Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Transportation Government Security IT

FAA Denies Vulnerabilities In New Air Traffic Control System 141

bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."
This discussion has been archived. No new comments can be posted.

FAA Denies Vulnerabilities In New Air Traffic Control System

Comments Filter:
  • Bad FAA! (Score:5, Insightful)

    by Jerslan ( 1088525 ) * on Wednesday August 22, 2012 @04:23PM (#41086897)
    [rolls up newspaper]
    [smacks FAA on the nose with rolled newspaper]
    Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems!
    [smacks FAA on the nose with rolled newspaper]
    • We encrypt and authenticate our CRITICAL systems

      the FAA payroll system may well be encrypted

    • Re:Bad FAA! (Score:5, Funny)

      by Anonymous Coward on Wednesday August 22, 2012 @04:40PM (#41087105)

      But it was certified! CERRRRRRRRTIFIED! AND it was accredited! Both! At once! What more do you people WANT from us? Geez!

      • FAIL is a valid certification...
      • by Anonymous Coward

        As someone who is often involved in the Certification and Accreditation of sensitive systems, I can certify that this is mostly a paperwork drill for paper shufflers.

      • by Anonymous Coward

        There is a very real difference between being compliant with a standard (or certified,) and having actual useful security.

        And this very fact seems to be willfully overlooked by organizations more and more. If you are certified and accredited, then when something goes horribly wrong you can point the blame at those who told you that you were doing a great job with your system. How would you know it was a problem when some important experts came in to check everything out? It doesn't seem to matter anymore

        • It's OK the guy's who have the final decisions will be MBA PMPs who are also CBAPs. They KNOW the important things that need being done.: get certified and go to meetings; meetings about getting certified if they can arrange it.
      • I think their real concern was that it be Accredified.
      • Who wants to bet that the company doing the certification has a friend at the company building the computers?

    • by AK Marc ( 707885 )
      I agree with the FAA for one point. Encryption is unnecessary if the physical is secure. The problem is so many people assume the physical is when it isn't. Encrypting everything doesn't help if you have terminals insecure, anyway.
      • Explain to me how the communications between the tower and the planes are "physically secure". Have they gone all out and used quantum entanglement communicators?
        • by Teancum ( 67324 )

          Naw, they are using "sub-space communicators" instead.

          It is a reasonable thing you are pointing out, where "wireless" and "physically secure" simply can't be compatible. I have heard of missiles that spool out wire for guidance or control during flight, so I presume that is another way to secure communications. I'm sure that works out real well for commercial aircraft though. A physical data link still seems vulnerable to some kinds of attacks, so your original point is justified.

        • by AK Marc ( 707885 )
          Well, for one, aren't they using licensed spectrum? Thus it's illegal to transmit on it, making it "secure", right?
          • Good idea, use licensed spectrum to make it illegal to interfere with air traffic control.

            Maybe they should also move the tower onto private land so they can stop bothering with those pesky locks on the door.
    • by slick7 ( 1703596 )

      [rolls up newspaper] [smacks FAA on the nose with rolled newspaper] Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems! [smacks FAA on the nose with rolled newspaper]

      Obviously, the FAA is too big to fail. I'll believe that when planes stop falling out of the sky.

    • It's easy to be concerned about encryption and authentication in a general sense, but no solutions are being offered that would make any sense.
      For encryption, who holds which keys? At best, you have thousands of planes flying around with public keys, and hundreds of airports with the private keys? Leaks are bound to happen. Or you use lots of individual keys -- at which point you're likely to have leaks AND synchronization issues, where a tower can't read data from a plane because the key's not in the syste

      • by HiThere ( 15173 )

        For encryption, the FAA holds the keys. It's not a perfect system, it won't stop all attacks. But it allows you to recognize unsigned packets, and it allows you to determine which issued key sent the invalid packets. (Only afterwards, unfortunately.) But you can pull key authentication if there's cause...like a plane being stolen. There *might* be too much time lag for that to be effective, but that depends on the attack vector. Actually, forget encryption. that doesn't buy you much, and it's expensiv

  • by Joe_Dragon ( 2206452 ) on Wednesday August 22, 2012 @04:27PM (#41086933)

    The Setec Astronomy box can get the past codes used in the certified and accredited system.

    • by plover ( 150551 ) *

      The Setec Astronomy box can get the past codes used in the certified and accredited system.

      So can an Arduino.

  • by Anonymous Coward

    I'm so glad that their system has been certified and accredited. That should mitigate all of the risk there.

