FAA Denies Vulnerabilities In New Air Traffic Control System

bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."

Bad FAA!

[Jerslan]

[rolls up newspaper]
[smacks FAA on the nose with rolled newspaper]
Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems!
[smacks FAA on the nose with rolled newspaper]

Re:Bad FAA!

[crutchy]

We encrypt and authenticate our CRITICAL systems

the FAA payroll system may well be encrypted

Re:Bad FAA!

But it was certified! CERRRRRRRRTIFIED! AND it was accredited! Both! At once! What more do you people WANT from us? Geez!

Re:Bad FAA!

[DarwinSurvivor]

Explain to me how the communications between the tower and the planes are "physically secure". Have they gone all out and used quantum entanglement communicators?

The Setec Astronomy box can get the past codes

[Joe_Dragon]

The Setec Astronomy box can get the past codes used in the certified and accredited system.

Re:The Setec Astronomy box can get the past codes

[plover]

The Setec Astronomy box can get the past codes used in the certified and accredited system.

So can an Arduino.

maybe they don't use ruggedOS?

[jehan60188]

maybe they don't use ruggedOS?

Re:maybe they don't use ruggedOS?

[Impy+the+Impiuos+Imp]

I'm sure they secured the back panel with the more obscure Torx screws, too.

The FAA , another broken government organization.

[bongey]

The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have system that works correctly and securely. The really scary part is there can be known bugs in FAA accredited system(operational flight programs, ground radar systems) and the manufactor will not release fix because that requires another accrediation process. Thought the point of the FAA was to make sure aviation is safe, not to make people fill out forms.

Certified and accredited: By Whom?

[jandrese]

Did the vendors who made the systems do the certification? Was security one of the criteria on the accreditation process? I would assume some form of security was on there, but do the people who know stuff about security (like the NSA) approve it?

NextGen has been a huge boondoggle up to this point, and I wouldn't be surprised at all if an insecure system crept through the approval process because all of the alternatives kept failing. Encrypting the traffic would not be trivial either, because you have issues with key management and the fact that anybody can buy transponders and reverse engineer keys out of them. This equipment ultimately has to be available to every Tom, Dick, and Harry small aircraft pilot to be useful, and it's impossible to vet all of them. Even if you did, light aircraft aren't secure storage facilities, and it only takes one theft to render a naive system broken.

I'm confused

[wcrowe]

So, let me get this straight. We have to grope old women wearing diapers and four year olds for safety reasons, but there is no need to worry about the software because it is "certified"?

Re:I'm confused

[ark1]

It's all about security theatre. Airport passenger screening is setup in a way to reduce fear within the general population instead of actual risks. Improving software security will not enhance the feeling of security in your average citizen.

Doesn't know much about the system

[vlm]

explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy.

He doesn't know much about the system. OK. go ahead... try to break it.... what'll happen? Nothing.

Spraying junk into the system is irrelevant. Being unauth and unencrypted its simpler and cheaper just to build a raw RF jammer than to feed in formatted junk reports. That works really well until the .mil shows up to train their jamming countermeasures equipment against your jammer. Whoops. DF work isn't all that complicated and the higher the frequency the easier it is. Radar jamming has been an option for what, 70 years now, and nothing really ever comes of it? ATC/pilots already have procedures to survive radar outages. Happens all the time. Send a nice thunderstorm thru, send in the backhoes (lots of remote radar units connected by fiber). So jamming/spamming/forcing it out of service is useless. Nothing an attacker can send will break anything.

I know about the ADS-B data structure. This stuff is small and simple. We're not talking about radar and jetliner sending sandboxed java applets to each other, its incredibly simpler than that. Its like declaring you can hack buffer overflows over a morse code telegraph. There's not enough "stuff" in the protocol to be turing complete.

The attack vector is incredibly narrow. I know a lot more about piloting and radar RF and microcontrollers, and frankly pretty much everything in the system compared to this guy and I can't figure out how to actually bust it.

