ADS-B Replay Attacks
Thread Starter
Join Date: Jun 2011
Location: KLAX
Posts: 1
Likes: 0
Received 0 Likes
on
0 Posts
ADS-B Replay Attacks
Capturing, storing, modifying and replaying ADS-B data is a trivial task. It would be a simple matter to launch a man-in-the-middle attack against an aircraft in flight, and using a high gain yagi antenna aimed at a particular aircraft, the attacker could create any traffic display scenario he would like the pilot to see, whether 1000 aircraft or none.
This is not merely theoretical but a demonstrable fact. This is ECM 101
Since these transmissions are not encrypted they are vulnerable to mischief. All aircraft communications are sent in the clear and equally vulnerable. For less than $10,000 you can jam out an ILS and substitute your own if your desire is to guide an airplane to a threshold of your choosing. VOR DME is laughingly easy to spoof.
While the TSA is busy confiscating shampoo, it's very easy to acquire the computer and radio gear needed to inject malicious signals into the nav data stream. Since these important signals are neither encrypted or authenticated, this is a massive security vulnerability waiting for exploit.
I suspect this technology is already in the wild and may explain one or more puzzling air crashes...
Does anyone know of work being done to close this hole? Why has no attention been paid to securing our exposed radio navigation signals?
TIA.
This is not merely theoretical but a demonstrable fact. This is ECM 101
Since these transmissions are not encrypted they are vulnerable to mischief. All aircraft communications are sent in the clear and equally vulnerable. For less than $10,000 you can jam out an ILS and substitute your own if your desire is to guide an airplane to a threshold of your choosing. VOR DME is laughingly easy to spoof.
While the TSA is busy confiscating shampoo, it's very easy to acquire the computer and radio gear needed to inject malicious signals into the nav data stream. Since these important signals are neither encrypted or authenticated, this is a massive security vulnerability waiting for exploit.
I suspect this technology is already in the wild and may explain one or more puzzling air crashes...
Does anyone know of work being done to close this hole? Why has no attention been paid to securing our exposed radio navigation signals?
TIA.
Join Date: Mar 2009
Location: Chicago, IL, US
Age: 73
Posts: 48
Likes: 0
Received 0 Likes
on
0 Posts
I'm sure some people have looked at this and decided that the cost/benefit ratio doesn't justify the massive investment that would be required to address the possible issues. I'd also guess that people who might be able to spoof these systems have concluded that there are cheaper and more dramatic ways to kill people. The object of terrorism is to use dramatic acts to promote a cause. Deaths which might well be mistaken for equipment malfunction or pilot error and would depend on the terrorists being able to claim undeniable credit just don't do the trick.
Besides, you're asking a bunch of professional pilots whose whole job is to be fully aware of the developing situation to blindly follow your spoofed electronic guidance without cross-checking other inputs available to them. They are trained to recognize a bad ILS signal (e.g. wrong rate of descent from known waypoints), incorrect VOR, etc. Only the TCAS scenario really works in my mind, and only if ATC has already established a context in which the false warning would make sense to the pilot. Trying to use TCAS to get a pilot to fly into the ground or another aircraft would be pretty tough. Actually I think, given last week's near-collision at JFK, that hijacking a tower or ground controller's frequency could be more deadly.
Hollywood might buy your plot for the next edition of the "Die Hard" series but I think the bad guys have more faith in proven technology like underpants bombs.
Besides, you're asking a bunch of professional pilots whose whole job is to be fully aware of the developing situation to blindly follow your spoofed electronic guidance without cross-checking other inputs available to them. They are trained to recognize a bad ILS signal (e.g. wrong rate of descent from known waypoints), incorrect VOR, etc. Only the TCAS scenario really works in my mind, and only if ATC has already established a context in which the false warning would make sense to the pilot. Trying to use TCAS to get a pilot to fly into the ground or another aircraft would be pretty tough. Actually I think, given last week's near-collision at JFK, that hijacking a tower or ground controller's frequency could be more deadly.
