Flight disruptions can cost billions of dollars, but most modern commercial flights rely on air traffic control systems that harbor serious vulnerabilities. The Federal Aviation Administration uses an infrastructure called NextGen, which relies on Automatic Dependent Surveillance – Broadcast, or ADS-B for short.
Since the beginning of 2020, all aircraft that fly within the U.S. must be equipped with ADS-B Out. This aspect of ADS-B broadcasts an airplane's vital information, in plain text, for everyone in broadcast range to receive. Below, we'll learn more about ADS-B and how it allows anyone to track flights from airlines to Air Force One on a smartphone, as well as how hackers can hijack it.
Imagine you're a pilot just finishing up a long transatlantic flight. It's night, and you're relying primarily on your instruments, when out of the blue, your traffic collision avoidance system (TCAS) yells at you "Traffic one mile ahead. Descend. Descend!" After thousands of hours of training, you instinctually comply, when suddenly 99 more planes appear in your display. If you are flying an Airbus in autopilot, then there isn't even a choice — it reacts automatically.
Consider the mayhem that could be caused using this kind of attack on air traffic control at a major airport during the busy holiday season. Mother Nature has already provided a multitude of examples of the chaos that ensues from disruption. There was that "nightmare for thousands of LAX travelers," as well as Icelandic volcano Eyjafjallajökull that caused flight disruptions that cost airlines $1.7 billion.
Now it doesn't take Mother Nature — a single hacker can have similar results.
What we described is an example of a spoofing attack on the "ADS-B In" and TCAS, which work together in a cooperative ranging system, as they are both built on the same foundational Mode S data link. This represents one type of vulnerability in the FAA's NextGen system, one that has been known as early as Sept. 18, 2001.
Some applications may require independent validation of the ADS-B information … to detect spoofing and this is the aspect where the security concerns are raised.
The attack was demonstrated in 2012, and again in 2016 by a separate individual, but it's been almost 19 years since we've known about the vulnerability and nothing has been done about it. It would be trivial for a malicious hacker to take either of these programs and execute them in the real world with the use of an inexpensive $300 software-defined radio (SDR).
But what is ADS-B in the first place? ADS-B comes in two flavors: ADS-B Out and ADS-B In. Perhaps the easiest way to think about ADS-B Out is to envision the tour guides at the museum waving their flags about and shouting, "I'm over here, follow me!" That's what aircraft equipped with ADS-B Out transmitters basically do.
ADS-B Out uses onboard instruments, including GPS, to populate 112-bit data packets with information such as aircraft identification, surface position, airborne position with barometric altitude, airborne velocities, and airborne position with GPS altitude. The data is then broadcast over 1090 MHz.
They do it every second — in plain text, unencrypted, unauthenticated — which creates all sorts of vulnerabilities in the system. As you can guess, ADS-B In is the receiving portion of the system on the aircraft and is what opens the plane to spoofing attacks.
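To make the "plain text, unauthenticated" point concrete, here is an added example (not code from the original article) that decodes one 112-bit frame. The sample frame is a publicly documented test vector from open-source Mode S decoder documentation; the function and field names are this example's own. The only protection in the frame is a 24-bit CRC, which detects transmission errors and involves no key, so a passing CRC says nothing about who sent the frame.

```python
# Added example: decode the fixed fields of one 112-bit ADS-B (DF17) frame.
# SAMPLE_FRAME is a publicly documented test frame, not a capture from this article.
GENERATOR = 0x1FFF409  # Mode S CRC generator polynomial (25 bits, 24-bit remainder)
CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ##### ###############0123456789######"
SAMPLE_FRAME = "8D406B902015A678D4D220AA4BDA"


def crc_remainder(frame: bytes) -> int:
    """Polynomial long division over the whole frame; 0 means the parity matches."""
    value = int.from_bytes(frame, "big")
    for shift in range(len(frame) * 8 - 25, -1, -1):
        if (value >> (shift + 24)) & 1:
            value ^= GENERATOR << shift
    return value & 0xFFFFFF


def parse_frame(hex_frame: str) -> dict:
    """Split a frame into downlink format, ICAO address, payload type and CRC status."""
    frame = bytes.fromhex(hex_frame)
    if len(frame) != 14:
        raise ValueError("ADS-B extended squitter must be 112 bits (14 bytes)")
    me = int.from_bytes(frame[4:11], "big")  # 56-bit message payload
    type_code = me >> 51                     # top 5 bits select the payload type
    fields = {
        "downlink_format": frame[0] >> 3,    # 17 = ADS-B extended squitter
        "icao": frame[1:4].hex().upper(),    # self-declared 24-bit aircraft address
        "type_code": type_code,
        "callsign": None,
        "crc_ok": crc_remainder(frame) == 0,  # error detection only, no key involved
    }
    if 1 <= type_code <= 4:                  # aircraft identification message
        chars = [(me >> (42 - 6 * i)) & 0x3F for i in range(8)]
        fields["callsign"] = "".join(CHARSET[c] for c in chars).strip()
    return fields


if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

A receiver that wants assurance about the sender has to get it from outside the frame, which is what the multilateration check discussed later in the article attempts.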
Despite its vulnerabilities, ADS-B is the backbone of the FAA's NextGen system. The system intends to allow more aircraft to operate in any given airspace with increased safety, while simultaneously easing the growing burden on air traffic control.
The FAA had even mandated that "aircraft operating in most controlled U.S. airspace must be equipped with ADS-B Out by Jan. 1, 2020" without addressing the fact that ADS-B was and is inherently insecure.
As of July 2020, almost 99,000 general aviation fixed-wing aircraft in the U.S. have already been equipped out of about 168,000 total, or about 59 percent. Three years prior, there were only 29,000 equipped, or 17 percent. The percentage of equipped commercial airliners is much larger, at 87 percent. And these numbers don't even account for military aircraft or experimental lightcraft in the U.S.
While only ADS-B Out is required by the law to receive the full benefits, the aircraft also benefits from ADS-B In. It is likely they will have this, considering companies like uAvionix produce such transceiver systems for under $1,000.
In fact, in his excellent talk (slides) at Defcon 20, Brad Haines, aka Renderman, goes on to point out yet more threats including jamming, injection, and what we are looking at today — eavesdropping — what FAA's Ron Jones called "probably the most fundamental security issue with ADS-B."
Since spoofing aircraft and potentially causing billions of dollars' worth of chaos would be wrong and, needless to say, highly illegal, we can do the next best thing and receive those data packets instead of broadcasting fake ones. This is still quite interesting, considering we can track most military aircraft and "untrackable" private jets, like Air Force One and rendition flights.
It gets even better for the paranoid among you who are afraid of "spies in the sky," such as the FBI and Department of Homeland Security (DHS) surveillance aircraft, because now you can keep eyes on the eyes in the sky. Those of you that have already read our previous article on SDR can probably guess that an SDR is all we need to eavesdrop. That's right, plug in our $25 SDRs and tune into 1090 MHz!
However, in reality, it's even easier than that. If you have a smartphone, there's an app for that. In fact, there are multiple options available. Several web services have already crowdsourced a distributed network of ADS-B receivers, with Flightradar24 and FlightAware being two of the biggest. FlightAware is even working on a satellite constellation to track all flights globally from space.
Today, we are going to download the Flightradar24 app and learn about what ADS-B Out has to offer. In the next article in this series, we will learn how to make our own receiver for a mere $35 using a Raspberry Pi Zero W and an SDR.
If you don't want to download and install the app or can't, you can also check out the flightradar24.com website in a browser, which has all the same information. You can still follow along with the rest of the article below; however, the icons will be in different places.
After the app has finished installing, you should be able to tap on the icon and have it pop open. It will ask for location permission, which is technically optional. While the app will run without it, you will not be able to use all of the features, such as augmented reality views.
Log in by tapping the profile icon in the top right. You will see a screen offering you a free trial. Take it if you wish since it will remove ads and provide some additional data, but be aware that it also signs you up for a subscription.
It's recommended to just tap the "Log in" button. If you stay tuned to the next article in this series, you'll learn how to get the highest level of membership — the $499 per year Flightradar24 Business Plan — for free.
If you don't already have an account, it will automatically create one for you if you log in with Apple, Facebook, or Google.
Once it sends you back to the home screen, you should see the settings gear icon in the bottom left. You'll want to explore around and set it up the way you like, as there's a lot of room for customization. You can change the map type, put labels on the aircraft icons, add a day/night line to the map, and more.
This is your standard view and the home screen after opening the app. Aircraft are represented by different icons that give you an idea of their type and heading. To learn more about an airplane, all you have to do is tap it. You can do that same thing with the airports, which are the teardrop-shaped icons.
The very keen among you may notice a lack of smaller aircraft such as Cessnas and Pipers, also known as general aviation. That's because they operate on a separate 978 MHz frequency, rather than the 1090 MHz used by commercial airliners, and apps such as Flightradar24 and FlightAware do not attempt to decode traffic on that frequency.
Now we get to use the coolest part of the app. Ever look up and wonder what that plane is or where it's going? Enter augmented reality. Pokémon Go, cry your heart out.
Getting the augmented view is as easy as tapping on the "AR" tab in the top left of the home screen and giving the app permission to use your camera. You may also get a calibration screen. If so, go ahead and follow the instructions to improve accuracy.
What's going on here is the app is using the inertial measurement unit (IMU) in your phone, in conjunction with the GPS, to estimate where you're looking in the sky. Flightradar24 is then able to overlay its ADS-B data on the world, giving you x-ray vision to see planes through clouds or even the roof of your house.
It can be helpful to switch between overview and details so that you can use the altitude to help distinguish between aircraft.
Another of the cooler features is the ability to get what basically amounts to a cockpit view. Once you've selected an aircraft in map or AR view, tap the "3D view" button in the lower left. You can switch between the pilot's perspective and an angle behind the plane.
Imagine using this next time you're traveling. Not only will you be able to tell what's what on the ground, thanks to the labels Google provides, but you'll also get the pilot's view during takeoff and landing!
Suppose you wished to know more about a particular flight. All you have to do is tap on the "More info" icon. You'll be taken to a page with all the detailed information that you could ever want to know, such as the aircraft type, registration, speed, and altitude.
It even makes pretty graphs if you're into that sort of thing. There's quite a lot you can tell from the chart, such as how long it took them to get to cruising altitude (where the altitude line flattens out) and the spikes in the speed due to head and tail winds slowing or speeding the plane.
If you see this and instantly think of data mining, then there's good and bad news for you. Flightradar24 doesn't have an open API; however, FlightAware does give you access to the same data as a paid service.
Click the "Route" icon on the bottom bar. It will show you where the flight has been.
It is worth mentioning that Flightradar24 does attempt to use multilateration (MLAT) to mitigate some of the vulnerabilities discussed previously, mainly spoofing, and provide the most accurate plot of the plane's route.
MLAT works by employing time difference of arrival (TDOA), or in other words, because the speed of light and thus radio waves is a constant, you can calculate the distance by the amount of time it took to arrive, and then draw a circle around your receiver with that number as its radius. When you do this with several receivers, in our case, four or more, the lines of the circles will all overlap at one point, which is where the aircraft should be. However, since 1090 MHz is line-of-sight propagating, you rarely (if ever) will have four separate receivers simultaneously detecting the same aircraft below 3,000 feet, as ADS-B is transmitting to such a small area.
Flightradar24's website does claim: "Most parts of Europe and North America are today covered with MLAT above about 3,000–10,000 feet. There is also some MLAT coverage in Mexico, Brazil, South Africa, India, China, Japan, Taiwan, Thailand, Malaysia, Indonesia, Australia, and New Zealand. More areas will get MLAT coverage as we continue to add new receivers to our network."
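The MLAT idea above can also be used as a plausibility check on a position that a frame claims, sketched here as an added example (not Flightradar24's code or code from the original article). Because the receivers do not know when the frame was transmitted, the check compares differences in arrival time between receivers. The receiver layout, coordinates in metres on a local flat grid, function names and the 300 m tolerance (roughly one microsecond of timing error) are all assumptions of this example.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed scenario: four ground receivers and one aircraft, local x/y/z in metres.
RECEIVERS = [(0.0, 0.0, 50.0), (40_000.0, 0.0, 120.0),
             (0.0, 40_000.0, 80.0), (40_000.0, 40_000.0, 30.0)]
TRUE_POS = (15_000.0, 22_000.0, 10_000.0)


def simulate_arrivals(source, t_transmit=12.5):
    """Arrival time of one frame at each receiver (constructed test data)."""
    return [t_transmit + math.dist(rx, source) / C for rx in RECEIVERS]


def tdoa_residuals(receivers, arrival_times, claimed_pos):
    """Metres of disagreement between measured and predicted arrival-time
    differences, each taken relative to the first receiver."""
    ranges = [math.dist(rx, claimed_pos) for rx in receivers]
    residuals = []
    for rng, t in zip(ranges[1:], arrival_times[1:]):
        measured = (t - arrival_times[0]) * C   # observed range difference
        predicted = rng - ranges[0]             # range difference the claim implies
        residuals.append(measured - predicted)
    return residuals


def position_is_plausible(receivers, arrival_times, claimed_pos, tolerance_m=300.0):
    """True when the claimed position agrees with the radio geometry."""
    if len(receivers) < 4 or len(receivers) != len(arrival_times):
        raise ValueError("need matching timestamps from at least four receivers")
    residuals = tdoa_residuals(receivers, arrival_times, claimed_pos)
    return all(abs(r) <= tolerance_m for r in residuals)


if __name__ == "__main__":
    arrivals = simulate_arrivals(TRUE_POS)
    print(position_is_plausible(RECEIVERS, arrivals, TRUE_POS))
    print(position_is_plausible(RECEIVERS, arrivals, (35_000.0, 22_000.0, 10_000.0)))
```

The check only ties the claim to where the signal physically came from, and it needs the four-receiver coverage that the article notes is rarely available at low altitude.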
Search the database by tapping on the bar at the top of the home screen. Maybe you look up a loved one's flight to see if they will arrive on time, or perhaps you get as bored as the Boeing pilots and spend 18 hours drawing a 787 the size of the U.S. in the sky. We're living in the age of "inventive flight art."
On the off chance you can't find a certain flight, it may be because Flightradar24 doesn't have coverage or is blocking that flight. In such an event, it can be worthwhile to check FlightAware and the less polished ADS-B Exchange, which is more likely to have aircraft blocked by the other two services.
From the home screen, you can add "Alerts" at the center of the bottom bar. You can't use custom alerts as a free user, but you can unlock it by subscribing or following the next how-to in this series. This is a powerful tool allowing us to create alerts based on Flight, Registration, Airline, or Aircraft Type.
Imagine getting a notification on your phone the next time the FBI decides to fly around in your local area. Those of you that enjoy a little schadenfreude from time to time might also enjoy checking the "Squawk 7700 General Emergency" option.
In this article, we have learned about ADS-B and its vulnerabilities. Notably, we learned how we could use its unencrypted nature to track military and FBI aircraft, among others, using a free app and web service. In the next part of this series, we'll dive into building our own ADS-B receiver using a Raspberry Pi and RTL-SDR dongle — and then share our own receiver's data with the world.