FAA Denies Vulnerabilities In New Air Traffic Control System 141
bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."
Bad FAA! (Score:5, Insightful)
[smacks FAA on the nose with rolled newspaper]
Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems!
[smacks FAA on the nose with rolled newspaper]
Re: (Score:2)
We encrypt and authenticate our CRITICAL systems
the FAA payroll system may well be encrypted
Re:Bad FAA! (Score:5, Funny)
But it was certified! CERRRRRRRRTIFIED! AND it was accredited! Both! At once! What more do you people WANT from us? Geez!
Re: (Score:2)
Re: (Score:1)
As someone who is often involved in the Certification and Accreditation of sensitive systems, I can certify that this is mostly a paperwork drill for paper shufflers.
It's all about accountability (Score:1)
There is a very real difference between being compliant with a standard (or certified,) and having actual useful security.
And this very fact seems to be willfully overlooked by organizations more and more. If you are certified and accredited, then when something goes horribly wrong you can point the blame at those who told you that you were doing a great job with your system. How would you know it was a problem when some important experts came in to check everything out? It doesn't seem to matter anymore
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Who wants to bet that the company doing the certification has a friend at the company building the computers?
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Naw, they are using "sub-space communicators" instead.
It is a reasonable thing you are pointing out, where "wireless" and "physically secure" simply can't be compatible. I have heard of missiles that spool out wire for guidance or control during flight, so I presume that is another way to secure communications. I'm sure that works out real well for commercial aircraft though. A physical data link still seems vulnerable to some kinds of attacks, so your original point is justified.
Re: (Score:2)
Re: (Score:2)
Maybe they should also move the tower onto private land so they can stop bothering with those pesky locks on the door.
Re: (Score:2)
Re: (Score:2)
[rolls up newspaper] [smacks FAA on the nose with rolled newspaper] Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems! [smacks FAA on the nose with rolled newspaper]
Obviously, the FAA is too big to fail. I'll believe that when planes stop falling out of the sky.
Re: (Score:2)
It's easy to be concerned about encryption and authentication in a general sense, but no solutions are being offered that would make any sense.
For encryption, who holds which keys? At best, you have thousands of planes flying around with public keys, and hundreds of airports with the private keys? Leaks are bound to happen. Or you use lots of individual keys -- at which point you're likely to have leaks AND synchronization issues, where a tower can't read data from a plane because the key's not in the syste
Re: (Score:2)
For encryption, the FAA holds the keys. It's not a perfect system, it won't stop all attacks. But it allows you to recognize unsigned packets, and it allows you to determine which issued key sent the invalid packets. (Only afterwards, unfortunately.) But you can pull key authentication if there's cause...like a plane being stolen. There *might* be too much time lag for that to be effective, but that depends on the attack vector. Actually, forget encryption. that doesn't buy you much, and it's expensiv
The Setec Astronomy box can get the past codes (Score:4, Interesting)
The Setec Astronomy box can get the past codes used in the certified and accredited system.
Re: (Score:3)
The Setec Astronomy box can get the past codes used in the certified and accredited system.
So can an Arduino.
I'm so glad (Score:1)
I'm so glad that their system has been certified and accredited. That should mitigate all of the risk there.
Re:I'm so glad (Score:4, Insightful)
Make an Air Traffic Control system so vulnerable nobody will want to fly...
Re: (Score:3)
I thought it was grocery store checkout lines and phone booths, once they ban cell phones as dangerous terrorist devices (due to the ability to use them to trigger a bomb).
Re: (Score:2)
maybe they don't use ruggedOS? (Score:5, Funny)
maybe they don't use ruggedOS?
Re: (Score:1)
maybe they don't use ruggedOS?
I'm pretty sure they are running HollywoodOS http://c2.com/cgi/wiki?HollywoodOs [c2.com] http://nand.net/~demaria/hollywood.txt [nand.net]
Re: (Score:3, Funny)
I'm sure they secured the back panel with the more obscure Torx screws, too.
