Slashdot Mirror

← Back to Stories (view on slashdot.org)

FAA Denies Vulnerabilities In New Air Traffic Control System

Posted by Soulskill on from the what's-the-worst-that-could-happen dept.

bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."

10 of 141 comments (clear)

  1. Bad FAA! by Jerslan · · Score: 5, Insightful

    [rolls up newspaper]
    [smacks FAA on the nose with rolled newspaper]
    Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems!
    [smacks FAA on the nose with rolled newspaper]

    1. Re:Bad FAA! by Anonymous Coward · · Score: 5, Funny

      But it was certified! CERRRRRRRRTIFIED! AND it was accredited! Both! At once! What more do you people WANT from us? Geez!

  2. I'm confused by wcrowe · · Score: 5, Insightful

    So, let me get this straight. We have to grope old women wearing diapers and four year olds for safety reasons, but there is no need to worry about the software because it is "certified"?

    --
    Proverbs 21:19
    1. Re:I'm confused by ark1 · · Score: 5, Insightful

      It's all about security theatre. Airport passenger screening is setup in a way to reduce fear within the general population instead of actual risks. Improving software security will not enhance the feeling of security in your average citizen.

  3. Doesn't know much about the system by vlm · · Score: 5, Informative

    explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy.

    He doesn't know much about the system. OK. go ahead... try to break it.... what'll happen? Nothing.

    Spraying junk into the system is irrelevant. Being unauth and unencrypted its simpler and cheaper just to build a raw RF jammer than to feed in formatted junk reports. That works really well until the .mil shows up to train their jamming countermeasures equipment against your jammer. Whoops. DF work isn't all that complicated and the higher the frequency the easier it is. Radar jamming has been an option for what, 70 years now, and nothing really ever comes of it? ATC/pilots already have procedures to survive radar outages. Happens all the time. Send a nice thunderstorm thru, send in the backhoes (lots of remote radar units connected by fiber). So jamming/spamming/forcing it out of service is useless. Nothing an attacker can send will break anything.

    I know about the ADS-B data structure. This stuff is small and simple. We're not talking about radar and jetliner sending sandboxed java applets to each other, its incredibly simpler than that. Its like declaring you can hack buffer overflows over a morse code telegraph. There's not enough "stuff" in the protocol to be turing complete.

    The attack vector is incredibly narrow. I know a lot more about piloting and radar RF and microcontrollers, and frankly pretty much everything in the system compared to this guy and I can't figure out how to actually bust it.

    Look at the guy's presentation. notes as I scan thru the slides. 1) He's cooler than you, crendentialism means he's correct (LOL) 2) he drinks vodka, very impressive proof 3) he admits he knows nothing about ATC and radar 4) He doesn't know much about RF or comms (pulse per second modulated, wtf is this star trek technobabble) 5) Other people are looking and no one has come up with anything 6) his threats are not serious and/or not realistic and/or already exist 7) I love this quote "some threats are total unknowns" yeah I think thats an excellent summary of the ADS-B "security hole". 8) the pretend made up scandal about the FAA not releasing "sensitive security information" is about skin painting radar coverage for smuggler detection, thats why they claim it has no impact on passenger aircraft... its not all space alien coverup unless your passenger craft is 50 feet off the ocean and full of coke I think you're OK. 9) "Not trying to spew FUD" LOL ok dude I hope the audience laughed at that. 10 ) Dude calls a homemade SDR RX an "exploit" LOL 11) he hopes they don't unplug primary radar... well duh how would they catch smugglers if all they had to do was flick a circuit breaker to disappear...

    Look I know the guys not an idiot in general. But this is the kind of thing that happens when someone who doesn't know anything about any individual components of a big system, or anything about the big system itself, gets all FUDdy and self promotional. If you don't know anything about the terrain you're fighting in or the tools you have, you'll lose, no matter how smart you are.

    TLDR is don't worry its not an issue. FUD FUD FUD self promotion thats all.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Doesn't know much about the system by SirBitBucket · · Score: 5, Interesting
      I beg to differ... Both the TRACON (or tower) radar, and the jetliner TCAS radar could be spoofed with multiple (like hundreds or thousands if need be) targets. How will the TRACON or TCAS software handle this many targets? It must drop some of them. Which ones should it drop? VFR targets? Targets not in the IFR system? What if bad guy spoofs the same code as existing targets (which he can read himself)? Eventually the real targets must get lost.

