SlideShare ist ein Scribd-Unternehmen logo

Costin, francillon ghost is in the air(traffic)

DefconRussia
DefconRussia
1 von 51
Downloaden Sie, um offline zu lesen
Ghost is in the Air(Traffic) Andrei Costin <andrei.costin@eurecom.fr> Aurelien Francillon <aurelien.francillon@eurecom.fr>
andrei# whoami SW/HW security researcher, PhD candidate Mifare Classic Interest in Hacking MFPs + MFCUK avionics PostScript http://andreicostin.com/papers/ http://andreicostin.com/secadv/ 1
Administratrivia #0 DISCLAIMER  This presentation is for informational purposes only. Do not apply the material if not explicitly authorized to do so  Reader takes full responsibility whatsoever of applying or experimenting with presented material  Authors are fully waived of any claims of direct or indirect damages that might arise from applying the material  Information herein represents author own views on the matter and does not represent any official position of affiliated body  tldr;  DO NOT TRY THIS AT HOME!  USE AT YOUR OWN RISK! 2
Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 3
ATC Today… 4
How do radars work without ADS-B? 5
SSR transmits basic solicited data  SSR is solicited type of communication  Solicitation via XPDR  Solicitation via voice VHF  Example of data from SSR XPDR:  Aircraft Address  Altitude  Code (squawk)  Angles (Roll/Track) 6
Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 7
Automatic Dependent Surveillance - Broadcast (CASA, 2006) 8 Inputs are not robust enough
Input mistakes have severe implications Garmin GTX32x Avionics Tranponders 9
Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 10
ADS-B is a $billions world-wide effort from 2002… US GOV ITDashboard - FAAXX704 (ADS-B) 11
Guidance for the Provision of Air Traffic Services Using ADS-B for Airport Surface Surveillance GPS GLONASS GALILEO 12 How does ADS-B work? – Architectural view
ADS-B – INsideOUT… ICAO/FAA ADS-B Implementation Workshop  ADS-B is being used over 2 existing technologies:  Mode-S – 1090 MHz (replies) and 1030 MHz (interrogation)  PPM @ 1 Mbps  UAT (Universal Access Transceiver) – 978 MHz (replies)  CP-2FSK @ 1.041667 Mbps (modulation index h >= 0.6) 13
ATC Tomorrow – NextGen, ATC/M and eAircrafts 14
Australia Airservices ADS-B Coverage Map 15 ADS-B Deployment Map – Australia
FAA NextGen Technologies Interactive Map (ADS-B) 16 ADS-B Deployment Map – USA
How does community get this data? AirNav RadarBox Mode-S Beast with miniASDB Kinetic SBS Summarized list of enthusiast-level ADS-B radar receivers microADSB USB PlaneGadgets ADS-B Aurora Eurotech SSRx miniADSB Funkwerk RTH60 microADSB-IP BULLION 17
How does ADS-B look like? – Community view 18
ADS-B frame – modulation, format, security  Frames encoded in  Pulse-position-modulation (PPM)  1 bit = 1 us  Shared-medium (no CA/CD), theoretical bandwidth 1 Mbit/sec 19
ADS-B frame – modulation, format, security  Frames encoded in  Pulse-position-modulation (PPM)  1 bit = 1 us  Shared-medium (no CA/CD), theoretical bandwidth 1 Mbit/sec  Frames composed of  A preamble  8 bits for TX/RX sync  A data-block  56 bits for short frames  112 bits for extended/long frames  Mandatory to have  24 bits ICAO address of aircraft  24 bits error-detection parity 20
ADS-B frame – modulation, format, security Page intentionally left blank 21
Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 22
ADS-B Main Threats – Summary ADS-B Threat Fail / warn / ok Entity/message authentication Entity authorization (eg. medium access)* Entity temporary identifiers/privacy Message integrity (HMAC) Message freshness (non-replay) Encryption (message secrecy) Massive public DBs with private detail* 23
Potential mitigations exist… but are not public  Mode-4/Mode-5 IFF Crypto Appliqué  2-Levels Crypto secured version of Mode S and ADS-B GPS position  Defined for military NATO STANAG 4193  Enhanced encryption  Spread Spectrum Modulation  Time of Day Authentication  Level1:  Aircraft Unique PIN  Level2:  Level1 + other (unknown for now) information  Apparently based on Black & Red keys crypto  ADS-B also specifies, but not details available about crypto/security:  DF19 = Military Extended Squitter  DF22 = Military Use Only 24
Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 25
ADS-B – Adversary Model – By location  Ground-based  Easier to operate (win criminals)  Easier to be caught (win agencies)  Easier to defend or mitigate against (win agencies)  Eg. Angle of arrival, time-difference of arrival  Airborne  Drones  UAV  Autonomously pre-programmed self-operating checked-in luggage:  Pelican case, barometric altimeter, battery, embed-devs, GPS, RF…  Possibly could work around angle of arrival  Could pose more advanced threat to ADS-B IN enabled aircrafts  Important: not extensively modeled in the attacker & threat modeling of Mode-S/ADS-B 26