    • Re:I'm so glad (Score:4, Insightful)

      by pixelpusher220 ( 529617 ) on Wednesday August 22, 2012 @05:20PM (#41087615)
      How do you get the public to not care about the TSA?

      Make an Air Traffic Control system so vulnerable nobody will want to fly...
  • by jehan60188 ( 2535020 ) on Wednesday August 22, 2012 @04:31PM (#41086997)

    maybe they don't use ruggedOS?

  • by bongey ( 974911 ) on Wednesday August 22, 2012 @04:32PM (#41087007)
    The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have system that works correctly and securely. The really scary part is there can be known bugs in FAA accredited system(operational flight programs, ground radar systems) and the manufactor will not release fix because that requires another accrediation process. Thought the point of the FAA was to make sure aviation is safe, not to make people fill out forms.
    • Cowboy coding is the absolute last thing you want in these systems. Rushing out the latest bug fixes is a terrible model for software that puts life at risk. Yes, this version might be hackable and that could cause problems if someone has malicious intent. Fixing the issue without a LOT of QA and bureaucracy to make sure proper testing procedures are followed is far more likely to kill people.

      • by bongey ( 974911 )
        Not for cowboy coding , or no QA . The problem is FAA since the system is "accredited" means it is safe, which is exactly the problem the article is pointing out.
        • by HiThere ( 15173 )

          I don't know if you can judge their real opinions and intent by their public statements. Lying to the public isn't only practiced by politicians.

      • "Rushing out the latest bug fixes is a terrible model for software that puts life at risk."

        Not if you have adequate code tests in place. But of course, if you did, you probably wouldn't have the bugs in the first place...

      • "Cowboy coding is the absolute last thing you want in these systems."

        No. The absolute last thing you want in these systems is cowboy system architects, which alas, is clearly what they had in this case. As far as the cowboy coding, it varies greatly with the cowboy.

    • the FAA can be more forgiving than EASA (I've worked on the opposite side of the table to both), but at least they don't just rubber stamp someone else's certification like most authorities... they can't just change the way their ATC system is secured overnight, and I'm sure if they are aware of a potential risk they are looking into it (as an organization they may be as faceless as any other, but there are some really smart people working there). aviation is probably one of the most bureaucratic and heavil
      • by Lightn ( 6014 ) on Wednesday August 22, 2012 @06:06PM (#41088185) Homepage
        Are you familiar with the discussion around Full disclosure [wikipedia.org]? There are good reasons to publicly release vulnerabilities and if people were made legally liable for doing that, it would probably decrease our security in the long run. Assuming the information Renderman released points to an actual vulnerability, the FAA response shows the exact reason why full disclosure is necessary.
      • Oh sure, blame the messenger. It is now his fault that FAA has a shitty insecure system, and it is his fault for not telling FAA, except that, hey, he did tell them.

        In fact, after he told them, the FAA said - no, we're secure.

        In fact, after he showed them, the FAA said - no, we're secure because we can filter it out.

        Bah, humbug. The faults lies with exactly one entity. The one that is pushing out the insecure shit. Not someone who found it insecure. For you or anyone else to blame him is fucking bullsh

        • Considering that it's the government I'm surprised they didn't simply try to classify and bury it.

        • But that's not how it ends! The Emperor strings the little imp up by his little boy toes for pointing out that he was not wearing any clothes! That teaches naughty little boys to point out the truth when the opposite has been "certified" and "accredited" by those selling you your new duds.
    • As always, it's the government (except the NSA) not being attractive enough or not paying enough to get some real experts on board.
      There are many government-paid university researchers around. Why was there no academic project to evaluate the quality of the system?

      • As always, it's the government (except the NSA) not being attractive enough or not paying enough to get some real experts on board.

        Private industry is just as bad. The big bucks on on perception management, and anything technical is generally approached with a "don't bother me" attitude. This works in private industry, because perception management is actually more important to making money. Kinda like politics.

        It depends on the organisation that you are working for. I have worked in excellent and poor government departments, and I have worked in excellent and poor private companies.

        Face-palm stupidity is orthogonal the private/p

    • by bleh-of-the-huns ( 17740 ) on Wednesday August 22, 2012 @06:12PM (#41088249)

      This is totally incorrect.

      Flaws and vulnerabilities discovered during the C&A process result in POA&Ms (Plan of Action and milestones) for each flaw and vulnerability. Each of those POA&Ms is tracked, and there is timeframe that the issue must be resolved, depending on the severity. Once flaw remediation is complete, the POA&M is closed.

      No recertification required. The only time recertification is required is when a certain percentage of the system is changed, not updated or fixed.

    • The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have system that works correctly and securely.

