FAA Denies Vulnerabilities In New Air Traffic Control System
bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."
Bad FAA! (Score:5, Insightful)
[smacks FAA on the nose with rolled newspaper]
Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems!
[smacks FAA on the nose with rolled newspaper]
Certified and accredited: By Whom? (Score:5, Insightful)
NextGen has been a huge boondoggle up to this point, and I wouldn't be surprised at all if an insecure system crept through the approval process because all of the alternatives kept failing. Encrypting the traffic would not be trivial either, because you have issues with key management and the fact that anybody can buy transponders and reverse engineer keys out of them. This equipment ultimately has to be available to every Tom, Dick, and Harry small aircraft pilot to be useful, and it's impossible to vet all of them. Even if you did, light aircraft aren't secure storage facilities, and it only takes one theft to render a naive system broken.
I'm confused (Score:5, Insightful)
So, let me get this straight. We have to grope old women wearing diapers and four-year-olds for safety reasons, but there is no need to worry about the software because it is "certified"?
Re:I'm confused (Score:5, Insightful)
Re:I'm so glad (Score:4, Insightful)
Make an Air Traffic Control system so vulnerable nobody will want to fly...
Re:Doesn't know much about the system (Score:5, Insightful)
I'm one of the authors.
Unfortunately, transmitting live spoofed data into the real ATC system is Guantanamo fodder, and I'm trying to avoid becoming a domestic terrorist if at all possible.
That said, this wasn't merely a simulation: real ADS-B frames were transmitted by a low-cost SDR (into a dummy load) based on the position of a simulated aircraft flying in FlightGear. Those transmitted frames were received by the same SDR (alongside real frames from real aircraft), and the resulting tracks plotted in Google Earth.
See my comment here: http://tech.slashdot.org/comments.pl?sid=3065807&cid=41088873 for more information.
Re:Doesn't know much about the system (Score:4, Insightful)