FAA Denies Vulnerabilities In New Air Traffic Control System
bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."
[rolls up newspaper]
[smacks FAA on the nose with rolled newspaper]
Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems!
[smacks FAA on the nose with rolled newspaper]
So, let me get this straight. We have to grope old women wearing diapers and four-year-olds for safety reasons, but there is no need to worry about the software because it is "certified"?
Proverbs 21:19
I'm one of the authors.
Unfortunately, transmitting live spoofed data into the real ATC system is Guantanamo fodder, and I'm trying to avoid becoming a domestic terrorist if at all possible.
That said, this wasn't merely a simulation: real ADS-B frames were transmitted by a low-cost SDR (into a dummy load) based on the position of a simulated aircraft flying in FlightGear. Those transmitted frames were received by the same SDR (alongside real frames from real aircraft), and the resulting tracks plotted in Google Earth.
See my comment here: http://tech.slashdot.org/comments.pl?sid=3065807&cid=41088873 for more information.