Look at the guy's presentation. notes as I scan thru the slides. 1) He's cooler than you, crendentialism means he's correct (LOL) 2) he drinks vodka, very impressive proof 3) he admits he knows nothing about ATC and radar 4) He doesn't know much about RF or comms (pulse per second modulated, wtf is this star trek technobabble) 5) Other people are looking and no one has come up with anything 6) his threats are not serious and/or not realistic and/or already exist 7) I love this quote "some threats are total unknowns" yeah I think thats an excellent summary of the ADS-B "security hole". 8) the pretend made up scandal about the FAA not releasing "sensitive security information" is about skin painting radar coverage for smuggler detection, thats why they claim it has no impact on passenger aircraft... its not all space alien coverup unless your passenger craft is 50 feet off the ocean and full of coke I think you're OK. 9) "Not trying to spew FUD" LOL ok dude I hope the audience laughed at that. 10 ) Dude calls a homemade SDR RX an "exploit" LOL 11) he hopes they don't unplug primary radar... well duh how would they catch smugglers if all they had to do was flick a circuit breaker to disappear...

Look I know the guys not an idiot in general. But this is the kind of thing that happens when someone who doesn't know anything about any individual components of a big system, or anything about the big system itself, gets all FUDdy and self promotional. If you don't know anything about the terrain you're fighting in or the tools you have, you'll lose, no matter how smart you are.

TLDR is don't worry its not an issue. FUD FUD FUD self promotion thats all.

Re:Doesn't know much about the system

[SirBitBucket]

I beg to differ... Both the TRACON (or tower) radar, and the jetliner TCAS radar could be spoofed with multiple (like hundreds or thousands if need be) targets. How will the TRACON or TCAS software handle this many targets? It must drop some of them. Which ones should it drop? VFR targets? Targets not in the IFR system? What if bad guy spoofs the same code as existing targets (which he can read himself)? Eventually the real targets must get lost.

Are there ways to handle this? Yes, old school "strips," and greater separation manually... But what if the controllers can't find the real targets? In VFR conditions everyone must see and avoid anyway, and IFR flights would probably have to revert to VFR if in VMC. But what of a bunch of IFR flights in actual IMC? TCAS you say? What if said bad guy could spoof TCAS as well? TCAS would likely handle the huge amount of targets even worse than the TRACON software (might even crash... in the software sense). Add a power stuck mic to jam up all the COMM frequencies and you cause a lot of trouble indeed. Pilots must follow a discreet set up rules in this case, but they are not perfect in that they cannot help a jetliner that has had a headwind the whole way, and is low on fuel with now opportunities to make it to a VMC field.

I'm just saying I believe with enough resources it could be done. Create a ton of fake targets near a busy airport in bad weather. Jam all COM frequencies. Jam GPS, Jam the ILS/MLS. Jam the VOR signals, and any remaining NDBs. It may not lead to loss of life if the bad weather was not too far widespread (such that IFR flights could proceed to VMC and land VFR), but either way it would cause a lot of monetary damage, and a lot of terror in the flying public...

Encryption would be a very good thing for ADS-B. As we update the system from old school mode C, we might as well be countering these things.

Re:Doesn't know much about the system

[slimjim8094]

And if you did all that, it would be damn close to, if not actually (GPS is military), an act of war. Want to see just how fast the government can respond to an incident? Try the above. I'd give you about 15 minutes before you had military on your ass. They have smart missiles that can automatically target GPS and radar jammers, if they get desperate enough to get rid of your interference. And as you note, there's already procedures for going "old-school" and not relying on radar or TCAS or ILS. Even in "hard" IMC you should be able to use your instruments to stay in the air and away from other planes, and you should have enough fuel (you did your fuel calculation correctly, right?) to circle around a bit waiting for the situation to be resolved.

Re:Doesn't know much about the system

[Bistromat]

Hi, I'm one of the authors.

