Researcher: Hackers could trick new air traffic control systems into seeing fake aircraft
The new system will be rolled out in the United States by 2014
The FAA says it conducts onging assessments of vulnerabilites
Air traffic control technology is getting a major upgrade in the United States that is scheduled to be completed in 2014, but the new systems are susceptible to potentially dangerous manipulation, according to a security researcher.
The actual flaws might seem mild compared to everyone’s worst fears and common Hollywood plot lines. Planes cannot be forced from the sky or dangerously redirected. But the researcher says the system can be tricked into seeing aircraft that are not actually there. Messages sent using the system are not encrypted or authenticated, meaning anyone with the basic technology and know-how could identify a plane and see its location.
Computer scientist Andrei Costin, a Ph.D. student at Eurecom, gave a talk on the weaknesses of the new air traffic system at the Black Hat security conference in Las Vegas on Wednesday. He did not mention any known hacks of the system, but did demonstrate the potential negative scenarios.
Old radar systems are being replaced with a new technology called Automatic Dependent Surveillance - Broadcast system, or ADS-B. The traditional radars work by sending a signal that triggers an aircraft’s responder to send back its position. The new system uses the global satellite navigation system to continuously broadcast the locations of planes. The information is sent to other aircraft and ground stations; the ground station sends the location to air traffic controllers.
The new system will open up this flight information to a new player: the general public.
“There are various applications which you can go to and basically see, online, in real time, all the airplanes which broadcast their information,” said Costin.
According to Costin, the chance of these security holes being exploited for terrorism is unlikely, but he says they still have the potential to be used by pranksters, paparazzi and military intelligence organizations interested in tracking private aircraft or confusing air traffic control systems on the ground. Intercepting the messages, jamming the system or attacking it by adding false information does not require advanced technology; the necessary software-defined radio retails for under $800.
One of the technology’s makers downplayed the threat.
“We are quite familiar with the theory that ADS-B could be ‘spoofed,’ or barrage jammed by false targets. There’s little new here. In fact, just about any radio frequency device can be interfered with somewhat,” said Skip Nelson, the president of ADS-B Technologies, which is one of many companies making these components. “I obviously can’t comment on countermeasures, but you should know that this issue has been thoroughly investigated and international aviation does have a plan.”
In a statement, the Federal Aviation Administration said it already has a process in place for addressing potential threats to the system, and it does conduct ongoing assessments of vulnerabilities: “An FAA ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action. These risks are security sensitive and are not publicly available.”
The FAA has sunk millions of dollars into the system. The benefits of the ADS-B are that it will show more precise locations of aircraft and pilots will have access to more information about surrounding aircraft while in the air. The FAA also says it is more environmentally friendly by making flight routes more direct and saving on fuel.
Given the large time and financial investment, the FAA is not going to abandon the new technology. However, it isn’t throwing out the old system completely, just in case.
“The FAA plans to maintain about half of the current network of secondary radars as a backup to ADS-B in the unlikely event it is needed,” the FAA said in its statement.