
Researcher Finds Security Holes In FAA's New Flight Control System

Posted by samzenpus
from the blue-screen-and-sky dept.
gManZboy writes "A key component of the FAA's emerging 'Next Gen' air traffic control system is fundamentally insecure and ripe for manipulation and attack, security researcher Andrei Costin said in a presentation Wednesday at Black Hat 2012. Costin outlined a series of issues related to the Automatic Dependent Surveillance-Broadcast (ADS-B) system, a replacement to the decades-old ground radar system used to guide airplanes through the sky and on the ground at airports. Among the threats to ADS-B: The system lacks a capability for message authentication. 'Any attacker can pretend to be an aircraft' by injecting a message into the system, Costin said. There's also no mechanism in ADS-B for encrypting messages. One example problem related to the lack of encryption: Costin showed a screen capture showing the location of Air Force One — or that someone had spoofed the system."

  • Misleading title... (Score:5, Informative)

    by Vylen (800165) on Friday July 27, 2012 @07:10AM (#40788903)

    An air traffic control system is not a flight control system. Flight control systems in the aviation world relate to things that control the ailerons, elevators and rudders on an aircraft. ATC systems may provide inputs into an FCS when in autopilot but it is an external input.

    • Re: (Score:3, Informative)

      by d3ac0n (715594)

      True, but since ATC's DO provide info to FCS's, and since most commercial flights are nowadays operated almost entirely by FCS except during takeoff and landing, the potential for extreme mischief exists in the form of making airplanes "disappear" and then redirecting them to random (or attacker chosen) destinations, causing mid-air collisions, or any other kind of bad behavior that could be done by causing traffic control confusion.

      Of course, there is still the pilot onboard to correct ftc errors (if noti

      • by Anonymous Coward on Friday July 27, 2012 @08:16AM (#40789321)

        > True, but since ATC's DO provide info to FCS's,

        No they don't. Period. ATC NEVER provides direct control to planes. PILOTS provide information to FCS, which may or may not be provided via ATC, which may or may not be at least partially based on ADS. It's also worth noting that ADS is not intended to replace radar in high traffic areas, which are in fact the areas most likely targeted for tomfoolery.

      • by bobbied (2522392)

        Actually, the PILOTS control the aircraft and have the *FINAL* decision about flying the aircraft. Compliance with Air Traffic Control instructions is legally required in some instances but there are exceptions. If the pilot determines that following the instruction would be impossible, unsafe or beyond the capabilities of the aircraft, he can refuse. Of course, the FAA can fine and take your license away once you get on the ground if they don't agree with you.

        If a pilot chooses to disobey, he had better d

      • by sHORTYWZ (777909) on Friday July 27, 2012 @09:45AM (#40790375) Homepage

        > True, but since ATC's DO provide info to FCS's

        As an Air Traffic Controller with both the Army and at one of the largest airports in the midwest, I'm sorry to say, but this post couldn't be any more distant from the truth. We provide absolutely no information to the FCS on aircraft and at no point does our hardware communicate anything to the aircraft. We receive information from aircraft and that is it.

        All navigation on the aircraft is done by completely internal equipment that the pilot can override at any point.

        Air Traffic Controllers (the people) issue instructions, which the pilots are obligated to obey, but in the case that they believe an instruction from ATC is unsafe, they have the final say (and will ultimately be liable for the choice, but that's another matter).

        > Runway collisions become ever more likely the longer a compromise situation exists.

        Runway collisions? Ground control is done via visual observation from the tower by a human being. Also, the pilots have windows which they can see out of. Yes, there are radar systems on the ground to back up some areas that are harder to see on large airfields, but visual control is still the primary method of control on the ground.

    • by Hillgiant (916436)

      What happens to the system when it displays planes that are not there?

      Or conceals planes that are?

      • by Vylen (800165)

        Nothing, so to speak. ATC systems are not entirely autonomous systems. People, whether they be air traffic control or the pilots, have to interpret the information and act on it.

      • Re: (Score:1, Informative)

        by Anonymous Coward

        > What happens to the system when it displays planes that are not there?

        If it doesn't have a flight plan, or is squawking a code not assigned by ATC, then they know something weird is going on. Maybe we lose the use of a little airspace, since ATC will probably not allow other airplanes to fly into conflict with the ghost plane. Maybe fighters are scrambled

        > Or conceals planes that are?

        Flyway 70 heavy, negative radar contact. Resume standard position reporting.

  • by nten (709128) on Friday July 27, 2012 @07:30AM (#40789009)

    WAM [wikipedia.org] can ameliorate the injection problem the TFA mentions (they could still lie but it won't matter), but it requires more hardware and communications equipment. The US is the last to jump on board with wholesale ADS-B adoption so these problems are more than just hypothetical. You can see the passive aspect of the article at work here [planefinder.net]. Planefinder is a central repository where people with software defined radios configured to listen to ADS-B dump their output.

  • by Trepidity (597) <(gro.hsikcah) (ta) (todhsals-muiriled)> on Friday July 27, 2012 @07:34AM (#40789035)

    The public being able to track planes by listening in on their communications, which may indeed have privacy implications, has been the status quo for years. You can find all sorts of online sites with those kinds of maps (example [planefinder.net]). Maybe that should or shouldn't be the case, but I think it's fair to say it's the current expected case: if you're flying in a plane, your location is public knowledge to anyone within range of your transmissions who cares to listen to them.

    Now being able to inject bogus messages, that's a completely different kind of security problem.

    • by capedgirardeau (531367) on Friday July 27, 2012 @07:40AM (#40789069)

      There is a reason this info is not encrypted: People need to know where airplanes are in the sky, especially other planes, including private aircraft.

      You don't really want airplanes' location in the sky to be a secret or you literally run into serious trouble.

      • by bobbied (2522392)

        > There is a reason this info is not encrypted: People need to know where airplanes are in the sky, especially other planes, including private aircraft.

        Actually, I'm not sure how encryption would help. Using a single key doesn't help because it would need to be public. The only way to be totally secure is to have some kind of public/private key set up where every aircraft/radio has an assigned verifiable key to sign things with (at a minimum). The issue becomes key distribution and updating the public keys in some way that is secure. Anything short of total security in the keys and the radios they are loaded into and you are open to this spoofing issue.

        • by X0563511 (793323)

          SSL shows how this problem is solved already. Instead of domain names, you have tail numbers.

          FAA runs the CA. Airlines could have their own intermediaries if desired. Each plane gets a keypair when they get their tail number. Regeneration is required if they have to replace the beacon, though, but if this system wasn't built from shoestrings and 56k modems this wouldn't be a large problem. Or, you could let pilots keep their keypair themselves so they can be loaded as needed, however you'd need to enforce s

          • by bobbied (2522392)

            Encrypting or signing would be a solution but CA and Key maintenance *is* really the problem here no matter how you slice this. Sure, you assign keys to the aircraft by tail number, but you also have to maintain a secure way to assure that this key only gets used on this aircraft and cannot be disclosed otherwise. Aircraft maintenance takes place worldwide so the keys must be available to load into radios worldwide, which opens up a channel for keys to leak out to unauthorized users. Once you have unaut

    • by DL117 (2138600)

      It doesn't need to be private. There simply isn't any risk from the public knowing where airplanes are. (being able to inject bogus traffic is dangerous, but the worst it could do is cause delays)

  • No one died yet from that type of attack so it won't happen unless enough people put pressure. But after the 9/11 attack, I don't think it's gonna be a problem to fix those security issues... I hope
  • SETEC ASTRONOMY box (Score:4, Interesting)

    by Joe_Dragon (2206452) on Friday July 27, 2012 @07:38AM (#40789053)

    So now I don't need the SETEC ASTRONOMY box to get into the radar system.

  • Really? (Score:5, Informative)

    by Anonymous Coward on Friday July 27, 2012 @07:41AM (#40789075)

    Posting AC, I work on ATC software.

    Perhaps I'm being naive, but I'm not entirely sure where the threat is here. ATC systems work with flight plans, so if someone is spoofing ADS-B tracks and generating multiple tracks, we're generally going to associate the track that most closely matches the predicted position of the plane; most likely the real one. More importantly, ATC systems factor in more than one type of surveillance source, most places with ADS-B will have RADAR coverage. Once you factor in secondary RADAR (even if it's slower and less reliable), you're going to need a whole other aircraft to spoof another one since it's looking for actual aircraft, not just messages from ground stations.

    I'm pretty new to the field, but these threats seem exactly as described, theoretical.
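
The association logic this comment describes (prefer the track nearest the flight-plan prediction, then check an independent radar source), together with the no-flight-plan check raised in an earlier reply, as an added example. It is not from the thread or from any real ATC system; the function names, labels, 5 nm gate and sample data are all assumptions.

```python
import math
from collections import defaultdict

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def distance_nm(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def triage(adsb, predicted, radar, gate_nm=5.0):
    """Label each ADS-B report; nothing is dropped, only flagged for a human.

    adsb:      list of (track_id, address, (lat, lon)) from ground stations
    predicted: {address: (lat, lon)} extrapolated from filed flight plans
    radar:     list of (lat, lon) plots from an independent radar source
    """
    labels = {}
    by_address = defaultdict(list)
    for track_id, address, pos in adsb:
        if address not in predicted:
            labels[track_id] = "no-flight-plan"
        else:
            dist = distance_nm(pos, predicted[address])
            by_address[address].append((dist, track_id, pos))
    for candidates in by_address.values():
        candidates.sort()  # nearest to the predicted position first
        for rank, (dist, track_id, pos) in enumerate(candidates):
            if rank > 0:
                labels[track_id] = "duplicate-address"
            elif dist > gate_nm:
                labels[track_id] = "off-plan"
            elif any(distance_nm(pos, plot) <= gate_nm for plot in radar):
                labels[track_id] = "associated"
            else:
                labels[track_id] = "associated-no-radar"
    return labels

# Constructed sample data (not real traffic): one plausible track, one
# duplicate claiming the same address, one track with no flight plan.
SAMPLE_ADSB = [
    ("t1", "ABC123", (41.98, -87.90)),
    ("t2", "ABC123", (42.60, -87.10)),
    ("t3", "FFFFFF", (41.50, -88.20)),
]
SAMPLE_PREDICTED = {"ABC123": (41.97, -87.92)}
SAMPLE_RADAR = [(41.981, -87.899)]
SAMPLE_LABELS = triage(SAMPLE_ADSB, SAMPLE_PREDICTED, SAMPLE_RADAR)
```

The "associated-no-radar" label is the case the replies below argue about: without an independent source, the nearest-to-plan rule is the only check left.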

    • by nten (709128)

      Will we keep RADAR coverage? Some of the magazines I've read indicate that as the ADS-B transition continues that RADAR coverage will be phased out. Maybe they only meant the secondary RADARs and not the primary, but that is not how the articles read. If that becomes the case, then assuming the dot closest to the flight plan is the real one, could be an error.

      • by Brandano (1192819)

        You can presume that a malicious plane will not bother with advertising its position on ADS-B. As a matter of fact it will probably try to be as undetectable as possible to radars or other sensors. So radar coverage will most probably keep on being in place, even if purely for military reasons.

      • by Anonymous Coward

        The intent is and always has been to EXPAND coverage with ADS-B and to augment coverage in RADAR areas. It's true some very rural, moderate to low areas, which currently have radar coverage may disappear, but in ALL areas which have high traffic (as in all areas where any ADS-B hack is worthy of time), RADAR will already be in place.

        You need to keep in mind, RADAR has some limitations to which ADS-B can augment and improve. So even if ADS-B information is spoofed, ATC still has the information and procedures

      • by Rich0 (548339)

        I would think that ADS-B might replace most civilian use of radar, but not military use. I know somebody who works with aerospace and apparently after 9/11 there was quite a bit of effort to try to boost primary radar coverage, since any terrorist who wants to do something bad without getting shot down is going to have their transponders off. If you're concerned with actual military air defense then radar is your only option, as incoming bombers aren't going to have lights on, let alone radar transponders

    • From what I remember reading ADS-B is also going to be used where there is no RADAR coverage, over the oceans etc.

      It will also be used to communicate to other aircraft the position of an aircraft, this could be another major source of problems with spoofing communications.

      • by Anonymous Coward

        You're talking about ADS-C, which is meant to be used when there is no RADAR coverage (and reports will be few and far between). ADS-B relies on ground stations receiving ADS-B messages.

    • by DesScorp (410532)

      I work at an airport and talk to our FAA tower guys a lot, and they tell me the ultimate goal is to make most radar go away and rely on GPS. FAA has had these plans since the early 2000's, although groups like AOPA protest that we should keep some kind of radar backup.

  • If you wanted to know where Air Force One was wouldn't it be easier just to turn on the news?

    Knowing where an aircraft is doesn't really help you if it is at 30000 feet. Anyone trying to assassinate the president will wait until it is approaching or leaving an airport before letting off the shoulder fired missile.

  • Well I'm sure there are very competent engineers twice my age, but the state of project management for highly complex software systems still leaves a bit to be desired. Management still has a little bit of catching up to do when it comes to making secure applications. They likely realize that these features are needed but often get left on the cutting floor due to cost and deadlines. I find the security risk assessment executive management levels in the industry in general to be lacking direction and focus

  • {digital, secure} : choose one.

    • by malloc (30902)

      That's your phone ringing. A phreak from the 80's begs to differ:

      {cheap, secure enough}: choose one.

  • by 0123456 (636235)

    I'm not sure how long ADS has been around (decades?) but it's never been encrypted. I'm surprised they've taken so long to notice.

    I don't see it happening any time soon either, because end-to-end key management would be a nightmare. Airlines hate updating their avionics because it takes the plane out of service for days of reconfiguration and testing.

    And what do you do if the aircraft doesn't have the right key for the ATC center they need to communicate with?

    • by PPH (736903)

      Why encrypt? Unless you are trying to conceal your whereabouts [slashdot.org] it's of little use.

      What the system could use is an authentication scheme, with transmissions signed, or not. All transmissions would be readable, but each consumer could decide how to handle signed, unsigned, or unverifiable (key not in list) data.

      Aircraft to aircraft communications would not need to be authenticated. Just assume, for safety's sake, that if there's something out there, you should avoid it. ATC, approach control and whatnot hav

  • I worked briefly on a DO-178B project (the process standard for aircraft systems software), and this sounds entirely likely to me. The reason is that DO-178B basically requires you to code everything, rather than using existing libraries unless they are also certified (and almost nothing open source is certified). It doesn't make the software better -- in fact, it makes it worse, since you have a bunch of coders reimplementing algorithms for everything because they can't use outside libraries. It also ma

  • ADS-B is in use already and has been since at latest 2000 in the NAT system for position reporting while crossing the Atlantic though the advanced features are still not installed in most commercial aircraft. I'm not aware of any exploits of this kind as of yet- not to say TFA is wrong. Current ATC methods are exploitable and there are numerous and continuing incidences of meaconing [wikipedia.org] and intrusion of VHF and UHF control frequencies (North Korea are famous troublemakers). Anyone with a transceiver can do thi

  • Having sat thru a number of talks at defcon they can be a lot of fun and interesting but rarely educational.

    One example: a few years back a presenter demonstrated a MITM attack against Windows SMB.

    My thought was if there is no machine authentication or data encryption on wire just WTF did anyone expect? The guy didn't discover anything he just implemented what everyone else already knew could be done.

    When title says "Research Finds Security Hole" ... it is actually researcher rediscovered what everyone else wit

  • Does this scenario remind anyone else of the old War Games movie, where WOPR would put fake Backfire bombers on NORAD's screens?

  • If you believe a bunch of jack-off Saudi arabs flew into the WTC, then you really don't know the status of FCS.
