Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

FAA Denies Vulnerabilities In New Air Traffic Control System

Soulskill posted about 2 years ago | from the what's-the-worst-that-could-happen dept.

Transportation 141

bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."

cancel ×

141 comments

Sorry! There are no comments related to the filter you selected.

Bad FAA! (5, Insightful)

Jerslan (1088525) | about 2 years ago | (#41086897)

[rolls up newspaper]
[smacks FAA on the nose with rolled newspaper]
Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems!
[smacks FAA on the nose with rolled newspaper]

Re:Bad FAA! (2)

crutchy (1949900) | about 2 years ago | (#41086939)

We encrypt and authenticate our CRITICAL systems

the FAA payroll system may well be encrypted

Re:Bad FAA! (0)

Anonymous Coward | about 2 years ago | (#41086989)

Looks like they didn't get a FIPS 140-2 compliant system.

Re:Bad FAA! (5, Funny)

Anonymous Coward | about 2 years ago | (#41087105)

But it was certified! CERRRRRRRRTIFIED! AND it was accredited! Both! At once! What more do you people WANT from us? Geez!

Re:Bad FAA! (0)

Anonymous Coward | about 2 years ago | (#41087315)

In that case, I have a beautiful golden bridge to sell you, it's certified to be true gold and ivory, with accredited gems on them.

Re:Bad FAA! (1)

pixelpusher220 (529617) | about 2 years ago | (#41087561)

FAIL is a valid certification...

Re:Bad FAA! (1)

Anonymous Coward | about 2 years ago | (#41087877)

As someone who is often involved in the Certification and Accreditation of sensitive systems, I can certify that this is mostly a paperwork drill for paper shufflers.

Re:Bad FAA! (0)

Anonymous Coward | about 2 years ago | (#41088979)

What more do you people WANT from us?

It also needs to have electrolytes [imdb.com] .

It's all about accountability (1)

Anonymous Coward | about 2 years ago | (#41089293)

There is a very real difference between being compliant with a standard (or certified,) and having actual useful security.

And this very fact seems to be willfully overlooked by organizations more and more. If you are certified and accredited, then when something goes horribly wrong you can point the blame at those who told you that you were doing a great job with your system. How would you know it was a problem when some important experts came in to check everything out? It doesn't seem to matter anymore if you have proper security (or otherwise can accomplish whatever goal your system is meant to achieve.) It only matters that some important people *said* that it did.

Ignorance is used as a tool to deflect blame onto others. And if you can save money, make a deadline, or impress your superiors by cutting these corners, it is even better! It is entirely to their advantage to place all the merit on their certifications and shrug off those who would point out the truth of the situation.

Re:Bad FAA! (1)

Jane Q. Public (1010737) | about 2 years ago | (#41089507)

I think their real concern was that it be Accredified.

Re:Bad FAA! (1)

shentino (1139071) | about 2 years ago | (#41089559)

Who wants to bet that the company doing the certification has a friend at the company building the computers?

Re:Bad FAA! (1)

AK Marc (707885) | about 2 years ago | (#41087867)

I agree with the FAA for one point. Encryption is unnecessary if the physical is secure. The problem is so many people assume the physical is when it isn't. Encrypting everything doesn't help if you have terminals insecure, anyway.

Re:Bad FAA! (1)

slick7 (1703596) | about 2 years ago | (#41089017)

[rolls up newspaper] [smacks FAA on the nose with rolled newspaper] Bad! Bad FAA! We encrypt and authenticate our CRITICAL systems! [smacks FAA on the nose with rolled newspaper]

Obviously, the FAA is too big to fail. I'll believe that when planes stop falling out of the sky.

The Setec Astronomy box can get the past codes (3, Interesting)

Joe_Dragon (2206452) | about 2 years ago | (#41086933)

The Setec Astronomy box can get the past codes used in the certified and accredited system.

Re:The Setec Astronomy box can get the past codes (2)

plover (150551) | about 2 years ago | (#41087261)

The Setec Astronomy box can get the past codes used in the certified and accredited system.

So can an Arduino.

I'm so glad (1)

Anonymous Coward | about 2 years ago | (#41086957)

I'm so glad that their system has been certified and accredited. That should mitigate all of the risk there.

Re:I'm so glad (0)

Anonymous Coward | about 2 years ago | (#41087005)

All hear is lalalala, certified, lalala, accredited, lalalala. Now go away.

Re:I'm so glad (3, Insightful)

pixelpusher220 (529617) | about 2 years ago | (#41087615)

How do you get the public to not care about the TSA?

Make an Air Traffic Control system so vulnerable nobody will want to fly...

maybe they don't use ruggedOS? (4, Funny)

jehan60188 (2535020) | about 2 years ago | (#41086997)

maybe they don't use ruggedOS?

Re:maybe they don't use ruggedOS? (3, Funny)

Impy the Impiuos Imp (442658) | about 2 years ago | (#41088001)

I'm sure they secured the back panel with the more obscure Torx screws, too.

The FAA , another broken government organization. (2, Interesting)

bongey (974911) | about 2 years ago | (#41087007)

The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have system that works correctly and securely. The really scary part is there can be known bugs in FAA accredited system(operational flight programs, ground radar systems) and the manufactor will not release fix because that requires another accrediation process. Thought the point of the FAA was to make sure aviation is safe, not to make people fill out forms.

Re:The FAA , another broken government organizatio (0)

Anonymous Coward | about 2 years ago | (#41087235)

The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have system that works correctly and securely. The really scary part is there can be known bugs in FAA accredited system(operational flight programs, ground radar systems) and the manufactor will not release fix because that requires another accrediation process. Thought the point of the FAA was to make sure aviation is safe, not to make people fill out forms.

The FAA is only broken if you believe that its purpose is to protect citizens. Its purpose is to promote the aviation industry, not promote safety. http://www.pbs.org/wgbh/pages/frontline/flyingcheap/

I'm glad updates must be accredited. (2)

bigtrike (904535) | about 2 years ago | (#41087241)

Cowboy coding is the absolute last thing you want in these systems. Rushing out the latest bug fixes is a terrible model for software that puts life at risk. Yes, this version might be hackable and that could cause problems if someone has malicious intent. Fixing the issue without a LOT of QA and bureaucracy to make sure proper testing procedures are followed is far more likely to kill people.

