How to Track ADS-B Equipped Aircraft on Your Smartphone

Aug 30, 2017 06:25 PM
Jul 17, 2020 10:35 PM

Flight disruptions can cost billions of dollars, but most modern commercial flights rely on air traffic control systems that harbor serious vulnerabilities. The Federal Aviation Administration uses an infrastructure called NextGen, which relies on Automatic Dependent Surveillance – Broadcast, or ADS-B for short.

Since the beginning of 2020, all aircraft that fly within the U.S. must be equipped with ADS-B Out. This aspect of ADS-B broadcasts an airplane's vital information, in plain text, for everyone in broadcast range to receive. Below, we'll learn more about ADS-B and how it allows anyone to track flights from airlines to Air Force One on a smartphone, as well as how hackers can hijack it.

How Important Is ADS-B?

Imagine you're a pilot just finishing up a long transatlantic flight. It's night, and you're relying primarily on your instruments, when out of the blue, your traffic collision avoidance system (TCAS) yells at you "Traffic one mile ahead. Descend. Descend!" After thousands of hours of training, you instinctually comply, when suddenly 99 more planes appear in your display. If you are flying an Airbus in autopilot, then there isn't even a choice — it reacts automatically.

Consider the mayhem that could be caused using this kind of attack on air traffic control at a major airport during the busy holiday season. Mother Nature has already provided a multitude of examples of the chaos that ensues from disruption. There was that "nightmare for thousands of LAX travelers," as well as Icelandic volcano Eyjafjallajökull that caused flight disruptions that cost airlines $1.7 billion.

Now it doesn't take Mother Nature — a single hacker can have similar results.

636395668199412361.jpg

This is ADS-B data taken while nearly all aircraft over western Europe were grounded on Thursday, April 15, 2010, following an eruption under Eyjafjallajökull glacier in Iceland.

What we described is an example of a spoofing attack on the "ADS-B In" and TCAS, which work together in a cooperative ranging system, as they are both built on the same foundational Mode S data link. This represents one type of vulnerability in the FAA's NextGen system, one that has been known as early as Sept. 18, 2001.

Some applications may require independent validation of the ADS-B information … to detect spoofing and this is the aspect where the security concerns are raised.

The attack was demonstrated in 2012, and again in 2016 by a separate individual, but it's been almost 19 years since we've known about the vulnerability and nothing has been done about it. It would be trivial for a malicious hacker to take either of these programs and execute them in the real world with the use of an inexpensive $300 software-defined radio (SDR).

How Does ADS-B Work?

But what is ADS-B in the first place? ADS-B comes in two flavors: ADS-B Out and ADS-B In. Perhaps the easiest way to think about ADS-B Out is to envision the tour guides at the museum waving their flags about and shouting, "I'm over here, follow me!" That's what aircraft equipped with ADS-B Out transmitters basically do.

ADB-S Out uses onboard instruments, including GPS, to populate 112 bits-long data packets with such information as aircraft identification, surface position, airborne position with barometric altitude, airborne velocities, and airborne position with GPS altitude. Then, the data broadcasts over 1090 MHz.

They do it every second — in plain text, unencrypted, unauthenticated — which creates all sorts of vulnerabilities in the system. As you can guess, ADS-B In is the receiving portion of the system on the aircraft and is what opens the plane to spoofing attacks.

636395666359100280.jpg

It's not hard to snoop on ADS-B. This cheap DVB-T dongle can read ADS-B (airplane's ID, location, and speed) data for airplanes within 250 km of the receiver.

Despite its vulnerabilities, ADS-B is the backbone of the FAA's NextGen system. The system intends to allow more aircraft to operate in any given airspace with increased safety, while simultaneously easing the growing burden on air traffic control.

The FAA had even mandated that "aircraft operating in most controlled U.S. airspace must be equipped with ADS-B Out by Jan. 1, 2020" without addressing the fact that ADS-B was and is inherently insecure.

As of July 2020, almost 99,000 general aviation fixed-wing aircraft in the U.S. have already been equipped out of about 168,000 total, or about 59 percent. Three years prior, there were only 29,000 equipped, or 17 percent. The percentage of equipped commercial airliners is much larger, at 87 percent. And these numbers don't even account for military aircraft or experimental lightcraft in the U.S.

While only ADS-B Out is required by the law to receive the full benefits, the aircraft also benefits from ADS-B In. It is likely they will have this, considering companies like uAvioni produce such transceiver systems for under $1,000.

In fact, in his excellent talk (slides) at Defcon 20, Brad Haines, aka Renderman, goes on to point out yet more threats including jamming, injection, and what we are looking at today — eavesdropping — what FAA's Ron Jones called "probably the most fundamental security issue with ADS-B."