The FAA , another broken government organization. (Score:3, Interesting)
I'm glad updates must be accredited. (Score:3)
Cowboy coding is the absolute last thing you want in these systems. Rushing out the latest bug fixes is a terrible model for software that puts life at risk. Yes, this version might be hackable and that could cause problems if someone has malicious intent. Fixing the issue without a LOT of QA and bureaucracy to make sure proper testing procedures are followed is far more likely to kill people.
Re: (Score:2)
Re: (Score:2)
I don't know if you can judge their real opinions and intent by their public statements. Lying to the public isn't only practiced by politicians.
Re: (Score:2)
"Rushing out the latest bug fixes is a terrible model for software that puts life at risk."
Not if you have adequate code tests in place. But of course, if you did, you probably wouldn't have the bugs in the first place...
Re: (Score:2)
No. The absolute last thing you want in these systems is cowboy system architects, which alas, is clearly what they had in this case. As far as the cowboy coding, it varies greatly with the cowboy.
Re: (Score:2)
"But the point is that there are a ton of bugs in these systems because of the difficulty and cost of releasing bug fixes" Name one bug free software system that does more than render "Hello World!". And even that better not be on a machine connected to the Internet or other public network. I you want security you need to isolate the entire system from any and all remote network accessibility. Then you need to secure the physical accessibility points which is easier and cheaper than continuously waiting fo
Re: (Score:2)
"Name one bug free software system that does more than render 'Hello World!'."
That's completely beside the point. The issue here is that there are very OBVIOUS flaws that should never have been there, and they don't plan to fix them anytime soon.
Re: (Score:2)
Re:The FAA , another broken government organizatio (Score:5, Informative)
Mod parent up (Score:2)
Ran out of points - mod parent up
Re: (Score:3)
Oh sure, blame the messenger. It is now his fault that FAA has a shitty insecure system, and it is his fault for not telling FAA, except that, hey, he did tell them.
In fact, after he told them, the FAA said - no, we're secure.
In fact, after he showed them, the FAA said - no, we're secure because we can filter it out.
Bah, humbug. The faults lies with exactly one entity. The one that is pushing out the insecure shit. Not someone who found it insecure. For you or anyone else to blame him is fucking bullsh
Re: (Score:2)
Considering that it's the government I'm surprised they didn't simply try to classify and bury it.
Re: (Score:2)
Re: (Score:2)
As always, it's the government (except the NSA) not being attractive enough or not paying enough to get some real experts on board.
There are many government-paid university researchers around. Why was there no academic project to evaluate the quality of the system?
Face-palm stupidity orthogonal to private/public (Score:2)
As always, it's the government (except the NSA) not being attractive enough or not paying enough to get some real experts on board.
Private industry is just as bad. The big bucks on on perception management, and anything technical is generally approached with a "don't bother me" attitude. This works in private industry, because perception management is actually more important to making money. Kinda like politics.
It depends on the organisation that you are working for. I have worked in excellent and poor government departments, and I have worked in excellent and poor private companies.
Face-palm stupidity is orthogonal the private/p
Re:The FAA , another broken government organizatio (Score:5, Informative)
This is totally incorrect.
Flaws and vulnerabilities discovered during the C&A process result in POA&Ms (Plan of Action and milestones) for each flaw and vulnerability. Each of those POA&Ms is tracked, and there is timeframe that the issue must be resolved, depending on the severity. Once flaw remediation is complete, the POA&M is closed.
No recertification required. The only time recertification is required is when a certain percentage of the system is changed, not updated or fixed.
Re: (Score:2)
The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have system that works correctly and securely.
That is absolutely a problem with private industry as well. And if you raise questions -- the messenger will be shot. If you demonstrate that something is wrong, you may well be shown the door.
Certified and accredited: By Whom? (Score:5, Insightful)
NextGen has been a huge boondoggle up to this point, and I wouldn't be surprised at all if an insecure system crept through the approval process because all of the alternatives kept failing. Encrypting the traffic would not be trivial either, because you have issues with key management and the fact that anybody can buy transponders and reverse engineer keys out of them. This equipment ultimately has to be available to every Tom, Dick, and Harry small aircraft pilot to be useful, and it's impossible to vet all of them. Even if you did, light aircraft aren't secure storage facilities, and it only takes one theft to render a naive system broken.