Re:I'm glad updates must be accredited. (0)

Anonymous Coward | about 2 years ago | (#41087361)

But the point is that there are a ton of bugs in these systems because of the difficulty and cost of releasing bug fixes, and a ton of workarounds for other people's bugs when you have to interoperate with them ('// If we send message X to version 1.3 of the Foobar SuperAvionics system it crashes, so we have to detect their hardware and send message Y instead').

You don't want people rushing out fixes that introduce new bugs, but you also don't want to make bug fixes so complex and expensive that nothing ever gets fixed and you end up relying on a rats' nest of undocumented workarounds.

Re:I'm glad updates must be accredited. (1)

cavreader (1903280) | about 2 years ago | (#41089005)

"But the point is that there are a ton of bugs in these systems because of the difficulty and cost of releasing bug fixes" Name one bug free software system that does more than render "Hello World!". And even that better not be on a machine connected to the Internet or other public network. I you want security you need to isolate the entire system from any and all remote network accessibility. Then you need to secure the physical accessibility points which is easier and cheaper than continuously waiting for the elusive bug free software to come along. If people demanded 100% secure systems they would only be able to update their applications about once every 10 years and their OS every 20 years if they were lucky. The best thing anyone can do now is manage the risk factors and hope things work out.

Re:I'm glad updates must be accredited. (1)

Jane Q. Public (1010737) | about 2 years ago | (#41089547)

"Name one bug free software system that does more than render 'Hello World!'."

That's completely beside the point. The issue here is that there are very OBVIOUS flaws that should never have been there, and they don't plan to fix them anytime soon.

Re:I'm glad updates must be accredited. (1)

bongey (974911) | about 2 years ago | (#41087479)

Not for cowboy coding , or no QA . The problem is FAA since the system is "accredited" means it is safe, which is exactly the problem the article is pointing out.

Re:I'm glad updates must be accredited. (1)

Jane Q. Public (1010737) | about 2 years ago | (#41089527)

"Rushing out the latest bug fixes is a terrible model for software that puts life at risk."

Not if you have adequate code tests in place. But of course, if you did, you probably wouldn't have the bugs in the first place...

Re:I'm glad updates must be accredited. (1)

Zero__Kelvin (151819) | about 2 years ago | (#41089915)

"Cowboy coding is the absolute last thing you want in these systems."

No. The absolute last thing you want in these systems is cowboy system architects, which alas, is clearly what they had in this case. As far as the cowboy coding, it varies greatly with the cowboy.

Re:The FAA , another broken government organizatio (2)

crutchy (1949900) | about 2 years ago | (#41087373)

the FAA can be more forgiving than EASA (I've worked on the opposite side of the table to both), but at least they don't just rubber stamp someone else's certification like most authorities... they can't just change the way their ATC system is secured overnight, and I'm sure if they are aware of a potential risk they are looking into it (as an organization they may be as faceless as any other, but there are some really smart people working there). aviation is probably one of the most bureaucratic and heavily regulated industries in the world, and while every software system has potential and real security risks, an organisation like the FAA can only go as far as they practically can given their operating budget and regulatory mandate.

they can shut down the sky (in the USA at least) but would anyone really want that because of a potential security risk in their software? maybe they should, but at what cost? would shutting down the airways kill more people due to increased road traffic and frustration than may be killed by an ATC hack? these are questions that the FAA will be struggling with, but the answers aren't black and white.

what classifies as a security risk? just because someone at Defcon brags about how he can hack the system may or may not mean that he can... or that anyone else can. I didn't read anything in TFA that suggested he actually has, only that he has shown it in simulations and makes assertions.

If Brad was seriously concerned, he would be working with the FAA and he wouldn't have publicized such a risk. If he didn't discover the risk, someone else would have no doubt (or the FAA may already have been aware of it anyway), but publicizing a potential security risk in something as important as Air Traffic Control is in itself a security risk. I think his motivations extend no further than gaining hacker cred, except I'm not even a hacker and I know that's not how it works. Hacker cred is gained by actually hacking... not just bragging to people how you reckon you can hack something.

Brad may not be culpable enough to execute such a hack, but by publicizing it he's putting the information in the hands of plenty of people who might, so if a plane crashes as a result of the very hack that Brad Haines has made known, wouldn't he deserve a portion of the blame? A court could possibly say... yes.

Re:The FAA , another broken government organizatio (4, Informative)

Lightn (6014) | about 2 years ago | (#41088185)

Are you familiar with the discussion around Full disclosure [wikipedia.org] ? There are good reasons to publicly release vulnerabilities and if people were made legally liable for doing that, it would probably decrease our security in the long run. Assuming the information Renderman released points to an actual vulnerability, the FAA response shows the exact reason why full disclosure is necessary.

Mod parent up (1)

Esteanil (710082) | about 2 years ago | (#41088711)

Ran out of points - mod parent up

Re:The FAA , another broken government organizatio (2)

the_B0fh (208483) | about 2 years ago | (#41089397)

Oh sure, blame the messenger. It is now his fault that FAA has a shitty insecure system, and it is his fault for not telling FAA, except that, hey, he did tell them.

In fact, after he told them, the FAA said - no, we're secure.

In fact, after he showed them, the FAA said - no, we're secure because we can filter it out.

Bah, humbug. The faults lies with exactly one entity. The one that is pushing out the insecure shit. Not someone who found it insecure. For you or anyone else to blame him is fucking bullshit.

Re:The FAA , another broken government organizatio (1)

shentino (1139071) | about 2 years ago | (#41089585)

Considering that it's the government I'm surprised they didn't simply try to classify and bury it.

