An article in AIN’s September issue addressed concerns that have been raised about the security of the ADS-B system, which is headed for widespread deployment around the world. ADS-B is designed to replace radar as the primary method for surveillance of airborne traffic. ADS-B can replace low-resolution radar detection of transponder-equipped aircraft with “automatic dependent surveillance-broadcast” or ADS-B signals, which broadcast speed, location and other information to properly equipped ground stations and other aircraft. ADS-B out-equipment, mandatory in the U.S. starting in 2020, transmits ADS-B information, while the more sophisticated ADS-B in equipment receives ADS-B information and makes it available to pilots.
ADS-B is not secure, according to a white paper published by Eurecom, a teaching and research consortium of seven European universities and nine international partners based in Sophia Antipolis, France. The paper was authored by Andrei Costin and Aurèlien Francillon. “In this paper,” they wrote, “we demonstrate that attacks are both easy and practically feasible for a moderately sophisticated attacker. Attacks range from passive attacks (eavesdropping) to active attacks (message jamming, replaying of injection).” What they mean by “replaying of injection” is creating fake ADS-B targets and injecting them into the ATC system so that controllers and pilots “see” false ADS-B targets that appear to be real aircraft. This so-called “spoofing” or injection of fake targets is one of the most urgent concerns of those raising questions about ADS-B security. And Costin and Francillon have demonstrated false injection, in a closed and safe test rig. They point out that injecting a false target “would require only an amplifier and an antenna to actually emit the radio signals.”
Addressing System Vulnerabilities
What concerns the authors of this white paper most is that, “Surprisingly, despite years of standardization, development, thorough testing and ongoing deployment, by design the ADS-B protocol used in commercial air traffic doesn’t specify mechanisms to ensure that protocol messages are authentic, non-replayed or adhere to other security properties. Given the budget involved, and the sensitivity of air traffic, it is surprising that such a system was not designed with security in mind.”
The white paper outlines specific security ADS-B vulnerabilities:
• Lack of entity authentication to protect against message injection from unauthorized entities.
• Lack of message signatures or authentication codes to protect against tampering of messages or impersonating aircraft.
• Lack of message encryption to protect against eavesdropping.
• Lack of challenge-response mechanisms to protect against replay attacks.
• Lack of ephemeral identifiers to protect against privacy tracking attacks.
Filling these security holes is achievable, according to the white paper, and one way to do so would be to incorporate public key infrastructure (PKI) as “a viable solution for securing ADS-B in the short and long terms. The first and simplest thing that would greatly enhance the security of ADS-B is to add integrity verification to ADS-B messages.”
The white paper authors believe that regulators should require avionics manufacturers to incorporate security integrity checking and PKI distribution processes into their ADS-B products. By doing this, they wrote, “the message injection is suddenly not possible or at least not as easy to accomplish.”
The paper’s conclusion asserts that ADS-B security issues have been well documented in previous studies and by the hacker community, but “the fundamental architectural and design problems of ADS-B have never been addressed and fixed. Also, given the efforts in terms of time and money invested so far and still to be invested, it is unclear why such mission-critical and safety-related protocols [are not] addressed at all and [there is no] security chapter in the main requirements specifications document.”
In response to AIN’s questions about ADS-B security for the September article, the FAA explained that it has ways to filter out spoofed ADS-B targets, although any details about such methods are secret. ITT Exelis, which is building the U.S. ground-station ADS-B network, told AIN: “The U.S. national ADS-B system has received the [FAA] information security certification and accreditation. The accreditation recognizes that the system has substantial information security features built in, including features to protect against the type of spoofing attacks cited in recent media reports. Exelis cannot divulge details on the security features built into the ADS-B system.”
Costin, the white paper co-author, is encouraged that concerns about ADS-B security are getting some new attention. He worries, however, that in the context of modern technology the FAA is naïve when it says it knows how to deal with spoofed targets but that such information is “security sensitive.” In an emailed response to AIN, Costin wrote, “Countless times history [has] shown that in IT/info security, ‘security by obscurity’ failed epically, starting from small companies and ending with giants and seasoned players; and in the long run it turned bad for them and, worse, it turned bad for their paying and unsuspecting customers. Unless the results are made public and the community can assess both the results and the ‘ways’ the FAA, Eurocontrol and ATC-concerned bodies are securing ADS-B and mitigating the threats and risks against described vulnerabilities–all these done in an open and transparent dialogue framework–there are doubts about full security. Indeed, [the FAA’s statement that] ‘We have ways of validating the data that shows up on a controller’s screen’ is true–there are various procedures and backup plans for the cases of ‘ghost [spoofed] aircraft,’ and mostly it is because ATC is still a human-centric technology, where a lot of work is done by humans (coordination, voice communication and so on). However, our point is that the system should be secured from the architecture and design, not as a side effect of the legacy.”
AIN asked a spokesman for the National Air Traffic Controllers Association whether controllers are being trained on how to deal with spoofed ADS-B targets or other security-related ADS-B issues. The spokesman said, “I was able to confirm with our safety and tech folks, there is no special training in place with ADS-B in regards to the matter that you asked about, the security matters and the possible hacking threats. [There is] no special training at this point.”