Air Traffic Control Systems Vulnerabilities Could Make for Unfriendly Skies [Black Hat]

Researcher Andrei Costin discusses the security challenges facing ADS-B technology and how attackers can spoof air traffic signals.

The skies may not be as friendly as some people think.

In a talk at the Black Hat USA conference, security researcher Andrei Costin discussed the possibility of spoofing signals to air traffic control systems in attacks – all courtesy of roughly $1,000 worth of equipment. After his presentation, he sat down with SecurityWeek and revealed more details of how attackers could exploit weaknesses in the Automatic Dependent Surveillance-Broadcast (ADS-B) technology.

Costin, who is a PhD candidate at Eurecom – a research institute in France – said that the security issues he talked about in his presentation have been known for a while, though no one had actually demonstrated them. The weaknesses he demonstrated could potentially have large future implications, as the U.S. has mandated that the majority of aircraft operating within its airspace to be equipped with some form of ADS-B Out by 2020.

“Our intent was to make a practical demonstration of the attack, [with] the idea that the right people see the easiness and the cheapness of the attack so they can fix it now before they have the potential of a user can do the same thing,” he said.

To launch the attack, he used software-defined radio, which he said could be purchased for around $1,000. He also used an ADS-B receiver in order to verify the spoofed messages were being accepted. Because there is no encryption or authentication mechanism protecting ADS-B messages, the information can be intercepted and spoofed by attackers. For example, the attacker could mount a replay attack, intercepting packets with flight information in the air and then replaying them back to a targeted system.

“It is impossible to verify that the message is a real one or a spoof, and that it comes from a legitimate aircraft or device,” he said. “It’s an architecture issue…the protocol and the messages have to be improved in order to support authentication and encryption.”

This could have safety as well as privacy concerns, because an attacker could determine the location for example of a private jet. Though it is possible to use filed flight plans to rule out a spoofed signal indicating a plane is at a particular place that becomes difficult if there are a large number of planes involved, Costin explained.

He said he is unaware of any attacks like this taking place in the wild, though he speculated that it would be just a matter of time before it happened.

“The complexity I would say is medium,” noting that acquiring the necessary hardware is simple, but the attacker would need to have some knowledge of digital signal processing.

In a statement released to the media, the Federal Aviation Administration said it conducts ongoing assessments of ADS-B vulnerabilities and has a “security action plan” that mitigates risk. The agency also stated that it monitors the “progress of corrective action,” and plans to maintain about half of the current network of secondary radars as a backup to ADS-B in the event it is needed. Costin however, was more skeptical of the situation.

“The main mitigation that is currently helping is that they don’t use [ADS-B] as a primary…radar,” he said.