The ADS-B system that is the cornerstone of the FAA’s NextGen ATC modernization plan is at risk of serious security breaches, according to Brad Haines, a hacker and network security consultant who is worried about ADS-B vulnerabilities. Haines first outlined his concerns during a presentation he gave at the Def Con 20 hacker conference in Las Vegas in July. Automatic Dependent Surveillance-Broadcast (ADS-B) is on track to replace radar with a system that broadcasts GPS-based position data to controllers and other ADS-B-equipped aircraft as part of the NextGen system. Yet according to Haines–aka RenderMan–ADS-B signals are unauthenticated and unencrypted, and “spoofing” or inserting a fake aircraft into the ADS-B system is easy.
Haines and another hacker named Nick Foster demonstrated this by spoofing a fake aircraft into the simulated busy airspace over San Francisco, using the open source Flight Gear flight simulator program. Spoofing a target into the real ADS-B system would be a simple matter of transmitting the signal on the ADS-B frequencies (978 and 1090 MHz).
The FAA told AIN that the ADS-B system is secure. “We have ways of validating the data that shows up on a controller’s screen so that spoofed targets are filtered out,” an FAA spokeswoman said. “An FAA ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action. These risks are security sensitive and are not publicly available. The air traffic system is based on redundancies to ensure safe operations. The FAA plans to maintain about half of the current network of secondary radars as a backup to ADS-B in the unlikely event it is needed.”
According to Haines, the FAA’s method for filtering spoofed targets relies on multilateration, which is a technique for identifying a target using ground stations that detect transmissions from the target (usually transponder signals). But such filtering, he pointed out, would remove spoofed targets only from the FAA’s TIS-B feed, which sends ADS-B data to aircraft from ADS-B ground stations. “The spoofing threat can be mitigated with multilateration,” Haines noted. “However, an airplane receiving ADS-B [air-to-air] data has no way to do that.” In other words, an ADS-B in receiver on an aircraft will have no way of telling whether the ADS-B signal that it is receiving is from another aircraft or from a spoofed target transmitted on the ADS-B frequencies.
Longstanding Concerns about ADS-B Security
Concerns about ADS-B security aren’t new. In a 2009 graduate research project at the Air Force Institute of Technology at Wright-Patterson Air Force Base in Dayton, Ohio, Air Force Major Donald McCallie identified ADS-B vulnerabilities. “As early as 2006, concerns were raised about the ability of hackers to introduce as many as 50 false targets onto controllers’ radar screens. With open broadcast and no encryption there is no confidentiality; a lack of any authentication provides no integrity; and the ability to jam signals brings into question availability. The ADS-B infrastructure requires that all surveillance be open, and therefore non-secure, communications. As ADS-B is implemented, the potential exists for an attacker to exploit the inherent vulnerabilities of such an open system,” according to the paper.
McCallie’s paper outlines six key ways that attackers could harm the ADS-B system, ranging from relatively easy disruptions using jamming equipment to more difficult target ghost inject (spoofing) to flood denial, which means disrupting the ADS-B frequencies. While McCallie characterizes airborne target spoofing as a medium-high difficulty operation, he wrote, “Because there is no data correlation like that which may occur in a ground station, it may be somewhat easier to inject a ghost target into an aircraft; although, physical access may offset that advantage.”
Looking even farther back, a paper dated Sept. 18, 2001, and written by the FAA’s Ron Jones raised the issue of ADS-B security in relation to the 9/11 terrorist attacks that had taken place a week earlier. Jones raised two issues: “Probably the most fundamental security issue with ADS-B is the core idea of broadcasting the identity and precise location of each aircraft. This would open the door for a terrorist to attack specific aircraft or aircraft of a specific airline or corporation. While some people have suggested some form of encryption might be applied, I do not see any way in which this could be effective without fully undermining the basic ADS-B concept and associated benefits.” The second issue foreshadowed the current concern with fake targets. “As already briefly noted in DO-242 [RTCA standards] some applications may require independent validation of the ADS-B information. This has two aspects. One is simply to detect failures that result in errors in the reported aircraft location. The second is to detect spoofing and this is the aspect where the security concerns are raised.”
Haines is pleased that his bringing up the issue of ADS-B security has ignited some discussion of the subject, although he told AIN that no authorities have contacted him seeking advice on the system’s vulnerabilities. He also worries that other countries implementing ADS-B are not addressing these security issues. If it were up to him, he said, he would focus on “training, policies and procedures. [And] understanding the risks and that one needs to ask questions like ‘what happens if this thing that is supposed not to fail fails.’ Ifa way for multilateration to be spoofed is found, what then? If our [fake target] attack is actually possible, how does that undermine the reliability?How quickly can the industry adapt? I would also build in more capacity for outside testing. The tools and techniques to screw with this stuff are at a maturity level that make it accessible to most people.Are the FAA et al thinking they have covered every possibility? Just remember how many ‘secure’ systems were compromised by teenagers in their parents’ basements.”