The disappearance of Malaysia Airlines flight MH370 has raised questions about why it is taking authorities so long to find the aircraft’s location, with lots of people asking ‘why don’t they just use a GPS tracker to track it down?’ Currently, Air Traffic Control (ATC) uses a combination of ground-based radar and the Aircraft Communications Addressing and Reporting System (ACARS), a system on board the aircraft similar to text messaging, which sends very limited data about a plane’s location every 15-30 minutes. A new GPS-based system which will provide much more detailed information is being rolled out in many countries, with the majority of commercial flights expected to be updated by 2020.
We wanted to break down exactly how secure the navigation systems on board commercial flights are, and whether they pose a threat to security. Could someone hack into them and cause a catastrophic breach of security, and exactly how easy is it for a criminal to target a commercial plane in such an attack?
First, let’s take a closer look at how a plane’s existing communication system works. Pilots in control of a plane need to be able to easily communicate both with the nearest Air Traffic Control (ATC), and with other nearby aircraft. ATC collects information via two radars – the first radar sends a signal over a voice channel, which bounces off the body of the plane and comes back to ATC. This does not require the plane to respond back – the radar just detects that there is an object in the sky and the plane’s bearing and distance can be calculated by ATC. They also use an SSR (Secondary Surveillance Radar) which not only locates the plane with a radar, but also queries additional information which is received by the plane’s transponder, an electronic device that produces an automatic response when it receives a radio-frequency interrogation. The plane automatically replies with a transponder code identifying the airline, flight, and altitude.
The new, more advanced GPS-based technology called Automatic Dependent Surveillance-Broadcast (ADS-B) allows automatic communication between a plane, other planes in the nearby vicinity and ATC. It is planned to completely replace traditional radar-based surveillance by the end of 2020, not only in the USA but all over the world. The technology consists of two different services: ADS-B Out and ADS-B In.
- ADS-B Out broadcasts accurate information every second about the aircraft ID, altitude, velocity and position to ATC and, in general, to any other passing aircraft.
- ADS-B In allows the aircraft to automatically receive data from outside – for example from ATC and other nearby planes. The TCAS (Traffic Collision Avoidance System), which stops planes from colliding, works in co-operation with ADS-B In.
Could the manipulation of ADS-B allow an attacker to change the normal behavior of a plane during the flight? Let’s check out the security of these protocols and why they could cause a problem in-flight:
Clear-text communication means anyone can eavesdrop
Clear text is a way of sending data with no encryption, which makes eavesdropping an issue. Information broadcast by ADS-B is transmitted in clear text, which means that anyone could easily use it to locate the plane and identify the aircraft ID, its position and its altitude.
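As an added illustration (not part of the original article), the Python below reads the aircraft address and callsign straight out of a raw ADS-B identification frame using only the public field layout; no key or credential is involved. The function names are this example's own, and the sample frame is one commonly used in open-source Mode S decoder documentation.

```python
SAMPLE_FRAME = "8D4840D6202CC371C32CE0576098"  # sample input, 112 bits as hex


def char_for(code):
    """Map one 6-bit character code from an identification message to text."""
    if 1 <= code <= 26:
        return chr(ord("A") + code - 1)
    if 48 <= code <= 57:
        return chr(code)
    return " " if code == 32 else "#"


def decode_identification(frame_hex):
    """Return the fields an identification frame exposes to any listener."""
    raw = bytes.fromhex(frame_hex)
    if len(raw) != 14:
        raise ValueError("expected a 112-bit frame")
    downlink_format = raw[0] >> 3          # first 5 bits
    if downlink_format != 17:
        raise ValueError("not an ADS-B extended squitter")
    me = raw[4:11]                         # 56-bit message field
    type_code = me[0] >> 3                 # 1..4 means aircraft identification
    if not 1 <= type_code <= 4:
        raise ValueError("not an identification message")
    bits = int.from_bytes(me[1:], "big")   # eight 6-bit characters
    callsign = "".join(char_for((bits >> s) & 0x3F) for s in range(42, -1, -6))
    return {
        "icao_address": raw[1:4].hex().upper(),
        "type_code": type_code,
        "callsign": callsign.strip(),
    }


if __name__ == "__main__":
    print(decode_identification(SAMPLE_FRAME))
```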
Lack of authentication means anyone can impersonate ATC or a passing plane
In most IT systems, when two parties exchange information, at least one will need to authenticate itself, i.e. prove it is who it says it is. Most commonly, a username and password are used, but there are other ways, such as key authentication. In some cases, such as this one, two-way authentication should be required to ensure that an attacker cannot impersonate any of the parties.
ADS-B does not implement any kind of authentication, and therefore an attacker impersonating another aircraft or ATC would be able to send data to the cockpit and there would be no security mechanism to identify whether the source is legitimate.
Signal jamming could cause a pilot to miss important information
Another potential threat is signal jamming. As the protocol doesn’t require any authentication, an attacker could potentially inject a large amount of data, which could cause disruption or loss of availability of the authentic information from ATC or a passing plane. It could cause the pilot to miss important information.
Lack of integrity validation means an attacker could re-send old messages from ATC
In strong protocols, there are mechanisms in place to detect a loss of integrity or data being manipulated in transit.
The ADS-B In service does not verify the integrity of the data it receives into the plane, which, even if it originated from an authentic source, could have been changed or manipulated by an attacker. Similarly, authentic data from ATC or a passing plane could be resent in the future by an attacker. This means that an attacker could fairly easily impersonate ATC by reusing old messages. Moreover, ADS-B does not require any further verification between the plane’s system receiving the data and passing it to the cockpit, so a change made upon receipt of the data would not be detected.
GPS jamming and spoofing could make the pilot think the plane is located elsewhere
ADS-B uses a GPS signal for navigation. GPS jamming is not a new technique and it may be possible for an attacker to block the ability of the aircraft to use GPS. Additionally, there has been considerable research on GPS spoofing in which it would be possible to manipulate GPS signals to send fake location coordinates to the GPS receiver. As in the previous attacks, the pilot would be unable to identify whether the GPS reader is reporting accurate information.
Lack of widely-used multilateration makes it easier to perform a successful cyber attack
Multilateration is a mechanism in planes that broadcasts a signal which is picked up by multiple triangulators on the ground. Based on the time difference between the receptions, it is possible to triangulate and identify the exact location of an aircraft. An attacker would find it extremely difficult to manipulate the output from this system as it relies on the laws of physics. In the case of a cyber attack, it would send ATC reliable information about the plane’s true whereabouts. It is generally not used by default.
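The cross-check this section describes, as an added example that is not part of the original article: it compares the position a message claims with the time differences at which ground receivers actually heard it. The receiver coordinates, the 300 m tolerance and all function names are assumptions made for the illustration, and arrival times are simulated rather than measured.

```python
import math
from itertools import combinations

C = 299_792_458.0  # speed of light in m/s

# Constructed ground receiver sites, local east/north/up coordinates in metres.
RECEIVERS = {
    "rx_a": (0.0, 0.0, 0.0),
    "rx_b": (40_000.0, 0.0, 0.0),
    "rx_c": (0.0, 40_000.0, 0.0),
    "rx_d": (40_000.0, 40_000.0, 0.0),
}


def arrival_times(emitter, t_tx=0.0):
    """Simulate when each receiver hears a broadcast sent from `emitter`."""
    return {name: t_tx + math.dist(emitter, pos) / C
            for name, pos in RECEIVERS.items()}


def tdoa_residual_m(claimed_pos, toa):
    """Largest gap, in metres of range difference, between the measured
    time differences and those the claimed position would produce."""
    worst = 0.0
    for a, b in combinations(sorted(toa), 2):
        measured = (toa[a] - toa[b]) * C
        expected = (math.dist(claimed_pos, RECEIVERS[a])
                    - math.dist(claimed_pos, RECEIVERS[b]))
        worst = max(worst, abs(measured - expected))
    return worst


def position_is_plausible(claimed_pos, toa, tolerance_m=300.0):
    """Accept a self-reported position only if the arrival times agree."""
    return tdoa_residual_m(claimed_pos, toa) <= tolerance_m


if __name__ == "__main__":
    claimed = (15_000.0, 25_000.0, 10_000.0)   # position stated in the message
    elsewhere = (60_000.0, -5_000.0, 0.0)      # a transmitter somewhere else
    for label, source in (("genuine", claimed), ("forged", elsewhere)):
        toa = arrival_times(source)
        print(label, round(tdoa_residual_m(claimed, toa)),
              position_is_plausible(claimed, toa))
```

The transmit time cancels out of every difference, so the check needs synchronized receiver clocks but no cooperation from the sender.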
The attacks explained are not challenging for an attacker to implement. Someone on board (or on the ground and in range of the aircraft) could potentially either trick the pilot into reacting to fake signals, such as nonexistent passing traffic, fake flight divergence or a bogus weather report, or stop the pilot from receiving legitimate communication from other planes or ATC without them realizing. The only equipment an attacker would need would be a laptop (or embedded device) and an antenna, and it would be possible for an attacker to do this from the ground, though the range of the attack can vary depending on what kind of hardware the attacker uses.
All the tools a malicious attacker would need can be bought cheaply. It is even possible to convert a TV tuner into an ADS-B receiver. As well as being cheap, the antennas are small, making it even easier to hide them and use discreetly.
In a nutshell, the current communication protocols in ADS-B, when looked at in isolation, are fundamentally insecure, and manipulation of the information received by an aircraft is relatively easy to do. However, the information above analyses the risks of this protocol used in isolation. Airlines may have additional security mechanisms in place that are designed to minimize the success of potential attacks, e.g. processes, procedures and staff training.
As with any system, the data received by the p ADS-B becomes more widespread, manufacturers will undoubtedly show due diligence by investing in stronger security mechanisms and ensuring that the risks of cyber-attacks are minimized. Until then, it is just possible that a cyber criminal could at the very least cause confusion for pilots and, in the worst case, divert a flight in mid-air or cause a collision.