Re: (Score:1)
Re: (Score:3)
All aircraft in US airspace have to be registered. They have a unique identifying code. Standard public key crypto would allow the system to authenticate messages are really from the transponder they claim to be from, preventing spoofing. Someone could, as you say, copy one transponder's keys but it would be easy to simply blacklist that key and issue the real aircraft with a new one.
The real problem is what do you do when you receive an unauthenticated message. Potentially it represents an aircraft experie
Re: (Score:2)
Oh, if only I read this before I responded earlier. I would have gladly saved my mod points for this...
I'm confused (Score:5, Insightful)
So, let me get this straight. We have to grope old women wearing diapers and four year olds for safety reasons, but there is no need to worry about the software because it is "certified"?
Re: (Score:1)
Re: (Score:1)
Both are excellent examples of security theater.
Re:I'm confused (Score:5, Insightful)
Doesn't know much about the system (Score:5, Informative)
explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy.
He doesn't know much about the system. OK. go ahead... try to break it.... what'll happen? Nothing.
Spraying junk into the system is irrelevant. Being unauth and unencrypted its simpler and cheaper just to build a raw RF jammer than to feed in formatted junk reports. That works really well until the .mil shows up to train their jamming countermeasures equipment against your jammer. Whoops. DF work isn't all that complicated and the higher the frequency the easier it is. Radar jamming has been an option for what, 70 years now, and nothing really ever comes of it? ATC/pilots already have procedures to survive radar outages. Happens all the time. Send a nice thunderstorm thru, send in the backhoes (lots of remote radar units connected by fiber). So jamming/spamming/forcing it out of service is useless. Nothing an attacker can send will break anything.
I know about the ADS-B data structure. This stuff is small and simple. We're not talking about radar and jetliner sending sandboxed java applets to each other, its incredibly simpler than that. Its like declaring you can hack buffer overflows over a morse code telegraph. There's not enough "stuff" in the protocol to be turing complete.
The attack vector is incredibly narrow. I know a lot more about piloting and radar RF and microcontrollers, and frankly pretty much everything in the system compared to this guy and I can't figure out how to actually bust it.
Look at the guy's presentation. notes as I scan thru the slides. 1) He's cooler than you, crendentialism means he's correct (LOL) 2) he drinks vodka, very impressive proof 3) he admits he knows nothing about ATC and radar 4) He doesn't know much about RF or comms (pulse per second modulated, wtf is this star trek technobabble) 5) Other people are looking and no one has come up with anything 6) his threats are not serious and/or not realistic and/or already exist 7) I love this quote "some threats are total unknowns" yeah I think thats an excellent summary of the ADS-B "security hole". 8) the pretend made up scandal about the FAA not releasing "sensitive security information" is about skin painting radar coverage for smuggler detection, thats why they claim it has no impact on passenger aircraft... its not all space alien coverup unless your passenger craft is 50 feet off the ocean and full of coke I think you're OK. 9) "Not trying to spew FUD" LOL ok dude I hope the audience laughed at that. 10 ) Dude calls a homemade SDR RX an "exploit" LOL 11) he hopes they don't unplug primary radar... well duh how would they catch smugglers if all they had to do was flick a circuit breaker to disappear...
Look I know the guys not an idiot in general. But this is the kind of thing that happens when someone who doesn't know anything about any individual components of a big system, or anything about the big system itself, gets all FUDdy and self promotional. If you don't know anything about the terrain you're fighting in or the tools you have, you'll lose, no matter how smart you are.
TLDR is don't worry its not an issue. FUD FUD FUD self promotion thats all.
Re: (Score:1)
What's funny is that he can't even prove he can really do it. To demonstrate this supposed vulnerability ihe used a flight sim and then said 'just trust us that it'll work in real life'.