      That is absolutely a problem with private industry as well. And if you raise questions -- the messenger will be shot. If you demonstrate that something is wrong, you may well be shown the door.

  • by jandrese ( 485 ) <kensama@vt.edu> on Wednesday August 22, 2012 @04:33PM (#41087025) Homepage Journal
    Did the vendors who made the systems do the certification? Was security one of the criteria on the accreditation process? I would assume some form of security was on there, but do the people who know stuff about security (like the NSA) approve it?

    NextGen has been a huge boondoggle up to this point, and I wouldn't be surprised at all if an insecure system crept through the approval process because all of the alternatives kept failing. Encrypting the traffic would not be trivial either, because you have issues with key management and the fact that anybody can buy transponders and reverse engineer keys out of them. This equipment ultimately has to be available to every Tom, Dick, and Harry small aircraft pilot to be useful, and it's impossible to vet all of them. Even if you did, light aircraft aren't secure storage facilities, and it only takes one theft to render a naive system broken.
    • I agree completely, and most likely because the previous transponder system did not have any problems with spoofing it did not receive too much attention. Any government tends to be reactionary rather than proactive. So far the only transponders that are encrypted are military Identify Friend Foe (IFF) systems for obvious reasons.
    • by AmiMoJo ( 196126 )

      All aircraft in US airspace have to be registered. They have a unique identifying code. Standard public key crypto would allow the system to authenticate messages are really from the transponder they claim to be from, preventing spoofing. Someone could, as you say, copy one transponder's keys but it would be easy to simply blacklist that key and issue the real aircraft with a new one.

      The real problem is what do you do when you receive an unauthenticated message. Potentially it represents an aircraft experie

  • I'm confused (Score:5, Insightful)

    by wcrowe ( 94389 ) on Wednesday August 22, 2012 @04:39PM (#41087087)

    So, let me get this straight. We have to grope old women wearing diapers and four year olds for safety reasons, but there is no need to worry about the software because it is "certified"?

    • God damn I wish I had mod points.
    • by Anonymous Coward

      Both are excellent examples of security theater.

    • Re:I'm confused (Score:5, Insightful)

      by ark1 ( 873448 ) on Wednesday August 22, 2012 @05:20PM (#41087609)
      It's all about security theatre. Airport passenger screening is setup in a way to reduce fear within the general population instead of actual risks. Improving software security will not enhance the feeling of security in your average citizen.
  • by vlm ( 69642 ) on Wednesday August 22, 2012 @04:51PM (#41087225)

    explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy.

    He doesn't know much about the system. OK. go ahead... try to break it.... what'll happen? Nothing.

    Spraying junk into the system is irrelevant. Being unauth and unencrypted its simpler and cheaper just to build a raw RF jammer than to feed in formatted junk reports. That works really well until the .mil shows up to train their jamming countermeasures equipment against your jammer. Whoops. DF work isn't all that complicated and the higher the frequency the easier it is. Radar jamming has been an option for what, 70 years now, and nothing really ever comes of it? ATC/pilots already have procedures to survive radar outages. Happens all the time. Send a nice thunderstorm thru, send in the backhoes (lots of remote radar units connected by fiber). So jamming/spamming/forcing it out of service is useless. Nothing an attacker can send will break anything.

    I know about the ADS-B data structure. This stuff is small and simple. We're not talking about radar and jetliner sending sandboxed java applets to each other, its incredibly simpler than that. Its like declaring you can hack buffer overflows over a morse code telegraph. There's not enough "stuff" in the protocol to be turing complete.

    The attack vector is incredibly narrow. I know a lot more about piloting and radar RF and microcontrollers, and frankly pretty much everything in the system compared to this guy and I can't figure out how to actually bust it.

    Look at the guy's presentation. notes as I scan thru the slides. 1) He's cooler than you, crendentialism means he's correct (LOL) 2) he drinks vodka, very impressive proof 3) he admits he knows nothing about ATC and radar 4) He doesn't know much about RF or comms (pulse per second modulated, wtf is this star trek technobabble) 5) Other people are looking and no one has come up with anything 6) his threats are not serious and/or not realistic and/or already exist 7) I love this quote "some threats are total unknowns" yeah I think thats an excellent summary of the ADS-B "security hole". 8) the pretend made up scandal about the FAA not releasing "sensitive security information" is about skin painting radar coverage for smuggler detection, thats why they claim it has no impact on passenger aircraft... its not all space alien coverup unless your passenger craft is 50 feet off the ocean and full of coke I think you're OK. 9) "Not trying to spew FUD" LOL ok dude I hope the audience laughed at that. 10 ) Dude calls a homemade SDR RX an "exploit" LOL 11) he hopes they don't unplug primary radar... well duh how would they catch smugglers if all they had to do was flick a circuit breaker to disappear...

