Hackers, FAA Disagree Over ADS-B Vulnerability

August 21, 2012, 4:15 PM

The ADS-B system that is the cornerstone of the FAA’s NextGen ATC modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan), a hacker and network security consultant who is worried about ADS-B vulnerabilities. Haines outlined his concerns during a presentation he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and “spoofing” or inserting a fake aircraft into the ADS-B system is easy.

Haines and hacker Nick Foster demonstrated this by spoofing a fake aircraft into simulated San Francisco airspace, using the FlightGear simulator program. He said spoofing a target into the real ADS-B system would be a simple matter of transmitting the signal on the ADS-B frequencies.

The FAA said that the ADS-B system is secure and that fake ADS-B targets will be filtered from controllers’ displays. “An FAA ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action,” an FAA spokeswoman told AIN.

A spokeswoman for key ADS-B contractor ITT Exelis explained, “The system has received the FAA information security certification and accreditation. The accreditation recognizes that the system has substantial information security features built in, including features to protect against…spoofing attacks. [This] is provided through multiple means of independent validation that a target is where it is reported to be.”
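
The statement above does not say which validation methods are used. As an added illustration (not code from the FAA, Exelis or this article), one well-known way to check a reported position independently of the message content is to compare the signal's time difference of arrival at several ground receivers with the differences the claimed position would produce. The receiver sites, clock errors, 300 m tolerance and all function names are constructed assumptions.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def to_ecef(lat_deg, lon_deg, alt_m):
    """WGS-84 geodetic coordinates -> Earth-centred Cartesian metres."""
    a, e2 = 6378137.0, 6.69437999014e-3
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    n = a / math.sqrt(1 - e2 * math.sin(lat) ** 2)
    return ((n + alt_m) * math.cos(lat) * math.cos(lon),
            (n + alt_m) * math.cos(lat) * math.sin(lon),
            (n * (1 - e2) + alt_m) * math.sin(lat))

def tdoa_residuals_m(claimed, receivers, arrivals_s):
    """Measured minus expected time difference of arrival, as metres,
    for each receiver relative to receivers[0]."""
    p = to_ecef(*claimed)
    rng = [math.dist(p, to_ecef(*r)) for r in receivers]
    return [((arrivals_s[i] - arrivals_s[0]) - (rng[i] - rng[0]) / C) * C
            for i in range(1, len(receivers))]

def position_plausible(claimed, receivers, arrivals_s, tol_m=300.0):
    """True if the claimed position agrees with where the signal came from."""
    return all(abs(r) <= tol_m
               for r in tdoa_residuals_m(claimed, receivers, arrivals_s))

def simulate_arrivals(emitter, receivers, t0_s, clock_err_s):
    """Constructed test input: arrival times for a signal sent from emitter."""
    e = to_ecef(*emitter)
    return [t0_s + math.dist(e, to_ecef(*r)) / C + err
            for r, err in zip(receivers, clock_err_s)]

# Constructed receiver sites (lat, lon, alt m) around San Francisco Bay.
RECEIVERS = [(37.62, -122.38, 10), (37.72, -122.22, 10),
             (37.36, -121.93, 20), (37.99, -122.06, 10)]
CLOCK_ERR = [0.0, 150e-9, -200e-9, 100e-9]   # constructed receiver clock errors
CLAIMED = (37.80, -122.60, 3000)             # position carried in the message

def demo():
    # Case 1: the transmitter really is at the claimed position.
    genuine = simulate_arrivals(CLAIMED, RECEIVERS, 12.5, CLOCK_ERR)
    # Case 2: same message content, but radiated from a fixed ground site.
    ground_site = (37.55, -122.05, 5)
    mismatch = simulate_arrivals(ground_site, RECEIVERS, 12.5, CLOCK_ERR)
    return (position_plausible(CLAIMED, RECEIVERS, genuine),
            position_plausible(CLAIMED, RECEIVERS, mismatch))

if __name__ == "__main__":
    print(demo())
```

The check needs at least two time-synchronised receivers hearing the same transmission, and its tolerance has to cover the receivers' real clock error.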


I think the FAA is right about this particular issue. If RenderMan attempts to pull this stunt for real (instead of as a magic trick at DefCon 20), the next presentation he'll be making will be in front of an audience of any-inmate-who-cares at the federal penal institution he's assigned to.

Wonder if this comment will get removed too. Admin must not want real debate. No one believes the FAA. Show us the technical specs. GPS is hijacked in a similar manner.

None of the comments to this story have been deleted by moderators, so I’m puzzled as to why you just said that.

They are most certainly not right. Would they find him and arrest him? Likely. Would this cause mass chaos and the crashing of planes? Likely.
Catching the guy afterwards doesn't prevent the act from being committed.

You're relying on common sense to prevail. The FAA has already got issues with idiots intruding on ATC voice comms and using lasers on aircraft. Truth is you could easily spoof ADS-B and as such some idiot will do it at some point. Potential mitigation measures are far from ineffective but they are far from good as well. For instance using a P2P network of transmitters (2+) you could overcome (or at least seriously confuse) most of the mitigation measures that come to mind. Remember that aircraft will also have receivers and they will be much harder to secure. The fact is that unencrypted over-the-air comms are very delicate and it's very difficult to keep them secure.

The guys who attack planes don't care about prison. That's why this has to be airtight. If you noticed, the 911 attackers didn't even think about prison. Give your head a shake.

While I understand that if he was to do it for 'real' and was to get caught (key part here) he would probably be serving jail time, I'd suggest that the simple threat of jail time as a security deterrent alone is naive. A group or individual wanting to attack a system such as this, is likely not worried about jail time -- terrorist groups, unstable individuals.
As for the comment about a 'magic trick' -- if it is truly a magic trick, then there would be no need to threaten jail time because it wouldn't really be possible as the FAA is indicating -- that is just unnecessary attitude.


More "trust us - it's safe!" with no technical detail to back up the statement. Show us the proof and we'll believe you!

Totally... why would anyone believe an established liar ever? Makes no sense to me.

Because sharing the technical details of the security measures to detect or prevent spoofing really makes it all so much safer ...

A system like this is a composite of a lot of separate software products and protocols - unlike with open source code, full visibility into the details does NOT increase the security of the system. In his place, there's no way I'd share that kind of info.

Security through obscurity is not security. Go read Kerckhoffs's principle.
If the FAA is using security through obscurity the problem they will have is that when that process or software is released their security will be broken. They will then need to change it. If their system is truly secure then they should be able to release the details, without it actually affecting its security.

Ken... that has to be the stupidest statement ever. If you go with the US Govt track record of TRUTH and accountability... I'll take RenderMan any day of the week. You're right, we should just accept what the FAA says is fact, and even if it kicks us in the face our govt is occupied by moronic fools who don't know what they are talking about half the time... and are lying the other half... Wow, and we wonder why the country is in such disarray. How about the FAA produce some technical specifications... All I hear is a toddler saying 'no it's not'. Freaking GPS can be spoofed easy as hell because the signals are not designed with repudiation... so we are to believe this one is? Why?

Ken, your comment doesn't address the reality of the threat, only the assumed legality. Render demonstrated this, and he is one of the good guys. Even if, as the FAA claims, this has already been mitigated, I would much prefer people like Render challenge these systems (and the FAA) than blindly assume air travel is safe. Next I suppose you'll blindly accept what the TSA tells you?

If you have data, please correct me.

Answer one question Ken Shapero, Director, U.S. Programs at GE Aviation - Performance-based Navigation Services (Naverus, Inc.)

Question: Are ADS-B signals unauthenticated and unencrypted?

Not according to the FAQs.

Q: Will the information broadcast by ADS-B Out be encrypted for security purposes?

A: ADS-B data can be received by any aircraft, vehicle, or ground station equipped to receive ADS-B. No specific encryption is specified.

awesome catch!! naaa...he doesn't have a stake in the game at all......

So we should take the FAA's word that everything is fine, nothing to see here? I saw the presentation live - the FAA needs to step up and open up to the information security community when potential vulnerabilities like this are found. Putting your head in the sand doesn't help anyone.

Allow me to remind you that attackers don't fear prison terms. If they want to cause chaos in the air, they'll take advantage of any vulnerability available. You want to be a passenger or crew on a plane when controllers' systems are under attack?

Good luck with that.

But, like you said, everything is fine. Nothing to see here.

I somehow doubt that Renderman getting in trouble is the point. The point is that if he can do this, anyone can do this, and someone who is out to actually do harm would probably not really care about jail.

As far as I can determine, there are NO standards and NO certification that ADS-B transceivers, either on airplanes or on the ground, will be resistant to jamming or spoofing. There has been at least one test where someone was able to spoof GPS signals such that they were able to take control of the path of a UAV. RAIM capability to detect errors in avionic GPS systems was not able to detect the spoofing. Any aircraft that is in an autopilot mode dependent on GPS would be similarly vulnerable. The US Navy was running tests on a ship in San Diego harbor and accidentally wiped out GPS reception all across San Diego. (This even affected seemingly unrelated systems such as medical pagers, which relied on GPS signals for timing.) And as the LightSquared debacle showed, it's easy to jam GPS with easy-to-make moderate power transmitters up to 20 miles away. And ADS-B relies on GPS. This is in addition to the spoofing of the ADS-B signal itself, such as demonstrated by RenderMan et al. Until the FAA produces rules that require certain levels of detection and resistance to jamming and spoofing of both GPS and ADS-B for all avionics and ground-based hardware, and adds authentication to the ADS-B signal content, these FAA statements are pure BS.

The ADS-B message is a very simple message. UAT's are on 970MHz, 1090ES transponders are on 1090MHz. The Mode-S code for all aircraft is published on http://FAA.gov.

To spoof, is quite easy. Pick an aircraft that seems mostly not flown, and use that code in the messages. The GPS data, you can calculate lat/lon based on a reasonable speed.

Maybe the FAA will ignore based on some criteria, but will the other aircraft that have ADS-B In? If they all get RAs people will be flying all over creation, making the controllers need to manage random tracks.

This somehow reminds me of 1998, 1999, 2000, ... there was a DMCA in the 1970s, and RC aircraft before the 1930s... where is "Lone Gunmen" when you need them, Leahy? Eating Nerds-Candy?

I wrote about ADS-B homing drones last year and why jetliners (high value targets) should avoid beacon accuracy of Navigation Accuracy Category (NAC) level 7 (less than 93 meter accuracy) or better. It would be relatively easy to fly a piston powered model plane controlled by an iPod Touch connected to a GPS with 3-meter accuracy in front of the path of a jetliner carrying a small payload. The model plane wouldn't need to be fast because it would be the jetliner that runs into the model plane. http://www.hightechforum.org/new-airline-navigation-system-easy-target-f...

What's even worse - all aviation voice comms except military are AM radio frequencies.

You might want to read my paper "Automatic Dependent Surveillance - Broadcast" at http://www.airsport-corp.com/adsb2.htm It was written more than a year before 9/11 at a time when nobody thought airplanes could be used for such destruction. The opinion is still valid today, 16 years later. It is a wonder someone hasn't used ADS-B to cause death and destruction before now.

I have talked personally to three FAA Administrators on this matter. Here's the problem: The Administrator will only serve a few years and is a political person, not a technical guru. (And usually not a pilot either.) They must depend on their top subordinates and those guys are nearing retirement, that's how they got to be top subordinates. All they really want is to make it to retirement without upsetting anything.

So, at most, they check with RTCA or MITRE or Lincoln Labs or some of the other consultants who dreamed the thing up in the first place. Those guys and gals aren't pilots either but they make good money dreaming things up. So they tell FAA that everything is fine. Which it is not.