FAA Denies Vulnerabilities In New Air Traffic Control System 141
bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."
The Setec Astronomy box can get the past codes (Score:4, Interesting)
The Setec Astronomy box can get the past codes used in the certified and accredited system.
The FAA , another broken government organization. (Score:3, Interesting)
Re:Doesn't know much about the system (Score:5, Interesting)
Are there ways to handle this? Yes, old school "strips," and greater separation manually... But what if the controllers can't find the real targets? In VFR conditions everyone must see and avoid anyway, and IFR flights would probably have to revert to VFR if in VMC. But what of a bunch of IFR flights in actual IMC? TCAS you say? What if said bad guy could spoof TCAS as well? TCAS would likely handle the huge amount of targets even worse than the TRACON software (might even crash... in the software sense). Add a power stuck mic to jam up all the COMM frequencies and you cause a lot of trouble indeed. Pilots must follow a discreet set up rules in this case, but they are not perfect in that they cannot help a jetliner that has had a headwind the whole way, and is low on fuel with now opportunities to make it to a VMC field.
I'm just saying I believe with enough resources it could be done. Create a ton of fake targets near a busy airport in bad weather. Jam all COM frequencies. Jam GPS, Jam the ILS/MLS. Jam the VOR signals, and any remaining NDBs. It may not lead to loss of life if the bad weather was not too far widespread (such that IFR flights could proceed to VMC and land VFR), but either way it would cause a lot of monetary damage, and a lot of terror in the flying public...
Encryption would be a very good thing for ADS-B. As we update the system from old school mode C, we might as well be countering these things.
Re:Doesn't know much about the system (Score:5, Interesting)
And if you did all that, it would be damn close to, if not actually (GPS is military), an act of war. Want to see just how fast the government can respond to an incident? Try the above. I'd give you about 15 minutes before you had military on your ass. They have smart missiles that can automatically target GPS and radar jammers [wikipedia.org], if they get desperate enough to get rid of your interference. And as you note, there's already procedures for going "old-school" and not relying on radar or TCAS or ILS. Even in "hard" IMC you should be able to use your instruments to stay in the air and away from other planes, and you should have enough fuel (you did your fuel calculation correctly, right?) to circle around a bit waiting for the situation to be resolved.
Re:Doesn't know much about the system (Score:4, Interesting)
Hi, I'm one of the authors.
The demonstration used a COTS SDR to transmit ADS-B squitters from positions derived from an aircraft flying in FlightGear. The same SDR was simultaneously receiving ADS-B frames from real aircraft, *including* the spoofed frames being transmitted locally. The combined frames were brought into the Google Earth display for viewing. Criticism suggesting that "it's just a flight simulator, it's not real" is incorrect: these are valid, correct ADS-B frames, transmitted (into a dummy load), which will be received and decoded by ADS-B IN hardware. There is a spec (DO-260B), and the transmissions meet that spec.
The purpose of the demonstration was to show that valid ADS-B frames can be generated and transmitted by low-cost SDR hardware. This capability raises a number of interesting possible attack vectors, which were discussed in the presentation. The secondary purpose of the presentation was to get the FAA to clarify the countermeasures they plan on using to detect, identify, and eliminate spoofed transmissions from the data which controllers see. Specifically, there are two other sources of data they can use: multilateration, which depends on time-difference-of-arrival to calculate the originating position of a transmission (same principle as GPS); and maintaining a network of primary surveillance radar. Prior to this week (Steve Henn of NPR was the first to get the memo from the FAA), the FAA had not stated that they planned to maintain a full radar network, or to use multilateration to vet reports. In fact, reading older documentation, explicit mention is made of *shutting down* PSR to save money after ADS-B implementation is complete. So, you understand our concern.
Additionally, ADS-B IN implementation aboard aircraft (rather than ground stations) provides no facility for validating reports via TDOA; this means that you can inject false reports into aircraft which are listening to other ADS-B reports. Currently few aircraft support this capability, but for those that do, you can squit fake aircraft right into their traffic display.
Lastly, the last couple of slides from the Defcon presentation discuss an attack vector against TCAS, the collision avoidance system aircraft use to maintain separation when ATC fails to do so. This attack vector is particularly concerning because it provides direct pilot guidance: a false aircraft on a collision course will create audio and visual warnings in the cockpit (a "resolution advisory"). Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there. Obviously, this is concerning, and I'm unaware of any way to combat this.
So yes, the presentation may have looked "FUDdy" without background into the problem, but there are real security issues here which need to be dealt with.
