impact on the ATC system.For example, a spoofing attack, the so-called "boiled frog" (Chan-Tin et al, 2011), refers to a situation in which an attacker continuously, but to a small extent, changes the information about the position of the aircraft in the CSDP messages.In this case, it is difficult for surveillance technologies such as radar surveillance systems and positioning, to detect small differences which are within the accuracy of adjustment, resulting in inaccurate control of aircraft by air traffic control, as well as delayed system response to prevent collision in the air.

ADS-B spoofing
A spoofing attack on the ADS-B refers to an attack by modifying ADS-B messages, which is realized by inserting fake/falsified messages.It can be considered as an attack from both the ground and the air.An illustration of two different types of spoofing attacks on the ADS-B is given in Figure 2; namely, a spoofing attack by inserting messages and a spoofing attack on the ground station.In the first type of attack, the attacker uses a cheap SDR to re-broadcast a previously recorded message (so-called repeat attacks) or to transmit a newly generated and correctly modulated fake message (attack by introducing a ghost plane).The main goal of the attack is to falsify the presence of the non-existent, i.e. aircraftghost and to cause confusion of the ATC system.In the second type of attack, the attacker modifies the ICAO address in the ADS-B messages using the ADS-B transponder in the air posing as a known/reliable aircraft, thus bypassing surveillance.
Thus, depending on the way the spoofed messages are generated, ADS-B spoofing attacks can be divided into three types (Ying et al, 2019): • message or IQ data 7 replay attack, • ghost aircraft injection attack, and • aircraft spoofing attack.In a message/IQ data replay attack, an attacker from the ground records the content of the messages/IQ data of the received authentic ADS-B messages using an SDR, and then transmits the same messages at a later time without changing the message content.This attack is very sophisticated, because the recorded IQ data contains a lot of information, such as those related to the Doppler effect, the transmitter characteristics, and the channel characteristics, which is difficult to mimic otherwise.In a ghost aircraft injection attack, a ground-based attacker, using an SDR device, transmits fake ADS-B messages with arbitrary content of its choice.In particular, an attacker can simulate the trajectories of non-existent aircraft ("ghosts") and generate appropriate ADS-B messages by carefully selecting Doppler displacements, thus making these "aircrafts-ghosts" visible to earth stations.In an aircraft spoofing attack, an aircraft-based attacker (malicious aircraft) attempts to masquerade as a known or trusted aircraft by spoofing the ICAO address and hide its true identity.Since the aircraft is physically present, the masquerading attack will not be detected even if the secondary radar surveillance system is deployed To detect spoofing, i.e. for the protection of wireless ADS-B communication, various security methods have been proposed, based on the existing cryptographic techniques (Finke et al, 2013;Alghamdi et al, 2018).An alternative to this are necryptographic approaches which are based on signal separation (PHY-layer signal separation) (Leonardi et al, 2017), time and position verification (Schäfer et al, 2015), Doppler shift (Schäfer et al, 2016), etc.The most recently developed methods for ADS-B system spoofing detection are based on the predictions of mathematically set models and network analysis.One of these is the method based on a SODA-DNN (Deep Neural Network) spoofing detector (Ying et al, 2019), whose application allows the detection of spoofing attacks with a very high probability and a very small proportion of false alarms, which is a significant improvement over other state-of-the-art detectors.

CONCLUSION
Systems based on satellite positioning techniques, such as the GNSS and the ADS-B, can be targets of various attacks, including the so-called spoofing attacks -a sophisticated form of attack in which false signals (which imitate authentic satellite signals, but with higher power and different time delay in relation to authentic signals) are emitted.As a result, aircraft will send incorrect information about their position.
One of the most important steps in the modernization of ATC is the transition to the ADS-B wireless communication protocol, of which the GNSS is an integral part.In addition to its advantages, the ADS-B system also has several very important disadvantages, such as dependence on the satellite navigation system (which can be physically damaged, corrupt, or subject to interference) and a very simple protocol, which does not provide full authentication and encryption.All this increases the vulnerability of the ADS-B system to various types of cyber attacks, such as RFI, including spoofing, i.e. deliberately inducing RFI.
Also, the role of GPS/GNSS is constantly increasing, due to the increase in the use of UAV/drones, which is why new concepts of navigation and ATC will be necessary in a "crowded sky" situation, where many unmanned aerial vehicles will share airspace with crews.On the other hand, the increasing use of drones and the GPS for their navigation makes these systems interesting targets for the purpose of hijacking or distracting security/safety in airspace surveillance.
Although the spoofing of the GNSS system is a potential threat -there are still no confirmed reports of their exploitation in civil aviation, the technical feasibility of spoofing is realistic and the potential is great.Research in this area shows that almost every device that uses L1 civilian GPS is vulnerable to spoofing, and the application of spoofing is becoming more flexible and cheaper due to the very rapid advancement of SDR technology.Therefore, the issues of detection and prevention of spoofing attract the attention of researchers in the field of cyber security, and due to possible more sophisticated spoofing terrorist attacks on the aircraft system, ICAO, RTCA and EUROCAE are proactive in improving the robustness of GPS/GNSS to RFI.
However, the aircraft system is not helplessly exposed to spoofing attacks without any defense; by applying various anti-spoofing methods, GNSS receivers can detect spoofing by looking for signal anomalies or using signals designed to prevent spoofing, and advanced interference mitigation technologies use signal processing algorithms.Certainly, the effectiveness of the proposed antispooffing method depends on the level of sophistication of the device for generating false signals, i.e. scenarios of spoofing attacks, and tests in this area are performed in order to find sensitive, fast, as well as robust and reliable methods for detecting and mitigating spoofing.Control Center (the main checkpoint is Shriver Military Base, Colorado) checks the satellite condition, position, speed and altitude.The precise trajectory of the satellite isupdated on average every 4 hours and the data on the updated orbits are sent to the satellites via terrestrial radio antennas.