What happens when a hacker gets bored and curious about airplane tracking systems? In the case of Brad “RenderMan” Haines, aka @ihackedwhat, a very interesting Def Con 20 presentation happened called “Hacker + Airplanes = No Good Can Come Of This.”
When Haines first started talking about using apps to find airplanes and track flights, my mind flashed to Tom Clancy, who mentioned a smartphone app like Plane Finder being used by terrorists in his novel Against All Enemies. But Haines was talking reality and not fiction about how easy it is for anyone to track planes in near real time with Plane Finder, FlightRadar, FlightAware and RadarVirtuel. Haines talked about NextGen Air Traffic Control (ATC) and the apps that use Automatic Dependent Surveillance-Broadcast (ADS-B), which will be mandatory in the United States by 2020 and in Europe by 2030. While you are reading this, consider that ADS-B equipped planes are flying overhead right now.
Planes use GPS to determine their positions and broadcast them once per second (1 Hz) on 1090 MHz, or 978 MHz for general aviation (GA). ADS-B is unencrypted and unauthenticated, Haines explained, and its messages show aircraft ID, altitude, latitude / longitude position, bearing and speed. That location information is considered to be so accurate that it allows flights to pass closer to each other. But because ADS-B is unencrypted and lacks any authentication to prevent spoofed communications, a malicious person could inject false data into real communications. There are two types of ADS-B: In and Out.
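To make "unencrypted and unauthenticated" concrete, here is an added example (not from Haines' talk or this article) that decodes one 1090 MHz ADS-B identification frame in Python. The sample frame is a widely published textbook frame, not one captured for this article, and the function names are this example's own. The only check in the frame is a public, unkeyed CRC that catches bit errors and says nothing about who transmitted it.

```python
import string

# Added example. The generator and character table are the public Mode S ones.
GENERATOR = 0x1FFF409  # 25-bit CRC generator; no key or secret is involved
CHARSET = ("#" + string.ascii_uppercase + "#" * 5 + " " + "#" * 15
           + string.digits + "#" * 6)  # 6-bit callsign alphabet, 64 entries

# Sample frame widely used in public Mode S decoding tutorials.
SAMPLE = "8D406B902015A678D4D220AA4BDA"


def crc_remainder(frame_hex):
    """CRC-24 remainder over the whole frame; 0 means no bit errors."""
    bits = int(frame_hex, 16)
    for i in range(len(frame_hex) * 4 - 1, 23, -1):
        if bits >> i & 1:
            bits ^= GENERATOR << (i - 24)
    return bits & 0xFFFFFF


def decode_identification(frame_hex):
    """Read the cleartext fields of a DF17 aircraft identification frame."""
    raw = bytes.fromhex(frame_hex)
    if len(raw) != 14:
        raise ValueError("extended squitter frames are 112 bits long")
    if raw[0] >> 3 != 17:
        raise ValueError("not a DF17 (ADS-B) frame")
    me = raw[4:11]                      # 56-bit message payload
    type_code = me[0] >> 3
    if not 1 <= type_code <= 4:
        raise ValueError("not an identification message")
    chars = int.from_bytes(me[1:], "big")  # eight 6-bit characters
    callsign = "".join(CHARSET[chars >> s & 0x3F] for s in range(42, -1, -6))
    return {
        "icao": raw[1:4].hex().upper(),  # 24-bit aircraft address
        "type_code": type_code,
        "callsign": callsign.strip(),
        # Integrity against noise only: this is not a signature or a MAC.
        "parity_ok": crc_remainder(frame_hex) == 0,
    }


if __name__ == "__main__":
    print(decode_identification(SAMPLE))
```

Every field comes straight out of the bits with no key material, which is why a receiver cannot distinguish a genuine transmitter from any other on the basis of the frame alone.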
Although Haines covered many, here are some of the ADS-B Out threats. It’s vulnerable to eavesdropping so that anyone can “easily capture cleartext data of air traffic.” There is potential for data mining ADS-B Out, “we know what’s in the air and when.” Even scarier is the threat of injection, such as injecting “ghost flights into ATC systems.” If such a thing were to happen right now over the London Olympics, then it would cause “mass chaos.” Another threat includes jamming the ATC reception of ADS-B. Haines asked what would happen if there was a “coordinated jamming across many travel hubs?”
ADS-B In threats also include injection, such as injecting data into an aircraft’s ADS-B In displays or injecting “scary types of traffic to elicit a response.” A hacker could “introduce conflicting data between ATC and cockpit displays.”
During a demo showing off these threats, Haines injected a clearly fake plane called “Your Mom.” Since autopilot systems utilize ADS-B In data for collision avoidance, what if a hacker were to inject a message into the pilot’s screen display saying another plane, like Your Mom, is 500 yards ahead? He suggested, “Something's going to happen, probably involving a sphincter.”
Other threats include GPS jamming which could “block the plane’s ability to use GPS.” In fact, Haines pointed out that GPS jammers can be purchased for as little as $20-30 on Dealextreme.com and such jammers could be "easily tucked into baggage on a timer." There is also GPS spoofing which sends a manipulated signal to generate false latitude and longitude readings. About a month ago, researchers showed off such GPS spoofing to show that malicious hackers could take control of civilian drones and then use those hijacked drones as missiles to crash into other planes or buildings.
Haines concluded with, “If I can find this stuff, so can the bad guys.” I tip my hat to him as during the flight home from Las Vegas, during a particularly vicious thunderstorm which was bouncing the plane and inducing some other passengers to either scream or pray, as I was watching the lightning outside my window, another plane zipped by ever so closely to the jet I was in. At that time, I wondered if the planes were supposed to pass each other in such close proximity or if someone was playing around with a few of the things Haines explained.
Haines is not the only hacker looking into ADS-B vulnerabilities. At Black Hat USA 2012, Andrei Costin presented and demonstrated “Ghost in the Air (Traffic)”. The holes in ADS-B have been known since 2006, but even by showing the attack, the takeaway message is “no-FUD and no-apocalypse.” Costin wrote, “Our main contribution is twofold - demonstrate the easiness and practicality of such attacks before the ADS-B is 100% deployed and used as primary surveillance technology; as a consequence of first objective, the second is to dramatically raise awareness of the issues (known before but not properly addressed and/or disseminated) so that these can be fixed in appropriate timeframes before safety is compromised.”
Another interesting talk along these lines at Def Con 20 was Busting the BARR: Tracking “Untrackable” Private Aircraft for Fun & Profit. The FAA has a Block Aircraft Registration Request (BARR), so a celebrity, politician or high-profile person can request their aircraft to be added to the BARR list, meaning that their flight information is not made public. The speakers Dustin Hoffman and Semon Rezchikov demonstrated “a serious, unpatchable method for tracking otherwise ‘untrackable’ BARRed aircraft” and showed how you can bust BARR too by monitoring LiveATC.net and downloading ATC communications. After developing speech recognition (speech-to-text) software, the researchers were able to scrape radio transmissions of BARR flights that are arriving. OpenBARR currently tracks flights arriving at or departing from Las Vegas airports: Henderson, McCarran International, and North Las Vegas, but the researchers plan to include other cities soon.
As you might imagine, finding a way around the BARR list has upset some superstars who didn’t want to be tracked. NBAA spokesman Dan Hubbard blasted away at the researchers, “Getting on an airplane shouldn’t amount to forfeiting your security and privacy to anyone, anywhere in the world with an Internet connection.” Perhaps he had not heard of the flight tracking apps that forfeit the "security and privacy" of regular folks on regular flights?
Hoffman replied, “If Semon and I can pull this off—and this isn’t even our full time job–someone else is already doing it. I’m a libertarian. I don’t think it’s anyone’s business where you travel to. But what’s worse, for everyone to know it’s easy to track you, or to have a false assurance you can’t be tracked?”
That is why most security researchers go public with presentations at conferences like Def Con. It’s not to show what destruction they could wreak, but to explain the vulnerabilities and how systems can be exploited so the companies behind the systems will actually be forced to fix the dangerous flaws. Bad guys would keep it quiet so they could happily continue exploiting everything imaginable. It's sad the security researchers are given so much grief. In the end, the good guys’ talks should result in better security and privacy for us all.