Re:The FAA , another broken government organizatio (1)

rrohbeck (944847) | about 2 years ago | (#41087671)

As always, it's the government (except the NSA) not being attractive enough or not paying enough to get some real experts on board.
There are many government-paid university researchers around. Why was there no academic project to evaluate the quality of the system?

Face-palm stupidity orthogonal to private/public (1)

microbox (704317) | about 2 years ago | (#41089299)

As always, it's the government (except the NSA) not being attractive enough or not paying enough to get some real experts on board.

Private industry is just as bad. The big bucks on on perception management, and anything technical is generally approached with a "don't bother me" attitude. This works in private industry, because perception management is actually more important to making money. Kinda like politics.

It depends on the organisation that you are working for. I have worked in excellent and poor government departments, and I have worked in excellent and poor private companies.

Face-palm stupidity is orthogonal the private/public axis.

Re:The FAA , another broken government organizatio (4, Informative)

bleh-of-the-huns (17740) | about 2 years ago | (#41088249)

This is totally incorrect.

Flaws and vulnerabilities discovered during the C&A process result in POA&Ms (Plan of Action and milestones) for each flaw and vulnerability. Each of those POA&Ms is tracked, and there is timeframe that the issue must be resolved, depending on the severity. Once flaw remediation is complete, the POA&M is closed.

No recertification required. The only time recertification is required is when a certain percentage of the system is changed, not updated or fixed.

Re:The FAA , another broken government organizatio (1)

microbox (704317) | about 2 years ago | (#41089243)

The troubling part of many government organizations is it is more important to have a "certified and accredited", than to have system that works correctly and securely.

That is absolutely a problem with private industry as well. And if you raise questions -- the messenger will be shot. If you demonstrate that something is wrong, you may well be shown the door.

C&A Process Is Broken (0)

Anonymous Coward | about 2 years ago | (#41087009)

If anyone out there has participated in the federal C&A process, you would know that it is susceptible to political pressure and has largely been a check-box activity. The C&A process needs to be overhauled badly. People should have no-confidence that the system is secure, even if it has received a C&A.

He's bonafide! (0)

Anonymous Coward | about 2 years ago | (#41087023)

You can't hack into our SCADA system, it's bonafide!

(O brother quote)

Certified and accredited: By Whom? (4, Insightful)

jandrese (485) | about 2 years ago | (#41087025)

Did the vendors who made the systems do the certification? Was security one of the criteria on the accreditation process? I would assume some form of security was on there, but do the people who know stuff about security (like the NSA) approve it?

NextGen has been a huge boondoggle up to this point, and I wouldn't be surprised at all if an insecure system crept through the approval process because all of the alternatives kept failing. Encrypting the traffic would not be trivial either, because you have issues with key management and the fact that anybody can buy transponders and reverse engineer keys out of them. This equipment ultimately has to be available to every Tom, Dick, and Harry small aircraft pilot to be useful, and it's impossible to vet all of them. Even if you did, light aircraft aren't secure storage facilities, and it only takes one theft to render a naive system broken.

Re:Certified and accredited: To What? (0)

Anonymous Coward | about 2 years ago | (#41087081)

Also the most important part "certified" to what standards / criteria?
They could easily be certified insane, insecure etc.

Re:Certified and accredited: To What? (1)

the_B0fh (208483) | about 2 years ago | (#41089411)

Oh, if only I read this before I responded earlier. I would have gladly saved my mod points for this...

Re:Certified and accredited: By Whom? (1)

Marksolo (970704) | about 2 years ago | (#41087459)

I agree completely, and most likely because the previous transponder system did not have any problems with spoofing it did not receive too much attention. Any government tends to be reactionary rather than proactive. So far the only transponders that are encrypted are military Identify Friend Foe (IFF) systems for obvious reasons.

DOS (0)

Anonymous Coward | about 2 years ago | (#41087069)

Even if they can filter out spoofed plains, can they filter out a million of them a second? A computer making up random planes and spitting them out at a high rate of speed is going to cause trouble.

Of course you could also be really mean and have a real plane spit into a million plains all on slightly different trajectories. I wonder if the system can handle that as well. I wonder if planes can handle getting bogus data about themselves? These are things people usually don't think to test for.

I'm sure others can come up with even better ways to overload the system.

Re:DOS (1)

vlm (69642) | about 2 years ago | (#41087303)

The mesh of ADS ground stations extends around the jammer. The jammer can only screw up stuff within say a couple miles (microwave line of sight) So you pull data from the neighboring RX which are unjammed.

Its about as much of an operational problem as voice channel jamming, VOR jamming, NDB jamming, and ILS jamming, which are all conceptually the same. Theoretically it could be done, but it probably wouldn't have much effect other than getting a 1 way ticket to gitmo, so....

Re:DOS (1)

queazocotal (915608) | about 2 years ago | (#41089929)

A balloon that will carry 10 pounds to 30000 feet is under a hundred dollars.

Re:DOS (1)

cheater512 (783349) | about 2 years ago | (#41087841)

Just for kicks, make a program that takes output from /dev/null, manipulate it in to the correct format, then send.

Re:DOS (4, Funny)

tibman (623933) | about 2 years ago | (#41088839)

you've taken data OUT of /dev/null?! Don't do it! Put it back in!

Re:DOS (1)

cheater512 (783349) | about 2 years ago | (#41088955)

Whoops. I meant /dev/urandom. Not sure why I put /dev/null

I'm confused (5, Insightful)

wcrowe (94389) | about 2 years ago | (#41087087)

So, let me get this straight. We have to grope old women wearing diapers and four year olds for safety reasons, but there is no need to worry about the software because it is "certified"?

Re:I'm confused (1)

Iniamyen (2440798) | about 2 years ago | (#41087119)

God damn I wish I had mod points.

Re:I'm confused (1)

Anonymous Coward | about 2 years ago | (#41087177)

Both are excellent examples of security theater.

Re:I'm confused (0)

Anonymous Coward | about 2 years ago | (#41087211)

How sweet. You thought they did all that for your "security".