The demonstration used a COTS SDR to transmit ADS-B squitters from positions derived from an aircraft flying in FlightGear. The same SDR was simultaneously receiving ADS-B frames from real aircraft, *including* the spoofed frames being transmitted locally. The combined frames were brought into the Google Earth display for viewing. Criticism suggesting that "it's just a flight simulator, it's not real" is incorrect: these are valid, correct ADS-B frames, transmitted (into a dummy load), which will be received and decoded by ADS-B IN hardware. There is a spec (DO-260B), and the transmissions meet that spec.

The purpose of the demonstration was to show that valid ADS-B frames can be generated and transmitted by low-cost SDR hardware. This capability raises a number of interesting possible attack vectors, which were discussed in the presentation. The secondary purpose of the presentation was to get the FAA to clarify the countermeasures they plan on using to detect, identify, and eliminate spoofed transmissions from the data which controllers see. Specifically, there are two other sources of data they can use: multilateration, which depends on time-difference-of-arrival to calculate the originating position of a transmission (same principle as GPS); and maintaining a network of primary surveillance radar. Prior to this week (Steve Henn of NPR was the first to get the memo from the FAA), the FAA had not stated that they planned to maintain a full radar network, or to use multilateration to vet reports. In fact, reading older documentation, explicit mention is made of *shutting down* PSR to save money after ADS-B implementation is complete. So, you understand our concern.

Additionally, ADS-B IN implementation aboard aircraft (rather than ground stations) provides no facility for validating reports via TDOA; this means that you can inject false reports into aircraft which are listening to other ADS-B reports. Currently few aircraft support this capability, but for those that do, you can squit fake aircraft right into their traffic display.

Lastly, the last couple of slides from the Defcon presentation discuss an attack vector against TCAS, the collision avoidance system aircraft use to maintain separation when ATC fails to do so. This attack vector is particularly concerning because it provides direct pilot guidance: a false aircraft on a collision course will create audio and visual warnings in the cockpit (a "resolution advisory"). Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there. Obviously, this is concerning, and I'm unaware of any way to combat this.

So yes, the presentation may have looked "FUDdy" without background into the problem, but there are real security issues here which need to be dealt with.

Re:Doesn't know much about the system

[Bistromat]

I'm one of the authors.

Unfortunately, transmitting live spoofed data into the real ATC system is Guantanamo fodder, and I'm trying to avoid becoming a domestic terrorist if at all possible.

That said, this wasn't merely a simulation: real ADS-B frames were transmitted by a low-cost SDR (into a dummy load) based on the position of a simulated aircraft flying in FlightGear. Those transmitted frames were received by the same SDR (alongside real frames from real aircraft), and the resulting tracks plotted in Google Earth.

See my comment here: http://tech.slashdot.org/comments.pl?sid=3065807&cid=41088873 for more information.

Re:Doesn't know much about the system

[Bistromat]

Why waste dev time on a SDR TX when you can buy a used transponder off ebay for cheap or just steal one?

Just sayin its not all that practical.

Because the SDR TX took one evening in Gnuradio to implement.

Third is data gathering from multiple sites. You cannot generate enough power / altitude from the ground to knock out a substantial range. Talk to some microwave RF guys. So use the ring of airports/radars around the transmitter.... Of course this sucks AT o'hare if the jammer is in the o'hare parking lot...

For ground purposes why can the ADS RX be on a narrow beam antenna? HMm a network of them just triangulated on you.

We aren't jamming. We're spoofing. Your idea regarding triangulation is generally correct, although they use multilateration, not direction of arrival. However, if your signal is only loud enough to be heard by a single station (or two stations), you can't multilaterate, and since 1090MHz is very much line of sight, the odds multiple stations will hear a ground-based spoofer are slim.

They HAVE To maintain it. Otherwise my learjet full of coke gets the "cloaked ship" star trek effect if I flip the transponder circuit breaker off. They're never, ever, going to give up on skin painting. Maybe some phb who's never ATC'd or piloted a plane made up some story, but...