Re:Doesn't know much about the system (Score:4, Interesting)
Why waste dev time on a SDR TX when you can buy a used transponder off ebay for cheap or just steal one?
Just sayin its not all that practical.
Because the SDR TX took one evening in Gnuradio to implement.
Third is data gathering from multiple sites. You cannot generate enough power / altitude from the ground to knock out a substantial range. Talk to some microwave RF guys. So use the ring of airports/radars around the transmitter.... Of course this sucks AT o'hare if the jammer is in the o'hare parking lot...
For ground purposes why can the ADS RX be on a narrow beam antenna? HMm a network of them just triangulated on you.
We aren't jamming. We're spoofing. Your idea regarding triangulation is generally correct, although they use multilateration, not direction of arrival. However, if your signal is only loud enough to be heard by a single station (or two stations), you can't multilaterate, and since 1090MHz is very much line of sight, the odds multiple stations will hear a ground-based spoofer are slim.
They HAVE To maintain it. Otherwise my learjet full of coke gets the "cloaked ship" star trek effect if I flip the transponder circuit breaker off. They're never, ever, going to give up on skin painting. Maybe some phb who's never ATC'd or piloted a plane made up some story, but...
I'm totally with you here. The problem is the FAA initially appeared not to recognize this; it appeared they wanted to maintain PSR/SSR in congested areas, but shut down some primary sites in less-trafficked areas. I am as glad as you are that they seem to understand the necessity of maintaining complete PSR/SSR.
Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there.
Talk to a pilot. The first thing you do is visual the incoming. So that limits it to IFR only conditions right off the top.
A successful attach is going to be pretty ineffective and very dangerous to attempt. I just don't see it as an issue.
If these attacks become popular, planes will just pop the tcas circuit breakers on order of ATC (probably in the ATIS/AWOS message?) and fly "pre-tcas" which works just fine.
I don't agree with this. Disabling TCAS is a hazard in itself, ESPECIALLY in IFR condx. This is a problem.
Re:Doesn't know much about the system (Score:5, Interesting)
Greetings,
As the guy on stage giving the presentation, I feel the need to comment. I see Nick was already here ahead of me covering most of the points, but I figured I'd chime in.
The FlightGear Demo video was, as Nick mentioned, a way to show that it was possible to put ADS-B data into the air with equipment available to any hobbiest. We used a flight sim and a dummy load because at no time would we ever put real data into the air without proper permissions and safety precautions. As much as I want to know what would happen, I have no desire to see anything bad happen to any aircraft or members of the flying public. It was a proof of concept to show the theory and a potential tool to test these theories.
I fully admit I dont know the system inside and out. I dont see how someone needs to be in order to spot things that are just not right.
In all the comments, much was said, but little evidence was offered. If you have evidence that you can share publically, please do so. Contact me at renderlab.net and prove me wrong. I would love to do a presentation where I answer all of my questions to my complete satisfaction.
A few points were raised repeatedly that I'd like to address:
"But multilateration takes care of that". Really. Please show me the report. What was the methodology for establishing that as adaquate?
"But pilots and controllers are smart people" They are also human and make mistakes. Training and preperation are going to be key to solving this
"Publicity seeking" Yes, I am seeking publicity, to get the aviation authorities to open up about these issues and provide some transparancy into the
"Try to hack it, nothing will happen". I want to, with permission of course. This is why I'm asking anyone who has access to aircraft, ATC operations gear, manuals, avionics, etc. To come forth and let us test our theories publically. If everything is secure and safe, then the worst thing that happens is I look a bit foolish, but we all can fly home feeling a bit safer.
Yes, there may have been errors in the slides. I admit so right at the beginning. The aviation industry is more acronym happy than the computer industry. Some of the numbers are from official documents and older versions of SOP's or summaries or any number of sources. Until I have the controllers procedures and standards manual in my hand, I only have publically available documents to go from, which may contain variations or errors. I'm human.
Lastly many comments questioned my motives and the logic of going public. I set out to prove to myself that ADS-B and NextGen were safe. I failed in that. I do not think it is as secure and safe as has been made out to be. I kept trying to prove to myself it was safe but every avenue turned up more evidence to the contrary. I exhausted all the documents and resources I could find and so wanted to turn to the hacker community that I know and love and get thier help in trying to prove my theories wrong. These theories have been around longer than I and are most certain to have been discussed by existing bad guys. As was stated many times, dont shoot the messenger.
TL;DR version: Show me your evidence, prove to me NextGen is safe. Let us test it for ourselves publically.