      Are there ways to handle this? Yes, old school "strips," and greater separation manually... But what if the controllers can't find the real targets? In VFR conditions everyone must see and avoid anyway, and IFR flights would probably have to revert to VFR if in VMC. But what of a bunch of IFR flights in actual IMC? TCAS you say? What if said bad guy could spoof TCAS as well? TCAS would likely handle the huge amount of targets even worse than the TRACON software (might even crash... in the software sense). Add a power stuck mic to jam up all the COMM frequencies and you cause a lot of trouble indeed. Pilots must follow a discreet set up rules in this case, but they are not perfect in that they cannot help a jetliner that has had a headwind the whole way, and is low on fuel with now opportunities to make it to a VMC field.

      I'm just saying I believe with enough resources it could be done. Create a ton of fake targets near a busy airport in bad weather. Jam all COM frequencies. Jam GPS, Jam the ILS/MLS. Jam the VOR signals, and any remaining NDBs. It may not lead to loss of life if the bad weather was not too far widespread (such that IFR flights could proceed to VMC and land VFR), but either way it would cause a lot of monetary damage, and a lot of terror in the flying public...

      Encryption would be a very good thing for ADS-B. As we update the system from old school mode C, we might as well be countering these things.

    2. Re:Doesn't know much about the system by slimjim8094 · · Score: 5, Interesting

      And if you did all that, it would be damn close to, if not actually (GPS is military), an act of war. Want to see just how fast the government can respond to an incident? Try the above. I'd give you about 15 minutes before you had military on your ass. They have smart missiles that can automatically target GPS and radar jammers, if they get desperate enough to get rid of your interference. And as you note, there's already procedures for going "old-school" and not relying on radar or TCAS or ILS. Even in "hard" IMC you should be able to use your instruments to stay in the air and away from other planes, and you should have enough fuel (you did your fuel calculation correctly, right?) to circle around a bit waiting for the situation to be resolved.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    3. Re:Doesn't know much about the system by Bistromat · · Score: 5, Insightful

      I'm one of the authors.

      Unfortunately, transmitting live spoofed data into the real ATC system is Guantanamo fodder, and I'm trying to avoid becoming a domestic terrorist if at all possible.

      That said, this wasn't merely a simulation: real ADS-B frames were transmitted by a low-cost SDR (into a dummy load) based on the position of a simulated aircraft flying in FlightGear. Those transmitted frames were received by the same SDR (alongside real frames from real aircraft), and the resulting tracks plotted in Google Earth.

      See my comment here: http://tech.slashdot.org/comments.pl?sid=3065807&cid=41088873 for more information.

    4. Re:Doesn't know much about the system by Render_Man · · Score: 5, Interesting

      Greetings,

      As the guy on stage giving the presentation, I feel the need to comment. I see Nick was already here ahead of me covering most of the points, but I figured I'd chime in.

      The FlightGear Demo video was, as Nick mentioned, a way to show that it was possible to put ADS-B data into the air with equipment available to any hobbiest. We used a flight sim and a dummy load because at no time would we ever put real data into the air without proper permissions and safety precautions. As much as I want to know what would happen, I have no desire to see anything bad happen to any aircraft or members of the flying public. It was a proof of concept to show the theory and a potential tool to test these theories.

      I fully admit I dont know the system inside and out. I dont see how someone needs to be in order to spot things that are just not right.

      In all the comments, much was said, but little evidence was offered. If you have evidence that you can share publically, please do so. Contact me at renderlab.net and prove me wrong. I would love to do a presentation where I answer all of my questions to my complete satisfaction.

      A few points were raised repeatedly that I'd like to address:

      "But multilateration takes care of that". Really. Please show me the report. What was the methodology for establishing that as adaquate?