I'm totally with you here. The problem is the FAA initially appeared not to recognize this; it appeared they wanted to maintain PSR/SSR in congested areas, but shut down some primary sites in less-trafficked areas. I am as glad as you are that they seem to understand the necessity of maintaining complete PSR/SSR.

Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there.

Talk to a pilot. The first thing you do is visual the incoming. So that limits it to IFR only conditions right off the top.

A successful attach is going to be pretty ineffective and very dangerous to attempt. I just don't see it as an issue.

If these attacks become popular, planes will just pop the tcas circuit breakers on order of ATC (probably in the ATIS/AWOS message?) and fly "pre-tcas" which works just fine.

I don't agree with this. Disabling TCAS is a hazard in itself, ESPECIALLY in IFR condx. This is a problem.

Re:Doesn't know much about the system

[Zero__Kelvin]

No. He didn't bring some sense into the conversation. The people who brought sense into the conversation asked the question "what kind of idiot designs the system to make injection possible in the first place?" Computing History, as short as it is, is chock full of people who said "it is not a problem" because they couldn't imagine how it would be a problem, and then someone else came along and showed them the hard way. You're playing with people's lives. Not encrypting the connections in 2012 is tantamount to gross negligence. Period.

Re:Doesn't know much about the system

[steppedleader]

I'd give you about 15 minutes before you had military on your ass.

Considering that the military didn't really manage to do anything useful in the 34 minutes that elapsed between the second plane hitting the WTC and the Pentagon being struck on 9/11, I have my doubts about that estimate.

Re:Doesn't know much about the system

[Render_Man]

Greetings,

As the guy on stage giving the presentation, I feel the need to comment. I see Nick was already here ahead of me covering most of the points, but I figured I'd chime in.

The FlightGear Demo video was, as Nick mentioned, a way to show that it was possible to put ADS-B data into the air with equipment available to any hobbiest. We used a flight sim and a dummy load because at no time would we ever put real data into the air without proper permissions and safety precautions. As much as I want to know what would happen, I have no desire to see anything bad happen to any aircraft or members of the flying public. It was a proof of concept to show the theory and a potential tool to test these theories.

I fully admit I dont know the system inside and out. I dont see how someone needs to be in order to spot things that are just not right.

In all the comments, much was said, but little evidence was offered. If you have evidence that you can share publically, please do so. Contact me at renderlab.net and prove me wrong. I would love to do a presentation where I answer all of my questions to my complete satisfaction.

A few points were raised repeatedly that I'd like to address:

"But multilateration takes care of that". Really. Please show me the report. What was the methodology for establishing that as adaquate?

"But pilots and controllers are smart people" They are also human and make mistakes. Training and preperation are going to be key to solving this

"Publicity seeking" Yes, I am seeking publicity, to get the aviation authorities to open up about these issues and provide some transparancy into the

"Try to hack it, nothing will happen". I want to, with permission of course. This is why I'm asking anyone who has access to aircraft, ATC operations gear, manuals, avionics, etc. To come forth and let us test our theories publically. If everything is secure and safe, then the worst thing that happens is I look a bit foolish, but we all can fly home feeling a bit safer.

Yes, there may have been errors in the slides. I admit so right at the beginning. The aviation industry is more acronym happy than the computer industry. Some of the numbers are from official documents and older versions of SOP's or summaries or any number of sources. Until I have the controllers procedures and standards manual in my hand, I only have publically available documents to go from, which may contain variations or errors. I'm human.

Lastly many comments questioned my motives and the logic of going public. I set out to prove to myself that ADS-B and NextGen were safe. I failed in that. I do not think it is as secure and safe as has been made out to be. I kept trying to prove to myself it was safe but every avenue turned up more evidence to the contrary. I exhausted all the documents and resources I could find and so wanted to turn to the hacker community that I know and love and get thier help in trying to prove my theories wrong. These theories have been around longer than I and are most certain to have been discussed by existing bad guys. As was stated many times, dont shoot the messenger.