Haines and hacker Nick Foster demonstrated this by spoofing a fake aircraft into simulated San Francisco airspace, using the Flight Gear simulator program. He said spoofing a target into the real ADS-B system would be a simple matter of transmitting the signal on the ADS-Bfrequencies.
Re:Doesn't know much about the system (Score:5, Insightful)
I'm one of the authors.
Unfortunately, transmitting live spoofed data into the real ATC system is Guantanamo fodder, and I'm trying to avoid becoming a domestic terrorist if at all possible.
That said, this wasn't merely a simulation: real ADS-B frames were transmitted by a low-cost SDR (into a dummy load) based on the position of a simulated aircraft flying in FlightGear. Those transmitted frames were received by the same SDR (alongside real frames from real aircraft), and the resulting tracks plotted in Google Earth.
See my comment here: http://tech.slashdot.org/comments.pl?sid=3065807&cid=41088873 [slashdot.org] for more information.
Re: (Score:2)
transmitting live spoofed data into the real ATC system
If you want to tx live unspoofed data talk to a avionics tech / aircraft mechanic or a guy who develops this stuff for a living. Its not that much of an accomplishment. Like saying you "hacked FM broadcasting" because you built a kit FM transmitter.
If you want to generate spoofed data because you're good or bad a cheap aviation transponder and an imaginary NMEA stream will do quite well. No need to "build" stuff just go appliance operator...
Re: (Score:2)
A "cheap" aviation transponder that understands Mode-S/ADS-B? Which one is that?
Re: (Score:2)
Re:Doesn't know much about the system (Score:5, Interesting)
Are there ways to handle this? Yes, old school "strips," and greater separation manually... But what if the controllers can't find the real targets? In VFR conditions everyone must see and avoid anyway, and IFR flights would probably have to revert to VFR if in VMC. But what of a bunch of IFR flights in actual IMC? TCAS you say? What if said bad guy could spoof TCAS as well? TCAS would likely handle the huge amount of targets even worse than the TRACON software (might even crash... in the software sense). Add a power stuck mic to jam up all the COMM frequencies and you cause a lot of trouble indeed. Pilots must follow a discreet set up rules in this case, but they are not perfect in that they cannot help a jetliner that has had a headwind the whole way, and is low on fuel with now opportunities to make it to a VMC field.
I'm just saying I believe with enough resources it could be done. Create a ton of fake targets near a busy airport in bad weather. Jam all COM frequencies. Jam GPS, Jam the ILS/MLS. Jam the VOR signals, and any remaining NDBs. It may not lead to loss of life if the bad weather was not too far widespread (such that IFR flights could proceed to VMC and land VFR), but either way it would cause a lot of monetary damage, and a lot of terror in the flying public...
Encryption would be a very good thing for ADS-B. As we update the system from old school mode C, we might as well be countering these things.
Re:Doesn't know much about the system (Score:5, Interesting)
And if you did all that, it would be damn close to, if not actually (GPS is military), an act of war. Want to see just how fast the government can respond to an incident? Try the above. I'd give you about 15 minutes before you had military on your ass. They have smart missiles that can automatically target GPS and radar jammers [wikipedia.org], if they get desperate enough to get rid of your interference. And as you note, there's already procedures for going "old-school" and not relying on radar or TCAS or ILS. Even in "hard" IMC you should be able to use your instruments to stay in the air and away from other planes, and you should have enough fuel (you did your fuel calculation correctly, right?) to circle around a bit waiting for the situation to be resolved.
Re: (Score:1)
Re: (Score:2)
If you're going to go to all that trouble, use robot jammers (i.e., no operator required, so no loss to speak of when they get blown up) and booby trap them you you can't move them without them exploding. No need to hide them, just superglue them to the pavement in various unobtrusive places, and set them to start on a timer. Or on a wi-fi signal, but timer is probably better.
It's probably do-able, but I think the result would be more inconvenience than anything else. Everybody is just redirected to an a
Re: (Score:2)
Well then, it's a damn good thing that nobody would ever want to take that risk [wikipedia.org]!