Re:I'm confused (0)

Anonymous Coward | about 2 years ago | (#41087341)

As the person who over saw this, let me tell you it safe. How do I know? My buddy wrote this software, so I know it's safe. Oh and after he got the contract for it, he gave me a boat, with some cash in it. What a great guy!

Re:I'm confused (5, Insightful)

ark1 (873448) | about 2 years ago | (#41087609)

It's all about security theatre. Airport passenger screening is setup in a way to reduce fear within the general population instead of actual risks. Improving software security will not enhance the feeling of security in your average citizen.

Doesn't know much about the system (5, Informative)

vlm (69642) | about 2 years ago | (#41087225)

explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy.

He doesn't know much about the system. OK. go ahead... try to break it.... what'll happen? Nothing.

Spraying junk into the system is irrelevant. Being unauth and unencrypted its simpler and cheaper just to build a raw RF jammer than to feed in formatted junk reports. That works really well until the .mil shows up to train their jamming countermeasures equipment against your jammer. Whoops. DF work isn't all that complicated and the higher the frequency the easier it is. Radar jamming has been an option for what, 70 years now, and nothing really ever comes of it? ATC/pilots already have procedures to survive radar outages. Happens all the time. Send a nice thunderstorm thru, send in the backhoes (lots of remote radar units connected by fiber). So jamming/spamming/forcing it out of service is useless. Nothing an attacker can send will break anything.

I know about the ADS-B data structure. This stuff is small and simple. We're not talking about radar and jetliner sending sandboxed java applets to each other, its incredibly simpler than that. Its like declaring you can hack buffer overflows over a morse code telegraph. There's not enough "stuff" in the protocol to be turing complete.

The attack vector is incredibly narrow. I know a lot more about piloting and radar RF and microcontrollers, and frankly pretty much everything in the system compared to this guy and I can't figure out how to actually bust it.

Look at the guy's presentation. notes as I scan thru the slides. 1) He's cooler than you, crendentialism means he's correct (LOL) 2) he drinks vodka, very impressive proof 3) he admits he knows nothing about ATC and radar 4) He doesn't know much about RF or comms (pulse per second modulated, wtf is this star trek technobabble) 5) Other people are looking and no one has come up with anything 6) his threats are not serious and/or not realistic and/or already exist 7) I love this quote "some threats are total unknowns" yeah I think thats an excellent summary of the ADS-B "security hole". 8) the pretend made up scandal about the FAA not releasing "sensitive security information" is about skin painting radar coverage for smuggler detection, thats why they claim it has no impact on passenger aircraft... its not all space alien coverup unless your passenger craft is 50 feet off the ocean and full of coke I think you're OK. 9) "Not trying to spew FUD" LOL ok dude I hope the audience laughed at that. 10 ) Dude calls a homemade SDR RX an "exploit" LOL 11) he hopes they don't unplug primary radar... well duh how would they catch smugglers if all they had to do was flick a circuit breaker to disappear...

Look I know the guys not an idiot in general. But this is the kind of thing that happens when someone who doesn't know anything about any individual components of a big system, or anything about the big system itself, gets all FUDdy and self promotional. If you don't know anything about the terrain you're fighting in or the tools you have, you'll lose, no matter how smart you are.

TLDR is don't worry its not an issue. FUD FUD FUD self promotion thats all.

Re:Doesn't know much about the system (1)

Desler (1608317) | about 2 years ago | (#41087313)

What's funny is that he can't even prove he can really do it. To demonstrate this supposed vulnerability ihe used a flight sim and then said 'just trust us that it'll work in real life'.

Haines and hacker Nick Foster demonstrated this by spoofing a fake aircraft into simulated San Francisco airspace, using the Flight Gear simulator program. He said spoofing a target into the real ADS-B system would be a simple matter of transmitting the signal on the ADS-Bfrequencies.

Re:Doesn't know much about the system (5, Insightful)

Bistromat (209985) | about 2 years ago | (#41089081)

I'm one of the authors.

Unfortunately, transmitting live spoofed data into the real ATC system is Guantanamo fodder, and I'm trying to avoid becoming a domestic terrorist if at all possible.

That said, this wasn't merely a simulation: real ADS-B frames were transmitted by a low-cost SDR (into a dummy load) based on the position of a simulated aircraft flying in FlightGear. Those transmitted frames were received by the same SDR (alongside real frames from real aircraft), and the resulting tracks plotted in Google Earth.

See my comment here: http://tech.slashdot.org/comments.pl?sid=3065807&cid=41088873 [slashdot.org] for more information.

Re:Doesn't know much about the system (1)

vlm (69642) | about 2 years ago | (#41089403)

transmitting live spoofed data into the real ATC system

If you want to tx live unspoofed data talk to a avionics tech / aircraft mechanic or a guy who develops this stuff for a living. Its not that much of an accomplishment. Like saying you "hacked FM broadcasting" because you built a kit FM transmitter.

If you want to generate spoofed data because you're good or bad a cheap aviation transponder and an imaginary NMEA stream will do quite well. No need to "build" stuff just go appliance operator...

Re:Doesn't know much about the system (1)

Bistromat (209985) | about 2 years ago | (#41089523)

A "cheap" aviation transponder that understands Mode-S/ADS-B? Which one is that?

Re:Doesn't know much about the system (5, Interesting)

SirBitBucket (1292924) | about 2 years ago | (#41087439)

I beg to differ... Both the TRACON (or tower) radar, and the jetliner TCAS radar could be spoofed with multiple (like hundreds or thousands if need be) targets. How will the TRACON or TCAS software handle this many targets? It must drop some of them. Which ones should it drop? VFR targets? Targets not in the IFR system? What if bad guy spoofs the same code as existing targets (which he can read himself)? Eventually the real targets must get lost.

Are there ways to handle this? Yes, old school "strips," and greater separation manually... But what if the controllers can't find the real targets? In VFR conditions everyone must see and avoid anyway, and IFR flights would probably have to revert to VFR if in VMC. But what of a bunch of IFR flights in actual IMC? TCAS you say? What if said bad guy could spoof TCAS as well? TCAS would likely handle the huge amount of targets even worse than the TRACON software (might even crash... in the software sense). Add a power stuck mic to jam up all the COMM frequencies and you cause a lot of trouble indeed. Pilots must follow a discreet set up rules in this case, but they are not perfect in that they cannot help a jetliner that has had a headwind the whole way, and is low on fuel with now opportunities to make it to a VMC field.

