A hacker attack that leads to planes dropping from the sky is the stuff of every cyberwar doomsday prophesy. But some security researchers imagine a less sensational, if equally troubling possibility: Hundreds or thousands of aircraft radioing their approach to an air traffic control tower, and no way to sort through which are real and which are ghost plane signals crafted by a malicious hacker.
At the Black Hat and Defcon security conference this week in Las Vegas, two security researchers plan to give separate talks on the same troubling issue: By 2020, a new system known as Automated Dependent Surveillance-Broadcast or ADS-B will be required as the primary mode of aircraft tracking and control for commercial aircraft in the U.S.–earlier in other countries such as Australia. And both researchers say that ADS-B lacks both the encryption necessary to keep those communications private and the authentication necessary to prevent spoofed communications from mixing with real ones, potentially allowing hackers to fabricate messages and even entire aircraft with radio tools that are cheaper and more accessible than ever before.
“Anyone can technically transmit these messages,” says Andrei Costin, a Ph.D. candidate at the French security institute Eurecom who plans to give a talk called “Ghosts In The Air (Traffic)” at Black Hat. “It’s practically possible for a medium-technical savvy person to mount an attack and impersonate a plane that’s not there.”
ADS-B promises to make air traffic control easier, cheaper and in many ways safer by allowing planes to transmit their locations by radio frequency instead of depending on towers to use radar to track and coordinate them. But without encryption or authentication, ADS-B both exposes flyers to more potential tracking and fails to provide a trusted authority for planes’ location to the same degree as radar, says Costin.
Anyone with a radio tuned to the system’s 1090 megaherz frequency can listen in and track planes. That’s a notion that may disturb some privacy-conscious flyers, but it’s hardly a new phenomenon—sites and apps like FlightAware and PlaneTracker already make that data available from the FAA’s databases.
More troubling is the ability to fabricate fake signals that are indistinguishable from real ones. Using a software-defined radio, a PC-based receiver and transmitter that’s far more versatile than the average consumer radio, anyone from a prankster to a determined attacker could create a message alerting a tower or a plane to an oncoming jet that doesn’t exist.
“This is the most important problem,” says Costin. “You can put out a method that looks valid in the ether, and they can’t verify whether it’s real or malicious.”
Pilots and air traffic controllers wouldn’t be entirely helpless against that kind of spoofing attack; They could still check the purported messages against radar signals and against their database of flight plans. But the trick could be scaled up to hundreds or thousands of fake signals, much like a denial-of-service attack that uses thousands of computers to choke a website with a flood of fraudulent requests for information, Costin says.
“Imagine 100,000 fake airplanes targeted at a specific air control tower, and it has to manually check them. It’s almost impossible to do,” says Costin. In some cases, the spoofed signals could trigger a so-called ”short term conflict alert” that forces air traffic controllers to attempt space out the non-existent planes at regulated intervals, causing mayhem in the control room and potentially in the sky.
I reached out to the FAA for comment, and a spokesperson responded in a statement that “The FAA has a thorough process in place to identify and mitigate possible risks to ADS-B, such as intentional jamming, ” and “ conducts ongoing assessments of ADS-B signal vulnerabilities. The contract for the ADS-B ground station network requires continual independent validation of the accuracy and reliability of ADS-B and aircraft avionics signals. An FAA ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action. These risks are security sensitive and are not publicly available.”
Perhaps the most comforting part of the FAA’s response was its assurance of ”redundancies to ensure safe operations.” The agency says it plans to maintain half its current network of radar systems “as a backup to ADS-B in the unlikely event it is needed.”
While it’s unlikely the spoofing attack could cause a collision–as the FAA says, the planes could be checked against radar or visual cues–it it might cause momentary panic for pilots or air traffic controllers and even scare them into rash, unpredictable actions, says Dustin Hoffman, a pilot and security who plans to give a talk on air traffic control privacy at the hacker conference Defcon following Black Hat. “If a pilot sees a plane suddenly coming at him from half a mile away, he might yank the hell out of the yoke before looking out the window. Or he could cause the plane to dive erratically and without warning,” says Hoffman. “It’s illegal. But how would you track down the transmtter? The possibility for chaos is substantial…I’m surprised no one has done it yet.”
The air traffic control warnings will be a recurring theme at this year’s back-to-back Vegas hacker conferences. Another hacker and security researcher named Brad “Renderman” Haines plans to point out similar vulnerabilities at the Defcon hacker conference following Black Hat. (Though I didn’t manage to reach him for an interview, the slides from an earlier version of his talk are available here.)
Despite the growing attention to ADS-B’s problems from the hacker community, they’re not new. Last year a group of Air Force analysts published a paper in the International Journal of Critical Infrastructure Protection that warned about systemic flaws in ADS-B that “could have disastrous consequences including confusion, aircraft groundings, even plane crashes if exploited by adversaries.”
As with so many technologies, the tools to exploit ADS-B are becoming cheaper and more accessible all the time. A popular and powerful software-defined radio called the Phi now sells for $750, for instance.
Meanwhile, the Federal Aviation Administration continues to spend hundreds of millions of dollars on ADS-B. Costin argues that the the protocol needs to be fixed now, before more money is poured into its implementation, or before its security vulnerabilities lead to real-world problems. “The presentation aims to raise awareness that such a system can’t carry on until 2020, when software-defined radios will be many levels more advanced,” he says. “This isn’t going away.”