Re: (Score:2)
I'd give you about 15 minutes before you had military on your ass.
Considering that the military didn't really manage to do anything useful in the 34 minutes that elapsed between the second plane hitting the WTC and the Pentagon being struck on 9/11, I have my doubts about that estimate.
Re: (Score:2)
nd IFR flights would probably have to revert to VFR if in VMC. But what of a bunch of IFR flights in actual IMC?
If tcas is going off you're doin it wrong. Old fashioned separation rules. By altitude.
Some non pilots think aviation is handled like a video game where you dodge dodge dodge like a WWI biplane dogfight. Not so.
You rarely navigate by radar because its extremely embarassing to tell ATC you're lost and need a vector... you nav using GPS and VORs and NBDs
Re: (Score:1)
Re: (Score:2)
While the most effective bank robbers in history have been MBAs (Lehman Bros.), that doesn't mean an MBA is a requirement for robbing a bank.
Renderman certainly isn't an idiot. His qualifications are: hacker. We have ample instances where a hacker is able to make a system perform in an unexpected fashion, yielding profit, mayhem, or both. And he is very much an expert in that field.
7) I love this quote "some threats are total unknowns" yeah I think thats an excellent summary of the ADS-B "security hole".
You mocked him without refuting the point. Yes, the known problems are addressed. Sure, the attacks you can think of are cover
Re: (Score:1)
Except he hasn't even shown he can do what he claims. He just says that based on what he could do in a flight sim that reality would be the exact same.
Re: (Score:2)
As a fellow engineer who has worked on traffic systems and transponders that use ADS-B, thank you a thousand times for bringing some sense into this conversation.
Re:Doesn't know much about the system (Score:4, Insightful)
Re: (Score:2)
You only have to worry about keys in US Air space, or maybe you didn't know that it is called the Federal Aviation Administration for a reason.
Worst case scenario: you turn encryption off and do things the way they are being done now.
Right. Not free the way those body scanners that are mere securi
Re: (Score:1)
> ...works really well until .mil shows up [at your jammer]
By that time half a dozen planes have crashed. 9/11 was a can-happen-only-once event, too.
Re: (Score:2)
I'd mode you up, but you're already +5.
Re:Doesn't know much about the system (Score:4, Interesting)
Hi, I'm one of the authors.
The demonstration used a COTS SDR to transmit ADS-B squitters from positions derived from an aircraft flying in FlightGear. The same SDR was simultaneously receiving ADS-B frames from real aircraft, *including* the spoofed frames being transmitted locally. The combined frames were brought into the Google Earth display for viewing. Criticism suggesting that "it's just a flight simulator, it's not real" is incorrect: these are valid, correct ADS-B frames, transmitted (into a dummy load), which will be received and decoded by ADS-B IN hardware. There is a spec (DO-260B), and the transmissions meet that spec.
The purpose of the demonstration was to show that valid ADS-B frames can be generated and transmitted by low-cost SDR hardware. This capability raises a number of interesting possible attack vectors, which were discussed in the presentation. The secondary purpose of the presentation was to get the FAA to clarify the countermeasures they plan on using to detect, identify, and eliminate spoofed transmissions from the data which controllers see. Specifically, there are two other sources of data they can use: multilateration, which depends on time-difference-of-arrival to calculate the originating position of a transmission (same principle as GPS); and maintaining a network of primary surveillance radar. Prior to this week (Steve Henn of NPR was the first to get the memo from the FAA), the FAA had not stated that they planned to maintain a full radar network, or to use multilateration to vet reports. In fact, reading older documentation, explicit mention is made of *shutting down* PSR to save money after ADS-B implementation is complete. So, you understand our concern.
Additionally, ADS-B IN implementation aboard aircraft (rather than ground stations) provides no facility for validating reports via TDOA; this means that you can inject false reports into aircraft which are listening to other ADS-B reports. Currently few aircraft support this capability, but for those that do, you can squit fake aircraft right into their traffic display.
