Air traffic control: an easy target for hackers?
Next-generation ADS-B aircraft tracking systems are set to revolutionise future ATC operations, but are the signals adequately protected from hacking? Chris Lo speaks to Eurecom security researcher Andrei Costin about the new system's vulnerability to mid-air cyber attacks.
By 2020, Automatic Dependent Surveillance-Broadcast (ADS-B) will be a compulsory requirement on the majority of aircraft in US airspace as part of the country's Next Generation Air Transportation System initiative. ADS-B is designed to eventually replace radar as the primary method of tracking and controlling aircraft in the US and around the world.
The GPS-based system, which allows real-time, automatic tracking of aircraft by ATC centres, brings with it a raft of benefits over its ageing predecessor, including improved safety, enhanced air traffic flow management and more detailed data transfer. But during the last few years, academics and industry experts have been pointing to mounting evidence that the system is currently unprotected against hacking, whether by online pranksters or as part of a more directed cyber attack on critical infrastructure.
These worrying reports revolve around the fact that ADS-B communications are unencrypted and incorporate no user verification system, meaning hackers could gain access to communication between aircraft and ATC centres and send false information to mislead pilots or overwhelm controllers with fake aircraft signals. Needless to say, such attacks could cause unprecedented chaos and safety issues if they were to infiltrate busy airspace.
Eurecom researcher Andrei Costin has studied the evidence closely, and is now working to warn the industry and aviation bodies of the feasibility of disrupting the new system. Following his 'Ghosts in the Air (Traffic)' presentation at last month's Black Hat security conference in Las Vegas, we spoke to Costin about the havoc that hackers could wreak on ADS-B, and the relative ease with which they could accomplish it.
Chris Lo: What are your biggest concerns about the cybersecurity of next-gen systems such as ADS-B?
Andrei Costin: The biggest concern is the fact that the communication on the system is unencrypted, which in the first place poses some real privacy concerns. But, supposing that privacy concerns would not be a major issue in this case, the biggest issue I see with ADS-B technology is that it doesn't have any mechanism to make sure that the sender of the message is the one who really sends the message.
Basically, there is no built-in, even basic mechanism to make sure that the messages are really coming from the people or the device they claim to be coming from.
CL: In what ways could this form of hacking affect ATC and airport operations?
AC: The mere fact that someone could inject a fake air plan into the air traffic control screens is pretty serious.
Another serious thing could be simple jamming, which affects any other radar frequency or wireless technology. Jamming is a more general problem so that's not ADS-B specific.
The main problem that's specific to ADS-B is the possibility to inject these fake messages or to try to modify real messages sent by real planes as they're sent over the air, and relay the modified version to the ATC centre.
CL: How proficient would a hacker have to be to gain access to an ATC system and create false signals?
AC: The main concern is that a non-technical and non-sophisticated attacker with a very low budget, below $2,000, can accomplish this kind of attack in no time and with no particular knowledge.
I would draw a very clear parallel to the GSM [Global System for Mobile Communications] hacking attacks, where Karsten Nohl and his group basically put up a system where, by running some scripts and having some hard drives and the same hardware device, you could crack the GSM system, which was thought to be secure and only theoretically broken. But the system was practically broken with simple script.
CL: Do you think developers of these communications technologies consistently underestimate the abilities of hackers?
AC: Yes, I think it's one of the key problems nowadays with critical infrastructure, and in general with the way technology is designed.
The designers and architects of even big systems such as ADS-B either don't understand or completely underestimate the sophistication of current attacks, and the ease of achieving these attacks by non-technical people.
In five years, these attacks have become laughably cheap, and of kindergarten-level technical complexity.
This is something that the industry as a whole, both airlines and ATC, should take on-board and not underestimate the technological advances and the falling price of technology, which means these attacks will become even cheaper and more sophisticated in the future.
CL: Is there any way for investigators to track false signals back to the people who created them?
AC: As far as we know, [government aviation agencies] have pretty good technology for locating the original rogue signals in case they have put some critical system at risk or interfere with one, like air traffic or ADS-B. They can bring up devices and more or less locate the rogue signals.
Of course, methods exist to evade that. The rogue signals can come from multiple sources, so it would be harder to detect, or if they localise them, it will be harder to address, let's say, 100 rogue transmitters at the same time.
Or, if the attacker has planted the rogue transmitter on a mobile device, such as a car or, worse, on a drone or UAV. Then, the detection of this kind of target is more complex, because the attacker is not static, it's mobile or could even be flying.
So there are at least a couple of ways in which attackers can evade the detection and localisation techniques used by regulatory bodies.
CL: Are there other ways in which hackers or criminals could abuse the ATC system, like tracking flight movements to sell the information?
AC: That's definitely one of the possibilities. There are at least two different publically known techniques to look up airplane identification over publically available databases, and correlate private jets with the actual owners of those jets.
Imagine if cars registered in the UK or any other country, could be looked up along with their owners and other details via a publically available database. That would be a huge privacy concern. This is already possible for private airplanes - with airlines, it's less easy.
But with the private jets, high-profile people are using those; that could potentially be a lucrative market for tip sellers or paparazzi, or maybe even for darker economic purposes, such as trying to figure out which CEO made which trip to which country, trying to figure out some insider information.
The possibilities are endless, but the idea that we and other researchers are trying to convey is that looking up these sensitive details about private people can provide lucrative markets to not-so ethical people.
CL: What steps need to be taken to make ADS-B more secure against cyber attacks?
AC: Even after full deployment of ADS-B most probably the old radar system will still be the primary source for locating and identifying aircraft, and ADS-B will be used as a secondary source to correlate the data.
Regarding other mechanisms, there is also collaboration between multiple ground stations and ground ATCs, which share information on their private communication links, so they can carry out triangulation or multilateration.
This is a mitigation that is required to be used, but they cannot use it extensively, otherwise all the benefits of ADS-B technology are being lost, because they would need more ground stations and more coverage by ground stations. This would cost money, and sometimes it's not feasible to deploy them everywhere. It's a mitigation that works, but it negates all the benefits of ADS-B, so it's not very heavily used.
The academic community has come up with various solutions to the problems that I have mentioned, because several groups have been researching the vulnerabilities of ADS-B.
Every group has tried to propose a specific solution for the protocol. They involve things like grouped aircraft, where a group of aircraft share information and validate each other's broadcasts, so they form a group of 'trusted aircraft', so any fake signals would be rejected by the group. These solutions are trying to add more layers of protection on top of the existing technology.
Can mathematical modelling and game theory be used to make airport security less predictable to aggressors? Teamcore, a US research team working with the TSA and Los Angeles Airport, is working to prove that it can.
Could tomorrow's airport systems predict passenger flows in advance, in order to alleviate the chaos of day-to-day operations? Chris Lo finds out about a pioneering AI system which could lead the way to the semi-sentient airport of the future.
It sounds like the stuff of science fiction, but avatars really are being employed as airport staff. These 3D, life-size holograms provide instructions, give directions and even advertise products. But will they replace real workers?