I'm just saying I believe with enough resources it could be done. Create a ton of fake targets near a busy airport in bad weather. Jam all COM frequencies. Jam GPS, Jam the ILS/MLS. Jam the VOR signals, and any remaining NDBs. It may not lead to loss of life if the bad weather was not too far widespread (such that IFR flights could proceed to VMC and land VFR), but either way it would cause a lot of monetary damage, and a lot of terror in the flying public...

Encryption would be a very good thing for ADS-B. As we update the system from old school mode C, we might as well be countering these things.

Re:Doesn't know much about the system (5, Interesting)

slimjim8094 (941042) | about 2 years ago | (#41088663)

And if you did all that, it would be damn close to, if not actually (GPS is military), an act of war. Want to see just how fast the government can respond to an incident? Try the above. I'd give you about 15 minutes before you had military on your ass. They have smart missiles that can automatically target GPS and radar jammers [wikipedia.org] , if they get desperate enough to get rid of your interference. And as you note, there's already procedures for going "old-school" and not relying on radar or TCAS or ILS. Even in "hard" IMC you should be able to use your instruments to stay in the air and away from other planes, and you should have enough fuel (you did your fuel calculation correctly, right?) to circle around a bit waiting for the situation to be resolved.

Re:Doesn't know much about the system (1)

SirBitBucket (1292924) | about 2 years ago | (#41088913)

I still think it would be plausible... The regs only require enough fuel to reach your primary airport, your alternate, plus 45 mins. Winds aloft forecasts are not always accurate and many a plane has landed without a 45 min reserve. I am not so sure that you could shut such a jamming system down if it were well organized. For one, the bad guys could have multiple jammers making it difficult to locate them, and more time consuming to shut them down. One or more of the jammers could be from another aircraft, requiring it to be located as airborne, and then found without the overcrowded radar, and then dealt with...

One could also place the jammers in crowded areas, making them impossible to target with missiles without a lot of collateral damage.

All that being said this is much more likely a good plot for the next (or a previous) Die Hard movie than a real hard core terrorist plan. But simply frightening the flying public for a mere 5 minutes would be enough to cause millions in economic losses for the already hurting airlines.

Re:Doesn't know much about the system (1)

Zero__Kelvin (151819) | about 2 years ago | (#41089945)

"And if you did all that, it would be damn close to, if not actually (GPS is military), an act of war. Want to see just how fast the government can respond to an incident? Try the above. I'd give you about 15 minutes before you had military on your ass."

Well then, it's a damn good thing that nobody would ever want to take that risk [wikipedia.org] !

Re:Doesn't know much about the system (1)

vlm (69642) | about 2 years ago | (#41089421)

nd IFR flights would probably have to revert to VFR if in VMC. But what of a bunch of IFR flights in actual IMC?

If tcas is going off you're doin it wrong. Old fashioned separation rules. By altitude.

Some non pilots think aviation is handled like a video game where you dodge dodge dodge like a WWI biplane dogfight. Not so.

You rarely navigate by radar because its extremely embarassing to tell ATC you're lost and need a vector... you nav using GPS and VORs and NBDs

Re:Doesn't know much about the system (1)

SirBitBucket (1292924) | about 2 years ago | (#41089803)

The point was that the bad guys were spoofing multiple targets on TCAS. Thus it would be useless, or telling out to resolve conflicts that do to really exist.

I am a pilot, and understand navigation systems, which was why I said the bad guys would want to jam GPS, VOR, NDBs, ILS/MLS, as well as old fashioned COM frequencies. This would leave only dead reckoning... Given pilotage is worthless is actual IMC.

Re:Doesn't know much about the system (1)

AlienSexist (686923) | about 2 years ago | (#41087579)

I'd imagine you're right. If the ADS-B goals lead to greater automation then there could be a problem. Even if fake signals were generated against the ADS-B system while radar was fully functional. Sure the system might cause a few alarms, but operators can easily qualify the alerts by checking the radar, and what not. With more automation, however, perhaps that level of qualification and human oversight is not used to discriminate alerts. I do not know just how far the ADS-B system (or future ones) intend to go, but if it ever extends to automatically sending instructions to pilots it could cause real problems. For example I recall a PBS show describing a case of 2 Russian planes on a collision course. Both of their mid-air crash warning systems detected the other aircraft and both systems advised their pilots to "pull up." They both did... and still collided. So in the worst case (and with a lot of assumptions) all I can see is an attack vector to possibly confuse pilots. Like you, I don't see a real threat here.

Re:Doesn't know much about the system (1)

plover (150551) | about 2 years ago | (#41087585)

While the most effective bank robbers in history have been MBAs (Lehman Bros.), that doesn't mean an MBA is a requirement for robbing a bank.

Renderman certainly isn't an idiot. His qualifications are: hacker. We have ample instances where a hacker is able to make a system perform in an unexpected fashion, yielding profit, mayhem, or both. And he is very much an expert in that field.

7) I love this quote "some threats are total unknowns" yeah I think thats an excellent summary of the ADS-B "security hole".

You mocked him without refuting the point. Yes, the known problems are addressed. Sure, the attacks you can think of are covered by X and Y and Z redundancies. Fine, I get that. What hasn't happened here is real world abuse. I certainly can't predict what will be found tomorrow, just as nobody predicted CRSF attacks before they were discovered.

He makes valid points that are worth acknowledging with all due seriousness. Don't be so quick to dismiss them.

Re:Doesn't know much about the system (1)

Desler (1608317) | about 2 years ago | (#41088073)

Except he hasn't even shown he can do what he claims. He just says that based on what he could do in a flight sim that reality would be the exact same.