ADS-B – Adversary Model – By role  Pilots  Bad intent  (Un)Intentional pranksters  Pranksters  Abusive users/organizations  Privacy breachers – eg. Paparazzi  Message conveyors  Criminals  Money (more likely). Eg.: Underground forums with “Worldwide SDRs for hire” – potentially very profitable underground biz (think sniff GSM)  Terror (less likely)  Military/intelligence  Espionage  Sabotage 27
Example: external abusers + public data correlation Strategically positioned Have a well-defined target Poses inexpensive devices Can publicly access private details (why is this allowed?!) 28
Public access, seriously? USA (FAA) 29
Public access, seriously? Australia (CASA) 30
Public access, seriously? UK (CAA) 31
DoS constraints  ADS-B over 1090 MHz Mode-S ES has is PPM @ 1 MHz  It means bandwidth 1 Mbps  For 112 bit messages  Upper limits  MAX different 9000 fake airplanes  OR same fake airplane in 9000 different positions/sec  Pretty damn fast UFOs!  Assumptions  Nobody else (il)legitimately transmits  OR the upper limit is decreasing over-liniarly with linear increase in transmitters 32
Hardware setup Hardware Functions Price SDR USRP1 Main RF support 700 USD SBX ADS-B OUT/IN (attack) 475 USD WBX ADS-B OUT/IN (attack) 450 USD DBSRX2 ADS-B IN (verify) 150 USD Plane ADS-B IN (verify) ~245 USD Gadget Attenuators Limit output (SMA cable) <10 USD Cables Alternative SDRs Alternative ADS-Bs 33
ADS-B Message Replay Quick reference  Capture ADS-B data:  UHD-mode  uhd_rx_cfile.py --spec B:0 --gain 25 --samp-rate 4000000 -f 1090000000 -v ~/CAPTURE_adsb.fc32  Pre-UHD-mode  usrp_rx_cfile.py  Replay the captured data:  UHD-mode  tx_transmit_samples --file ~/CAPTURE_adsb.fc32 --ant "TX/RX" --rate 4000000 --freq 1090000000 --type float -- subdev B:0  Pre-UHD-mode  usrp_replay_file.py 34
ADS-B Message Injection Quick reference guide  ADS-B data crafting  Tweak the captured data  Load I/Q data: d_cap = read_float_binary(‘~/CAPTURED_adsb.fc32’)  Modify the samples: d_cft = adsb_randomize(d_cap)  Write back I/Q data: write_float_binary(d_cft, ‘~/CRAFTED_adsb.fc32’)  Generate the data  MatLab – modulate(adsb_frame, fc, fs, ‘ppm’)  GNUradio – write native C++ block  Transmit the crafted data:  UHD-mode  tx_transmit_samples --file ~/CRAFTED_adsb.fc32 --ant "TX/RX" --rate 4000000 --freq 1090000000 --type float --subdev B:0  Pre-UHD-mode  usrp_replay_file.py 35
ADS-B Message Analyze/Visualize/Plot Quick reference guide  GNURadio ModeS tests:  Pre-UHD-mode (by Eric Cottrell):  gr-air/src/python/usrp_mode_s_logfile.py  UHD-mode (by Nick Foster):  gr-air-modes/python/uhd_modes.py –a –w –F ~/CRAFTED_adsb.fc32  GNURadio:  gr_plot_psd_c.py -R 4000000 ~/CAPTURE_adsb.fc32  gr_plot_psd_c.py -R 4000000 ~/CRAFTED_adsb.fc32  Octave + gnuplot:  n_samp = 500000  trig_lvl = 0.01  d_cap = read_float_binary(‘CAPTURE_adsb.fc32’, n_samp)  axis ([0, n_samp, -trig_lvl, trig_lvl])  plot(arr) 36
Code showcase 37
Demo showtime  http://www.youtube.com/zveriu 38
ADS-B Fuzzing notes  PlanePlotter doesn’t show at all planes whose ICAO24 starts with 0xxxxx like 031337  No indication in the standard it should be this way  We don’t know how real-world radars behave to such fuzzing  Anyone in the audience? 39
Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 40
High-level perspective – Timelines  SDR Community  1988 (Peter Hoeher and Helmuth Lang) - SDR prototype  1991/1992 (Joseph Mitola) - SDR theory and paper  October 2003 (Ettus) - USRP1 available $US750  September 2008 (Ettus) - USRP2 available $US1700 (http://www.ruby-forum.com/topic/165227)  13 Jan 2010 (Ettus) - WBX Tranceiver board available (http://lists.gnu.org/archive/html/discuss-gnuradio/2010-01/msg00146.html)  23 Mar 2011 (Ettus) - USRP N200 $US1500 and USRP N210 $US1700 available (http://lists.ettus.com/pipermail/usrp- announce_lists.ettus.com/2011-March/000007.html)  15 Apr 2011 (Ettus) - SBX Tranceiver board available (http://lists.ettus.com/pipermail/usrp-announce_lists.ettus.com/2011-April/000008.html)  February 2012 (Antti Palosaari) - RTL-SDR discovered (http://thread.gmane.org/gmane.linux.drivers.video-input- infrastructure/44461/focus=44461)  ADS-B Standartization/Regulatory  Jul 2002 (FAA) - Federal Aviation Administration (FAA) announced a dual link decision using 1090 MHz ES for air carrier and private/commercial operators of high performance aircraft and UAT for the typical general aviation user as media for the ADS-B system in the United States (http://www.faa.gov/news/press_releases/news_story.cfm?newsId=5520&print=go)  March 2003 - First ADS-B demonstrations (AOPA for CAP)  April 2003 (RTC) - DO-260A "Minimum Operational Performance Standards for 1090 MHz Extended Squitter Automatic Dependent Surveillance – Broadcast (ADS-B) and Traffic Information Services – Broadcast (TIS-B)"  Jul 2004 (RTC) - DO-282A "Minimum Operational Performance Standards for Universal Access Transceiver (UAT) Automatic Dependent Surveillance – Broadcast."  