    Look I know the guys not an idiot in general. But this is the kind of thing that happens when someone who doesn't know anything about any individual components of a big system, or anything about the big system itself, gets all FUDdy and self promotional. If you don't know anything about the terrain you're fighting in or the tools you have, you'll lose, no matter how smart you are.

    TLDR is don't worry its not an issue. FUD FUD FUD self promotion thats all.

    • by Desler ( 1608317 )

      What's funny is that he can't even prove he can really do it. To demonstrate this supposed vulnerability ihe used a flight sim and then said 'just trust us that it'll work in real life'.

      Haines and hacker Nick Foster demonstrated this by spoofing a fake aircraft into simulated San Francisco airspace, using the Flight Gear simulator program. He said spoofing a target into the real ADS-B system would be a simple matter of transmitting the signal on the ADS-Bfrequencies.

      • by Bistromat ( 209985 ) on Wednesday August 22, 2012 @07:29PM (#41089081)

        I'm one of the authors.

        Unfortunately, transmitting live spoofed data into the real ATC system is Guantanamo fodder, and I'm trying to avoid becoming a domestic terrorist if at all possible.

        That said, this wasn't merely a simulation: real ADS-B frames were transmitted by a low-cost SDR (into a dummy load) based on the position of a simulated aircraft flying in FlightGear. Those transmitted frames were received by the same SDR (alongside real frames from real aircraft), and the resulting tracks plotted in Google Earth.

        See my comment here: http://tech.slashdot.org/comments.pl?sid=3065807&cid=41088873 [slashdot.org] for more information.

        • by vlm ( 69642 )

          transmitting live spoofed data into the real ATC system

          If you want to tx live unspoofed data talk to a avionics tech / aircraft mechanic or a guy who develops this stuff for a living. Its not that much of an accomplishment. Like saying you "hacked FM broadcasting" because you built a kit FM transmitter.

          If you want to generate spoofed data because you're good or bad a cheap aviation transponder and an imaginary NMEA stream will do quite well. No need to "build" stuff just go appliance operator...

    • by SirBitBucket ( 1292924 ) on Wednesday August 22, 2012 @05:10PM (#41087439)
      I beg to differ... Both the TRACON (or tower) radar, and the jetliner TCAS radar could be spoofed with multiple (like hundreds or thousands if need be) targets. How will the TRACON or TCAS software handle this many targets? It must drop some of them. Which ones should it drop? VFR targets? Targets not in the IFR system? What if bad guy spoofs the same code as existing targets (which he can read himself)? Eventually the real targets must get lost.

      Are there ways to handle this? Yes, old school "strips," and greater separation manually... But what if the controllers can't find the real targets? In VFR conditions everyone must see and avoid anyway, and IFR flights would probably have to revert to VFR if in VMC. But what of a bunch of IFR flights in actual IMC? TCAS you say? What if said bad guy could spoof TCAS as well? TCAS would likely handle the huge amount of targets even worse than the TRACON software (might even crash... in the software sense). Add a power stuck mic to jam up all the COMM frequencies and you cause a lot of trouble indeed. Pilots must follow a discreet set up rules in this case, but they are not perfect in that they cannot help a jetliner that has had a headwind the whole way, and is low on fuel with now opportunities to make it to a VMC field.

      I'm just saying I believe with enough resources it could be done. Create a ton of fake targets near a busy airport in bad weather. Jam all COM frequencies. Jam GPS, Jam the ILS/MLS. Jam the VOR signals, and any remaining NDBs. It may not lead to loss of life if the bad weather was not too far widespread (such that IFR flights could proceed to VMC and land VFR), but either way it would cause a lot of monetary damage, and a lot of terror in the flying public...

      Encryption would be a very good thing for ADS-B. As we update the system from old school mode C, we might as well be countering these things.

      • by slimjim8094 ( 941042 ) on Wednesday August 22, 2012 @06:50PM (#41088663)

        And if you did all that, it would be damn close to, if not actually (GPS is military), an act of war. Want to see just how fast the government can respond to an incident? Try the above. I'd give you about 15 minutes before you had military on your ass. They have smart missiles that can automatically target GPS and radar jammers [wikipedia.org], if they get desperate enough to get rid of your interference. And as you note, there's already procedures for going "old-school" and not relying on radar or TCAS or ILS. Even in "hard" IMC you should be able to use your instruments to stay in the air and away from other planes, and you should have enough fuel (you did your fuel calculation correctly, right?) to circle around a bit waiting for the situation to be resolved.

