ATC to ignore the false transmission and take no action.
The departing pilots to accept a new voice and a clearly inferior/weak radio clearance as fact without verifying.
The departing pilots to not have situational awareness of an aircraft previously cleared to land on their runway.
The departing pilots to still not check final approach on the just-falsely-cleared runway before taxiing into position.
The landing pilots to have ignored the false transmission (also from a weak/inferior radio and new voice) clearing an aircraft onto their intended runway.
The landing pilots to not be watching the runway when they break out at minimums. (assuming your foggy day is a worst-case scenario)
The departing aircraft to have already started a takeoff roll and be more than 1,000' down the runway. (aircraft "touchdown zone" is not at the beginning of the runway)
Possible? Yes. Not in my top ten fears as a pilot. Much of ATC is a collaboration between professionals, not a dictatorship. It's really an amazing thing to participate in.
I prefer the crowd-sourcing safety of a completely open channel. Everyone is listening to everyone and can intercede if something weird is happening, including other pilots. Having a completely private channel but stolen credentials (we are all aware this happens all the time) means that you have to completely trust the voice on the other line.
> If I understand correctly, a foggy day + “cleared for takeoff” is all that’s needed for a malicious actor to kill hundreds of people
Only if the real ATC really, really drops the ball.
It's happened a few times, and leads to an immediate "who the fuck was that on this frequency?", and that's likely to result in the pilots in the area treating it like a comms outage.
It clearly hasn’t become too much of a problem yet, but I feel pretty concerned that, given my understanding, it appears there’s only one layer of defense against this type of attack. The response requires 1) the ATC to figure out what happened, 2) the ATC to promptly cancel the takeoff clearance, and 3) the pilot receiving+responding to the cancelled clearance with enough time.
Too many things in that chain can go wrong, especially so given this would all need to happen in just a few seconds. A sophisticated attacker might even be able to jam the signal right after they give the fake clearance or (not entirely certain this is possible) use a highly directional transmitter that would allow the targeted plane to receive the message but not others.
I’m definitely not an expert in this area, so I wouldn’t be surprised if I missed something, but if I didn’t, this appears to be an astonishingly large vulnerability.
It’s just simply something that isn’t as big of a deal as you’re thinking. Hell, we have problems today with idiots on frequency that are technically qualified to be there but are gumming up the works.
When was the last time you authenticated that construction worker directing traffic on the ground?
Pilots fly without a control tower all the time. They’re also the final authority to the safe operation of that aircraft. If anything is amiss, we’ll do something else. Maybe that’ll mean contacting a different facility on a different frequency, or declare lost comms via transponder and go to our filed alternate while things are worked out.
Try listening to LiveATC for an uncontrolled field on a nice weekend day. (Or even a towered airport like KCMA on a Saturday at noon.) It’s controlled chaos and yet we all make it work.
A completely different situation, but a Las Vegas controller had a stroke while on duty not long ago. You can hear in the transmissions that as the situation goes on the pilots stop obeying and begin verifying instructions -https://youtube.com/watch?reload=9&v=Jv1kmuFOhWk.
Not much, but I suspect building and running a crypto infrastructure in a secure way for everything from tiny privately owned aircraft to international carriers isn't easy.
If I understand correctly, a foggy day + “cleared for takeoff” is all that’s needed for a malicious actor to kill hundreds of people