
Voice Cloning Air Traffic Control: Vulnerabilities at Runway Crossings

DEFCONConference · 845 views · 22:38 · 6 months ago

This talk demonstrates the feasibility of using AI-based voice cloning to impersonate air traffic controllers and issue fraudulent instructions to pilots. The research highlights critical security weaknesses in the unencrypted, simplex nature of VHF airband radio communications. The speaker illustrates how a sophisticated attacker could exploit these vulnerabilities to cause runway incursions or accidents, particularly in adverse weather conditions. The presentation emphasizes the need for improved authentication and situational awareness systems in aviation.

Why Air Traffic Control is Vulnerable to AI Voice Cloning

TLDR: Modern air traffic control relies on unencrypted, simplex VHF radio communications that are trivial to intercept and spoof. By using ElevenLabs to clone the voice of a controller, an attacker can issue fraudulent instructions to pilots, creating a high-stakes risk of runway incursions. This research highlights a critical failure of the kind described by OWASP A07:2021 (Identification and Authentication Failures) within legacy aviation infrastructure.

Aviation security is often viewed through the lens of hardened, proprietary systems, but the reality of air-to-ground communication is surprisingly fragile. At the core of the problem is the reliance on analog, unencrypted VHF radio. This is not a new vulnerability, but the barrier to entry for exploitation has collapsed. Where an attacker once needed specialized hardware and a convincing human impersonator, they now only need a few seconds of audio and a subscription to a voice synthesis platform.

The Mechanics of the Spoof

The attack flow is straightforward because the medium itself lacks any form of cryptographic authentication. VHF radio is a simplex system, meaning all parties on a frequency hear the same transmission. If an attacker knows the frequency and the call sign of a target aircraft, they can transmit a command that the pilot will treat as legitimate.

The research presented at DEF CON 2025 demonstrates how an attacker can use ElevenLabs to generate a high-fidelity clone of an air traffic controller. By feeding the model just ten seconds of audio from previous communications, the system produces a voice that is indistinguishable from the real controller to the human ear.

When an attacker transmits this cloned audio, they are effectively performing an adversary-in-the-middle attack. Because the system is simplex, the controller also hears their own voice being played back, which creates immediate confusion. In high-stress environments, such as during adverse weather or heavy traffic, this confusion is a force multiplier for the attacker.

Technical Vulnerabilities in Aviation Protocols

The vulnerability is compounded by the lack of modern digital standards in widespread use. While systems like ACARS and CPDLC exist, they are often used as supplements rather than replacements for voice. The primary fallback remains the analog radio, which is inherently susceptible to the MITRE ATT&CK techniques T1557 (Adversary-in-the-Middle) and T1498 (Network Denial of Service).

The technical risk is best illustrated by the "stop bar" failure. Stop bars are embedded runway lights that act as a physical stop sign for pilots. They are designed to be observed even if a controller issues a clearance. However, these systems are often radio-controlled. If an attacker can spoof the controller's voice, they can potentially manipulate the pilot's perception of the runway status while simultaneously interfering with the ground-based safety systems.

Real-World Applicability for Researchers

For a pentester or security researcher, the takeaway is that the "air gap" in critical infrastructure is often an illusion. You do not need to compromise a server to cause a physical-world impact; you only need to compromise the communication channel.

During an engagement, the focus should be on the lack of secondary verification. In aviation, the "Swiss Cheese" model of safety relies on multiple layers of protection. When an attacker removes the layer of authentication by spoofing the controller, they are poking holes through every slice of cheese at once. If you are assessing systems that rely on voice-based authorization, you should be testing for the absence of out-of-band verification. If the system accepts a voice command without a secondary digital handshake, it is vulnerable.

The Defensive Reality

Defending against this requires a shift toward encrypted, authenticated digital links. The industry is moving toward LDACS, which provides the necessary bandwidth and encryption to prevent spoofing. However, the transition is slow. Until these systems are universal, the only defense is increased situational awareness and the strict adherence to visual cues like stop bars, even when a voice command suggests otherwise.

The most effective immediate mitigation is the implementation of secondary, non-voice verification for critical instructions. If a pilot receives a command to cross a runway, the system should require a digital confirmation that is cryptographically signed. This would render voice cloning useless, as the attacker would be unable to generate the required digital signature.
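
An added example (not from the talk or the original page) of the signed digital confirmation described above: the aircraft side accepts a runway-crossing instruction only if the accompanying message authenticates, names its own call sign, is fresh, and has not been seen before. It uses HMAC-SHA256 from the Python standard library as a stand-in for an asymmetric signature; the key, call signs, field names and 30-second window are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would use asymmetric keys per facility.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
MAX_AGE_S = 30  # assumed freshness window for a clearance, in seconds


def _canonical(fields: dict) -> bytes:
    # Stable serialisation so both sides authenticate identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_clearance(key, callsign, instruction, runway, issued_at, nonce):
    """Controller side: bind the instruction to one aircraft, time and nonce."""
    fields = {"callsign": callsign, "instruction": instruction,
              "runway": runway, "issued_at": issued_at, "nonce": nonce}
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


class ClearanceVerifier:
    """Aircraft side: act on a crossing only with a valid digital confirmation."""

    def __init__(self, key, own_callsign):
        self.key = key
        self.own_callsign = own_callsign
        self.seen_nonces = set()  # nonces already accepted, for replay rejection

    def verify(self, msg, now):
        fields = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        supplied = str(msg.get("tag", ""))
        # Constant-time comparison; any altered field changes the expected tag.
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "reject: bad tag"
        if fields.get("callsign") != self.own_callsign:
            return "reject: wrong aircraft"
        if not 0 <= now - fields.get("issued_at", 0) <= MAX_AGE_S:
            return "reject: stale"
        if fields.get("nonce") in self.seen_nonces:
            return "reject: replay"
        self.seen_nonces.add(fields.get("nonce"))
        return "accept"
```

A synthesized voice carries none of these fields, so a spoken instruction with no valid message attached never reaches "accept".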

We are currently in a period where the capability to spoof has outpaced the security of our legacy infrastructure. The next time you look at a system that relies on "trusting the voice on the other end," remember that the voice is now just another data point that can be synthesized, manipulated, and weaponized. The challenge for the security community is to build systems that assume the communication channel is compromised from the start. Stop trusting the medium and start verifying the message.

Talk Type: research presentation
Difficulty: intermediate
Has Demo · Has Code · Tool Released


DEF CON 33 Main Stage Talks

98 talks · 2025