2004 - US Development & testing stations deployed  2007 - Early estimates stated the cost to equip a general aviation aircraft ranged from $7,644 to $10,920 for ADS-B Out and from $10,444 to $29,770 for ADS-B Out and ADS-B In, depending on aircraft type.  2009 - US Ground segment implementation and deployment  2009 - Assuming 2009 market prices for individual system components, a UAT retrofit was estimated at $18,000 and new at $25,000. For a 1090ES retrofit $4,200 and new at $18,000.  Dec 2009 - Australia in world first for nationwide ADS-B coverage  Research community  Jan 2001 - An Assessment of the Communications, Navigation, Surveillance (CNS) Capabilities Needed to Support the Future Air Traffic Management System  Oct 2001 - Vulnerability assessment of the transportation infrastructure relying on GPS  2002 - Validation techniques for ADS-B surveillance data  2003 - GPS integrity and potential impact on aviation safety  Sept 2004 - Aircraft ADS-B Data Integrity Check  2008/2009 - Vast security research on Future eEnabled Aircraft and their support infrastructure  Oct 2010 - Identification of ADS-B System Vulnerabilities and Threats  2010 - Assessment and Mitigation of Cyber Exploits in Future Aircraft Surveillance  2010 - Visualization & Assessment Of ADS-B Security For Green ATM  2011 - Security analysis of the ADS-B implementation in the next generation air transportation system  Oct 2011 - Aircraft Systems Cyber Security  Oct 2011 - On the Requirements for Successful GPS Spoofing Attacks  Jul 2012 - First public practical setups and demonstrations on ADS-B attacks (BH12US, DC19) 41
ADS-B Security Solutions  Solutions could include:  Verifiable multilateration (MLAT) with multiple ground-stations, but:  “Group of aircrafts” concepts  AANETs should inspire from VANETs solutions  Lightweight PKI architectures and protocols. Our thoughts:  FAA, EUROCONTROL, CASA as CAs  CAs root keys installed/updated during ADS-B device mandatory certification process  HMAC on each broadcast message  Every broadcast a subset of HMAC bits 42
ICAO 12th Air Navigation Conference - CSTF Take-aways – THE GOOD 43
Take-aways – THE BAD  ADS-B is a safety-related mission-critical technology  Yet, ADS-B lacks minimal security mechanisms  This poses direct threat to safety  ADS-B costs tremendous amount of money, coordination, time  Yet, ADS-B is defeated in practice with  FOSS or moderate-effort custom software  Relatively low-cost SDRs hardware  ADS-B assumptions are not technologically up-to-date  Doesn’t account users will have easy access to RF via SDRs  Doesn’t account users will have easy access to UAV, drones, etc.  SDRs and their decreasing price are not the problem ADS-B is flawed and is the actual architectural root-cause 44
Take-aways – THE UGLY  Portable RF sniffer  Uber cheap (25 USD)  few MHz ~ 2.x GHz  RTL-SDR via RTL 2832U + E4000  Portable ‘universal’ RF transceiver  Cheap (300 USD)  few MHz ~ 2.x GHz  HackRF by mossmann  Exponentially more functionality  Compared to 2009 PM3 price  TCAS  100% affected user base vs ~30% on ADS-B  Involves TAs & Ras  pilots are expected to respond immediately to the RA  aircraft will at times have to manoeuver contrary to ATC instructions or disregard ATC instructions  Custom Verilog required  More stable/precise timing required 45
References (academia, standards, reports) 46
References (related talks)  22C3 – I see airplanes  DefCon17 – Air Traffic Control: Insecurity and ADS-B  DefCon18 – Air Traffic Control Insecurity 2.0  GRConf2011 – ADS-B in GnuRadio  DefCon20 – Hacker + Airplanes = No Good Can Come Of This 47
Acknowledgements  Thanks to Aurelien Francillon, my PhD professor & advisor, for his tremendous support on this research  Thanks to EURECOM for time offered to finalize this research and whitepaper 48
Challenge for all POC hackers and not only!  Check out: code.google.com/p/libadsb  Library for ADS-B encoding/decoding and utilities  Help community – write ASN.1 specifications for ADS-B  Easy Wireshark integration + core of libadsb  Provide formal specification of lengthy documents  Teach yourself – improve the demo code above  Top 4+1 contributors get either one of these:  Rtl-sdr dongle  Arduino baseboard  Raspberry Pi Fell free to shout: zveriu@gmail.com 49
Thank you! Questions, ideas, corrections? Andrei Costin <andrei.costin@eurecom.fr> Aurelien Francillon <aurelien.francillon@eurecom.fr>