        • I still think it would be plausible... The regs only require enough fuel to reach your primary airport, your alternate, plus 45 mins. Winds aloft forecasts are not always accurate and many a plane has landed without a 45 min reserve. I am not so sure that you could shut such a jamming system down if it were well organized. For one, the bad guys could have multiple jammers making it difficult to locate them, and more time consuming to shut them down. One or more of the jammers could be from another aircraft,
          • by HiThere ( 15173 )

            If you're going to go to all that trouble, use robot jammers (i.e., no operator required, so no loss to speak of when they get blown up) and booby trap them you you can't move them without them exploding. No need to hide them, just superglue them to the pavement in various unobtrusive places, and set them to start on a timer. Or on a wi-fi signal, but timer is probably better.

            It's probably do-able, but I think the result would be more inconvenience than anything else. Everybody is just redirected to an a

        • "And if you did all that, it would be damn close to, if not actually (GPS is military), an act of war. Want to see just how fast the government can respond to an incident? Try the above. I'd give you about 15 minutes before you had military on your ass."

          Well then, it's a damn good thing that nobody would ever want to take that risk [wikipedia.org]!

        • I'd give you about 15 minutes before you had military on your ass.

          Considering that the military didn't really manage to do anything useful in the 34 minutes that elapsed between the second plane hitting the WTC and the Pentagon being struck on 9/11, I have my doubts about that estimate.

      • by vlm ( 69642 )

        nd IFR flights would probably have to revert to VFR if in VMC. But what of a bunch of IFR flights in actual IMC?

        If tcas is going off you're doin it wrong. Old fashioned separation rules. By altitude.

        Some non pilots think aviation is handled like a video game where you dodge dodge dodge like a WWI biplane dogfight. Not so.

        You rarely navigate by radar because its extremely embarassing to tell ATC you're lost and need a vector... you nav using GPS and VORs and NBDs

    • I'd imagine you're right. If the ADS-B goals lead to greater automation then there could be a problem. Even if fake signals were generated against the ADS-B system while radar was fully functional. Sure the system might cause a few alarms, but operators can easily qualify the alerts by checking the radar, and what not. With more automation, however, perhaps that level of qualification and human oversight is not used to discriminate alerts. I do not know just how far the ADS-B system (or future ones) in
    • by plover ( 150551 ) *

      While the most effective bank robbers in history have been MBAs (Lehman Bros.), that doesn't mean an MBA is a requirement for robbing a bank.

      Renderman certainly isn't an idiot. His qualifications are: hacker. We have ample instances where a hacker is able to make a system perform in an unexpected fashion, yielding profit, mayhem, or both. And he is very much an expert in that field.

      7) I love this quote "some threats are total unknowns" yeah I think thats an excellent summary of the ADS-B "security hole".

      You mocked him without refuting the point. Yes, the known problems are addressed. Sure, the attacks you can think of are cover

      • by Desler ( 1608317 )

        Except he hasn't even shown he can do what he claims. He just says that based on what he could do in a flight sim that reality would be the exact same.

    • by CompMD ( 522020 )

      As a fellow engineer who has worked on traffic systems and transponders that use ADS-B, thank you a thousand times for bringing some sense into this conversation.

      • by Zero__Kelvin ( 151819 ) on Wednesday August 22, 2012 @09:35PM (#41089977) Homepage
        No. He didn't bring some sense into the conversation. The people who brought sense into the conversation asked the question "what kind of idiot designs the system to make injection possible in the first place?" Computing History, as short as it is, is chock full of people who said "it is not a problem" because they couldn't imagine how it would be a problem, and then someone else came along and showed them the hard way. You're playing with people's lives. Not encrypting the connections in 2012 is tantamount to gross negligence. Period.
    • > ...works really well until .mil shows up [at your jammer]

      By that time half a dozen planes have crashed. 9/11 was a can-happen-only-once event, too.

    • by DL117 ( 2138600 )

      I'd mode you up, but you're already +5.

    • by Bistromat ( 209985 ) on Wednesday August 22, 2012 @07:09PM (#41088873)

      Hi, I'm one of the authors.

      The demonstration used a COTS SDR to transmit ADS-B squitters from positions derived from an aircraft flying in FlightGear. The same SDR was simultaneously receiving ADS-B frames from real aircraft, *including* the spoofed frames being transmitted locally. The combined frames were brought into the Google Earth display for viewing. Criticism suggesting that "it's just a flight simulator, it's not real" is incorrect: these are valid, correct ADS-B frames, transmitted (into a dummy load), which will be received and decoded by ADS-B IN hardware. There is a spec (DO-260B), and the transmissions meet that spec.