Lastly, the last couple of slides from the Defcon presentation discuss an attack vector against TCAS, the collision avoidance system aircraft use to maintain separation when ATC fails to do so. This attack vector is particularly concerning because it provides direct pilot guidance: a false aircraft on a collision course will create audio and visual warnings in the cockpit (a "resolution advisory"). Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there. Obviously, this is concerning, and I'm unaware of any way to combat this.
So yes, the presentation may have looked "FUDdy" without background into the problem, but there are real security issues here which need to be dealt with.
Re: (Score:2)
Why waste dev time on a SDR TX when you can buy a used transponder off ebay for cheap or just steal one?
Just sayin its not all that practical.
Specifically, there are two other sources of data they can use
Third is data gathering from multiple sites. You cannot generate enough power / altitude from the ground to knock out a substantial range. Talk to some microwave RF guys. So use the ring of airports/radars around the transmitter.... Of course this sucks AT o'hare if the jammer is in the o'hare parking lot...
For ground purposes why can the ADS RX be on a narrow beam
Re:Doesn't know much about the system (Score:4, Interesting)
Why waste dev time on a SDR TX when you can buy a used transponder off ebay for cheap or just steal one?
Just sayin its not all that practical.
Because the SDR TX took one evening in Gnuradio to implement.
Third is data gathering from multiple sites. You cannot generate enough power / altitude from the ground to knock out a substantial range. Talk to some microwave RF guys. So use the ring of airports/radars around the transmitter.... Of course this sucks AT o'hare if the jammer is in the o'hare parking lot...
For ground purposes why can the ADS RX be on a narrow beam antenna? HMm a network of them just triangulated on you.
We aren't jamming. We're spoofing. Your idea regarding triangulation is generally correct, although they use multilateration, not direction of arrival. However, if your signal is only loud enough to be heard by a single station (or two stations), you can't multilaterate, and since 1090MHz is very much line of sight, the odds multiple stations will hear a ground-based spoofer are slim.
They HAVE To maintain it. Otherwise my learjet full of coke gets the "cloaked ship" star trek effect if I flip the transponder circuit breaker off. They're never, ever, going to give up on skin painting. Maybe some phb who's never ATC'd or piloted a plane made up some story, but...
I'm totally with you here. The problem is the FAA initially appeared not to recognize this; it appeared they wanted to maintain PSR/SSR in congested areas, but shut down some primary sites in less-trafficked areas. I am as glad as you are that they seem to understand the necessity of maintaining complete PSR/SSR.
Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there.
Talk to a pilot. The first thing you do is visual the incoming. So that limits it to IFR only conditions right off the top.
A successful attach is going to be pretty ineffective and very dangerous to attempt. I just don't see it as an issue.
If these attacks become popular, planes will just pop the tcas circuit breakers on order of ATC (probably in the ATIS/AWOS message?) and fly "pre-tcas" which works just fine.
I don't agree with this. Disabling TCAS is a hazard in itself, ESPECIALLY in IFR condx. This is a problem.
Re:Doesn't know much about the system (Score:5, Interesting)
Greetings,
As the guy on stage giving the presentation, I feel the need to comment. I see Nick was already here ahead of me covering most of the points, but I figured I'd chime in.
The FlightGear Demo video was, as Nick mentioned, a way to show that it was possible to put ADS-B data into the air with equipment available to any hobbiest. We used a flight sim and a dummy load because at no time would we ever put real data into the air without proper permissions and safety precautions. As much as I want to know what would happen, I have no desire to see anything bad happen to any aircraft or members of the flying public. It was a proof of concept to show the theory and a potential tool to test these theories.
I fully admit I dont know the system inside and out. I dont see how someone needs to be in order to spot things that are just not right.
In all the comments, much was said, but little evidence was offered. If you have evidence that you can share publically, please do so. Contact me at renderlab.net and prove me wrong. I would love to do a presentation where I answer all of my questions to my complete satisfaction.