Empfohlen

Nac distr mil aero supply security
Nac distr mil aero supply securityNac distr mil aero supply security
Nac distr mil aero supply securityPaul Fulhorst
 
2012 july mil soft_ie_capabilities__iic_solutions-general-eng
2012 july mil soft_ie_capabilities__iic_solutions-general-eng2012 july mil soft_ie_capabilities__iic_solutions-general-eng
2012 july mil soft_ie_capabilities__iic_solutions-general-engmilsoftSDC
 
Iwscff delft 2015_akhtyamov_golkar_lisi
Iwscff delft 2015_akhtyamov_golkar_lisiIwscff delft 2015_akhtyamov_golkar_lisi
Iwscff delft 2015_akhtyamov_golkar_lisiMarco Lisi
 
Tunnel Radio Communications and Tracking for Mining
Tunnel Radio Communications and Tracking for MiningTunnel Radio Communications and Tracking for Mining
Tunnel Radio Communications and Tracking for MiningTunnel Radio of America
 
Finnish Land forces C4I development based on SDR
Finnish Land forces C4I development based on SDRFinnish Land forces C4I development based on SDR
Finnish Land forces C4I development based on SDRJuha Mattila
 
Implementation of WRC-15 for space services
Implementation of WRC-15 for space servicesImplementation of WRC-15 for space services
Implementation of WRC-15 for space serviceshfng
 
Mixed signal verification challenges - slides
Mixed signal verification challenges - slidesMixed signal verification challenges - slides
Mixed signal verification challenges - slidesRégis SANTONJA
 
Weather Flying and the iPad
Weather Flying and the iPadWeather Flying and the iPad
Weather Flying and the iPadSporty's Pilot Shop
 

Empfohlen

Nac distr mil aero supply security
Nac distr mil aero supply securityNac distr mil aero supply security
Nac distr mil aero supply securityPaul Fulhorst
 
2012 july mil soft_ie_capabilities__iic_solutions-general-eng
2012 july mil soft_ie_capabilities__iic_solutions-general-eng2012 july mil soft_ie_capabilities__iic_solutions-general-eng
2012 july mil soft_ie_capabilities__iic_solutions-general-engmilsoftSDC
 
Iwscff delft 2015_akhtyamov_golkar_lisi
Iwscff delft 2015_akhtyamov_golkar_lisiIwscff delft 2015_akhtyamov_golkar_lisi
Iwscff delft 2015_akhtyamov_golkar_lisiMarco Lisi
 
Tunnel Radio Communications and Tracking for Mining
Tunnel Radio Communications and Tracking for MiningTunnel Radio Communications and Tracking for Mining
Tunnel Radio Communications and Tracking for MiningTunnel Radio of America
 
Finnish Land forces C4I development based on SDR
Finnish Land forces C4I development based on SDRFinnish Land forces C4I development based on SDR
Finnish Land forces C4I development based on SDRJuha Mattila
 
Implementation of WRC-15 for space services
Implementation of WRC-15 for space servicesImplementation of WRC-15 for space services
Implementation of WRC-15 for space serviceshfng
 
Mixed signal verification challenges - slides
Mixed signal verification challenges - slidesMixed signal verification challenges - slides
Mixed signal verification challenges - slidesRégis SANTONJA
 
Weather Flying and the iPad
Weather Flying and the iPadWeather Flying and the iPad
Weather Flying and the iPadSporty's Pilot Shop
 
Iaetsd ads-b technology with gps aided geo
Iaetsd ads-b technology with gps aided geoIaetsd ads-b technology with gps aided geo
Iaetsd ads-b technology with gps aided geoIaetsd Iaetsd
 
Shared Responsibility for the ILS: How Does That Work?
Shared Responsibility for the ILS: How Does That Work?Shared Responsibility for the ILS: How Does That Work?
Shared Responsibility for the ILS: How Does That Work?Colby Riggs
 
Comunicaciones ADS-B
Comunicaciones ADS-BComunicaciones ADS-B
Comunicaciones ADS-BAlex Casanova
 
2012 FLIGHT PLAN CONTENT CHANGES
2012 FLIGHT PLAN CONTENT CHANGES2012 FLIGHT PLAN CONTENT CHANGES
2012 FLIGHT PLAN CONTENT CHANGESÜlger Ahmet
 
Fc744 Landingear
Fc744 LandingearFc744 Landingear
Fc744 Landingeartheoryce
 
ADS-B presentation
ADS-B presentationADS-B presentation
ADS-B presentationEngin Karabulut
 
Fireprotection
FireprotectionFireprotection
Fireprotectiontheoryce
 
ADSB with GAGAN
ADSB with GAGANADSB with GAGAN
ADSB with GAGANShivam Sharma
 
ADS-B Update: equipping for 2020 (August 2015 edition)
ADS-B Update: equipping for 2020 (August 2015 edition)ADS-B Update: equipping for 2020 (August 2015 edition)
ADS-B Update: equipping for 2020 (August 2015 edition)sportyspilotshop
 
Airspace Classification
Airspace ClassificationAirspace Classification
Airspace Classificationalpha_sherdil
 
ADS-B & The 2020 FAA Final Rule
ADS-B & The 2020 FAA Final RuleADS-B & The 2020 FAA Final Rule
ADS-B & The 2020 FAA Final RuleTodd Shellnutt
 
Fc744 Hydraulics
Fc744 HydraulicsFc744 Hydraulics
Fc744 Hydraulicstheoryce
 
Air Traffic Control Organization Lesson
Air Traffic Control Organization LessonAir Traffic Control Organization Lesson
Air Traffic Control Organization LessonÜlger Ahmet
 
Fc744 Fuel
Fc744 FuelFc744 Fuel
Fc744 Fueltheoryce
 
Aircraft Communication Topic 4 hf communication system
Aircraft Communication Topic 4 hf communication systemAircraft Communication Topic 4 hf communication system
Aircraft Communication Topic 4 hf communication systemIzah Asmadi
 
Nav Topic 10 instrument landing systems
Nav Topic 10 instrument landing systemsNav Topic 10 instrument landing systems
Nav Topic 10 instrument landing systemsIzah Asmadi
 