      The purpose of the demonstration was to show that valid ADS-B frames can be generated and transmitted by low-cost SDR hardware. This capability raises a number of interesting possible attack vectors, which were discussed in the presentation. The secondary purpose of the presentation was to get the FAA to clarify the countermeasures they plan on using to detect, identify, and eliminate spoofed transmissions from the data which controllers see. Specifically, there are two other sources of data they can use: multilateration, which depends on time-difference-of-arrival to calculate the originating position of a transmission (same principle as GPS); and maintaining a network of primary surveillance radar. Prior to this week (Steve Henn of NPR was the first to get the memo from the FAA), the FAA had not stated that they planned to maintain a full radar network, or to use multilateration to vet reports. In fact, reading older documentation, explicit mention is made of *shutting down* PSR to save money after ADS-B implementation is complete. So, you understand our concern.

      Additionally, ADS-B IN implementation aboard aircraft (rather than ground stations) provides no facility for validating reports via TDOA; this means that you can inject false reports into aircraft which are listening to other ADS-B reports. Currently few aircraft support this capability, but for those that do, you can squit fake aircraft right into their traffic display.

      Lastly, the last couple of slides from the Defcon presentation discuss an attack vector against TCAS, the collision avoidance system aircraft use to maintain separation when ATC fails to do so. This attack vector is particularly concerning because it provides direct pilot guidance: a false aircraft on a collision course will create audio and visual warnings in the cockpit (a "resolution advisory"). Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there. Obviously, this is concerning, and I'm unaware of any way to combat this.

      So yes, the presentation may have looked "FUDdy" without background into the problem, but there are real security issues here which need to be dealt with.

      • by vlm ( 69642 )

        Why waste dev time on a SDR TX when you can buy a used transponder off ebay for cheap or just steal one?

        Just sayin its not all that practical.

        Specifically, there are two other sources of data they can use

        Third is data gathering from multiple sites. You cannot generate enough power / altitude from the ground to knock out a substantial range. Talk to some microwave RF guys. So use the ring of airports/radars around the transmitter.... Of course this sucks AT o'hare if the jammer is in the o'hare parking lot...

        For ground purposes why can the ADS RX be on a narrow beam

        • by Bistromat ( 209985 ) on Wednesday August 22, 2012 @08:35PM (#41089617)

          Why waste dev time on a SDR TX when you can buy a used transponder off ebay for cheap or just steal one?

          Just sayin its not all that practical.

          Because the SDR TX took one evening in Gnuradio to implement.

          Third is data gathering from multiple sites. You cannot generate enough power / altitude from the ground to knock out a substantial range. Talk to some microwave RF guys. So use the ring of airports/radars around the transmitter.... Of course this sucks AT o'hare if the jammer is in the o'hare parking lot...

          For ground purposes why can the ADS RX be on a narrow beam antenna? HMm a network of them just triangulated on you.

          We aren't jamming. We're spoofing. Your idea regarding triangulation is generally correct, although they use multilateration, not direction of arrival. However, if your signal is only loud enough to be heard by a single station (or two stations), you can't multilaterate, and since 1090MHz is very much line of sight, the odds multiple stations will hear a ground-based spoofer are slim.

          They HAVE To maintain it. Otherwise my learjet full of coke gets the "cloaked ship" star trek effect if I flip the transponder circuit breaker off. They're never, ever, going to give up on skin painting. Maybe some phb who's never ATC'd or piloted a plane made up some story, but...

          I'm totally with you here. The problem is the FAA initially appeared not to recognize this; it appeared they wanted to maintain PSR/SSR in congested areas, but shut down some primary sites in less-trafficked areas. I am as glad as you are that they seem to understand the necessity of maintaining complete PSR/SSR.

          Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there.

          Talk to a pilot. The first thing you do is visual the incoming. So that limits it to IFR only conditions right off the top.

          A successful attach is going to be pretty ineffective and very dangerous to attempt. I just don't see it as an issue.

          If these attacks become popular, planes will just pop the tcas circuit breakers on order of ATC (probably in the ATIS/AWOS message?) and fly "pre-tcas" which works just fine.

          I don't agree with this. Disabling TCAS is a hazard in itself, ESPECIALLY in IFR condx. This is a problem.