Re:Doesn't know much about the system (0)

Anonymous Coward | about 2 years ago | (#41087597)

Could spoofing a fake aircraft trigger the automated collision avoidance systems into making a pilot change the direction of his plane?

Could spoofing this system make an air traffic controller confused as to what altitude a specific plane is at? How about it's location?

Re:Doesn't know much about the system (1)

CompMD (522020) | about 2 years ago | (#41088009)

As a fellow engineer who has worked on traffic systems and transponders that use ADS-B, thank you a thousand times for bringing some sense into this conversation.

Re:Doesn't know much about the system (3, Insightful)

Zero__Kelvin (151819) | about 2 years ago | (#41089977)

No. He didn't bring some sense into the conversation. The people who brought sense into the conversation asked the question "what kind of idiot designs the system to make injection possible in the first place?" Computing History, as short as it is, is chock full of people who said "it is not a problem" because they couldn't imagine how it would be a problem, and then someone else came along and showed them the hard way. You're playing with people's lives. Not encrypting the connections in 2012 is tantamount to gross negligence. Period.

Re:Doesn't know much about the system (1)

Impy the Impiuos Imp (442658) | about 2 years ago | (#41088083)

> ...works really well until .mil shows up [at your jammer]

By that time half a dozen planes have crashed. 9/11 was a can-happen-only-once event, too.

Re:Doesn't know much about the system (0)

Anonymous Coward | about 2 years ago | (#41088207)

He hopes they don't turn off "primary radar" huh?

Here try this -- fly around in controlled airspace and turn off your transponder and see what happens.

I'd assume this guy would claim this was a way to "hack" the system so you become invisible.

Re:Doesn't know much about the system (1)

DL117 (2138600) | about 2 years ago | (#41088645)

I'd mode you up, but you're already +5.

Re:Doesn't know much about the system (3, Interesting)

Bistromat (209985) | about 2 years ago | (#41088873)

Hi, I'm one of the authors.

The demonstration used a COTS SDR to transmit ADS-B squitters from positions derived from an aircraft flying in FlightGear. The same SDR was simultaneously receiving ADS-B frames from real aircraft, *including* the spoofed frames being transmitted locally. The combined frames were brought into the Google Earth display for viewing. Criticism suggesting that "it's just a flight simulator, it's not real" is incorrect: these are valid, correct ADS-B frames, transmitted (into a dummy load), which will be received and decoded by ADS-B IN hardware. There is a spec (DO-260B), and the transmissions meet that spec.

The purpose of the demonstration was to show that valid ADS-B frames can be generated and transmitted by low-cost SDR hardware. This capability raises a number of interesting possible attack vectors, which were discussed in the presentation. The secondary purpose of the presentation was to get the FAA to clarify the countermeasures they plan on using to detect, identify, and eliminate spoofed transmissions from the data which controllers see. Specifically, there are two other sources of data they can use: multilateration, which depends on time-difference-of-arrival to calculate the originating position of a transmission (same principle as GPS); and maintaining a network of primary surveillance radar. Prior to this week (Steve Henn of NPR was the first to get the memo from the FAA), the FAA had not stated that they planned to maintain a full radar network, or to use multilateration to vet reports. In fact, reading older documentation, explicit mention is made of *shutting down* PSR to save money after ADS-B implementation is complete. So, you understand our concern.

Additionally, ADS-B IN implementation aboard aircraft (rather than ground stations) provides no facility for validating reports via TDOA; this means that you can inject false reports into aircraft which are listening to other ADS-B reports. Currently few aircraft support this capability, but for those that do, you can squit fake aircraft right into their traffic display.

Lastly, the last couple of slides from the Defcon presentation discuss an attack vector against TCAS, the collision avoidance system aircraft use to maintain separation when ATC fails to do so. This attack vector is particularly concerning because it provides direct pilot guidance: a false aircraft on a collision course will create audio and visual warnings in the cockpit (a "resolution advisory"). Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there. Obviously, this is concerning, and I'm unaware of any way to combat this.

So yes, the presentation may have looked "FUDdy" without background into the problem, but there are real security issues here which need to be dealt with.

Re:Doesn't know much about the system (1)

vlm (69642) | about 2 years ago | (#41089491)

Why waste dev time on a SDR TX when you can buy a used transponder off ebay for cheap or just steal one?

Just sayin its not all that practical.

Specifically, there are two other sources of data they can use

Third is data gathering from multiple sites. You cannot generate enough power / altitude from the ground to knock out a substantial range. Talk to some microwave RF guys. So use the ring of airports/radars around the transmitter.... Of course this sucks AT o'hare if the jammer is in the o'hare parking lot...

For ground purposes why can the ADS RX be on a narrow beam antenna? HMm a network of them just triangulated on you.

maintaining a network of primary surveillance radar.

They HAVE To maintain it. Otherwise my learjet full of coke gets the "cloaked ship" star trek effect if I flip the transponder circuit breaker off. They're never, ever, going to give up on skin painting. Maybe some phb who's never ATC'd or piloted a plane made up some story, but...

Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there.

Talk to a pilot. The first thing you do is visual the incoming. So that limits it to IFR only conditions right off the top.

A successful attach is going to be pretty ineffective and very dangerous to attempt. I just don't see it as an issue.

If these attacks become popular, planes will just pop the tcas circuit breakers on order of ATC (probably in the ATIS/AWOS message?) and fly "pre-tcas" which works just fine.

Re:Doesn't know much about the system (3, Interesting)

Bistromat (209985) | about 2 years ago | (#41089617)

Why waste dev time on a SDR TX when you can buy a used transponder off ebay for cheap or just steal one?

Just sayin its not all that practical.

Because the SDR TX took one evening in Gnuradio to implement.

Third is data gathering from multiple sites. You cannot generate enough power / altitude from the ground to knock out a substantial range. Talk to some microwave RF guys. So use the ring of airports/radars around the transmitter.... Of course this sucks AT o'hare if the jammer is in the o'hare parking lot...

For ground purposes why can the ADS RX be on a narrow beam antenna? HMm a network of them just triangulated on you.