10 Things every iPad pilot should know
10 Things every iPad pilot should know10 Things every iPad pilot should know
10 Things every iPad pilot should knowSporty's Pilot Shop
 
Aircraft Communication Topic 3 radio components
Aircraft Communication Topic 3 radio componentsAircraft Communication Topic 3 radio components
Aircraft Communication Topic 3 radio componentsIzah Asmadi
 
Book 02
Book 02Book 02
Book 02xykers
 
Etops at a glance
Etops at a glanceEtops at a glance
Etops at a glanceMichael_Etops
 
Ann over
Ann overAnn over
Ann overNASAPMC
 
Close Air Support CSAF Update
Close Air Support CSAF UpdateClose Air Support CSAF Update
Close Air Support CSAF Update1st_TSG_Airborne
 

Weitere ähnliche Inhalte

Andere mochten auch

Iaetsd ads-b technology with gps aided geo
Iaetsd ads-b technology with gps aided geoIaetsd ads-b technology with gps aided geo
Iaetsd ads-b technology with gps aided geoIaetsd Iaetsd
 
Shared Responsibility for the ILS: How Does That Work?
Shared Responsibility for the ILS: How Does That Work?Shared Responsibility for the ILS: How Does That Work?
Shared Responsibility for the ILS: How Does That Work?Colby Riggs
 
Comunicaciones ADS-B
Comunicaciones ADS-BComunicaciones ADS-B
Comunicaciones ADS-BAlex Casanova
 
2012 FLIGHT PLAN CONTENT CHANGES
2012 FLIGHT PLAN CONTENT CHANGES2012 FLIGHT PLAN CONTENT CHANGES
2012 FLIGHT PLAN CONTENT CHANGESÜlger Ahmet
 
Fc744 Landingear
Fc744 LandingearFc744 Landingear
Fc744 Landingeartheoryce
 
Fireprotection
FireprotectionFireprotection
Fireprotectiontheoryce
 
ADS-B Update: equipping for 2020 (August 2015 edition)
ADS-B Update: equipping for 2020 (August 2015 edition)ADS-B Update: equipping for 2020 (August 2015 edition)
ADS-B Update: equipping for 2020 (August 2015 edition)sportyspilotshop
 
Airspace Classification
Airspace ClassificationAirspace Classification
Airspace Classificationalpha_sherdil
 
ADS-B & The 2020 FAA Final Rule
ADS-B & The 2020 FAA Final RuleADS-B & The 2020 FAA Final Rule
ADS-B & The 2020 FAA Final RuleTodd Shellnutt
 
Fc744 Hydraulics
Fc744 HydraulicsFc744 Hydraulics
Fc744 Hydraulicstheoryce
 
Air Traffic Control Organization Lesson
Air Traffic Control Organization LessonAir Traffic Control Organization Lesson
Air Traffic Control Organization LessonÜlger Ahmet
 
Fc744 Fuel
Fc744 FuelFc744 Fuel
Fc744 Fueltheoryce
 
Aircraft Communication Topic 4 hf communication system
Aircraft Communication Topic 4 hf communication systemAircraft Communication Topic 4 hf communication system
Aircraft Communication Topic 4 hf communication systemIzah Asmadi
 
Nav Topic 10 instrument landing systems
Nav Topic 10 instrument landing systemsNav Topic 10 instrument landing systems
Nav Topic 10 instrument landing systemsIzah Asmadi
 
10 Things every iPad pilot should know
10 Things every iPad pilot should know10 Things every iPad pilot should know
10 Things every iPad pilot should knowSporty's Pilot Shop
 
Aircraft Communication Topic 3 radio components
Aircraft Communication Topic 3 radio componentsAircraft Communication Topic 3 radio components
Aircraft Communication Topic 3 radio componentsIzah Asmadi
 
Book 02
Book 02Book 02
Book 02xykers
 

Andere mochten auch (20)

Iaetsd ads-b technology with gps aided geo
Iaetsd ads-b technology with gps aided geoIaetsd ads-b technology with gps aided geo
Iaetsd ads-b technology with gps aided geo
 
Shared Responsibility for the ILS: How Does That Work?
Shared Responsibility for the ILS: How Does That Work?Shared Responsibility for the ILS: How Does That Work?
Shared Responsibility for the ILS: How Does That Work?
 
Comunicaciones ADS-B
Comunicaciones ADS-BComunicaciones ADS-B
Comunicaciones ADS-B
 
2012 FLIGHT PLAN CONTENT CHANGES
2012 FLIGHT PLAN CONTENT CHANGES2012 FLIGHT PLAN CONTENT CHANGES
2012 FLIGHT PLAN CONTENT CHANGES
 
Fc744 Landingear
Fc744 LandingearFc744 Landingear
Fc744 Landingear
 
ADS-B presentation
ADS-B presentationADS-B presentation
ADS-B presentation
 
Fireprotection
FireprotectionFireprotection
Fireprotection
 
ADSB with GAGAN
ADSB with GAGANADSB with GAGAN
ADSB with GAGAN
 
ADS-B Update: equipping for 2020 (August 2015 edition)
ADS-B Update: equipping for 2020 (August 2015 edition)ADS-B Update: equipping for 2020 (August 2015 edition)
ADS-B Update: equipping for 2020 (August 2015 edition)
 
Airspace Classification
Airspace ClassificationAirspace Classification
Airspace Classification
 
ADS-B & The 2020 FAA Final Rule
ADS-B & The 2020 FAA Final RuleADS-B & The 2020 FAA Final Rule
ADS-B & The 2020 FAA Final Rule
 
