Flaws found in mandated aircraft safety system


Aircraft flying to the world's most popular airports could be placed in danger by accurate yet inexpensive attacks targeting a widespread aviation safety system, according to European information security researchers.


Researchers proved attackers with control over a wireless network and possessing off-the-shelf equipment could jam and interfere with flight collision systems, elevating the otherwise low risk of a crash.

An attacker could theoretically flood air traffic control monitors with images of fake aircraft and even modify the trajectory of those in the sky -- undermining systems that aim to provide pilots with information on the location and direction of aircraft.

The system in question is mandated for use in Australia.

The automatic dependent surveillance-broadcast (ADS-B) network was last week mandated to be installed for all aircraft cruising above 29,000 feet in Australia by the nation's Civil Aviation Safety Authority (CASA). Australia was the first country to deploy the system using the 1090ES platform.

The United States uses a dual ADS-B platform of 1090ES for all flight altitudes and what critics argue was the more effective Universal Access Transceiver (UAT) system for flights below 18,000 feet.

Crucially, the latter platform provides enough bandwidth to enable encryption, which would render the demonstrated attacks ineffective.

"Our results reveal some bad news," researchers Matthias Schafer, Vincent Lenders, and Ivan Martinovic wrote in a research paper (pdf). "Attacks on ADS-B can be inexpensive and highly successful."

The researchers' findings revealed that air traffic safety systems "should not rely exclusively on ADS-B".

Attacks on the ADS-B system could be used to reveal the position of hidden military aircraft using cheap equipment that could detect planes from 450 kilometres away.

"Our measurements conclude that the reception quality and range with low cost equipment is remarkable," the researchers wrote.


CASA did not respond to multiple requests for comment from this publication.

Adelaide-based private pilot and aviation programmer Bas Scheffers (@basscheffers) said the industry should have opted for UAT, which would reduce costs for pilots and enable the use of encryption.

"The military do encrypted ADS-B on 1090 by making each position report actually three transmissions long and even then [it] is manageable if you are the military but impossible in the civilian world," Scheffers said.

"In my opinion, 1090ES should never have been used for ADS-B. UAT is the better technology, the lower cost technology and has enough bandwidth to implement proper public/private key signing of messages."

Airservices Australia, which deploys ADS-B, said flight controllers used other mechanisms in conjunction with ADS-B, including voice and data communications, flight planning and radar.
 
"Australia's air traffic control system and network has multiple layers of safety, security and resilience built into it to both mitigate and minimise current and prevailing risks," a spokesperson said.
 
"All threats, both real and perceived to our environment are monitored and reviews undertaken to ensure the integrity of our systems is balanced against the alternatives."

The air navigation provider said it "regularly assesses" risks to Australia's airways including "ongoing assessment of the risks associated with the adoption and use of new technologies such as" ADS-B.

Digital rights advocate Geordie Guy (@GordyPls), operator of an ADS-B real-time flight tracking service, said spoofing could cause problems if pilots and operators did not consult other sources of information.

"ADS-B is probably easy to spoof because it's an insecure peer-to-peer protocol for exchanging information by participants," Guy said.

"The good news is pilots don't actually rely on ADS-B as a sole system, because pilots don't rely on any single piece of information to navigate and fly ... for now I think the words 'hacked air traffic control' spoken out loud are a thousand times scarier than the actual danger of bad ADS-B traffic broadcast."


Further criticism of the ADS-B mandate centred on the estimated $30,000 cost burden it placed on recreational pilots, that it would be limited because many light aircraft would never be fitted with the technology, and that it failed to address broader aviation safety concerns. 

In an interview, former director of the Australian Aircraft Owners & Pilots Association Bill Hamilton said the ADS-B system may force pilots to rely too much on their screens and not enough on looking out of the cockpit.

"Mid-air collisions almost never happen outside of gliders," Hamilton said. "It's a failure of basic training, of pilots to keep a proper lookout."

The 'ghost aircraft'

The researchers revealed that previously known attacks thought to be out of reach of attackers were both accessible and cheap, and they also discovered a new attack in which aircraft trajectories could be modified.

Information on particular aircraft could also be gleaned, leading to the possibility of targeted attacks, according to the research.

The new virtual trajectory modification attack could be implemented by combining message deletion and injection which erased aircraft position reports and replayed modified versions, or by modifying position reports of aircraft in the air.

Attackers with about $2000 worth of commercial off-the-shelf equipment could create a flood of fake aircraft to appear on the monitors of pilots and ground control staff. The attacks, first discovered in 2010 and further developed in 2011, meant 'ghost aircraft' could appear as taxiing or flying.

"... combined with poor visibility, this could force controllers to deny landings or instruct aircraft to change their altitude and/or course unnecessarily," the researchers wrote.

"In the air, on-board ADS-B-based collision avoidance systems offer attackers a simple way to distract pilots. Again, with poor visibility, pilots primarily make decisions based on their instruments, which makes them vulnerable to malicious interference."

Operators would face a "complete loss of situational awareness" in the event of a flood of fake aircraft as it would be "difficult and time-consuming" to spot real aircraft.

Researchers also found attackers could initiate false alarms such as those an aircraft might transmit in a terrorist attack, and also make aircraft disappear off monitors. Ground stations too could be jammed, wiping ADS-B signal messages.

"Especially in high density areas (around major international airports), a sudden failure of the surveillance or collision avoidance systems is described as devastating by controllers and could result in confusion and human failure with fatal consequences," the researchers wrote.

Complex attacks that combined the demonstrated scenarios were considered "imaginable" but were beyond the scope of the research.
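The researchers' advice not to rely exclusively on ADS-B, and Airservices' point that controllers also use radar, can be pictured as a cross-check between what aircraft broadcast and what radar independently measures. The sketch below is an added example, not code from the researchers or from any air traffic system; the aircraft identifiers, coordinates and the 2 km tolerance are constructed assumptions.

```python
import math

EARTH_RADIUS_KM = 6371.0

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def cross_check(adsb_reports, radar_plots, tolerance_km=2.0):
    """Compare self-reported ADS-B positions with radar plots from the same instant.

    adsb_reports: {aircraft_id: (lat, lon)} as broadcast by each aircraft.
    radar_plots:  [(lat, lon), ...] measured independently by radar.
    tolerance_km is an assumed matching threshold, not an operational value.
    """
    confirmed, unconfirmed = [], []
    unmatched = list(radar_plots)
    for ident, claimed in sorted(adsb_reports.items()):
        nearest = min(unmatched, key=lambda p: distance_km(claimed, p), default=None)
        if nearest is not None and distance_km(claimed, nearest) <= tolerance_km:
            confirmed.append(ident)
            unmatched.remove(nearest)  # one radar plot backs at most one report
        else:
            unconfirmed.append(ident)
    return {
        "confirmed": confirmed,            # ADS-B claim backed by a radar return
        "unconfirmed_adsb": unconfirmed,   # injected "ghost" or altered position
        "unreported_radar": unmatched,     # real target whose ADS-B is missing or moved
    }

# Constructed sample data: one honest report, one report with no aircraft behind it,
# and one report that places a real aircraft about 18 km from where radar sees it.
SAMPLE_ADSB = {
    "REAL01": (-33.900, 151.200),
    "GHOST1": (-33.500, 151.000),
    "MOVED1": (-34.200, 150.800),
}
SAMPLE_RADAR = [(-33.901, 151.201), (-34.300, 150.950), (-33.700, 151.400)]

if __name__ == "__main__":
    for kind, items in cross_check(SAMPLE_ADSB, SAMPLE_RADAR).items():
        print(kind, items)
```

A report that lands in `unconfirmed_adsb` while a radar plot lands in `unreported_radar` is the signature of the deletion and trajectory modification scenarios; an unconfirmed report with no spare radar plot points to injection.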

The researchers noted the attacks presented a heightened risk due to a doubling of flight movements predicted by the European Organisation for the Safety of Air Navigation to occur by 2030.