We aren't jamming. We're spoofing. Your idea regarding triangulation is generally correct, although they use multilateration, not direction of arrival. However, if your signal is only loud enough to be heard by a single station (or two stations), you can't multilaterate, and since 1090MHz is very much line of sight, the odds multiple stations will hear a ground-based spoofer are slim.

They HAVE To maintain it. Otherwise my learjet full of coke gets the "cloaked ship" star trek effect if I flip the transponder circuit breaker off. They're never, ever, going to give up on skin painting. Maybe some phb who's never ATC'd or piloted a plane made up some story, but...

I'm totally with you here. The problem is the FAA initially appeared not to recognize this; it appeared they wanted to maintain PSR/SSR in congested areas, but shut down some primary sites in less-trafficked areas. I am as glad as you are that they seem to understand the necessity of maintaining complete PSR/SSR.

Therefore, you could potentially cause an aircraft to maneuver to avoid an intruder which isn't actually there.

Talk to a pilot. The first thing you do is visual the incoming. So that limits it to IFR only conditions right off the top.

A successful attach is going to be pretty ineffective and very dangerous to attempt. I just don't see it as an issue.

If these attacks become popular, planes will just pop the tcas circuit breakers on order of ATC (probably in the ATIS/AWOS message?) and fly "pre-tcas" which works just fine.

I don't agree with this. Disabling TCAS is a hazard in itself, ESPECIALLY in IFR condx. This is a problem.

Re:Doesn't know much about the system (0)

Anonymous Coward | about 2 years ago | (#41089009)

I don't think this is self promotion at all. I have met the guy a few times and he does not seem to care about fame, he just likes to tinker. That is just my opinion on him from a few meetings in the past.

While it may be simpler/cheaper to RF Jam that is a denial of service attack. If that were to happen then a backup system would be used. If it is possible to insert fake/maniupulated data into the system that has some serious implications.

I really think that is what he is doing here. Raising awareness of a possibility. I do not at all see why I could not transmit a fake packet at the proper frequency to accomplish this. The system has no way to verify the message is from a legitimate source or not. If you can explain to me why I can't do that I am all ears. It would seem from his presentation that he is all ears to why he is wrong too.

Maybe instead of attacking the presenter/presentation tell us why it can't be done.

Re:Doesn't know much about the system (0)

Anonymous Coward | about 2 years ago | (#41089419)

You're right, he doesn't know much about the system. Thus, I agree with you that his privacy concerns about it aren't cause for alarm. And my familiarity with the ATC system is that of an interested amateur. What I know, I've learned from pilot friends, the FAA's published air traffic control history, and reading retired Atlanta Center controller Don Brown's "Say What?" column at AVweb, and his _Get the Flick_ blog.

The concern I see is this: There are people in FAA management who want to retire air search radar, and they see GPS-related technologies like ADS-B as the method to do it. If we allow that to happen, and we allow ADS-B to remain in its present unauthenticated state, how *do* we resolve spoofing? Okay, a flood of fake aircraft is going to attract attention--but what do you do about it? Or how about something smaller, if you presented false aircraft, or false locations for real aircraft? What kind of trouble could that cause, and what methods do you have to address it? How much harder does this get if you can no longer correlate against primary radar returns?

Mail-order certs that you're 100% non-terrorist (1)

AlienSexist (686923) | about 2 years ago | (#41087283)

Sounds like a Dlibert comic

I wonder what kind of "certificates" you can order online and use effectively. Besides diplomas I mean... Certainly those don't work, right? Not as if there were ever a Yahoo CEO to have falsified their education. Press credentials? Security certs?

"Type R" sticker (0)

Anonymous Coward | about 2 years ago | (#41087297)

So they went out and bought a "Type R" sticker instead of buying a hotrod?

Old Star Trek Tactic (1)

AlienSexist (686923) | about 2 years ago | (#41087365)

Lt. Worf mastered the use of illusionary ship signatures to fool enemy warships. The trick, as it seems to apply here, is to fool the computer not the sensors. The ATC system may believe there are ghost ships out there, but sensors (radar) won't corroborate it.

What happened to simple radar? (1)

whizbang77045 (1342005) | about 2 years ago | (#41087679)

Of course, if the FAA still believed in simple radar, and did not try to solely rely on ADS-B, they could at least tell if there was an aircraft there or not. But of course, that would put the expense on the FAA, not on individual aircraft owners, many of whom don't even want ADS-B. It sounds like a lot of software marketing stories: we know what you want, and don't try to tell us otherwise. Trust us, it's certified, and it will solve all your problems.

Fuzzing equipment that talks over the air (1)

ajdub (520241) | about 2 years ago | (#41088225)

At least that part was interesting. I'm sure there's loads of radio driven digital equipment out there that has been designed under the assumption that the radio is proprietary and therefore the other side is almost certainly going to behave properly.

dupe? (0)

Anonymous Coward | about 2 years ago | (#41088247)

Isn't this just a repeat of http://yro.slashdot.org/story/12/07/27/0211256/researcher-finds-security-holes-in-faas-new-flight-control-system

captcha:airlock

The C&A process is only usefull if... (1)

bleh-of-the-huns (17740) | about 2 years ago | (#41088475)

The people performing the process actually follow the guidelines as they were intended.

The guidelines are based on NIST 800 series documentation, as well as any other internal rulebooks and policies in place at a particular organization.

The entire process needs to be performed by independent auditors (as a consultant, one of my duties is the technical aspect of the C&A process), there is no incentive for me to bow to political or management pressure of the system owner. The results are provided directly to the certifying authority, designated for that system, which also falls outside the chain of command for the system being certified.

The problem is that too many federal entities do the C&A process in house, which allows management to futz with the results before passing them on to OMB (all C&A results end up at OMB for the yearly scorecard to be calculated).

With regards to FAA, as I have worked with them in the past, they have had the C&A process performed by in house contractors, or previously, using the DOT C&A group. When the latter option is used, the results tend to be a little better, but they can still be fudged.