      • by Render_Man ( 181666 ) on Wednesday August 22, 2012 @10:50PM (#41090537) Homepage

        Greetings,

        As the guy on stage giving the presentation, I feel the need to comment. I see Nick was already here ahead of me covering most of the points, but I figured I'd chime in.

        The FlightGear Demo video was, as Nick mentioned, a way to show that it was possible to put ADS-B data into the air with equipment available to any hobbiest. We used a flight sim and a dummy load because at no time would we ever put real data into the air without proper permissions and safety precautions. As much as I want to know what would happen, I have no desire to see anything bad happen to any aircraft or members of the flying public. It was a proof of concept to show the theory and a potential tool to test these theories.

        I fully admit I dont know the system inside and out. I dont see how someone needs to be in order to spot things that are just not right.

        In all the comments, much was said, but little evidence was offered. If you have evidence that you can share publically, please do so. Contact me at renderlab.net and prove me wrong. I would love to do a presentation where I answer all of my questions to my complete satisfaction.

        A few points were raised repeatedly that I'd like to address:

        "But multilateration takes care of that". Really. Please show me the report. What was the methodology for establishing that as adaquate?

        "But pilots and controllers are smart people" They are also human and make mistakes. Training and preperation are going to be key to solving this

        "Publicity seeking" Yes, I am seeking publicity, to get the aviation authorities to open up about these issues and provide some transparancy into the

        "Try to hack it, nothing will happen". I want to, with permission of course. This is why I'm asking anyone who has access to aircraft, ATC operations gear, manuals, avionics, etc. To come forth and let us test our theories publically. If everything is secure and safe, then the worst thing that happens is I look a bit foolish, but we all can fly home feeling a bit safer.

        Yes, there may have been errors in the slides. I admit so right at the beginning. The aviation industry is more acronym happy than the computer industry. Some of the numbers are from official documents and older versions of SOP's or summaries or any number of sources. Until I have the controllers procedures and standards manual in my hand, I only have publically available documents to go from, which may contain variations or errors. I'm human.

        Lastly many comments questioned my motives and the logic of going public. I set out to prove to myself that ADS-B and NextGen were safe. I failed in that. I do not think it is as secure and safe as has been made out to be. I kept trying to prove to myself it was safe but every avenue turned up more evidence to the contrary. I exhausted all the documents and resources I could find and so wanted to turn to the hacker community that I know and love and get thier help in trying to prove my theories wrong. These theories have been around longer than I and are most certain to have been discussed by existing bad guys. As was stated many times, dont shoot the messenger.

        TL;DR version: Show me your evidence, prove to me NextGen is safe. Let us test it for ourselves publically.

  • Sounds like a Dlibert comic

    I wonder what kind of "certificates" you can order online and use effectively. Besides diplomas I mean... Certainly those don't work, right? Not as if there were ever a Yahoo CEO to have falsified their education. Press credentials? Security certs?
  • Lt. Worf mastered the use of illusionary ship signatures to fool enemy warships. The trick, as it seems to apply here, is to fool the computer not the sensors. The ATC system may believe there are ghost ships out there, but sensors (radar) won't corroborate it.
  • Of course, if the FAA still believed in simple radar, and did not try to solely rely on ADS-B, they could at least tell if there was an aircraft there or not. But of course, that would put the expense on the FAA, not on individual aircraft owners, many of whom don't even want ADS-B. It sounds like a lot of software marketing stories: we know what you want, and don't try to tell us otherwise. Trust us, it's certified, and it will solve all your problems.
  • At least that part was interesting. I'm sure there's loads of radio driven digital equipment out there that has been designed under the assumption that the radio is proprietary and therefore the other side is almost certainly going to behave properly.
  • The people performing the process actually follow the guidelines as they were intended.

    The guidelines are based on NIST 800 series documentation, as well as any other internal rulebooks and policies in place at a particular organization.

    The entire process needs to be performed by independent auditors (as a consultant, one of my duties is the technical aspect of the C&A process), there is no incentive for me to bow to political or management pressure of the system owner. The results are provided directl

  • Is that while the C&A process can be interpreted many ways, in general, it is the security posture of the system and its components, not the functionality. Most assessors do not go that far because depending on the system, they may not be able to, or be equipped to test the actual functionality beyond the component level.

  • by DL117 ( 2138600 ) on Wednesday August 22, 2012 @06:48PM (#41088639) Homepage

    I just read the presentation. It seems like this guy knows just enough to scare himself and others.