Hollywood might buy your plot for the next edition of the "Die Hard" series but I think the bad guys have more faith in proven technology like underpants bombs.
Join Date: Oct 2001
Location: Kelsterbeach
Posts: 124
Likes: 0
Received 0 Likes
on
0 Posts
The TSA isn't about making air travel safe but to make people 'feel' safe.
After 9/11 the public felt unsafe and stopped flying. Now that the TSA and their moronic security theater is in place, the travellers are back, and so the TSA's goal is achieved.
Neither confiscating fluids, invading old ladies' underwear nor encrypting electronic signals enhance safety. But inconviniencing travellers gets noticed as it happens in public and the media writes about it. The encryption will go unnoticed.
After 9/11 the public felt unsafe and stopped flying. Now that the TSA and their moronic security theater is in place, the travellers are back, and so the TSA's goal is achieved.
Neither confiscating fluids, invading old ladies' underwear nor encrypting electronic signals enhance safety. But inconviniencing travellers gets noticed as it happens in public and the media writes about it. The encryption will go unnoticed.
While spoofing additional aircraft into the air picture is a known issue of ADS-B, blotting out the real ones at the same time is not nearly so easy to achieve as the signal is not a continous transmission.
It's also worth remembering that the near-term air to air aspirations of ADS-B are currently extremely modest. Assisting visual aquisition is one. Maintaining safe separation from a single other aircraft that has already been positively identified by ATC is another.
ILS can be jammed. But readily spoofed to a false touchdown point - I don't think so (sorry Die Hard fans).
Similarly DME. As with ADS-B the extra signals don't blot out the genuine ones because it is not a continuous transmission. So inconsistent readings yes. Consistently false reading - unlikely.
And VOR? Very difficult to spoof unless you actually build one! And a DVOR wouldn't fit in the back of your car.
It's also worth remembering that the near-term air to air aspirations of ADS-B are currently extremely modest. Assisting visual aquisition is one. Maintaining safe separation from a single other aircraft that has already been positively identified by ATC is another.
ILS can be jammed. But readily spoofed to a false touchdown point - I don't think so (sorry Die Hard fans).
Similarly DME. As with ADS-B the extra signals don't blot out the genuine ones because it is not a continuous transmission. So inconsistent readings yes. Consistently false reading - unlikely.
And VOR? Very difficult to spoof unless you actually build one! And a DVOR wouldn't fit in the back of your car.
Join Date: Aug 2003
Location: Scotland
Posts: 240
Likes: 0
Received 0 Likes
on
0 Posts
Don't forget that all these things are actively monitored; the ILS installation includes a monitor that can see whether it is off-air (or lying), as does a VOR, a DME and so on. Since the first task in spoofing a Navaid would be to turn off the real one, any intervention would very quickly be detected. (As already mentioned, jamming a navaid to make it unusable would be easier, but that generally does not satisfy any terrorist objectives - it just makes the pilots job slightly harder).
The biggest threat (which there WAS a film about - an old B&W movie set in Ireland if I recall correctly) is spoofing ATC voice communications. If you can "steal" a frequency, and sound like you know what you are doing, you could radar vector traffic wherever you like...
The biggest threat (which there WAS a film about - an old B&W movie set in Ireland if I recall correctly) is spoofing ATC voice communications. If you can "steal" a frequency, and sound like you know what you are doing, you could radar vector traffic wherever you like...
jmmilner
Only the TCAS scenario really works in my mind, and only if ATC has already established a context in which the false warning would make sense to the pilot.
Only the TCAS scenario really works in my mind, and only if ATC has already established a context in which the false warning would make sense to the pilot.
TCAS uses reported altitude and rate of closing range. You can spoof one but not the other. If you can get the victim aeroplane fast enough and low enough you can spoof an alert with a ground based transmitter (directly beneath the track). But only briefly. As the range gets really short the alert cancels as it looks like the 'threat' is passing safely to the side.
TCAS has built in protections against providing RA's to fly you into the ground.
