Flight disruptions can cost billions of dollars, but most modern commercial flights rely on air traffic control systems that harbor serious vulnerabilities. By 2020, the transition to a system called NextGen, which relies on Automatic Dependent Surveillance – Broadcast, or ADS-B for short, will be complete.
"ADS-B Out" broadcasts an airplane's vital information, in plain text, for everyone in broadcast range to receive. In this tutorial, we will learn about ADS-B, how it can be hacked, and how it allows us to track flights from airlines to Air Force One on a smartphone.
Imagine you're a pilot just finishing up a long transatlantic flight. It's night, and you're relying primarily on your instruments, when out of the blue your traffic collision avoidance system (TCAS) yells at you "Traffic one mile ahead. Descend. Descend!" After thousands of hours of training, you instinctually comply, when suddenly 99 more planes appear in your display. In fact, if you are flying an Airbus in autopilot, then there isn't even a choice — it reacts automatically.
Consider the mayhem that could be caused using this kind of attack on air traffic control at a major airport during the busy holiday season. Mother Nature has already provided us with a multitude of examples of the chaos that ensues from air traffic disruption such as the "nightmare for thousands of LAX travelers" or when Icelandic volcano Eyjafjallajökull caused flight disruptions that cost airlines $1.7 billion.
Now it doesn't take Mother Nature — a single hacker can have similar results.
What we described is an example of a spoofing attack on "ADS-B In" and TCAS, which work together in a cooperative ranging system, as they are both built on the same foundational Mode S data link. This represents one type of vulnerability in the FAA's NextGen system, and one that has been known since as early as Sept. 18, 2001.
Some applications may require independent validation of the ADS-B information … to detect spoofing and this is the aspect where the security concerns are raised.
But over 11 years later, nothing has been done about it. Eventually, in 2012, this attack was demonstrated, and again in 2016 by a separate individual. It would be trivial for a malicious hacker to take either of these programs and execute them in the real world with the use of an inexpensive $300 software-defined radio (SDR).
But what is ADS-B in the first place? ADS-B comes in two flavors: ADS-B Out and ADS-B In. Perhaps the easiest way to think about ADS-B Out is to envision the tour guides at the museum waving their flags about and shouting "I'm over here, follow me!" That's essentially what aircraft equipped with ADS-B Out transmitters do.
Using onboard instruments, including GPS, the transmitter populates 112-bit data packets with such information as aircraft identification, surface position, airborne position with barometric altitude, airborne velocities, and airborne position with GPS altitude. The data is then broadcast over 1090 MHz.
They do this every second — in plain text, unencrypted, and unauthenticated — which creates all sorts of vulnerabilities in the system. As you can guess, ADS-B In is the receiving portion of the system on the aircraft, and is what opens the aircraft to spoofing attacks.
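To make the "plain text, unencrypted, and unauthenticated" point concrete, the following added example (not code from the original article) parses one 112-bit frame using the standard Mode S extended squitter layout (downlink format 17), which the article does not spell out. The sample frame is a publicly documented test message embedded so the block runs offline; the function and table names are this example's own.

```python
# 6-bit character set used by aircraft identification messages.
CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"

# Type-code ranges for the message kinds listed in the text.
TYPE_CODES = [
    (range(1, 5), "aircraft identification"),
    (range(5, 9), "surface position"),
    (range(9, 19), "airborne position (barometric altitude)"),
    (range(19, 20), "airborne velocity"),
    (range(20, 23), "airborne position (GPS altitude)"),
]

def parse_adsb(hex_frame):
    """Split a 112-bit ADS-B frame into its fields. No key is needed anywhere."""
    if len(hex_frame) != 28:
        raise ValueError("expected 112 bits (28 hex digits)")
    bits = int(hex_frame, 16)
    if bits >> 107 != 17:                      # downlink format, top 5 bits
        raise ValueError("not an ADS-B extended squitter (DF 17)")
    icao = (bits >> 80) & 0xFFFFFF             # 24-bit airframe address
    me = (bits >> 24) & ((1 << 56) - 1)        # 56-bit message payload
    tc = me >> 51                              # 5-bit type code
    kind = next((name for rng, name in TYPE_CODES if tc in rng), "other")
    fields = {
        "icao": f"{icao:06X}",
        "type_code": tc,
        "kind": kind,
        # The last 24 bits are parity for error detection only, not a signature.
        "parity": f"{bits & 0xFFFFFF:06X}",
    }
    if 1 <= tc <= 4:
        # Eight 6-bit characters follow the first payload byte.
        codes = [(me >> (42 - 6 * i)) & 0x3F for i in range(8)]
        text = "".join(CHARSET[c] for c in codes)
        fields["callsign"] = text.replace("_", " ").strip()
    return fields

SAMPLE_FRAME = "8D4840D6202CC371C32CE0576098"  # public test message, not a live capture

if __name__ == "__main__":
    print(parse_adsb(SAMPLE_FRAME))
```

Every field comes out with shifts and masks alone, which is why a receiver cannot tell a genuine frame from a forged one by inspecting the frame itself.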
Despite this, ADS-B is the backbone of the FAA's NextGen system. This system is intended to allow more aircraft to operate in a given airspace with increased safety, while simultaneously easing the growing burden on air traffic control.
The FAA has even mandated that "aircraft operating in most controlled US airspace must be equipped with ADS-B Out by Jan. 1, 2020" without addressing the fact that ADS-B is inherently insecure. And the FAA is doing its best to convince everyone to use ADS-B Out with a $500 incentive.
As of August 2017, about 29,000 general aviation fixed-wing aircraft in the US have already been equipped out of about 164,200 total. Seventeen percent may not sound like a lot, but the percentage of equipped commercial airliners is much larger, at 2,000 out of about 6,670 aircraft, or 30 percent. And these numbers don't even account for military aircraft in the US.
While only ADS-B Out is required by the law to receive the full benefits, the aircraft also benefits from ADS-B In. It is likely they will have this, considering companies like uAvionix produce such transceiver systems for under $1,000.
In fact, in his wonderful talk at Defcon 20, Brad Haines, aka Renderman, goes on to point out yet more threats including jamming, injection, and what we are looking at today — eavesdropping — what FAA's Ron Jones called "probably the most fundamental security issue with ADS-B."
Since actually spoofing aircraft and causing potentially billions of dollars' worth of chaos would be bad, not to mention highly illegal, we can do the next best thing and receive those data packets instead of broadcasting fake ones. This is still quite interesting, considering we can track most military aircraft and "untrackable" private jets, like Air Force One and rendition flights.
It gets even better for the paranoid among you who are afraid of "spies in the sky" like the FBI and the Department of Homeland Security (DHS) surveillance aircraft, because now you can keep eyes on the eyes in the sky. Those of you that have already read our previous article on SDR can probably guess that an SDR is all we need to eavesdrop. That's right, plug in our $25 SDRs and tune into 1090 MHz!
However, in reality, it's even easier than that. If you have a smartphone, there's an app for that. In fact, there are multiple options available. Several web services have already crowdsourced a distributed network of ADS-B receivers, with Flightradar24 and FlightAware being two of the biggest. FlightAware is even working on a satellite constellation to track all flights globally from space.
Today, we are going to download the Flightradar24 app and learn about what ADS-B Out has to offer. In the next article in this series, we will learn how to make our own receiver for a mere $35 using a Raspberry Pi Zero W and an SDR.
The app does require Android 4.1 / iOS 8.2 or later, but that shouldn't be a problem unless you have an older phone. If you don't want to download the app or can't, you can also check out the website, which has all the same information. You can still follow along with the rest of this article; however, the icons will be in different places.
After the app has finished installing, you should be able to simply tap on the icon and have it pop open. It will ask for location permission, which is technically optional. While the app will run without it, you will not be able to use all the features like augmented reality.
Log in by tapping the icon in the top right corner. You will see a screen offering you a free trial. Take this if you wish; it will remove ads and provide some additional data, but be aware that it also signs you up for a subscription.
It's recommended to just tap the login button. If you stay tuned into the next article in this series, you'll learn how to get the highest level of membership, the Flightradar24 Business Plan — a $499.99/year value — for free.
If you don't already have an account, it will automatically create one for you if you log in with Facebook or Google.
Once it sends you back to the home screen, you should see the settings gear icon in the bottom left. You'll want to explore around and set it up the way you like, as there's a lot of room for customization. You can change the map type, put labels on the aircraft icons, add a day/night line to the map, and more.
This is your standard view, and the home screen after opening the app. Aircraft are represented by different icons that give you an idea of their type and heading. To learn more about an aircraft all you have to do is tap on it. You can do that same thing with the airports, which are the teardrop-shaped icons.
The very keen among you may notice a lack of smaller aircraft such as Cessnas and Pipers, also known as general aviation. That's because they operate on a separate 978 MHz frequency, rather than commercial airliners at 1090 MHz, and apps such as Flightradar24 and FlightAware do not attempt to decode traffic on that frequency.
Now we get to use the coolest part of the app. It's as easy as tapping on the AR tab in the top-left corner and giving the app permission to use your camera. You may also get a calibration screen. If so, go ahead and follow the instructions to improve accuracy.
Ever look up and wonder what that plane is or where it's going? Enter augmented reality — Pokémon GO, cry your heart out.
What's going on here is the app is using the inertial measurement unit (IMU) in your phone, in conjunction with the GPS, to estimate where you're looking in the sky. Flightradar24 is then able to overlay its ADS-B data on the world, giving you x-ray vision to see planes through clouds or even the roof of your house.
It can be helpful to switch between overview and details so that you can use the altitude to help distinguish between aircraft.
Another of the cooler features is the ability to get what basically amounts to a cockpit view. Once you've selected an aircraft in map or AR view, tap the 3D view in the lower-left corner.
Imagine using this next time you're traveling. Not only will you be able to tell what's what on the ground thanks to the labels Google provides, you'll also get the pilot's view during takeoff and landing!
Suppose you wished to know more about a particular flight. All you have to do is tap on the "More info" icon.
You'll be taken to a page with all the detailed information that you could ever want to know, such as the aircraft type, registration, speed, and altitude. It even makes pretty graphs if you're into that sort of thing.
There's actually quite a lot you can tell from the graph, such as how long it took them to get to cruising altitude (where the altitude line flattens out) and the spikes in the speed due to head/tail winds slowing or speeding the plane.
If you see this and instantly think data mining, then there's good and bad news for you. Flightradar24 doesn't have an open API; however, FlightAware does give you access to the same data as a paid service.
Click the "Route" icon on the bottom bar. It will show you where the flight has been.
It is worth mentioning that Flightradar24 does attempt to use multilateration (MLAT) to mitigate some of the vulnerabilities mentioned previously, particularly spoofing, and provide the most accurate plot of the plane's route.
MLAT works by employing time difference of arrival (TDOA). In other words, because the speed of light, and thus of radio waves, is constant, you can calculate the distance from the amount of time the signal took to arrive, and then draw a circle around your receiver with that number as its radius. When you do this with several receivers, in our case 4 or more, the circles will all overlap at one point, which is where the aircraft should be. However, since 1090 MHz propagates by line of sight, you rarely (if ever) will have 4 separate receivers simultaneously detecting the same aircraft below 3,000 feet, as ADS-B is transmitting to such a small area.
Flightradar24's website does claim: "Most parts of Europe and North America are today covered with MLAT above about 3,000–10,000 feet. There is also some MLAT coverage in Mexico, Brazil, South Africa, India, China, Japan, Taiwan, Thailand, Malaysia, Indonesia, Australia, and New Zealand. More areas will get MLAT coverage as we continue to add new receivers to our network."
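The following added example (not code from the original article or from Flightradar24) shows how a receiver network can use MLAT to check a broadcast position claim. It goes one step beyond the circle picture above: the network does not know when the frame was transmitted, so the solver uses only differences in arrival time between receivers. The receiver layout, timings, 2-D geometry and function names are constructed assumptions.

```python
import math

C_KM_PER_US = 0.299792458  # speed of light in km per microsecond

def tdoa_locate(receivers, arrivals_us, iters=25):
    """Gauss-Newton fit of a 2-D position from arrival-time differences.

    Differences are taken against receivers[0], so the transmit time cancels.
    """
    x = sum(r[0] for r in receivers) / len(receivers)  # start at the centroid
    y = sum(r[1] for r in receivers) / len(receivers)
    (x0, y0), t0 = receivers[0], arrivals_us[0]
    for _ in range(iters):
        d0 = max(math.hypot(x - x0, y - y0), 1e-9)
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (xi, yi), ti in zip(receivers[1:], arrivals_us[1:]):
            di = max(math.hypot(x - xi, y - yi), 1e-9)
            resid = (di - d0) - C_KM_PER_US * (ti - t0)
            jx = (x - xi) / di - (x - x0) / d0   # d(resid)/dx
            jy = (y - yi) / di - (y - y0) / d0   # d(resid)/dy
            a11, a12, a22 = a11 + jx * jx, a12 + jx * jy, a22 + jy * jy
            b1, b2 = b1 + jx * resid, b2 + jy * resid
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            raise ValueError("degenerate receiver geometry")
        x -= (a22 * b1 - a12 * b2) / det          # solve the 2x2 normal equations
        y -= (a11 * b2 - a12 * b1) / det
    return x, y

def claim_mismatch_km(receivers, arrivals_us, claimed_xy):
    """Distance between the MLAT fix and the position the broadcast claims."""
    mx, my = tdoa_locate(receivers, arrivals_us)
    return math.hypot(mx - claimed_xy[0], my - claimed_xy[1])

# Constructed scenario: four ground receivers on a 60 km square (x, y in km).
RECEIVERS = [(0.0, 0.0), (60.0, 0.0), (0.0, 60.0), (60.0, 60.0)]
TRUE_XY = (22.0, 35.0)   # where the transmitter really is
T_EMIT_US = 1234.5       # transmit time, never given to the solver
ARRIVALS = [T_EMIT_US + math.hypot(TRUE_XY[0] - rx, TRUE_XY[1] - ry) / C_KM_PER_US
            for rx, ry in RECEIVERS]

if __name__ == "__main__":
    print("honest claim :", round(claim_mismatch_km(RECEIVERS, ARRIVALS, TRUE_XY), 6), "km")
    print("spoofed claim:", round(claim_mismatch_km(RECEIVERS, ARRIVALS, (40.0, 10.0)), 1), "km")
```

A claimed position that sits tens of kilometres from the MLAT fix is a strong sign that the frame did not come from where it says it did.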
Search the database by tapping on the bar at the top of the home screen. Maybe you look up a loved one's flight to see if they will arrive on time, or you get as bored as the Boeing pilots and spend 18 hours drawing a 787 the size of the US in the sky. We're living in the age of "inventive flight art."
On the off chance you can't find a certain flight, it may be because Flightradar24 doesn't have coverage or is blocking that flight. In such an event, it can be worthwhile to check FlightAware and the less polished ADS-B Exchange, which is more likely to have aircraft blocked by the other two services.
From the home screen, you can add alerts on the center of the bottom bar. You can't use custom alerts as a free user, but you can unlock it by subscribing or following the next how-to in this series. This is a powerful tool allowing us to create alerts based on Flight, Registration, Airline, or Aircraft Type.
Imagine getting a notification on your phone the next time the FBI decides to fly around in your local area. Those of you that enjoy a little schadenfreude from time to time might also enjoy checking the "Squawk 7700 General Emergency" option.
In this article, we have learned about ADS-B and its vulnerabilities. Notably, we learned how we can use its unencrypted nature to track military and FBI aircraft, among others, using a free app and web service. In the next article of this series, we will dive into building our own ADS-B receiver using a Raspberry Pi and RTL-SDR dongle, and then share our own receiver's data with the world.
Screenshots by Hoid/Null Byte