Researcher Finds Security Holes In FAA's New Flight Control System
gManZboy writes "A key component of the FAA's emerging 'Next Gen' air traffic control system is fundamentally insecure and ripe for manipulation and attack, security researcher Andrei Costin said in a presentation Wednesday at Black Hat 2012. Costin outlined a series of issues related to the Automatic Dependent Surveillance-Broadcast (ADS-B) system, a replacement to the decades-old ground radar system used to guide airplanes through the sky and on the ground at airports. Among the threats to ADS-B: The system lacks a capability for message authentication. 'Any attacker can pretend to be an aircraft' by injecting a message into the system, Costin said. There's also no mechanism in ADS-B for encrypting messages. One example problem related to the lack of encryption: Costin showed a screen capture showing the location of Air Force One — or that someone had spoofed the system."
Misleading title... (Score:5, Informative)
An air traffic control system is not a flight control system. Flight control systems in the aviation world relate to things that control the ailerons, elevators and rudders on an aircraft. ATC systems may provide inputs into an FCS when in autopilot but it is an external input.
Re: (Score:3, Informative)
True, but since ATC's DO provide info to FCS's, and since most commercial flights are nowadays operated almost entirely by FCS except during takeoff and landing, the potential for extreme mischief exists in the form of making airplanes "disappear" and then redirecting them to random (or attacker chosen) destinations, causing mid-air collisions, or any other kind of bad behavior that could be done by causing traffic control confusion.
Of course, there is still the pilot onboard to correct ftc errors (if noti
Re:Misleading title... (Score:5, Insightful)
> True, but since ATC's DO provide info to FCS's,
No they don't. Period. ATC NEVER provides direct control to planes. PILOTS provide information to FCS, which may or may not be provided via ATC, which may or may not be at least partially based on ADS. It's also worth noting that ADS is not intended to replace radar in high traffic areas, which are in fact the areas most likely targeted for tomfoolery.
Re: (Score:3)
Actually, the PILOTS control the aircraft and have the *FINAL* decision about flying the aircraft. Compliance with Air Traffic Control instructions is legally required in some instances but there are exceptions. If the pilot determines that following the instruction would be impossible, unsafe or beyond the capabilities of the aircraft, he can refuse. Of course, the FAA can fine and take your license away once you get on the ground if they don't agree with you.
If a pilot chooses to disobey, he had better d
Re:Misleading title... (Score:4, Informative)
> True, but since ATC's DO provide info to FCS's
As an Air Traffic Controller with both the Army and at one of the largest airports in the midwest, I'm sorry to say, but this post couldn't be any more distant from the truth. We provide absolutely no information to the FCS on aircraft and at no point does our hardware communicate anything to the aircraft. We receive information from aircraft and that is it.
All navigation on the aircraft is done by completely internal equipment that the pilot can override at any point.
Air Traffic Controllers (the people) issue instructions, which the pilots are obligated to obey, but in the case that they believe an instruction from ATC is unsafe, they have the final say (and will ultimately be liable for the choice, but that's another matter).
> Runway collisions become ever more likely the longer a compromise situation exists.
Runway collisions? Ground control is done via visual observation from the tower by a human being. Also, the pilots have windows which they can see out of. Yes, there are radar systems on the ground to back up some areas that are harder to see on large airfields, but visual control is still the primary method of control on the ground.
Re: (Score:2)
What happens to the system when it displays planes that are not there?
Or conceals planes that are?
Re: (Score:1)
Nothing, so to speak. ATC systems are not entirely autonomous systems. People, whether they be air traffic control or the pilots, have to interpret the information and act on it.
Re: (Score:1, Informative)
> What happens to the system when it displays planes that are not there?
If it doesn't have a flight plan, or is squawking a code not assigned by ATC, then they know something weird is going on. Maybe we lose the use of a little airspace, since ATC will probably not allow other airplanes to fly into conflict with the ghost plane. Maybe fighters are scrambled
> Or conceals planes that are?
Flyway 70 heavy, negative radar contact. Resume standard position reporting.
Solutions are there, but not being used (Score:5, Informative)
WAM [wikipedia.org] can ameliorate the injection problem the TFA mentions (they could still lie but it won't matter), but it requires more hardware and communications equipment. The US is the last to jump on board with wholesale ADS-B adoption so these problems are more than just hypothetical. You can see the passive aspect of the article at work here [planefinder.net]. Planefinder is a central repository where people with software defined radios configured to listen to ADS-B dump their output.
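A sketch of the consistency check that multilateration makes possible, added here as an illustration and not taken from the thread or from any deployed WAM system: the position a message claims is compared with the arrival-time differences measured at several ground receivers. The receiver layout, the 300 m tolerance, the synchronised clocks and all names are assumptions.

```go
package main

import (
	"fmt"
	"math"
)

const lightSpeed = 299792458.0 // metres per second

// Rx is one ground receiver: position in a local Cartesian frame (metres) and the
// time it heard the message (seconds, receiver clocks assumed synchronised).
type Rx struct{ X, Y, Z, TOA float64 }

func rng(r Rx, x, y, z float64) float64 {
	return math.Sqrt((r.X-x)*(r.X-x) + (r.Y-y)*(r.Y-y) + (r.Z-z)*(r.Z-z))
}

// Observe fills in the arrival times a transmitter at (x, y, z) would really produce.
func Observe(sites []Rx, x, y, z float64) []Rx {
	out := make([]Rx, len(sites))
	for i, s := range sites {
		s.TOA = rng(s, x, y, z) / lightSpeed
		out[i] = s
	}
	return out
}

// MaxResidual returns, in metres, the worst disagreement between measured
// arrival-time differences and those implied by the position the message claims.
func MaxResidual(rx []Rx, x, y, z float64) float64 {
	worst := 0.0
	for i := 1; i < len(rx); i++ {
		measured := (rx[i].TOA - rx[0].TOA) * lightSpeed
		expected := rng(rx[i], x, y, z) - rng(rx[0], x, y, z)
		worst = math.Max(worst, math.Abs(measured-expected))
	}
	return worst
}

// Consistent requires four receivers for a 3-D check; tolM is the tolerance in metres.
func Consistent(rx []Rx, x, y, z, tolM float64) bool {
	return len(rx) >= 4 && MaxResidual(rx, x, y, z) <= tolM
}

func main() {
	sites := []Rx{{X: 0, Y: 0}, {X: 50000, Y: 0}, {X: 0, Y: 50000}, {X: 50000, Y: 50000}}
	heard := Observe(sites, 1000, 2000, 0) // constructed: transmitter actually on the ground
	fmt.Println(Consistent(heard, 40000, 30000, 10000, 300)) // claimed airborne position
}
```

The claimed coordinates are never trusted on their own; a report whose timing does not fit its stated position is flagged regardless of what the payload says.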
Re: (Score:1)
For what it's worth, there were four [wikipedia.org] planes, [wikipedia.org] not two, and other buildings were severely damaged, but not destroyed. (Though I think some were damaged sufficiently that they had to be torn down.)
> They can fly 747's with only two weeks of flight training.
For a definition of "fly" that does not include take-off or landing.
Re: (Score:1)
I guess Megane is one of the majority of people who conveniently forgot about building 7 falling for what seems like no reason.
In the end I don't think we have to worry about the 'terrorists' flying planes into buildings. No commercial plane I have ever seen has pods attached to the bottom and shoot flame out the front right before impact with the buildings. There are too many inconsistencies with the 'official' story for that to be the truth.
two very different concerns (Score:5, Informative)
The public being able to track planes by listening in on their communications, which may indeed have privacy implications, has been the status quo for years. You can find all sorts of online sites with those kinds of maps (example [planefinder.net]). Maybe that should or shouldn't be the case, but I think it's fair to say it's the current expected case: if you're flying in a plane, your location is public knowledge to anyone within range of your transmissions who cares to listen to them.
Now being able to inject bogus messages, that's a completely different kind of security problem.
Re:two very different concerns (Score:5, Insightful)
There is a reason this info is not encrypted: People need to know where airplanes are in the sky, especially other planes, including private aircraft.
You don't really want airplanes' location in the sky to be a secret or you literally run into serious trouble.
Re: (Score:2)
> There is a reason this info is not encrypted: People need to know where airplanes are in the sky, especially other planes, including private aircraft.
Actually, I'm not sure how encryption would help. Using a single key doesn't help because it would need to be public. The only way to be totally secure is to have some kind of public/private key set up where every aircraft/radio has an assigned verifiable key to sign things with (at a minimum). The issue becomes key distribution and updating the public keys in some way that is secure. Anything short of total security in the keys and the radios they are loaded into and you are open to this spoofing issue.
Re: (Score:2)
SSL shows how this problem is solved already. Instead of domain names, you have tail numbers.
FAA runs the CA. Airlines could have their own intermediaries if desired. Each plane gets a keypair when they get their tail number. Regeneration is required if they have to replace the beacon, though, but if this system wasn't built from shoestrings and 56k modems this wouldn't be a large problem. Or, you could let pilots keep their keypair themselves so they can be loaded as needed, however you'd need to enforce s
Re: (Score:2)
Encrypting or signing would be a solution but CA and Key maintenance *is* really the problem here no matter how you slice this. Sure, you assign keys to the aircraft by tail number, but you also have to maintain a secure way to assure that this key only gets used on this aircraft and cannot be disclosed otherwise. Aircraft maintenance takes place world wide so the keys must be available to load into radios world wide, which opens up a channel for keys to leak out to unauthorized users. Once you have unaut
harsh reality (Score:1)
SETEC ASTRONOMY box (Score:4, Interesting)
So now I don't need the SETEC ASTRONOMY box to get into the radar system.
Re: (Score:2)
Indeed, there are way TOO MANY SECRETS already...
Re: (Score:3)
-1 Made me feel old
Really? (Score:5, Informative)
Posting AC, I work on ATC software.
Perhaps I'm being naive, but I'm not entirely sure where the threat is here. ATC systems work with flight plans, so if someone is spoofing ADS-B tracks and generating multiple tracks, we're generally going to associate the track that most closely matches the predicted position of the plane; most likely the real one. More importantly, ATC systems factor in more than one type of surveillance source, most places with ADS-B will have RADAR coverage. Once you factor in secondary RADAR (even if it's slower and less reliable), you're going to need a whole other aircraft to spoof another one since it's looking for actual aircraft, not just messages from ground stations.
I'm pretty new to the field, but these threats seem exactly as described, theoretical.
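The association logic described in the comment above, sketched as an added example (not code from the thread or from any ATC product): each ADS-B track is matched against the flight-plan prediction for its callsign, the closest one is kept, and that one is only accepted if a radar plot falls within a gate around it. Callsigns, coordinates, the flat local frame and the 2 km gate are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Track is one ADS-B report: claimed callsign and position (km, local frame).
type Track struct {
	Callsign string
	X, Y     float64
}

type Status string

const (
	Associated     Status = "associated"     // best match to the plan, radar agrees
	Uncorroborated Status = "uncorroborated" // best match to the plan, no radar plot nearby
	Duplicate      Status = "duplicate"      // same callsign, farther from the prediction
	NoPlan         Status = "no-flight-plan" // callsign has no filed plan
)

// Assess labels every ADS-B track; predicted maps callsign to the flight-plan position.
func Assess(adsb []Track, predicted map[string][2]float64, radar [][2]float64, gateKm float64) []Status {
	out := make([]Status, len(adsb))
	best := map[string]int{} // callsign -> index of the track closest to its prediction
	for i, t := range adsb {
		p, ok := predicted[t.Callsign]
		if !ok {
			out[i] = NoPlan
			continue
		}
		j, seen := best[t.Callsign]
		if !seen || math.Hypot(t.X-p[0], t.Y-p[1]) < math.Hypot(adsb[j].X-p[0], adsb[j].Y-p[1]) {
			best[t.Callsign] = i
		}
		out[i] = Duplicate
	}
	for _, i := range best {
		out[i] = Uncorroborated
		for _, r := range radar {
			if math.Hypot(adsb[i].X-r[0], adsb[i].Y-r[1]) <= gateKm {
				out[i] = Associated
			}
		}
	}
	return out
}

func main() {
	adsb := []Track{{"TEST70", 101, 50.5}, {"TEST70", 140, 80}, {"GHOST1", 20, 20}}
	plan := map[string][2]float64{"TEST70": {100, 50}}
	fmt.Println(Assess(adsb, plan, [][2]float64{{100.8, 50.4}}, 2))
}
```

Run without any radar plots, the same input downgrades the best match to `uncorroborated`, which is the situation the replies about phasing out radar are worried about.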
coverage (Score:3)
Will we keep RADAR coverage? Some of the magazines I've read indicate that as the ADS-B transition continues that RADAR coverage will be phased out. Maybe they only meant the secondary RADARs and not the primary, but that is not how the articles read. If that becomes the case, then assuming the dot closest to the flight plan is the real one, could be an error.
Re: (Score:1)
The intent is and always has been to EXPAND coverage with ADS-B and to augment coverage in RADAR areas. It's true some very rural, moderate to low areas, which currently have radar coverage may disappear, but in ALL areas which have high traffic (as in all areas where any ADS-B hack is worthy of time), RADAR will already be in place.
You need to keep in mind, RADAR has some limitations to which ADS-B can augment and improve. So even if ADS-B information is spoofed, ATC still has the information and procedures
Re: (Score:2)
I would think that ADS-B might replace most civilian use of radar, but not military use. I know somebody who works with aerospace and apparently after 9/11 there was quite a bit of effort to try to boost primary radar coverage, since any terrorist who wants to do something bad without getting shot down is going to have their transponders off. If you're concerned with actual military air defense then radar is your only option, as incoming bombers aren't going to have lights on, let alone radar transponders
Re: (Score:1)
From what I remember reading ADS-B is also going to be used where there is no RADAR coverage, over the oceans etc.
It will also be used to communicate to other aircraft the position of an aircraft, this could be another major source of problems with spoofing communications.
Re: (Score:1)
You're talking about ADS-C, which is meant to be used when there is no RADAR coverage (and reports will be few and far between). ADS-B relies on ground stations receiving ADS-B messages.
Re: (Score:2)
I work at an airport and talk to our FAA tower guys a lot, and they tell me the ultimate goal is to make most radar go away and rely on GPS. FAA has had these plans since the early 2000's, although groups like AOPA protest that we should keep some kind of radar backup.
Air Force One (Score:1)
Knowing where an aircraft is doesn't really help you if it is at 30000 feet. Anyone trying to assassinate the president will wait until it is approaching or leaving an airport before letting off the shoulder fired missile.
maturity of process (Score:2)
Well I'm sure there are very competent engineers twice my age, but the state of project management for highly complex software systems still leaves a bit to be desired. Management still has a little bit of catching up to do when it comes to making secure applications. They likely realize that these features are needed but often get left on the cutting floor due to cost and deadlines. I find the security risk assessment executive management levels in the industry in general to be lacking direction and focus
Re: (Score:2)
Oops..yay mobile
But of course. (Score:2)
{digital, secure} : choose one.
Re: (Score:2)
That's your phone ringing. A phreak from the 80's begs to differ:
{cheap, secure enough}: choose one.
ADS (Score:2)
I'm not sure how long ADS has been around (decades?) but it's never been encrypted. I'm surprised they've taken so long to notice.
I don't see it happening any time soon either, because end-to-end key management would be a nightmare. Airlines hate updating their avionics because it takes the plane out of service for days of reconfiguration and testing.
And what do you do if the aircraft doesn't have the right key for the ATC center they need to communicate with?
Re: (Score:2)
Why encrypt? Unless you are trying to conceal your whereabouts [slashdot.org] it's of little use.
What the system could use is an authentication scheme, with transmissions signed, or not. All transmissions would be readable, but each consumer could decide how to handle signed, unsigned, or unverifiable (key not in list) data.
Aircraft to aircraft communications would not need to be authenticated. Just assume, for safety's sake, that if there's something out there, you should avoid it. ATC, approach control and whatnot hav
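The signed-but-readable scheme proposed in this comment, together with the per-aircraft keypair idea from the earlier key-management replies, as an added sketch that is not part of the thread: the payload stays in the clear and the receiver sorts reports into signed, unsigned, or unverifiable (key not in list), plus a fourth case for a known key whose signature fails. Real ADS-B frames have no signature field; the `Report` layout, the use of Ed25519, the tail numbers and the registry are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Report is a hypothetical signed position report (assumption, not an ADS-B format).
type Report struct {
	Tail    string // identifier used to look up the public key
	Payload []byte // position data, readable by everyone
	Sig     []byte // empty when the sender did not sign
}

// Registry stands in for a CA-distributed list of per-aircraft public keys.
type Registry map[string]ed25519.PublicKey

type Verdict string

const (
	Signed       Verdict = "signed"        // verifies under the registered key
	Unsigned     Verdict = "unsigned"      // no signature attached
	Unverifiable Verdict = "unverifiable"  // signed, but key not in list
	BadSignature Verdict = "bad-signature" // key known, signature does not verify
)

// signedBytes binds the identifier to the payload so a signature cannot be
// reused under a different tail number.
func signedBytes(tail string, payload []byte) []byte {
	return append([]byte(tail+"|"), payload...)
}

// GenKey creates a keypair; passing nil selects crypto/rand.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the transmitter side.
func Sign(tail string, payload []byte, priv ed25519.PrivateKey) Report {
	return Report{Tail: tail, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(tail, payload))}
}

// Classify never drops a report; each consumer decides what to do with the verdict.
func Classify(r Report, reg Registry) Verdict {
	if len(r.Sig) == 0 {
		return Unsigned
	}
	pub, ok := reg[r.Tail]
	if !ok {
		return Unverifiable
	}
	if ed25519.Verify(pub, signedBytes(r.Tail, r.Payload), r.Sig) {
		return Signed
	}
	return BadSignature
}

func main() {
	pub, priv := GenKey()
	reg := Registry{"N00001": pub} // constructed tail number
	fmt.Println(Classify(Sign("N00001", []byte("lat=41.97 lon=-87.90 alt=3000"), priv), reg))
}
```

A valid signature only proves who produced the bytes; a recorded report replayed later still verifies unless the signed payload also carries a timestamp or counter that the receiver checks.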
You can thank the DO-178B standard for that (Score:2)
In use already (Score:2)
(Re)discovering the obvious (Score:2)
Having sat thru a number of talks at defcon they can be a lot of fun and interesting but rarely educational.
One example: a few years back a presenter demonstrated a MITM attack against Windows SMB.
My thought was if there is no machine authentication or data encryption on the wire just WTF did anyone expect? The guy didn't discover anything he just implemented what everyone else already knew could be done.
When title says "Research Finds Security Hole" ... it is actually researcher rediscovered what everyone else wit
War Games? (Score:2)
Does this scenario remind anyone else of the old War Games movie, where WOPR would put fake Backfire bombers on NORAD's screens?
FCS reality (Score:2)