TL;DR version: Show me your evidence, prove to me NextGen is safe. Let us test it for ourselves publically.

Re:Doesn't know much about the system

[Bistromat]

dammit render, you even have a slashdot uid lower than mine.

I'm glad updates must be accredited.

[bigtrike]

Cowboy coding is the absolute last thing you want in these systems. Rushing out the latest bug fixes is a terrible model for software that puts life at risk. Yes, this version might be hackable and that could cause problems if someone has malicious intent. Fixing the issue without a LOT of QA and bureaucracy to make sure proper testing procedures are followed is far more likely to kill people.

Re:The FAA , another broken government organizatio

[crutchy]

the FAA can be more forgiving than EASA (I've worked on the opposite side of the table to both), but at least they don't just rubber stamp someone else's certification like most authorities... they can't just change the way their ATC system is secured overnight, and I'm sure if they are aware of a potential risk they are looking into it (as an organization they may be as faceless as any other, but there are some really smart people working there). aviation is probably one of the most bureaucratic and heavily regulated industries in the world, and while every software system has potential and real security risks, an organisation like the FAA can only go as far as they practically can given their operating budget and regulatory mandate.

they can shut down the sky (in the USA at least) but would anyone really want that because of a potential security risk in their software? maybe they should, but at what cost? would shutting down the airways kill more people due to increased road traffic and frustration than may be killed by an ATC hack? these are questions that the FAA will be struggling with, but the answers aren't black and white.

what classifies as a security risk? just because someone at Defcon brags about how he can hack the system may or may not mean that he can... or that anyone else can. I didn't read anything in TFA that suggested he actually has, only that he has shown it in simulations and makes assertions.

If Brad was seriously concerned, he would be working with the FAA and he wouldn't have publicized such a risk. If he didn't discover the risk, someone else would have no doubt (or the FAA may already have been aware of it anyway), but publicizing a potential security risk in something as important as Air Traffic Control is in itself a security risk. I think his motivations extend no further than gaining hacker cred, except I'm not even a hacker and I know that's not how it works. Hacker cred is gained by actually hacking... not just bragging to people how you reckon you can hack something.

Brad may not be culpable enough to execute such a hack, but by publicizing it he's putting the information in the hands of plenty of people who might, so if a plane crashes as a result of the very hack that Brad Haines has made known, wouldn't he deserve a portion of the blame? A court could possibly say... yes.

Re:I'm so glad

[pixelpusher220]

How do you get the public to not care about the TSA?

Make an Air Traffic Control system so vulnerable nobody will want to fly...

Re:The FAA , another broken government organizatio

[Lightn]

Are you familiar with the discussion around Full disclosure? There are good reasons to publicly release vulnerabilities and if people were made legally liable for doing that, it would probably decrease our security in the long run. Assuming the information Renderman released points to an actual vulnerability, the FAA response shows the exact reason why full disclosure is necessary.

Re:The FAA , another broken government organizatio

[bleh-of-the-huns]

This is totally incorrect.

Flaws and vulnerabilities discovered during the C&A process result in POA&Ms (Plan of Action and milestones) for each flaw and vulnerability. Each of those POA&Ms is tracked, and there is timeframe that the issue must be resolved, depending on the severity. Once flaw remediation is complete, the POA&M is closed.

No recertification required. The only time recertification is required is when a certain percentage of the system is changed, not updated or fixed.

Many errors in the presentation:

[DL117]

I just read the presentation. It seems like this guy knows just enough to scare himself and others.