How Can We Hack with ADS-B?

Since spoofing aircraft and potentially causing billions of dollars' worth of chaos would be wrong, needless to say, highly illegal, we can do the next best thing and receive those data packets instead of broadcasting fake ones. This is still quite interesting, considering we can track most military aircraft and "untrackable" private jets, like Air Force One and rendition flights.

636395664152381532.jpg

Anyone can read ADS-B with a simple setup. This is a Raspberry Pi 2 with Chromium browser on a 3.5" TFT display processing ADS-B data in dump1090 with an RTL-USB stick.

It gets even better for the paranoid among you who are afraid of "spies in the sky," such as the FBI and Department of Homeland Security (DHS) surveillance aircraft, because now you can keep eyes on the eyes in the sky. Those of you that have already read our previous article on SDR can probably guess that an SDR is all we need to eavesdrop. That's right, plug in our $25 SDRs and tune into 1090 MHz!

However, in reality, it's even easier than that. If you have a smartphone, there's an app for that. In fact, there are multiple options available. Several web services have already crowdsourced a distributed network of ADS-B receivers, with Flightradar24 and FlightAware being two of the biggest. FlightAware is even working on a satellite constellation to track all flights globally from space.

Today, we are going to download the Flightradar24 app and learn about what ADS-B Out has to offer. In the next article in this series, we will learn how to make our own receiver for a mere $35 using a Raspberry Pi Zero W and an SDR.

Step 1: Install Flightradar24

Flightradar24 is available in both the Google Play Store and the iOS App Store, so all you have to do is visit your brand of choice to download and install it onto your device.

  • Install Flightradar24 Flight Tracker: Android (free) | iOS (free)

If you don't want to download and install the app or can't, you can also check out the flightradar24.com website in a browser, which has all the same information. You can still follow along with the rest of the article below, however, the icons will be in different places.

Step 2: Run & Set Up an Account

After the app has finished installing, you should be able to tap on the icon and have it pop open. It will ask for location permission, which is technically optional. While the app will run without it, you will not be able to use all of the features, such as augmented reality views.

637305939918751453.jpg
637305940055939380.jpg
637305939918751453.jpg
637305940055939380.jpg

Log in by tapping the profile icon in the top right. You will see a screen offering you a free trial. Take it if you wish since it will remove ads and provides some additional data, but be aware that it also signs you up for a subscription.

It's recommended to just tap the "Log in" button. If you stay tuned to the next article in this series, you'll learn how to get the highest level of membership — the $499 per year Flightradar24 Business Plan — for free.

If you don't already have an account, it will automatically create one for you if you log in with Apple, Facebook, or Google.

637305940560158213.jpg
637305940823908122.jpg
637305940560158213.jpg
637305940823908122.jpg

Step 3: Adjust Settings

Once it sends you back to the home screen, you should see the settings gear icon in the bottom left. You'll want to explore around and set it up the way you like, as there's a lot of room for customization. You can change the map type, put labels on the aircraft icons, add a day/night line to the map, and more.

637305941526251889.jpg
637305941657657954.jpg
637305941784064223.jpg
637305941526251889.jpg
637305941657657954.jpg
637305941784064223.jpg

Step 4: Spot Planes Around You with Radar View

This is your standard view and the home screen after opening the app. Aircraft are represented by different icons that give you an idea of their type and heading. To learn more about an airplane, all you have to do is tap it. You can do that same thing with the airports, which are the teardrop-shaped icons.

637305942825157795.jpg
637305943056408015.jpg
637305942825157795.jpg
637305943056408015.jpg

The very keen among you may notice a lack of smaller aircraft such as Cessnas and Pipers, also known as general aviation. That's because they operate on a separate 978 MHz frequency, rather than commercial airliners at 1090 MHz, and apps such as Flightradar24 and FlightAware do not attempt to decode traffic on that frequency.

Step 5: Use AR View to Spot Aircraft Overhead

Now we get to use the coolest part of the app. Ever look up and wonder what that plane is or where it's going? Enter augmented reality. Pokémon Go, cry your heart out.

Getting the augmented view is as easy tapping on the "AR" tab in the top left of the home screen and giving the app permission to use your camera. You may also get a calibration screen. If so, go ahead and follow the instructions to improve accuracy.

What's going on here is the app is using the inertial measurement unit (IMU) in your phone, in conjunction with the GPS, to estimate where you're looking in the sky. Flightradar24 is then able to overlay its ADS-B data on the world, giving you x-ray vision to see planes through clouds or even the roof of your house.

It can be helpful to switch between overview and details so that you can use the altitude to help distinguish between aircraft.