A few points were raised repeatedly that I'd like to address:
"But multilateration takes care of that". Really. Please show me the report. What was the methodology for establishing that as adaquate?
"But pilots and controllers are smart people" They are also human and make mistakes. Training and preperation are going to be key to solving this
"Publicity seeking" Yes, I am seeking publicity, to get the aviation authorities to open up about these issues and provide some transparancy into the
"Try to hack it, nothing will happen". I want to, with permission of course. This is why I'm asking anyone who has access to aircraft, ATC operations gear, manuals, avionics, etc. To come forth and let us test our theories publically. If everything is secure and safe, then the worst thing that happens is I look a bit foolish, but we all can fly home feeling a bit safer.
Yes, there may have been errors in the slides. I admit so right at the beginning. The aviation industry is more acronym happy than the computer industry. Some of the numbers are from official documents and older versions of SOP's or summaries or any number of sources. Until I have the controllers procedures and standards manual in my hand, I only have publically available documents to go from, which may contain variations or errors. I'm human.
Lastly many comments questioned my motives and the logic of going public. I set out to prove to myself that ADS-B and NextGen were safe. I failed in that. I do not think it is as secure and safe as has been made out to be. I kept trying to prove to myself it was safe but every avenue turned up more evidence to the contrary. I exhausted all the documents and resources I could find and so wanted to turn to the hacker community that I know and love and get thier help in trying to prove my theories wrong. These theories have been around longer than I and are most certain to have been discussed by existing bad guys. As was stated many times, dont shoot the messenger.
TL;DR version: Show me your evidence, prove to me NextGen is safe. Let us test it for ourselves publically.
Re: (Score:3)
dammit render, you even have a slashdot uid lower than mine.
Mail-order certs that you're 100% non-terrorist (Score:1)
I wonder what kind of "certificates" you can order online and use effectively. Besides diplomas I mean... Certainly those don't work, right? Not as if there were ever a Yahoo CEO to have falsified their education. Press credentials? Security certs?
Old Star Trek Tactic (Score:1)
What happened to simple radar? (Score:2)
Fuzzing equipment that talks over the air (Score:1)
The C&A process is only usefull if... (Score:2)
The people performing the process actually follow the guidelines as they were intended.
The guidelines are based on NIST 800 series documentation, as well as any other internal rulebooks and policies in place at a particular organization.
The entire process needs to be performed by independent auditors (as a consultant, one of my duties is the technical aspect of the C&A process), there is no incentive for me to bow to political or management pressure of the system owner. The results are provided directl
The other issue with the statement by FAA (Score:2)
Is that while the C&A process can be interpreted many ways, in general, it is the security posture of the system and its components, not the functionality. Most assessors do not go that far because depending on the system, they may not be able to, or be equipped to test the actual functionality beyond the component level.
Many errors in the presentation: (Score:5, Informative)
I just read the presentation. It seems like this guy knows just enough to scare himself and others.
Mistakes:
Page 13: The 'ID Number'(SSR/'squawk code') is automatically attached, it is not manual, nor is 'a great deal of work required'.
Page 14: Pilots DO get traffic data from the current ATC system. Traffic detection systems on airplanes intercept the transponder replies, and use that to detect the location of other air traffic. Larger aircraft have systems that actually communicate each other to avoid collisions in emergencies. Those systems are called PCAS, and TCAS respectively.
Page 14:Standard separation of aircraft is 3-10 miles and 1000 feet. Not 80 miles. That's just stunningly wrong.
Page 15:Airplanes will ALWAYS need to avoid thunderstorms and volcanoes, radar or no radar.
Page 16:Not too many errors here, but planes ALREADY can be closer than 5 miles.
Page 23(the "scary stuff"): Yes, he(and you) can observe the air traffic. So what? It's not secret, hasn't ever been secret, and doesn't need to be secret. You don't need ADS-B to know that airplanes congregate around airports. This function is largely intentional, and nothing worse than a tool for enthusiasts. Critical thinking will tell you that it's not information that needs to be kept secret(flghtaware.com's FAQ explains this concept very well)
So, the only real point on page 23 is the lac kof authentication. Which isn't much of an issue because it will be validated with radar. And, over the ocean, where there isn't radar, you probably won't have morons in boats spoofing signals.