      "But pilots and controllers are smart people" They are also human and make mistakes. Training and preperation are going to be key to solving this

      "Publicity seeking" Yes, I am seeking publicity, to get the aviation authorities to open up about these issues and provide some transparancy into the

      "Try to hack it, nothing will happen". I want to, with permission of course. This is why I'm asking anyone who has access to aircraft, ATC operations gear, manuals, avionics, etc. To come forth and let us test our theories publically. If everything is secure and safe, then the worst thing that happens is I look a bit foolish, but we all can fly home feeling a bit safer.

      Yes, there may have been errors in the slides. I admit so right at the beginning. The aviation industry is more acronym happy than the computer industry. Some of the numbers are from official documents and older versions of SOP's or summaries or any number of sources. Until I have the controllers procedures and standards manual in my hand, I only have publically available documents to go from, which may contain variations or errors. I'm human.

      Lastly many comments questioned my motives and the logic of going public. I set out to prove to myself that ADS-B and NextGen were safe. I failed in that. I do not think it is as secure and safe as has been made out to be. I kept trying to prove to myself it was safe but every avenue turned up more evidence to the contrary. I exhausted all the documents and resources I could find and so wanted to turn to the hacker community that I know and love and get thier help in trying to prove my theories wrong. These theories have been around longer than I and are most certain to have been discussed by existing bad guys. As was stated many times, dont shoot the messenger.

      TL;DR version: Show me your evidence, prove to me NextGen is safe. Let us test it for ourselves publically.

      --
      Where are we going, and why are we in this hand cart?
  4. Many errors in the presentation: by DL117 · · Score: 5, Informative

    I just read the presentation. It seems like this guy knows just enough to scare himself and others.

    Mistakes:

    Page 13: The 'ID Number'(SSR/'squawk code') is automatically attached, it is not manual, nor is 'a great deal of work required'.
    Page 14: Pilots DO get traffic data from the current ATC system. Traffic detection systems on airplanes intercept the transponder replies, and use that to detect the location of other air traffic. Larger aircraft have systems that actually communicate each other to avoid collisions in emergencies. Those systems are called PCAS, and TCAS respectively.
    Page 14:Standard separation of aircraft is 3-10 miles and 1000 feet. Not 80 miles. That's just stunningly wrong.
    Page 15:Airplanes will ALWAYS need to avoid thunderstorms and volcanoes, radar or no radar.
    Page 16:Not too many errors here, but planes ALREADY can be closer than 5 miles.

    Page 23(the "scary stuff"): Yes, he(and you) can observe the air traffic. So what? It's not secret, hasn't ever been secret, and doesn't need to be secret. You don't need ADS-B to know that airplanes congregate around airports. This function is largely intentional, and nothing worse than a tool for enthusiasts. Critical thinking will tell you that it's not information that needs to be kept secret(flghtaware.com's FAQ explains this concept very well)

    So, the only real point on page 23 is the lac kof authentication. Which isn't much of an issue because it will be validated with radar. And, over the ocean, where there isn't radar, you probably won't have morons in boats spoofing signals.

    Page 27: None of these threats are actually dangerous. It's already public. Most flightplans are available online(flightaware.com), and you can see most airplanes in the sky. They take predictable routes around airports. It's not dangerous.

    Page 28: Most of these are valid concerns, but the opportunity to train the system isn't their. Fake flights will quickly be noticed. How? "Hey, none of these planes are landing. And it's tail number doesn't exist".

    Page 30: Autopilots DO NOT automatically avoid collisions, a warning signals the pilots to take action, essentially for this exact reason. Autopilots ONLY do things they have been explicitly told by the PILOT and no one else, including ATC.

    Page 30:Many large aircraft DO have radar onboard for traffic. It's called TCAS.

    Page 31: GPS jamming not new.

    Page 32: Not new. GPS spoofing isn't new, but is VERY rare.

    Points I'd like to highlight:

    1. ADS-B does not need to be private, and is not intended to be private. All of the concerns regarding lack of privacy here are invalid.
    2. Autopilots only take commands from the pilot(s) inside the cockpit. No one else.
    3.Only valid remaining concerns are signal spoofing.
    4.They have planned for this, and are clearly working on countermeasures.

    Just because the government lies and makes mistakes often, doesn't mean they do it always.

    Source:Aviation enthusiast, student pilot, many, many public documents.