637305943886720773.jpg
637305944973126827.jpg
637305943886720773.jpg
637305944973126827.jpg

Step 6: Hijack the Pilot's View with 3D View

Another of the cooler features is the ability to get what basically amounts to a cockpit view. Once you've selected an aircraft in map or AR view, tap the "3D view" button in the lower left. You can switch between the pilot's perspective and an angle behind the plane.

Imagine using this next time you're traveling. Not only will you be able to tell what's what on the ground, thanks to the labels Google provides, but you'll also get the pilot's view during takeoff and landing!

637305948181876850.jpg
637305948383751686.jpg
637305948181876850.jpg
637305948383751686.jpg

Step 7: Perform Open-Source Intelligence

Suppose you wished to know more about a particular flight. All you have to do is tap on the "More info" icon. You'll be taken to a page with all the detailed information that you could ever want to know, such as the aircraft type, registration, speed, and altitude.

637305950257188726.jpg
637305950416251632.jpg
637305950257188726.jpg
637305950416251632.jpg

It even makes pretty graphs if you're into that sort of thing. There's quite a lot you can tell from the chart, such as how long it took them to get to cruising altitude (where the altitude line flattens out) and the spikes in the speed due to head and tail winds slowing or speeding the plane.

637305951104690574.jpg
637305951315002272.jpg
637305951104690574.jpg
637305951315002272.jpg

If you see this and instantly think of data mining, then there's good and bad news for you. Flightradar24 doesn't have an open API; however, FlightAware does give you access to the same data as a paid service.

Step 8: Track the Aircraft Across the Globe

Click the "Route" icon on the bottom bar. It will show you where the flight has been.

It is worth mentioning that Flightradar24 does attempt to use multilateration (MLAT) to mitigate some of the vulnerabilities discussed previously, mainly spoofing, and provide the most accurate plot of the plane's route.

637305952576720773.jpg
637305953032502019.jpg
637305952576720773.jpg
637305953032502019.jpg

MLAT works by employing time difference of arrival (TDOA), or in other words, because the speed of light and thus radio waves is a constant, you can calculate the distance by the amount of time it took to arrive, and then draw a circle around your receiver with that number as its radius. When you do this with several receivers, in our case, four or more, the lines of the circles will all overlap at one point, which is where the aircraft should be. However, since 1090 MHz is line-of-sight propagating, you rarely (if ever) will have four separate receivers simultaneously detecting the same aircraft below 3,000 feet, as ADS-B is transmitting to such a small area.

Flightradar24's website does claim: "Most parts of Europe and North America are today covered with MLAT above about 3,000–10,000 feet. There is also some MLAT coverage in Mexico, Brazil, South Africa, India, China, Japan, Taiwan, Thailand, Malaysia, Indonesia, Australia, and New Zealand. More areas will get MLAT coverage as we continue to add new receivers to our network."

Step 9: Search for Where Aircraft Have Been

Search the database by tapping on the bar at the top of the home screen. Maybe you look up a loved one's flight to see if they will arrive on time, or perhaps you get as bored as the Boeing pilots and spend 18 hours drawing a 787 the size of the U.S. in the sky. We're living in the age of "inventive flight art."

637305955037033464.jpg
637305955144689791.jpg
637305955037033464.jpg
637305955144689791.jpg

On the off chance you can't find a certain flight, it may be because Flightradar24 doesn't have coverage or is blocking that flight. In such an event, it can be worthwhile to check FlightAware and the less polished ADS-B Exchange, which is more likely to have aircraft blocked by the other two services.

637305955331720702.jpg
637305955922813952.jpg
637305955331720702.jpg
637305955922813952.jpg

Step 10: Add Alerts

From the home screen, you can add "Alerts" at the center of the bottom bar. You can't use custom alerts as a free user, but you can unlock it by subscribing or following the next how-to in this series. This is a powerful tool allowing us to create alerts based on Flight, Registration, Airline, or Aircraft Type.

637305956937345366.jpg
637305957054689596.jpg
637305956937345366.jpg
637305957054689596.jpg

Imagine getting a notification on your phone the next time the FBI decides to fly around in your local area. Those of you that enjoy a little schadenfreude from time to time might also enjoy checking the "Squawk 7700 General Emergency" option.

Continue for More ADS-B Hacking

In this article, we have learned about ADS-B and its vulnerabilities. Notably, we learned how we could use its unencrypted nature to track military and FBI aircraft, among others, using a free app and web service. In the next part of this series, we'll dive into building our own ADS-B receiver using a Rasberry Pi and RTL-SDR dongle — and then share our own receiver's data with the world.

Cover image by L(Phot) Will Haigh via Defence Images/Flickr; Screenshots by Hoid/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!