Fc744 Hydraulics
Fc744 HydraulicsFc744 Hydraulics
Fc744 Hydraulics
 
Air Traffic Control Organization Lesson
Air Traffic Control Organization LessonAir Traffic Control Organization Lesson
Air Traffic Control Organization Lesson
 
Fc744 Fuel
Fc744 FuelFc744 Fuel
Fc744 Fuel
 
Aircraft Communication Topic 4 hf communication system
Aircraft Communication Topic 4 hf communication systemAircraft Communication Topic 4 hf communication system
Aircraft Communication Topic 4 hf communication system
 
Nav Topic 10 instrument landing systems
Nav Topic 10 instrument landing systemsNav Topic 10 instrument landing systems
Nav Topic 10 instrument landing systems
 
10 Things every iPad pilot should know
10 Things every iPad pilot should know10 Things every iPad pilot should know
10 Things every iPad pilot should know
 
Aircraft Communication Topic 3 radio components
Aircraft Communication Topic 3 radio componentsAircraft Communication Topic 3 radio components
Aircraft Communication Topic 3 radio components
 
Book 02
Book 02Book 02
Book 02
 
Etops at a glance
Etops at a glanceEtops at a glance
Etops at a glance
 

Ähnlich wie Costin, francillon ghost is in the air(traffic)

Ann over
Ann overAnn over
Ann overNASAPMC
 
Close Air Support CSAF Update
Close Air Support CSAF UpdateClose Air Support CSAF Update
Close Air Support CSAF Update1st_TSG_Airborne
 
Saab Airborne Surveillance Media Brief Farnborough 2014
Saab Airborne Surveillance Media Brief Farnborough 2014Saab Airborne Surveillance Media Brief Farnborough 2014
Saab Airborne Surveillance Media Brief Farnborough 2014Saab AB
 
202209 QSO Today Virtual Ham Introduction to Software Defined Radio with emph...
202209 QSO Today Virtual Ham Introduction to Software Defined Radio with emph...202209 QSO Today Virtual Ham Introduction to Software Defined Radio with emph...
202209 QSO Today Virtual Ham Introduction to Software Defined Radio with emph...dhorvath
 
Ship Ad-hoc Network (SANET)
Ship Ad-hoc Network (SANET) Ship Ad-hoc Network (SANET)
Ship Ad-hoc Network (SANET) Benyamin Moadab
 
X-Haul: towards an integrated 5G transport network architecture
X-Haul: towards an integrated 5G transport network architectureX-Haul: towards an integrated 5G transport network architecture
X-Haul: towards an integrated 5G transport network architectureADVA
 
SSTRM, - StrategicReviewGroup.ca - Maj Dufour Soldier Modernization - Lethal ...
SSTRM, - StrategicReviewGroup.ca - Maj Dufour Soldier Modernization - Lethal ...SSTRM, - StrategicReviewGroup.ca - Maj Dufour Soldier Modernization - Lethal ...
SSTRM, - StrategicReviewGroup.ca - Maj Dufour Soldier Modernization - Lethal ...Phil Carr
 
6 [progress report] for this leisurely side-project I was doing in 2016
6 [progress report] for this leisurely side-project I was doing in 20166 [progress report] for this leisurely side-project I was doing in 2016
6 [progress report] for this leisurely side-project I was doing in 2016Youness Lahdili
 
fcc_cognitive_radio_fette_v8.ppt
fcc_cognitive_radio_fette_v8.pptfcc_cognitive_radio_fette_v8.ppt
fcc_cognitive_radio_fette_v8.pptUmamaheswariK9
 
Technology, Business and Regulation of the Connected Car
Technology, Business and Regulation of the Connected CarTechnology, Business and Regulation of the Connected Car
Technology, Business and Regulation of the Connected Carmentoresd
 
Interference from mimo pmcw radar
Interference from mimo pmcw radarInterference from mimo pmcw radar
Interference from mimo pmcw radarDr. Jianying Guo
 
Design & development of embedded application
Design & development of embedded applicationDesign & development of embedded application
Design & development of embedded applicationeSAT Publishing House
 
Training Course_5G RAN3.0 mmWave Beam Management.pptx
Training Course_5G RAN3.0 mmWave Beam Management.pptxTraining Course_5G RAN3.0 mmWave Beam Management.pptx
Training Course_5G RAN3.0 mmWave Beam Management.pptxgame__over
 
ARINC 818-2 standard overview and its characteristics
ARINC 818-2 standard overview and its characteristicsARINC 818-2 standard overview and its characteristics
ARINC 818-2 standard overview and its characteristicsLogic Fruit Technologies
 
Co-Registration of Small-Scale Satellite Data
Co-Registration of Small-Scale Satellite DataCo-Registration of Small-Scale Satellite Data
Co-Registration of Small-Scale Satellite DataNopphawanTamkuan
 
Wbi Introduction
Wbi IntroductionWbi Introduction
Wbi IntroductionNightcolt
 
SDR for radar 090623
SDR for radar 090623SDR for radar 090623
SDR for radar 090623Bertalan EGED
 

Ähnlich wie Costin, francillon ghost is in the air(traffic) (20)

Ann over
Ann overAnn over
Ann over
 
Close Air Support CSAF Update
Close Air Support CSAF UpdateClose Air Support CSAF Update
Close Air Support CSAF Update
 
Saab Airborne Surveillance Media Brief Farnborough 2014
Saab Airborne Surveillance Media Brief Farnborough 2014Saab Airborne Surveillance Media Brief Farnborough 2014
Saab Airborne Surveillance Media Brief Farnborough 2014
 
202209 QSO Today Virtual Ham Introduction to Software Defined Radio with emph...
202209 QSO Today Virtual Ham Introduction to Software Defined Radio with emph...202209 QSO Today Virtual Ham Introduction to Software Defined Radio with emph...
202209 QSO Today Virtual Ham Introduction to Software Defined Radio with emph...
 