Page 27: None of these threats are actually dangerous. It's already public. Most flightplans are available online(flightaware.com), and you can see most airplanes in the sky. They take predictable routes around airports. It's not dangerous.
Page 28: Most of these are valid concerns, but the opportunity to train the system isn't their. Fake flights will quickly be noticed. How? "Hey, none of these planes are landing. And it's tail number doesn't exist".
Page 30: Autopilots DO NOT automatically avoid collisions, a warning signals the pilots to take action, essentially for this exact reason. Autopilots ONLY do things they have been explicitly told by the PILOT and no one else, including ATC.
Page 30:Many large aircraft DO have radar onboard for traffic. It's called TCAS.
Page 31: GPS jamming not new.
Page 32: Not new. GPS spoofing isn't new, but is VERY rare.
Points I'd like to highlight:
1. ADS-B does not need to be private, and is not intended to be private. All of the concerns regarding lack of privacy here are invalid.
2. Autopilots only take commands from the pilot(s) inside the cockpit. No one else.
3.Only valid remaining concerns are signal spoofing.
4.They have planned for this, and are clearly working on countermeasures.
Just because the government lies and makes mistakes often, doesn't mean they do it always.
Source:Aviation enthusiast, student pilot, many, many public documents.
Re: (Score:1)
TCAS isn't radar. Its a radio receiver/DF unit. You can buy units that go into any plane, and will give you audible warnings just like the big guys. see
http://www.sportys.com/PilotShop/product/9194
for example.
Overall your observations are spot on. This system should have been implemented 10+ years ago.
Re: (Score:2)
You're talking about PCAS. TCAS is radar, and it also communicates with other TCAS units. The little units that go into light aircraft only give traffic advisories, where TCAS gives resolution advisories. PCAS also can only tell you distance an altitude, TCAS uses radar to give you the actual location of traffic.
Re: (Score:2)
Page 23(the "scary stuff"): Yes, he(and you) can observe the air traffic. So what? It's not secret, hasn't ever been secret, and doesn't need to be secret.
Actually, I don't think so. With the increased availability of homebrew UAVs, it is probably a bad idea to give out the information how to steer these things right into the flight path of a 747.
who did that accreditation, then? (Score:2)
ahhh, the outfit we cloned and put on the tors two years ago. yeah, they're real smart. A-D-M-I-N, P-A-S-S-W-O-R-D. at least they spelled it right.
I wrote about ADS-B homing drones last year (Score:2)
Re: (Score:2)
Three mobile phones on the ground can locate aircraft to within 3m from a long way away in clear weather.
Re: (Score:2)
Re: (Score:2)
True, of course.
Sure, ADSB is open (Score:2)
But so is everything else, probably apart from ADS-C. Mode S radars, conventional secondary radars, and navaids like NDBs and DMEs. The whole system is open to abuse if you can be bothered but you have to transmit signals to do that and you won't get far without being caught.
Re: (Score:2)
The mesh of ADS ground stations extends around the jammer. The jammer can only screw up stuff within say a couple miles (microwave line of sight) So you pull data from the neighboring RX which are unjammed.
Its about as much of an operational problem as voice channel jamming, VOR jamming, NDB jamming, and ILS jamming, which are all conceptually the same. Theoretically it could be done, but it probably wouldn't have much effect other than getting a 1 way ticket to gitmo, so....
Re: (Score:2)
A balloon that will carry 10 pounds to 30000 feet is under a hundred dollars.
Re: (Score:2)
Just for kicks, make a program that takes output from /dev/null, manipulate it in to the correct format, then send.
Re:DOS (Score:5, Funny)
you've taken data OUT of /dev/null?! Don't do it! Put it back in!
Re: (Score:2)
Whoops. I meant /dev/urandom. Not sure why I put /dev/null