    Mistakes:

    Page 13: The 'ID Number'(SSR/'squawk code') is automatically attached, it is not manual, nor is 'a great deal of work required'.
    Page 14: Pilots DO get traffic data from the current ATC system. Traffic detection systems on airplanes intercept the transponder replies, and use that to detect the location of other air traffic. Larger aircraft have systems that actually communicate each other to avoid collisions in emergencies. Those systems are called PCAS, and TCAS respectively.
    Page 14:Standard separation of aircraft is 3-10 miles and 1000 feet. Not 80 miles. That's just stunningly wrong.
    Page 15:Airplanes will ALWAYS need to avoid thunderstorms and volcanoes, radar or no radar.
    Page 16:Not too many errors here, but planes ALREADY can be closer than 5 miles.

    Page 23(the "scary stuff"): Yes, he(and you) can observe the air traffic. So what? It's not secret, hasn't ever been secret, and doesn't need to be secret. You don't need ADS-B to know that airplanes congregate around airports. This function is largely intentional, and nothing worse than a tool for enthusiasts. Critical thinking will tell you that it's not information that needs to be kept secret(flghtaware.com's FAQ explains this concept very well)

    So, the only real point on page 23 is the lac kof authentication. Which isn't much of an issue because it will be validated with radar. And, over the ocean, where there isn't radar, you probably won't have morons in boats spoofing signals.

    Page 27: None of these threats are actually dangerous. It's already public. Most flightplans are available online(flightaware.com), and you can see most airplanes in the sky. They take predictable routes around airports. It's not dangerous.

    Page 28: Most of these are valid concerns, but the opportunity to train the system isn't their. Fake flights will quickly be noticed. How? "Hey, none of these planes are landing. And it's tail number doesn't exist".

    Page 30: Autopilots DO NOT automatically avoid collisions, a warning signals the pilots to take action, essentially for this exact reason. Autopilots ONLY do things they have been explicitly told by the PILOT and no one else, including ATC.

    Page 30:Many large aircraft DO have radar onboard for traffic. It's called TCAS.

    Page 31: GPS jamming not new.

    Page 32: Not new. GPS spoofing isn't new, but is VERY rare.

    Points I'd like to highlight:

    1. ADS-B does not need to be private, and is not intended to be private. All of the concerns regarding lack of privacy here are invalid.
    2. Autopilots only take commands from the pilot(s) inside the cockpit. No one else.
    3.Only valid remaining concerns are signal spoofing.
    4.They have planned for this, and are clearly working on countermeasures.

    Just because the government lies and makes mistakes often, doesn't mean they do it always.

    Source:Aviation enthusiast, student pilot, many, many public documents.

    • by Anonymous Coward

      TCAS isn't radar. Its a radio receiver/DF unit. You can buy units that go into any plane, and will give you audible warnings just like the big guys. see

      http://www.sportys.com/PilotShop/product/9194

      for example.

      Overall your observations are spot on. This system should have been implemented 10+ years ago.

      • by DL117 ( 2138600 )

        You're talking about PCAS. TCAS is radar, and it also communicates with other TCAS units. The little units that go into light aircraft only give traffic advisories, where TCAS gives resolution advisories. PCAS also can only tell you distance an altitude, TCAS uses radar to give you the actual location of traffic.

    • by hweimer ( 709734 )

      Page 23(the "scary stuff"): Yes, he(and you) can observe the air traffic. So what? It's not secret, hasn't ever been secret, and doesn't need to be secret.

      Actually, I don't think so. With the increased availability of homebrew UAVs, it is probably a bad idea to give out the information how to steer these things right into the flight path of a 747.

  • ahhh, the outfit we cloned and put on the tors two years ago. yeah, they're real smart. A-D-M-I-N, P-A-S-S-W-O-R-D. at least they spelled it right.

  • I wrote about ADS-B homing drones last year and why jetliners (high value targets) should avoid beacon accuracy of Navigation Accuracy Category (NAC) level 7 (less than 93 meter accuracy) or better. It would be relatively easy to fly a piston powered model plane controlled by an iPod Touch connected to a GPS with 3-meter accuracy in front of the path of a jetliner carrying a small payload. The model plane wouldn't need to be fast because it would be the jetliner that runs into the model plane. http://www. [hightechforum.org]
    • Three mobile phones on the ground can locate aircraft to within 3m from a long way away in clear weather.

      • Even if that's possible, it's not nearly as simple as an autonomous standalone payload getting readings fed to it by the jetliner with 3 meter accuracy of position and speed and direction information.
  • But so is everything else, probably apart from ADS-C. Mode S radars, conventional secondary radars, and navaids like NDBs and DMEs. The whole system is open to abuse if you can be bothered but you have to transmit signals to do that and you won't get far without being caught.

Put no trust in cryptic comments.

Working...