In 1956, America witnessed a watershed moment in aviation safety. A mid-air collision between two airliners over the Grand Canyon resulted in sweeping changes to safety regulations, and led to the creation of the FAA as it exists today.
Technology has moved on significantly since then, and we have a multitude of technological and administrative controls in place that significantly reduce (though do not eliminate) the risk of a mid-air collision.
One of the contributing factors in the collision, and one which received much public attention in the aftermath, was the lack of nationwide radar coverage of the continental United States. As a consequence, the controller who was directing the two aircraft didn’t have a complete picture of where exactly they were in relation to each other. This lack of radar coverage, however, is not uncommon in many parts of the world today. Take, for example, the fact that MH370 was able to fly for almost seven hours after disappearing from radar and it wasn’t picked up by any ground-based radar station during that time. Today, however, it’s possible for someone who doesn’t even have a radar station to track commercial (and many private) aircraft with great accuracy, through the use of ADS-B. I myself use a Raspberry Pi powered ADS-B base station to track and upload flight data in real time to FlightRadar24. That allows me to get GPS level accuracy about where an aircraft is, instantaneously. The only delay is the flight time of the signal from the aircraft to my receiver… and unfortunately the laws of physics have decreed that, for now at least, there’s nothing we can do about that. However, there’s still a problem: it’s a line-of-sight technology, and we still won’t know where exactly an aircraft is if it’s over the horizon, for example if it is one of the thousands of airliners that cross the Atlantic and Pacific Oceans every day (cue cool video). Iridium are working to remedy that problem by including ADS-B capable receivers in their satellites, which means we’ll have near global coverage. Hooray!
But that’s not why I started this blog post. I started this blog post because I believe that while ADS-B is a fantastic thing in principle, it’s another system that was essentially devised on the assumption that nobody will try to tamper with it, interfere with it, fool it, deny it or break it. It’s 2017. Robot scripts form botnets out of toasters and vending machines. I have heard it reasoned that ADS-B is a flight safety system, and thus encrypting it or using encryption to provide authentication would place a bar to entry (i.e. it would require additional equipment on board, at greater cost), and for much of general aviation, if it’s not necessary, it’s usually not included. However, what this means is that ADS-B is like one giant airborne system using ARP, and everyone knows how dangerously trusting ARP implementations are, even in modern operating systems. To show just how vulnerable ADS-B is to spoofing, researchers have already demonstrated the obvious (source code here).
Legal Warning: Do not build one of these. Do not transmit on 1090MHz. If you do, I didn’t tell you to do it. I told you precisely not to do it. Your ensuing discussions with the police and other civil authorities will be entirely your own fault.
Blog entry continues below:
Now here’s the thing: ADS-B feeds the recognised air picture within most national air traffic systems (such as NATS in the UK). It informs air traffic controllers of what aircraft are in the skies above, and thus it affects what decisions they make about how to route aircraft to their destinations while maintaining a safe separation between them. Now look at these two images, taken today, which show how aircraft on approach at busy international airports will line up one behind the other in a long chain awaiting their turn to land.
Now imagine recording the ADS-B transmissions from those aircraft and using them in a replay attack. The effects would be instant and mass confusion and panic.
On the ground, the tower would instantly receive warnings of multiple imminent collisions, and under incredible time pressure (and with no precedent for this scenario currently used in training of controllers so far as I’m aware) would not be able to reliably determine which aircraft were real and which were false.
In the air, where the on-board anti-collision system, TCAS, takes a data feed from ADS-B, the aircraft would instantly be issuing very urgent resolution advisories, having never first had a traffic advisory. When faced with confusing, seemingly contradictory information, there is also the possibility of some pilots not acting on it, or acting contrary to it. See the Überlingen mid-air collision for a precedent. Those that do act will likely all conduct a series of violent manoeuvres to avoid planes that simply don’t exist, and in doing so may even collide with other planes that do.
So there is a problem… and I suspect that it will only be a matter of time until someone does this for real. The aviation industry is a very large one, and like all industries of its size and global reach, it has a very wide turning circle. Change, if it comes, will likely only come slowly, and likely only after an incident has taken place. But what can be done? Perhaps some common-sense checks. Include within the equipment that reads ADS-B some logic which asks “Does this make sense?” Airliners don’t just appear out of nowhere. When they do, it should be grounds to conduct additional verifications such as asking the pilot if they can see that plane, or making it a different colour on the display to highlight that it hasn’t been acting like a normal aircraft. Duplicate ICAO hex codes shouldn’t exist. Where they do (as may likely happen in a replay attack), flag that up. Then there is basic direction finding and verification: if the ADS-B signal for an aircraft claiming to be to your West originates from your East, it’s almost certainly falsified.
In each instance however, it should be for the crew or the ground controller to decide whether or not to take action on a suspect signal, because sometimes false positives happen and it’s up to the pilot and the controller to make the safety decisions. Any equipment should only be used to inform those decisions, and shouldn’t be the thing making the decisions.
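The three checks suggested above (an aircraft that appears out of nowhere, one ICAO address used from incompatible positions, and a claimed position that disagrees with the signal's direction of arrival) could be sketched as follows. This is an added example, not code from the original post or from any avionics product, and it only returns advisory flags for a human to act on. The `Report` fields, flag names, thresholds and the availability of a direction-of-arrival measurement are all assumptions, and the sample reports are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass
class Report:                        # one decoded ADS-B position report (hypothetical shape)
    t: float                         # receive time, seconds
    icao: str                        # 24-bit ICAO address, hex
    lat: float
    lon: float
    doa_deg: Optional[float] = None  # measured direction of arrival, if a DF antenna exists

def distance_km(lat1, lon1, lat2, lon2):   # haversine great-circle distance
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))

def bearing_deg(lat1, lon1, lat2, lon2):   # initial bearing from point 1 to point 2
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.degrees(math.atan2(y, x)) % 360

class PlausibilityChecker:
    def __init__(self, rx_lat, rx_lon, popup_km=100.0, max_kmh=1300.0, doa_tol=30.0):
        self.rx, self.last = (rx_lat, rx_lon), {}   # last: icao -> previous Report
        self.popup_km, self.max_kmh, self.doa_tol = popup_km, max_kmh, doa_tol

    def check(self, r):
        flags, prev = [], self.last.get(r.icao)
        if prev is None:             # first sighting well inside coverage (needs a warm-up period)
            if distance_km(*self.rx, r.lat, r.lon) < self.popup_km:
                flags.append("POPUP")
        else:                        # same address, physically impossible jump: two sources
            hours = max(r.t - prev.t, 1.0) / 3600.0
            if distance_km(prev.lat, prev.lon, r.lat, r.lon) / hours > self.max_kmh:
                flags.append("ICAO_CONFLICT")
        if r.doa_deg is not None:    # claimed position versus where the signal came from
            claimed = bearing_deg(*self.rx, r.lat, r.lon)
            if abs((claimed - r.doa_deg + 180) % 360 - 180) > self.doa_tol:
                flags.append("BEARING_MISMATCH")
        self.last[r.icao] = r
        return flags                 # advisory only; the human decides what to do

def demo():
    c = PlausibilityChecker(51.5, -0.5)  # constructed receiver position
    # Constructed reports: a normal track, a conflicting duplicate, and a pop-up.
    rs = [Report(0, "ABC123", 51.5, 2.50, 90), Report(10, "ABC123", 51.5, 2.47, 90),
          Report(12, "ABC123", 51.5, -1.50, 90), Report(13, "DEF456", 51.6, -0.40)]
    return [c.check(r) for r in rs]
```

A departure from a nearby airfield would also raise `POPUP`, which is the kind of false positive that keeps the final call with the crew or controller.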
Well… those are my thoughts on the matter. Useful when it works, dangerous when it doesn’t. But hey, I’m inherently against taking any unnecessary risk, and so I’m always a doomsayer when it comes to security. You never know, it might never happen…