The other issue with the statement by FAA (1)

bleh-of-the-huns (17740) | about 2 years ago | (#41088523)

Is that while the C&A process can be interpreted many ways, in general, it is the security posture of the system and its components, not the functionality. Most assessors do not go that far because depending on the system, they may not be able to, or be equipped to test the actual functionality beyond the component level.

Spoofing is the least of the worries about ADS-B (0)

Anonymous Coward | about 2 years ago | (#41088555)

Since it is unencrypted, it is possible to just guide a small model plane into an aircraft that advertizes its precise position and speed. This would be a totally "passive" attack.

Many errors in the presentation: (5, Informative)

DL117 (2138600) | about 2 years ago | (#41088639)

I just read the presentation. It seems like this guy knows just enough to scare himself and others.

Mistakes:

Page 13: The 'ID Number'(SSR/'squawk code') is automatically attached, it is not manual, nor is 'a great deal of work required'.
Page 14: Pilots DO get traffic data from the current ATC system. Traffic detection systems on airplanes intercept the transponder replies, and use that to detect the location of other air traffic. Larger aircraft have systems that actually communicate each other to avoid collisions in emergencies. Those systems are called PCAS, and TCAS respectively.
Page 14:Standard separation of aircraft is 3-10 miles and 1000 feet. Not 80 miles. That's just stunningly wrong.
Page 15:Airplanes will ALWAYS need to avoid thunderstorms and volcanoes, radar or no radar.
Page 16:Not too many errors here, but planes ALREADY can be closer than 5 miles.

Page 23(the "scary stuff"): Yes, he(and you) can observe the air traffic. So what? It's not secret, hasn't ever been secret, and doesn't need to be secret. You don't need ADS-B to know that airplanes congregate around airports. This function is largely intentional, and nothing worse than a tool for enthusiasts. Critical thinking will tell you that it's not information that needs to be kept secret(flghtaware.com's FAQ explains this concept very well)

So, the only real point on page 23 is the lac kof authentication. Which isn't much of an issue because it will be validated with radar. And, over the ocean, where there isn't radar, you probably won't have morons in boats spoofing signals.

Page 27: None of these threats are actually dangerous. It's already public. Most flightplans are available online(flightaware.com), and you can see most airplanes in the sky. They take predictable routes around airports. It's not dangerous.

Page 28: Most of these are valid concerns, but the opportunity to train the system isn't their. Fake flights will quickly be noticed. How? "Hey, none of these planes are landing. And it's tail number doesn't exist".

Page 30: Autopilots DO NOT automatically avoid collisions, a warning signals the pilots to take action, essentially for this exact reason. Autopilots ONLY do things they have been explicitly told by the PILOT and no one else, including ATC.

Page 30:Many large aircraft DO have radar onboard for traffic. It's called TCAS.

Page 31: GPS jamming not new.

Page 32: Not new. GPS spoofing isn't new, but is VERY rare.

Points I'd like to highlight:

1. ADS-B does not need to be private, and is not intended to be private. All of the concerns regarding lack of privacy here are invalid.
2. Autopilots only take commands from the pilot(s) inside the cockpit. No one else.
3.Only valid remaining concerns are signal spoofing.
4.They have planned for this, and are clearly working on countermeasures.

Just because the government lies and makes mistakes often, doesn't mean they do it always.

Source:Aviation enthusiast, student pilot, many, many public documents.

Re:Many errors in the presentation: (1)

Anonymous Coward | about 2 years ago | (#41089455)

TCAS isn't radar. Its a radio receiver/DF unit. You can buy units that go into any plane, and will give you audible warnings just like the big guys. see

http://www.sportys.com/PilotShop/product/9194

for example.

Overall your observations are spot on. This system should have been implemented 10+ years ago.

who did that accreditation, then? (1)

swschrad (312009) | about 2 years ago | (#41088693)

ahhh, the outfit we cloned and put on the tors two years ago. yeah, they're real smart. A-D-M-I-N, P-A-S-S-W-O-R-D. at least they spelled it right.

*COUGH* it's WindowsCE based (0)

Anonymous Coward | about 2 years ago | (#41089153)

no really. CE. so uh yeah good luck FAA with that.

I wrote about ADS-B homing drones last year (1)

George_Ou (849225) | about 2 years ago | (#41089285)

I wrote about ADS-B homing drones last year and why jetliners (high value targets) should avoid beacon accuracy of Navigation Accuracy Category (NAC) level 7 (less than 93 meter accuracy) or better. It would be relatively easy to fly a piston powered model plane controlled by an iPod Touch connected to a GPS with 3-meter accuracy in front of the path of a jetliner carrying a small payload. The model plane wouldn't need to be fast because it would be the jetliner that runs into the model plane. http://www.hightechforum.org/new-airline-navigation-system-easy-target-for-terrorists/ [hightechforum.org]

Re:I wrote about ADS-B homing drones last year (1)

queazocotal (915608) | about 2 years ago | (#41090017)

Three mobile phones on the ground can locate aircraft to within 3m from a long way away in clear weather.

so's the $20 bill (0)

Anonymous Coward | about 2 years ago | (#41089883)

and the $100 bill......

"FAA isn't worried" (0)

Anonymous Coward | about 2 years ago | (#41090237)

Naturally.

The Obama Administration has politicized all elements of the un-elected government of the United States of America.

The FAA zombies are now lurking throughout the halls of Congress and even the streets of DC looking for victims, just like
President Obama and his entourage as they cruse the crack neighborhoods of SE DC looking to score cheap narcotics and
same-sex escapades.

Wow. In just 3-years DC looks a lot like Aleppo!

Guess What!

It's Obama's ObombAmerica directed from the White House!

Does Obama like single munition or cluster munition?

Answer B and U get a 'prize' direct from the FBI.

Toodles

Not holding my breath (0)

Anonymous Coward | about 2 years ago | (#41090241)

There is no such thing as a perfectly secure system - just ask the NSA! I'm not holding my breath until someone pwns the new ATC system and crashes a bunch of planes (the next 9/11 I think), but it won't likely be too long in coming... :rolleyes:

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>