Ship Ad-hoc Network (SANET)
Ship Ad-hoc Network (SANET) Ship Ad-hoc Network (SANET)
Ship Ad-hoc Network (SANET)
 
X-Haul: towards an integrated 5G transport network architecture
X-Haul: towards an integrated 5G transport network architectureX-Haul: towards an integrated 5G transport network architecture
X-Haul: towards an integrated 5G transport network architecture
 
SSTRM, - StrategicReviewGroup.ca - Maj Dufour Soldier Modernization - Lethal ...
SSTRM, - StrategicReviewGroup.ca - Maj Dufour Soldier Modernization - Lethal ...SSTRM, - StrategicReviewGroup.ca - Maj Dufour Soldier Modernization - Lethal ...
SSTRM, - StrategicReviewGroup.ca - Maj Dufour Soldier Modernization - Lethal ...
 
6 [progress report] for this leisurely side-project I was doing in 2016
6 [progress report] for this leisurely side-project I was doing in 20166 [progress report] for this leisurely side-project I was doing in 2016
6 [progress report] for this leisurely side-project I was doing in 2016
 
fcc_cognitive_radio_fette_v8.ppt
fcc_cognitive_radio_fette_v8.pptfcc_cognitive_radio_fette_v8.ppt
fcc_cognitive_radio_fette_v8.ppt
 
ADS-B: A Special Report
ADS-B: A Special ReportADS-B: A Special Report
ADS-B: A Special Report
 
Technology, Business and Regulation of the Connected Car
Technology, Business and Regulation of the Connected CarTechnology, Business and Regulation of the Connected Car
Technology, Business and Regulation of the Connected Car
 
Interference from mimo pmcw radar
Interference from mimo pmcw radarInterference from mimo pmcw radar
Interference from mimo pmcw radar
 
Design & development of embedded application
Design & development of embedded applicationDesign & development of embedded application
Design & development of embedded application
 
Training Course_5G RAN3.0 mmWave Beam Management.pptx
Training Course_5G RAN3.0 mmWave Beam Management.pptxTraining Course_5G RAN3.0 mmWave Beam Management.pptx
Training Course_5G RAN3.0 mmWave Beam Management.pptx
 
ARINC 818-2 standard overview and its characteristics
ARINC 818-2 standard overview and its characteristicsARINC 818-2 standard overview and its characteristics
ARINC 818-2 standard overview and its characteristics
 
Co-Registration of Small-Scale Satellite Data
Co-Registration of Small-Scale Satellite DataCo-Registration of Small-Scale Satellite Data
Co-Registration of Small-Scale Satellite Data
 
uElectronics ongoing activities at ESA
uElectronics ongoing activities at ESAuElectronics ongoing activities at ESA
uElectronics ongoing activities at ESA
 
Wbi Introduction
Wbi IntroductionWbi Introduction
Wbi Introduction
 
SDR for radar 090623
SDR for radar 090623SDR for radar 090623
SDR for radar 090623
 
Mobile CDS LTE Simulation Demo
Mobile CDS LTE Simulation Demo Mobile CDS LTE Simulation Demo
Mobile CDS LTE Simulation Demo
 

Mehr von DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

Mehr von DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Costin, francillon ghost is in the air(traffic)

