Mehdi Ziazi, ETH Zurich; Khalid Aleem, Independent; Harshad Sathaye, ETH Zurich; Martin Strohmeier, Cyber-Defence Campus, armasuisse Science + Technology
The Controller–Pilot Data Link Communications (CPDLC) system has become integral to modern air traffic management, particularly in high-density or oceanic airspace where voice communication is limited or unavailable. Designed to increase operational efficiency, CPDLC is an alternative to traditional VHF voice communication with standardized digital messages for altitude changes, heading adjustments, free-text messages, and frequency handovers. However, CPDLC does not implement encryption and relies primarily on protocol complexity and obscurity as a barrier to misuse.
In this work, we present a full-stack security analysis of CPDLC and showcase several vulnerabilities that allow hijacking ATC-Pilot link with rogue ground station attacks and large-scale denial of service attacks that are capable of disabling CPDLC services for all aircraft in radio range. As a proof-of-concept, we also introduce cpdlc-gs, a first SDR based full-stack CPDLC ground-station implementation capable of injecting uplink messages to issue fake CPDLC flight instructions and effective denial of service attacks.
Furthermore, to evaluate cpdlc-gs, together with air navigation service providers and avionics manufacturers, we develop a novel, fully-functional test environment with real, certifiable hardware from Universal Avionics. Through such a setup we conceptualize and validate several attacks and demonstrate that even isolated rogue stations can pose a substantial threat, especially when pilots are under high workload or in degraded communication scenarios. Overall, we argue that the heavy reliance and global adoption of CPDLC make it a high value target, and that the lagging aviation datalink security standard- ization process needs to be urgently addressed