Mistakes:

Page 13: The 'ID Number'(SSR/'squawk code') is automatically attached, it is not manual, nor is 'a great deal of work required'.
Page 14: Pilots DO get traffic data from the current ATC system. Traffic detection systems on airplanes intercept the transponder replies, and use that to detect the location of other air traffic. Larger aircraft have systems that actually communicate each other to avoid collisions in emergencies. Those systems are called PCAS, and TCAS respectively.
Page 14:Standard separation of aircraft is 3-10 miles and 1000 feet. Not 80 miles. That's just stunningly wrong.
Page 15:Airplanes will ALWAYS need to avoid thunderstorms and volcanoes, radar or no radar.
Page 16:Not too many errors here, but planes ALREADY can be closer than 5 miles.

Page 23(the "scary stuff"): Yes, he(and you) can observe the air traffic. So what? It's not secret, hasn't ever been secret, and doesn't need to be secret. You don't need ADS-B to know that airplanes congregate around airports. This function is largely intentional, and nothing worse than a tool for enthusiasts. Critical thinking will tell you that it's not information that needs to be kept secret(flghtaware.com's FAQ explains this concept very well)

So, the only real point on page 23 is the lac kof authentication. Which isn't much of an issue because it will be validated with radar. And, over the ocean, where there isn't radar, you probably won't have morons in boats spoofing signals.

Page 27: None of these threats are actually dangerous. It's already public. Most flightplans are available online(flightaware.com), and you can see most airplanes in the sky. They take predictable routes around airports. It's not dangerous.

Page 28: Most of these are valid concerns, but the opportunity to train the system isn't their. Fake flights will quickly be noticed. How? "Hey, none of these planes are landing. And it's tail number doesn't exist".

Page 30: Autopilots DO NOT automatically avoid collisions, a warning signals the pilots to take action, essentially for this exact reason. Autopilots ONLY do things they have been explicitly told by the PILOT and no one else, including ATC.

Page 30:Many large aircraft DO have radar onboard for traffic. It's called TCAS.

Page 31: GPS jamming not new.

Page 32: Not new. GPS spoofing isn't new, but is VERY rare.

Points I'd like to highlight:

1. ADS-B does not need to be private, and is not intended to be private. All of the concerns regarding lack of privacy here are invalid.
2. Autopilots only take commands from the pilot(s) inside the cockpit. No one else.
3.Only valid remaining concerns are signal spoofing.
4.They have planned for this, and are clearly working on countermeasures.

Just because the government lies and makes mistakes often, doesn't mean they do it always.

Source:Aviation enthusiast, student pilot, many, many public documents.

Re:DOS

[tibman]

you've taken data OUT of /dev/null?! Don't do it! Put it back in!

Re:The FAA , another broken government organizatio

[the_B0fh]

Oh sure, blame the messenger. It is now his fault that FAA has a shitty insecure system, and it is his fault for not telling FAA, except that, hey, he did tell them.

In fact, after he told them, the FAA said - no, we're secure.

In fact, after he showed them, the FAA said - no, we're secure because we can filter it out.

Bah, humbug. The faults lies with exactly one entity. The one that is pushing out the insecure shit. Not someone who found it insecure. For you or anyone else to blame him is fucking bullshit.

Re:I'm so glad

[Teancum]

I thought it was grocery store checkout lines and phone booths, once they ban cell phones as dangerous terrorist devices (due to the ability to use them to trigger a bomb).

Re:Certified and accredited: By Whom?

[AmiMoJo]

All aircraft in US airspace have to be registered. They have a unique identifying code. Standard public key crypto would allow the system to authenticate messages are really from the transponder they claim to be from, preventing spoofing. Someone could, as you say, copy one transponder's keys but it would be easy to simply blacklist that key and issue the real aircraft with a new one.

The real problem is what do you do when you receive an unauthenticated message. Potentially it represents an aircraft experiencing some kind of fault or which isn't registered for some reason. You can't just ignore it completely because if it were real there could be an accident. The FAA seems to be suggesting that they could double check if it is real using radar or some other method, but the point of this system is to cover areas that don't have radar. I suppose given that all high traffic areas are covered the risk is probably fairly minimal, but I really don't know that much about air traffic control in the US.