Researcher Finds Security Holes In FAA's New Flight Control System
gManZboy writes "A key component of the FAA's emerging 'Next Gen' air traffic control system is fundamentally insecure and ripe for manipulation and attack, security researcher Andrei Costin said in a presentation Wednesday at Black Hat 2012. Costin outlined a series of issues related to the Automatic Dependent Surveillance-Broadcast (ADS-B) system, a replacement to the decades-old ground radar system used to guide airplanes through the sky and on the ground at airports. Among the threats to ADS-B: The system lacks a capability for message authentication. 'Any attacker can pretend to be an aircraft' by injecting a message into the system, Costin said. There's also no mechanism in ADS-B for encrypting messages. One example problem related to the lack of encryption: Costin showed a screen capture showing the location of Air Force One — or that someone had spoofed the system."
An air traffic control system is not a flight control system. Flight control systems in the aviation world relate to things that control the ailerons, elevators and rudders on an aircraft. ATC systems may provide inputs into an FCS when in autopilot but it is an external input.
This type of problem is what happens in "modern" development where customers and developers design the program. Neither have an understanding of the implications of their choices.
Sometimes things have to be designed from the ground up, and the logical integrity verified before the first line of code is written.
WAM can ameliorate the injection problem the TFA mentions (they could still lie, but it won't matter), but it requires more hardware and communications equipment. The US is the last to jump on board with wholesale ADS-B adoption, so these problems are more than just hypothetical. You can see the passive aspect of the article at work here. Planefinder is a central repository where people with software-defined radios configured to listen to ADS-B dump their output.
I work in the industry, and I can tell you that there are a number of reasons that this is nothing to be concerned about. First and foremost, any "New System" that the FAA would put in place (including ADS-B Only ACT) will take decades before the change is actually made. Things move at glacial speeds in ATC, due to all the testing and verification required.
There are technical reasons this type of spoofing/interference isn't a problem as well, but I won't get into those. Rest assured, an ATC system won't be taken down by anything this gentleman has 'discovered'.
The public being able to track planes by listening in on their communications, which may indeed have privacy implications, has been the status quo for years. You can find all sorts of online sites with those kinds of maps (example). Maybe that should or shouldn't be the case, but I think it's fair to say it's the current expected case: if you're flying in a plane, your location is public knowledge to anyone within range of your transmissions who cares to listen to them.
Now being able to inject bogus messages, that's a completely different kind of security problem.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
No one has died yet from that type of attack, so it won't happen unless enough people put pressure on. But after the 9/11 attack, I don't think it's gonna be a problem to fix those security issues... I hope.
So now I don't need the SETEC ASTRONOMY box to get into the radar system.
Posting AC, I work on ATC software.
Perhaps I'm being naive, but I'm not entirely sure where the threat is here. ATC systems work with flight plans, so if someone is spoofing ADS-B tracks and generating multiple tracks, we're generally going to associate the track that most closely matches the predicted position of the plane, most likely the real one. More importantly, ATC systems factor in more than one type of surveillance source; most places with ADS-B will have RADAR coverage. Once you factor in secondary RADAR (even if it's slower and less reliable), you're going to need a whole other aircraft to spoof another one, since it's looking for actual aircraft, not just messages from ground stations.
I'm pretty new to the field, but these threats seem exactly as described, theoretical.
Knowing where an aircraft is doesn't really help you if it is at 30,000 feet. Anyone trying to assassinate the president will wait until it is approaching or leaving an airport before letting off the shoulder-fired missile.
Will we keep RADAR coverage? Some of the magazines I've read indicate that as the ADS-B transition continues that RADAR coverage will be phased out. Maybe they only meant the secondary RADARs and not the primary, but that is not how the articles read. If that becomes the case, then assuming the dot closest to the flight plan is the real one, could be an error.
Well, I'm sure there are very competent engineers twice my age, but the state of project management for highly complex software systems still leaves a bit to be desired. Management still has a little bit of catching up to do when it comes to making secure applications. They likely realize that these features are needed, but they often get left on the cutting-room floor due to cost and deadlines. I find security risk assessment at executive management levels in the industry in general to be lacking direction and focus, and this leads to mistakes such as this.
Part of me wonders if it is because management simply lacks a strong engineering or software perspective in the general consciousness. It's easy to forget that a decade ago not everyone was using a computer and that 20 years ago the internet could be measured in a petabyte. People still kept their documents and procedures in binders. I wonder if we will have better software when generations that have grown up around computers pervade the highest levels of management in companies that sell and develop software.
{digital, secure} : choose one.
The FAA says: 'it has taken steps to mitigate risks uncovered as part of an ADS-B security action plan. The agency declined to identify the risks it has identified or addressed, calling them "security-sensitive." '
Seems strange.
Could be a normal knee jerk reaction of a 'security' person.
Could be to prevent showing the FAA in a bad light.
I sure hope it's not that the mitigations still left holes and so we have a system protected by security through obscurity.
Security through obscurity only works if the bad guy is prevented from knowing critical details of how the system works.
For a published system, this seems unlikely.
Another kind of security through obscurity is a system with a simple vulnerability that you hope the bad guy doesn't see.
This assumes a dumb bad guy. In the long term, this seems a dumb (squared) assumption.
I'm not sure how long ADS has been around (decades?) but it's never been encrypted. I'm surprised they've taken so long to notice.
I don't see it happening any time soon either, because end-to-end key management would be a nightmare. Airlines hate updating their avionics because it takes the plane out of service for days of reconfiguration and testing.
And what do you do if the aircraft doesn't have the right key for the ATC center they need to communicate with?
I worked briefly on a DO-178B project (the process standard for aircraft systems software), and this sounds entirely likely to me. The reason is that DO-178B basically requires you to code everything, rather than using existing libraries unless they are also certified (and almost nothing open source is certified). It doesn't make the software better -- in fact, it makes it worse, since you have a bunch of coders reimplementing algorithms for everything because they can't use outside libraries. It also makes it take 3 times as long to document the software as it does to develop it.
ADS-B is in use already and has been since 2000 at the latest in the NAT system for position reporting while crossing the Atlantic, though the advanced features are still not installed in most commercial aircraft. I'm not aware of any exploits of this kind as of yet, not to say TFA is wrong. Current ATC methods are exploitable, and there are numerous and continuing incidents of meaconing and intrusion on VHF and UHF control frequencies (North Korea are famous troublemakers). Anyone with a transceiver can do this, so I'm surprised it doesn't happen more often. The concerns are likely valid but less significant than current vulnerabilities. What does surprise me is that we're still controlling aircraft in the same manner as when I started flying 25 years ago; I'm ready to embrace some improvements. The greatest annoyance: not having full-duplex transceivers.
Having sat through a number of talks at DEF CON, they can be a lot of fun and interesting but rarely educational.
One example: a few years back a presenter demonstrated a MITM attack against Windows SMB.
My thought was, if there is no machine authentication or data encryption on the wire, just WTF did anyone expect? The guy didn't discover anything; he just implemented what everyone else already knew could be done.
When the title says "Research Finds Security Hole"... it is actually a researcher rediscovering what everyone else with domain knowledge already knew.
I suspect a great number of tools can be abused by denying GPS, jamming the VHF party line, ranging signals, radars, etc. The point of this system seems to be a safety tool to add situational awareness. It does not "replace" anything; it just adds capabilities.
I'm not sure what the point would be of encrypting if half the value of this system is allowing other pilots to see WTF is going on around them.
I would much prefer the system to be insecure and everyone know it than have it be "secure" and people relying on the data without thinking or checking.
Seems to me to be just the aviation industry's equivalent of maritime AIS, with exactly the same issues raised. AIS never excused anyone from watchkeeping or radar.
I work for a company that has some equipment in this system. My understanding is that ADS-B targets were being triangulated by multiple antennas in order to prove they were real targets, kind of using a MULTILAT-type check against the GPS position provided. Now it may be possible to overload the servers by transmitting millions of fake targets or blinding the antennas, but you could do that with RADAR today.
As for whether we are going to keep radar... That's more a question of whether the FAA is going to keep radar. It makes no sense to keep beacon antennas going because ADS-B is basically better beacon data. For defense and light aircraft it might be worth keeping the search radars in place, but they are pretty poor for ATC, so the FAA will probably try to pawn them off on the DOD (but still keep using them as a backup).
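The two defender-side checks mentioned in this thread, flight-plan gating (keep the track nearest the position the flight plan predicts) and a multilateration consistency check (compare the arrival-time differences the claimed GPS position would produce at fixed ground receivers with the differences actually measured), as an added toy example written for this page, not code from any ATC vendor or the FAA. It assumes a flat local east/north/up frame in metres, a constructed four-receiver layout, perfectly synchronised receiver clocks and an assumed 1 microsecond tolerance; real networks have more receivers, sync error and a proper geodetic frame.

```python
"""Plausibility checks for ADS-B position reports (constructed example).

  1. flight-plan gating: among tracks claiming the same aircraft, keep the
     one nearest the flight-plan prediction;
  2. multilateration consistency: the unknown transmit time cancels in every
     pairwise arrival-time difference, so the measured TDOA must agree with
     the TDOA the *claimed* position would produce. A transmitter that is
     not where it claims to be produces a large residual.
Coordinates: local east/north/up frame in metres (assumption for this toy).
"""
import math
from itertools import combinations

C = 299_792_458.0  # speed of light, m/s

# Constructed ground-receiver layout (all receivers at ground level).
RECEIVERS = {
    "rx_a": (0.0, 0.0, 0.0),
    "rx_b": (40_000.0, 0.0, 0.0),
    "rx_c": (0.0, 40_000.0, 0.0),
    "rx_d": (40_000.0, 40_000.0, 0.0),
}


def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1], p[2] - q[2])


def simulate_arrivals(true_emitter, t0=0.0):
    """Constructed measurement: time of arrival at each receiver of a message
    actually transmitted from true_emitter at time t0 (ideal clocks assumed)."""
    return {name: t0 + distance(true_emitter, pos) / C for name, pos in RECEIVERS.items()}


def max_tdoa_residual(claimed_pos, arrivals):
    """Largest disagreement (seconds) between measured arrival-time differences
    and the differences the claimed position would produce."""
    worst = 0.0
    for a, b in combinations(sorted(arrivals), 2):
        measured = arrivals[a] - arrivals[b]
        expected = (distance(claimed_pos, RECEIVERS[a])
                    - distance(claimed_pos, RECEIVERS[b])) / C
        worst = max(worst, abs(measured - expected))
    return worst


def is_position_plausible(claimed_pos, arrivals, tolerance_s=1.0e-6):
    """Assumed tolerance of 1 microsecond (~300 m) to absorb receiver clock jitter."""
    return max_tdoa_residual(claimed_pos, arrivals) <= tolerance_s


def associate_track(predicted_pos, candidates):
    """Return (track_id, distance) of the candidate nearest the flight-plan prediction."""
    best_id = min(candidates, key=lambda k: distance(predicted_pos, candidates[k]))
    return best_id, distance(predicted_pos, candidates[best_id])


def screen_reports(reports, predicted_pos):
    """reports: {track_id: {"claimed": pos, "arrivals": {rx: toa}}}, all claiming
    the same aircraft. Returns ({track_id: verdict}, associated_track_id)."""
    verdicts = {
        tid: "consistent" if is_position_plausible(r["claimed"], r["arrivals"]) else "mlat_mismatch"
        for tid, r in reports.items()
    }
    chosen, _ = associate_track(predicted_pos, {tid: r["claimed"] for tid, r in reports.items()})
    return verdicts, chosen


if __name__ == "__main__":
    predicted = (20_000.0, 10_000.0, 9_000.0)  # flight-plan prediction (constructed)
    real_pos = (20_500.0, 10_200.0, 9_000.0)   # genuine aircraft near the prediction
    reports = {
        "real": {"claimed": real_pos, "arrivals": simulate_arrivals(real_pos)},
        # Bogus report: claims a position aloft but was transmitted from the ground.
        "fake": {"claimed": (30_000.0, 10_000.0, 9_000.0),
                 "arrivals": simulate_arrivals((5_000.0, 5_000.0, 0.0))},
    }
    verdicts, chosen = screen_reports(reports, predicted)
    for tid, v in verdicts.items():
        res = max_tdoa_residual(reports[tid]["claimed"], reports[tid]["arrivals"])
        print(f"{tid}: {v} (max residual {res:.2e} s)")
    print("associated with flight plan:", chosen)
```

Note what the residual check does and does not cover: a report whose transmitter really is at the claimed position (a genuine aircraft, or, as the thread puts it, "a whole other aircraft") passes, so the check catches ground-based injection rather than every conceivable falsification, which is why it is paired with other surveillance sources.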
Does this scenario remind anyone else of the old War Games movie, where WOPPER would put fake Backfire bombers on NORAD's screens?
If you believe a bunch of jack-off Saudi Arabs flew into the WTC, then you really don't know the status of FCS.