LAS VEGAS — It’s a Twilight Zone episode waiting to happen. A commercial pilot at 30,000 feet gets sudden instructions from air traffic control on the ground that another plane is headed his way.
The pilot diverts as directed but then controllers tell him a third plane is now in his path, and then a fourth and fifth. Yet when the pilot looks out his window, he sees nothing in the sky.
This is the kind of spoofing attack that could become possible, according to security researcher Andrei Costin, who spoke at the Black Hat security conference on Wednesday about serious vulnerabilities in a new air traffic control system that is currently being deployed in the U.S. and elsewhere.
The system, known as Automated Dependent Surveillance-Broadcast, or ADS-B, uses radio frequencies for communication between one plane and another and between planes and the ground. It’s already widely used in Australia, where planes are required to be ADS-B compliant by 2013, and is expected to replace radar for air traffic control of commercial planes by 2020.
But according to Costin, a doctoral candidate at Eurecom, a graduate school and research institute in France, ADS-B is marred by serious security vulnerabilities that would make it possible for someone to spoof a plane and inject false messages into the system, leading air traffic controllers to “see” planes where none exist.
The problems with ADS-B are identical to many other types of critical infrastructure systems that lack encryption and authentication of communications. The communication that occurs between planes and ground systems is transmitted in cleartext and doesn’t require the source of a transmission to be authorized, thereby allowing an attacker on the ground to intercept, read and change messages being transmitted or to inject wholly fake messages into the communication stream that the system accepts as genuine.
An attacker can also conduct a replay attack by intercepting and recording packets from the air, storing them and then continuously replaying them back to the system when he wants, using relatively inexpensive equipment.
“It’s not very hard to mount this [attack],” says Costin. “It’s basically an open opportunity … for any attacker having medium technical knowledge.”
Air traffic controllers facing the sudden and unexpected appearance of planes would still have backup sources to verify the information – they could cross check flight plans, for example, to see if there’s any record of a plane scheduled to fly on that path. They could also consult backup radar signals. But doing so would consume time and energy in the case of even just a few phantom planes, and would become prohibitively time-consuming in the case of hundreds of such false transmissions, essentially creating what Costin calls a “human resources denial of service.”
The Federal Aviation Administration, when asked about the vulnerabilities by Forbes prior to the conference, said that it had “a thorough process in place to identify and mitigate possible risks to ADS-B, such as intentional jamming” and that it “conducts ongoing assessments of ADS-B signal vulnerabilities…. An FAA ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action. These risks are security sensitive and are not publicly available.”