FAA Denies Vulnerabilities In New Air Traffic Control System
bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."
[rolls up newspaper]
[smacks FAA on the nose with rolled newspaper]
Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems!
[smacks FAA on the nose with rolled newspaper]
The Setec Astronomy box can get the past codes used in the certified and accredited system.
I'm so glad that their system has been certified and accredited. That should mitigate all of the risk there.
maybe they don't use ruggedOS?
The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have a system that works correctly and securely. The really scary part is there can be known bugs in an FAA accredited system (operational flight programs, ground radar systems) and the manufacturer will not release a fix because that requires another accreditation process. Thought the point of the FAA was to make sure aviation is safe, not to make people fill out forms.
If anyone out there has participated in the federal C&A process, you would know that it is susceptible to political pressure and has largely been a check-box activity. The C&A process needs to be overhauled badly. People should have no-confidence that the system is secure, even if it has received a C&A.
You can't hack into our SCADA system, it's bonafide!
(O brother quote)
Did the vendors who made the systems do the certification? Was security one of the criteria on the accreditation process? I would assume some form of security was on there, but do the people who know stuff about security (like the NSA) approve it?
NextGen has been a huge boondoggle up to this point, and I wouldn't be surprised at all if an insecure system crept through the approval process because all of the alternatives kept failing. Encrypting the traffic would not be trivial either, because you have issues with key management and the fact that anybody can buy transponders and reverse engineer keys out of them. This equipment ultimately has to be available to every Tom, Dick, and Harry small aircraft pilot to be useful, and it's impossible to vet all of them. Even if you did, light aircraft aren't secure storage facilities, and it only takes one theft to render a naive system broken.
I read the internet for the articles.
Even if they can filter out spoofed planes, can they filter out a million of them a second? A computer making up random planes and spitting them out at a high rate of speed is going to cause trouble.
Of course you could also be really mean and have a real plane split into a million planes all on slightly different trajectories. I wonder if the system can handle that as well. I wonder if planes can handle getting bogus data about themselves? These are things people usually don't think to test for.
I'm sure others can come up with even better ways to overload the system.
Also the most important part "certified" to what standards / criteria?
They could easily be certified insane, insecure etc.
So, let me get this straight. We have to grope old women wearing diapers and four year olds for safety reasons, but there is no need to worry about the software because it is "certified"?
Proverbs 21:19
explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy.
He doesn't know much about the system. OK. go ahead... try to break it.... what'll happen? Nothing.
Spraying junk into the system is irrelevant. Being unauthenticated and unencrypted, it's simpler and cheaper just to build a raw RF jammer than to feed in formatted junk reports. That works really well until the .mil shows up to train their jamming countermeasures equipment against your jammer. Whoops. DF work isn't all that complicated and the higher the frequency the easier it is. Radar jamming has been an option for what, 70 years now, and nothing really ever comes of it? ATC/pilots already have procedures to survive radar outages. Happens all the time. Send a nice thunderstorm thru, send in the backhoes (lots of remote radar units connected by fiber). So jamming/spamming/forcing it out of service is useless. Nothing an attacker can send will break anything.
I know about the ADS-B data structure. This stuff is small and simple. We're not talking about radar and jetliner sending sandboxed Java applets to each other, it's incredibly simpler than that. It's like declaring you can hack buffer overflows over a Morse code telegraph. There's not enough "stuff" in the protocol to be Turing complete.
The attack vector is incredibly narrow. I know a lot more about piloting and radar RF and microcontrollers, and frankly pretty much everything in the system compared to this guy and I can't figure out how to actually bust it.
Look at the guy's presentation. Notes as I scan thru the slides. 1) He's cooler than you, credentialism means he's correct (LOL) 2) he drinks vodka, very impressive proof 3) he admits he knows nothing about ATC and radar 4) He doesn't know much about RF or comms (pulse per second modulated, wtf is this Star Trek technobabble) 5) Other people are looking and no one has come up with anything 6) his threats are not serious and/or not realistic and/or already exist 7) I love this quote "some threats are total unknowns" yeah I think that's an excellent summary of the ADS-B "security hole". 8) the pretend made up scandal about the FAA not releasing "sensitive security information" is about skin painting radar coverage for smuggler detection, that's why they claim it has no impact on passenger aircraft... it's not all space alien coverup; unless your passenger craft is 50 feet off the ocean and full of coke I think you're OK. 9) "Not trying to spew FUD" LOL ok dude I hope the audience laughed at that. 10) Dude calls a homemade SDR RX an "exploit" LOL 11) he hopes they don't unplug primary radar... well duh how would they catch smugglers if all they had to do was flick a circuit breaker to disappear...
Look I know the guy's not an idiot in general. But this is the kind of thing that happens when someone who doesn't know anything about any individual components of a big system, or anything about the big system itself, gets all FUDdy and self promotional. If you don't know anything about the terrain you're fighting in or the tools you have, you'll lose, no matter how smart you are.
TLDR is don't worry, it's not an issue. FUD FUD FUD self promotion, that's all.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have a system that works correctly and securely. The really scary part is there can be known bugs in an FAA accredited system (operational flight programs, ground radar systems) and the manufacturer will not release a fix because that requires another accreditation process. Thought the point of the FAA was to make sure aviation is safe, not to make people fill out forms.
The FAA is only broken if you believe that its purpose is to protect citizens. Its purpose is to promote the aviation industry, not promote safety. http://www.pbs.org/wgbh/pages/frontline/flyingcheap/
Cowboy coding is the absolute last thing you want in these systems. Rushing out the latest bug fixes is a terrible model for software that puts life at risk. Yes, this version might be hackable and that could cause problems if someone has malicious intent. Fixing the issue without a LOT of QA and bureaucracy to make sure proper testing procedures are followed is far more likely to kill people.
Sounds like a Dilbert comic
I wonder what kind of "certificates" you can order online and use effectively. Besides diplomas I mean... Certainly those don't work, right? Not as if there were ever a Yahoo CEO to have falsified their education. Press credentials? Security certs?
So they went out and bought a "Type R" sticker instead of buying a hotrod?
Lt. Worf mastered the use of illusionary ship signatures to fool enemy warships. The trick, as it seems to apply here, is to fool the computer not the sensors. The ATC system may believe there are ghost ships out there, but sensors (radar) won't corroborate it.
the FAA can be more forgiving than EASA (I've worked on the opposite side of the table to both), but at least they don't just rubber stamp someone else's certification like most authorities... they can't just change the way their ATC system is secured overnight, and I'm sure if they are aware of a potential risk they are looking into it (as an organization they may be as faceless as any other, but there are some really smart people working there). aviation is probably one of the most bureaucratic and heavily regulated industries in the world, and while every software system has potential and real security risks, an organisation like the FAA can only go as far as they practically can given their operating budget and regulatory mandate.
they can shut down the sky (in the USA at least) but would anyone really want that because of a potential security risk in their software? maybe they should, but at what cost? would shutting down the airways kill more people due to increased road traffic and frustration than may be killed by an ATC hack? these are questions that the FAA will be struggling with, but the answers aren't black and white.
what classifies as a security risk? just because someone at Defcon brags about how he can hack the system may or may not mean that he can... or that anyone else can. I didn't read anything in TFA that suggested he actually has, only that he has shown it in simulations and makes assertions.
If Brad was seriously concerned, he would be working with the FAA and he wouldn't have publicized such a risk. If he didn't discover the risk, someone else would have no doubt (or the FAA may already have been aware of it anyway), but publicizing a potential security risk in something as important as Air Traffic Control is in itself a security risk. I think his motivations extend no further than gaining hacker cred, except I'm not even a hacker and I know that's not how it works. Hacker cred is gained by actually hacking... not just bragging to people how you reckon you can hack something.
Brad may not be culpable enough to execute such a hack, but by publicizing it he's putting the information in the hands of plenty of people who might, so if a plane crashes as a result of the very hack that Brad Haines has made known, wouldn't he deserve a portion of the blame? A court could possibly say... yes.
I agree completely, and most likely because the previous transponder system did not have any problems with spoofing it did not receive too much attention. Any government tends to be reactionary rather than proactive. So far the only transponders that are encrypted are military Identification Friend or Foe (IFF) systems, for obvious reasons.
As always, it's the government (except the NSA) not being attractive enough or not paying enough to get some real experts on board.
There are many government-paid university researchers around. Why was there no academic project to evaluate the quality of the system?
thegodmovie.com - watch it
Of course, if the FAA still believed in simple radar, and did not try to solely rely on ADS-B, they could at least tell if there was an aircraft there or not. But of course, that would put the expense on the FAA, not on individual aircraft owners, many of whom don't even want ADS-B. It sounds like a lot of software marketing stories: we know what you want, and don't try to tell us otherwise. Trust us, it's certified, and it will solve all your problems.
Are you familiar with the discussion around Full disclosure? There are good reasons to publicly release vulnerabilities and if people were made legally liable for doing that, it would probably decrease our security in the long run. Assuming the information Renderman released points to an actual vulnerability, the FAA response shows the exact reason why full disclosure is necessary.
At least that part was interesting. I'm sure there's loads of radio driven digital equipment out there that has been designed under the assumption that the radio is proprietary and therefore the other side is almost certainly going to behave properly.
Isn't this just a repeat of http://yro.slashdot.org/story/12/07/27/0211256/researcher-finds-security-holes-in-faas-new-flight-control-system
captcha:airlock
This is totally incorrect.
Flaws and vulnerabilities discovered during the C&A process result in POA&Ms (Plan of Action and Milestones) for each flaw and vulnerability. Each of those POA&Ms is tracked, and there is a timeframe in which the issue must be resolved, depending on the severity. Once flaw remediation is complete, the POA&M is closed.
No recertification required. The only time recertification is required is when a certain percentage of the system is changed, not updated or fixed.
I came, I conquered, I coredumped
The people performing the process actually follow the guidelines as they were intended.
The guidelines are based on NIST 800 series documentation, as well as any other internal rulebooks and policies in place at a particular organization.
The entire process needs to be performed by independent auditors (as a consultant, one of my duties is the technical aspect of the C&A process), there is no incentive for me to bow to political or management pressure of the system owner. The results are provided directly to the certifying authority, designated for that system, which also falls outside the chain of command for the system being certified.
The problem is that too many federal entities do the C&A process in house, which allows management to futz with the results before passing them on to OMB (all C&A results end up at OMB for the yearly scorecard to be calculated).
With regards to FAA, as I have worked with them in the past, they have had the C&A process performed by in house contractors, or previously, using the DOT C&A group. When the latter option is used, the results tend to be a little better, but they can still be fudged.
Is that while the C&A process can be interpreted many ways, in general, it is the security posture of the system and its components, not the functionality. Most assessors do not go that far because depending on the system, they may not be able to, or be equipped to test the actual functionality beyond the component level.
Since it is unencrypted, it is possible to just guide a small model plane into an aircraft that advertises its precise position and speed. This would be a totally "passive" attack.
I just read the presentation. It seems like this guy knows just enough to scare himself and others.
Mistakes:
Page 13: The 'ID Number' (SSR/'squawk code') is automatically attached, it is not manual, nor is 'a great deal of work required'.
Page 14: Pilots DO get traffic data from the current ATC system. Traffic detection systems on airplanes intercept the transponder replies, and use that to detect the location of other air traffic. Larger aircraft have systems that actually communicate with each other to avoid collisions in emergencies. Those systems are called PCAS, and TCAS respectively.
Page 14: Standard separation of aircraft is 3-10 miles and 1000 feet. Not 80 miles. That's just stunningly wrong.
Page 15:Airplanes will ALWAYS need to avoid thunderstorms and volcanoes, radar or no radar.
Page 16:Not too many errors here, but planes ALREADY can be closer than 5 miles.
Page 23 (the "scary stuff"): Yes, he (and you) can observe the air traffic. So what? It's not secret, hasn't ever been secret, and doesn't need to be secret. You don't need ADS-B to know that airplanes congregate around airports. This function is largely intentional, and nothing worse than a tool for enthusiasts. Critical thinking will tell you that it's not information that needs to be kept secret (flightaware.com's FAQ explains this concept very well)
So, the only real point on page 23 is the lack of authentication. Which isn't much of an issue because it will be validated with radar. And, over the ocean, where there isn't radar, you probably won't have morons in boats spoofing signals.
Page 27: None of these threats are actually dangerous. It's already public. Most flightplans are available online (flightaware.com), and you can see most airplanes in the sky. They take predictable routes around airports. It's not dangerous.
Page 28: Most of these are valid concerns, but the opportunity to train the system isn't there. Fake flights will quickly be noticed. How? "Hey, none of these planes are landing. And its tail number doesn't exist".
Page 30: Autopilots DO NOT automatically avoid collisions, a warning signals the pilots to take action, essentially for this exact reason. Autopilots ONLY do things they have been explicitly told by the PILOT and no one else, including ATC.
Page 30: Many large aircraft DO have radar onboard for traffic. It's called TCAS.
Page 31: GPS jamming not new.
Page 32: Not new. GPS spoofing isn't new, but is VERY rare.
Points I'd like to highlight:
1. ADS-B does not need to be private, and is not intended to be private. All of the concerns regarding lack of privacy here are invalid.
2. Autopilots only take commands from the pilot(s) inside the cockpit. No one else.
3. Only valid remaining concerns are signal spoofing.
4. They have planned for this, and are clearly working on countermeasures.
Just because the government lies and makes mistakes often, doesn't mean they do it always.
Source: Aviation enthusiast, student pilot, many, many public documents.
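As an added example (not code from the thread, the presentation or the FAA), this is the kind of bogus-track filter the post above sketches: each report's ICAO address is checked against a registry, a position jump no aircraft could make between two reports is rejected, and a report is only accepted once an independent sensor (the radar corroboration the FAA is said to rely on) sees something near the claimed position. The registry contents, the 700-knot speed bound and the radar callback are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Report is a simplified, constructed stand-in for one ADS-B position
// report: 24-bit ICAO address (hex), position, altitude and receive time.
type Report struct {
	ICAO  string  // e.g. "A1B2C3"
	Lat   float64 // degrees
	Lon   float64 // degrees
	AltFt float64 // feet
	TimeS float64 // seconds since an arbitrary epoch
}

// Verdict is the filter's classification of a single report.
type Verdict string

const (
	OK             Verdict = "ok"
	UnknownICAO    Verdict = "unknown-icao"           // address not in the registry
	Implausible    Verdict = "implausible-kinematics" // moved faster than any aircraft
	Uncorroborated Verdict = "uncorroborated"         // no independent return nearby
)

// maxGroundSpeedKts is an assumed loose upper bound on the ground speed
// between two consecutive reports from the same address.
const maxGroundSpeedKts = 700.0

// haversineNM returns the great-circle distance in nautical miles.
func haversineNM(lat1, lon1, lat2, lon2 float64) float64 {
	const rNM = 3440.065 // mean Earth radius in NM
	toRad := math.Pi / 180
	dLat := (lat2 - lat1) * toRad
	dLon := (lon2 - lon1) * toRad
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(lat1*toRad)*math.Cos(lat2*toRad)*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * rNM * math.Asin(math.Sqrt(a))
}

// Filter remembers the last accepted report per address and consults a
// registry of known addresses plus a radar callback that reports whether
// an independent sensor saw a target near the claimed position.
type Filter struct {
	Registry map[string]bool
	last     map[string]Report
	Radar    func(lat, lon float64) bool
}

func NewFilter(reg map[string]bool, radar func(lat, lon float64) bool) *Filter {
	return &Filter{Registry: reg, last: map[string]Report{}, Radar: radar}
}

// Check classifies one report. Cheapest check first: registry lookup,
// then kinematics against the previous accepted report, then radar.
func (f *Filter) Check(r Report) Verdict {
	if !f.Registry[r.ICAO] {
		return UnknownICAO
	}
	if prev, seen := f.last[r.ICAO]; seen {
		if dt := r.TimeS - prev.TimeS; dt > 0 {
			kts := haversineNM(prev.Lat, prev.Lon, r.Lat, r.Lon) / (dt / 3600)
			if kts > maxGroundSpeedKts {
				return Implausible
			}
		}
	}
	if f.Radar != nil && !f.Radar(r.Lat, r.Lon) {
		return Uncorroborated
	}
	f.last[r.ICAO] = r // only accepted reports become the track's history
	return OK
}

func main() {
	// Constructed sample: one registered address, one unknown, and a radar
	// callback that corroborates everything.
	f := NewFilter(map[string]bool{"A1B2C3": true}, func(lat, lon float64) bool { return true })
	reports := []Report{
		{ICAO: "A1B2C3", Lat: 40.0, Lon: -74.0, AltFt: 30000, TimeS: 0},
		{ICAO: "A1B2C3", Lat: 40.0, Lon: -73.9, AltFt: 30000, TimeS: 10}, // ~1650 kts: bogus
		{ICAO: "FFFFFF", Lat: 40.0, Lon: -74.0, AltFt: 30000, TimeS: 0},
	}
	for _, r := range reports {
		fmt.Printf("%s -> %s\n", r.ICAO, f.Check(r))
	}
}
```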
ahhh, the outfit we cloned and put on the tors two years ago. yeah, they're real smart. A-D-M-I-N, P-A-S-S-W-O-R-D. at least they spelled it right.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Ran out of points - mod parent up
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
no really. CE. so uh yeah good luck FAA with that.
The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have system that works correctly and securely.
That is absolutely a problem with private industry as well. And if you raise questions -- the messenger will be shot. If you demonstrate that something is wrong, you may well be shown the door.
Like all pain, suffering is a signal that something isn't right
I wrote about ADS-B homing drones last year and why jetliners (high value targets) should avoid beacon accuracy of Navigation Accuracy Category (NAC) level 7 (less than 93 meter accuracy) or better. It would be relatively easy to fly a piston powered model plane controlled by an iPod Touch connected to a GPS with 3-meter accuracy in front of the path of a jetliner carrying a small payload. The model plane wouldn't need to be fast because it would be the jetliner that runs into the model plane. http://www.hightechforum.org/new-airline-navigation-system-easy-target-for-terrorists/
There is a very real difference between being compliant with a standard (or certified,) and having actual useful security.
And this very fact seems to be willfully overlooked by organizations more and more. If you are certified and accredited, then when something goes horribly wrong you can point the blame at those who told you that you were doing a great job with your system. How would you know it was a problem when some important experts came in to check everything out? It doesn't seem to matter anymore if you have proper security (or otherwise can accomplish whatever goal your system is meant to achieve.) It only matters that some important people *said* that it did.
Ignorance is used as a tool to deflect blame onto others. And if you can save money, make a deadline, or impress your superiors by cutting these corners, it is even better! It is entirely to their advantage to place all the merit on their certifications and shrug off those who would point out the truth of the situation.
As always, it's the government (except the NSA) not being attractive enough or not paying enough to get some real experts on board.
Private industry is just as bad. The big bucks on on perception management, and anything technical is generally approached with a "don't bother me" attitude. This works in private industry, because perception management is actually more important to making money. Kinda like politics.
It depends on the organisation that you are working for. I have worked in excellent and poor government departments, and I have worked in excellent and poor private companies.
Face-palm stupidity is orthogonal the private/public axis.
Oh sure, blame the messenger. It is now his fault that FAA has a shitty insecure system, and it is his fault for not telling FAA, except that, hey, he did tell them.
In fact, after he told them, the FAA said - no, we're secure.
In fact, after he showed them, the FAA said - no, we're secure because we can filter it out.
Bah, humbug. The faults lies with exactly one entity. The one that is pushing out the insecure shit. Not someone who found it insecure. For you or anyone else to blame him is fucking bullshit.
Oh, if only I read this before I responded earlier. I would have gladly saved my mod points for this...
Considering that it's the government I'm surprised they didn't simply try to classify and bury it.
and the $100 bill......
Naturally.
The Obama Administration has politicized all elements of the un-elected government of the United States of America.
The FAA zombies are now lurking throughout the halls of Congress and even the streets of DC looking for victims, just like President Obama and his entourage as they cruise the crack neighborhoods of SE DC looking to score cheap narcotics and same-sex escapades.
Wow. In just 3-years DC looks a lot like Aleppo!
Guess What!
It's Obama's ObombAmerica directed from the White House!
Does Obama like single munition or cluster munition?
Answer B and U get a 'prize' direct from the FBI.
Toodles
There is no such thing as a perfectly secure system - just ask the NSA! I'm not holding my breath until someone pwns the new ATC system and crashes a bunch of planes (the next 9/11 I think), but it won't likely be too long in coming... :rolleyes:
Obama needs space.
Obama needs airspace.
Obama is in desperate need of airspace over the CONUS. Why? Answer: Bombing missions by the U.S.A. Air Force against U.S.A. citizens.
Obama's October Surprise Horror ... Unfolds. :|
But that's not how it ends! The Emperor strings the little imp up by his little boy toes for pointing out that he was not wearing any clothes! That teaches naughty little boys to point out the truth when the opposite has been "certified" and "accredited" by those selling you your new duds.
"You saved 1968." - Ms. Valerie Pringle to the crew of Apollo 8
hey I don't think the FAA is guilt-free... they are after all ultimately responsible for air safety, but you gotta admit an ATC management system isn't exactly a simple thing... i challenge anyone else to come up with something that does the same job that is totally secure for a realistic price. anyone who thinks they can are either bullshitting or just plain full of shit.
and i actually believe the FAA's answer (filtering bogus aircraft) is possibly right in this case, as filtering bogus aircraft doesn't seem like a fundamentally difficult problem... the more i think about it the more i think renderman is just blowing smoke out his own ass.
read the wikipedia article... how exactly is it relevant? in a court case apportioning blame for an aviation accident, full disclosure might be brought up by renderman's defense lawyer, but i doubt it would save him.
and the reason why full disclosure is bad in this case is because it puts people already in the air at risk... put yourself in the shoes of a passenger travelling in an aircraft for a moment
if a flaw was supposedly found in your bank's security, would you want it publicized? maybe after you have your account emptied you might think differently... the bank may be able to reimburse you if it is their fault, but you would still be upset... now imagine how upset you would be if you were flying with your family on vacation and some moron scriptkiddy hacked the ATC and caused the airplane you were in to be diverted, late or crashed and your family dead...... full disclosure my ass. why do you think national security classifications were devised in the first place? ATC may not be a defense issue, but it certainly affects the security of the flying public
nowadays if you go around picking on a public figure because of how they dress you're likely to face a defamation lawsuit
...and certifications and accreditations always come with disclaimers
the FAA would have certified the system to the current airworthiness regulations, which no doubt impose much more stringent requirements than any other type of software security certification (you're probably thinking of something ridiculous like McAfee's "Hacker Safe" certification, which is total bullshit, and is nothing like the rigor that the FAA goes through in its certification of anything related to air safety)
http://www.faa.gov/nextgen/implementation/portfolio/trans_support_progs/adsb/faq/#2
But so is everything else, probably apart from ADS-C. Mode S radars, conventional secondary radars, and navaids like NDBs and DMEs. The whole system is open to abuse if you can be bothered but you have to transmit signals to do that and you won't get far without being caught.
http://michaelsmith.id.au
All aircraft in US airspace have to be registered. They have a unique identifying code. Standard public key crypto would allow the system to authenticate messages are really from the transponder they claim to be from, preventing spoofing. Someone could, as you say, copy one transponder's keys but it would be easy to simply blacklist that key and issue the real aircraft with a new one.
The real problem is what do you do when you receive an unauthenticated message. Potentially it represents an aircraft experiencing some kind of fault or which isn't registered for some reason. You can't just ignore it completely because if it were real there could be an accident. The FAA seems to be suggesting that they could double check if it is real using radar or some other method, but the point of this system is to cover areas that don't have radar. I suppose given that all high traffic areas are covered the risk is probably fairly minimal, but I really don't know that much about air traffic control in the US.
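As an added example, not the FAA's design and not code from the thread, here is the scheme the post above sketches, in Go with the standard library's Ed25519: a registry binds each ICAO address to a public key, the transponder signs every position report, and a key copied out of a stolen transponder is blacklisted and replaced without touching any other aircraft. The message layout, the field scaling and the address values are assumptions; a report that comes back "unauthenticated" is meant to be routed to independent corroboration (radar), not silently dropped, for exactly the reason the post gives, while "revoked" is worth an alert because someone is transmitting with a blacklisted key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Position is the payload an aircraft broadcasts. Constructed, simplified
// layout: 24-bit ICAO address, lat/lon scaled by 1e5, altitude, timestamp.
type Position struct {
	ICAO  uint32
	Lat   int32
	Lon   int32
	AltFt int32
	Time  uint32
}

// encode serialises the fields in a fixed big-endian layout so the
// transponder and the ground station sign and verify identical bytes.
func (p Position) encode() []byte {
	b := make([]byte, 20)
	binary.BigEndian.PutUint32(b[0:], p.ICAO)
	binary.BigEndian.PutUint32(b[4:], uint32(p.Lat))
	binary.BigEndian.PutUint32(b[8:], uint32(p.Lon))
	binary.BigEndian.PutUint32(b[12:], uint32(p.AltFt))
	binary.BigEndian.PutUint32(b[16:], p.Time)
	return b
}

// Signed is what goes over the air: the payload plus a 64-byte signature.
type Signed struct {
	Pos Position
	Sig []byte
}

// Sign is the aircraft side; priv is the transponder's own private key.
func Sign(priv ed25519.PrivateKey, p Position) Signed {
	return Signed{Pos: p, Sig: ed25519.Sign(priv, p.encode())}
}

type Status string

const (
	Authenticated   Status = "authenticated"
	Revoked         Status = "revoked"         // signed with a blacklisted key
	Unauthenticated Status = "unauthenticated" // unknown address or bad signature
)

// Verifier is the ground side: the current key per address plus the
// blacklisted former keys for that address.
type Verifier struct {
	Keys    map[uint32]ed25519.PublicKey
	Revoked map[uint32][]ed25519.PublicKey
}

func NewVerifier() *Verifier {
	return &Verifier{Keys: map[uint32]ed25519.PublicKey{}, Revoked: map[uint32][]ed25519.PublicKey{}}
}

// Enroll binds a registered aircraft's address to its public key.
func (v *Verifier) Enroll(icao uint32, pub ed25519.PublicKey) { v.Keys[icao] = pub }

// Rotate handles the theft case: blacklist the old key and issue a new one.
func (v *Verifier) Rotate(icao uint32, newPub ed25519.PublicKey) {
	if old, ok := v.Keys[icao]; ok {
		v.Revoked[icao] = append(v.Revoked[icao], old)
	}
	v.Keys[icao] = newPub
}

// Verify checks the signature against the address's current key first,
// then against its blacklisted keys so a replay with a stolen key is
// distinguishable from plain noise.
func (v *Verifier) Verify(s Signed) Status {
	msg := s.Pos.encode()
	if pub, ok := v.Keys[s.Pos.ICAO]; ok && ed25519.Verify(pub, msg, s.Sig) {
		return Authenticated
	}
	for _, old := range v.Revoked[s.Pos.ICAO] {
		if ed25519.Verify(old, msg, s.Sig) {
			return Revoked
		}
	}
	return Unauthenticated
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	v.Enroll(0xA1B2C3, pub) // constructed address
	msg := Sign(priv, Position{ICAO: 0xA1B2C3, Lat: 4000000, Lon: -7400000, AltFt: 30000, Time: 1})
	fmt.Println("genuine:", v.Verify(msg))
	msg.Pos.Lat += 1000 // altered in flight
	fmt.Println("tampered:", v.Verify(msg))
}
```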
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
The fact that a security issue is not disclosed to the public doesn't mean the "bad guys" will never know about it or exploit it. Maybe they already know about it or maybe they'll figure it out eventually, just like the original hacker discovered it himself. If he did it, others motivated enough can do it just fine.
Without public disclosure you can still find your bank account empty and discover that the bank did know about the issue but did nothing for months or years until the shit actually hit the fan. Replace lost money with lost lives in an aviation accident and suddenly "reimbursement" is not an option. Public disclosure is often needed to force the responsible entities to act.
Stop thinking that avoiding public disclosure makes things more safe, it's simply not true.
I'm one of the authors.
Unfortunately, transmitting live spoofed data into the real ATC system is Guantanamo fodder, and I'm trying to avoid becoming a domestic terrorist if at all possible.
And until you brought this up, nobody really gave a shit about spoofing ADS-B. Now by opening your yap, you've awakened a lot of interest in it.
On both sides.
Didn't anybody ever warn you about pointing out that the Emperor's New Clothes were bogus can get your head chopped off by the Emperor?
The fact that a security issue is not disclosed to the public doesn't mean the "bad guys" will never know about it or exploit it
Without public disclosure you can still find your bank account empty
both true, but non disclosure makes it less likely and increases the grace period, and even when the next guy finds it, if he keeps his mouth shut that still makes only 2 possible threats, whereas if you publicize the vulnerability you immediately have millions of potential hackers.
stop thinking that public disclosure makes things more safe, it makes you sound like an idiot
Public disclosure is often needed to force the responsible entities to act
no, actually the hack/disaster itself is usually what forces responsible entities to act (such as aircraft accident or bank account hacking)... as you can tell by TFA, merely knowing of a potential threat doesn't force anything
real experts
who might you suggest? some bong smoking fleabags from MIT?
i would rather trust certification of anything related to aviation safety to the FAA thanks