  • 1. Ghost is in the Air(Traffic) Andrei Costin <andrei.costin@eurecom.fr> Aurelien Francillon <aurelien.francillon@eurecom.fr>
  • 2. andrei# whoami SW/HW security researcher, PhD candidate Mifare Classic Interest in Hacking MFPs + MFCUK avionics PostScript http://andreicostin.com/papers/ http://andreicostin.com/secadv/ 1
  • 3. Administratrivia #0 DISCLAIMER  This presentation is for informational purposes only. Do not apply the material if not explicitly authorized to do so  Reader takes full responsibility whatsoever of applying or experimenting with presented material  Authors are fully waived of any claims of direct or indirect damages that might arise from applying the material  Information herein represents author own views on the matter and does not represent any official position of affiliated body  tldr;  DO NOT TRY THIS AT HOME!  USE AT YOUR OWN RISK! 2
  • 4. Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 3
  • 6. How do radars work without ADS-B? 5
  • 7. SSR transmits basic solicited data  SSR is solicited type of communication  Solicitation via XPDR  Solicitation via voice VHF  Example of data from SSR XPDR:  Aircraft Address  Altitude  Code (squawk)  Angles (Roll/Track) 6
  • 8. Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 7
  • 9. Automatic Dependent Surveillance - Broadcast (CASA, 2006) 8 Inputs are not robust enough
  • 10. Input mistakes have severe implications Garmin GTX32x Avionics Tranponders 9
  • 11. Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 10
  • 12. ADS-B is a $billions world-wide effort from 2002… US GOV ITDashboard - FAAXX704 (ADS-B) 11
  • 13. Guidance for the Provision of Air Traffic Services Using ADS-B for Airport Surface Surveillance GPS GLONASS GALILEO 12 How does ADS-B work? – Architectural view
  • 14. ADS-B – INsideOUT… ICAO/FAA ADS-B Implementation Workshop  ADS-B is being used over 2 existing technologies:  Mode-S – 1090 MHz (replies) and 1030 MHz (interrogation)  PPM @ 1 Mbps  UAT (Universal Access Transceiver) – 978 MHz (replies)  CP-2FSK @ 1.041667 Mbps (modulation index h >= 0.6) 13
  • 15. ATC Tomorrow – NextGen, ATC/M and eAircrafts 14
  • 16. Australia Airservices ADS-B Coverage Map 15 ADS-B Deployment Map – Australia
  • 17. FAA NextGen Technologies Interactive Map (ADS-B) 16 ADS-B Deployment Map – USA
  • 18. How does community get this data? AirNav RadarBox Mode-S Beast with miniASDB Kinetic SBS Summarized list of enthusiast-level ADS-B radar receivers microADSB USB PlaneGadgets ADS-B Aurora Eurotech SSRx miniADSB Funkwerk RTH60 microADSB-IP BULLION 17
  • 19. How does ADS-B look like? – Community view 18
  • 20. ADS-B frame – modulation, format, security  Frames encoded in  Pulse-position-modulation (PPM)  1 bit = 1 us  Shared-medium (no CA/CD), theoretical bandwidth 1 Mbit/sec 19
  • 21. ADS-B frame – modulation, format, security  Frames encoded in  Pulse-position-modulation (PPM)  1 bit = 1 us  Shared-medium (no CA/CD), theoretical bandwidth 1 Mbit/sec  Frames composed of  A preamble  8 bits for TX/RX sync  A data-block  56 bits for short frames  112 bits for extended/long frames  Mandatory to have  24 bits ICAO address of aircraft  24 bits error-detection parity 20
  • 22. ADS-B frame – modulation, format, security Page intentionally left blank 21
  • 23. Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 22
  • 24. ADS-B Main Threats – Summary ADS-B Threat Fail / warn / ok Entity/message authentication Entity authorization (eg. medium access)* Entity temporary identifiers/privacy Message integrity (HMAC) Message freshness (non-replay) Encryption (message secrecy) Massive public DBs with private detail* 23
  • 25. Potential mitigations exist… but are not public  Mode-4/Mode-5 IFF Crypto Appliqué  2-Levels Crypto secured version of Mode S and ADS-B GPS position  Defined for military NATO STANAG 4193  Enhanced encryption  Spread Spectrum Modulation  Time of Day Authentication  Level1:  Aircraft Unique PIN  Level2:  Level1 + other (unknown for now) information  Apparently based on Black & Red keys crypto  ADS-B also specifies, but not details available about crypto/security:  DF19 = Military Extended Squitter  DF22 = Military Use Only 24
  • 26. Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 25
  • 27. ADS-B – Adversary Model – By location  Ground-based  Easier to operate (win criminals)  Easier to be caught (win agencies)  Easier to defend or mitigate against (win agencies)  Eg. Angle of arrival, time-difference of arrival  Airborne  Drones  UAV  Autonomously pre-programmed self-operating checked-in luggage:  Pelican case, barometric altimeter, battery, embed-devs, GPS, RF…  Possibly could work around angle of arrival  Could pose more advanced threat to ADS-B IN enabled aircrafts  Important: not extensively modeled in the attacker & threat modeling of Mode-S/ADS-B 26
  • 28. ADS-B – Adversary Model – By role  Pilots  Bad intent  (Un)Intentional pranksters  Pranksters  Abusive users/organizations  Privacy breachers – eg. Paparazzi  Message conveyors  Criminals  Money (more likely). Eg.: Underground forums with “Worldwide SDRs for hire” – potentially very profitable underground biz (think sniff GSM)  Terror (less likely)  Military/intelligence  Espionage  Sabotage 27
  • 29. Example: external abusers + public data correlation Strategically positioned Have a well-defined target Poses inexpensive devices Can publicly access private details (why is this allowed?!) 28
  • 31. Public access, seriously? Australia (CASA) 30
  • 33. DoS constraints  ADS-B over 1090 MHz Mode-S ES has is PPM @ 1 MHz  It means bandwidth 1 Mbps  For 112 bit messages  Upper limits  MAX different 9000 fake airplanes  OR same fake airplane in 9000 different positions/sec  Pretty damn fast UFOs!  Assumptions  Nobody else (il)legitimately transmits  OR the upper limit is decreasing over-liniarly with linear increase in transmitters 32
  • 34. Hardware setup Hardware Functions Price SDR USRP1 Main RF support 700 USD SBX ADS-B OUT/IN (attack) 475 USD WBX ADS-B OUT/IN (attack) 450 USD DBSRX2 ADS-B IN (verify) 150 USD Plane ADS-B IN (verify) ~245 USD Gadget Attenuators Limit output (SMA cable) <10 USD Cables Alternative SDRs Alternative ADS-Bs 33
  • 35. ADS-B Message Replay Quick reference  Capture ADS-B data:  UHD-mode  uhd_rx_cfile.py --spec B:0 --gain 25 --samp-rate 4000000 -f 1090000000 -v ~/CAPTURE_adsb.fc32  Pre-UHD-mode  usrp_rx_cfile.py  Replay the captured data:  UHD-mode  tx_transmit_samples --file ~/CAPTURE_adsb.fc32 --ant "TX/RX" --rate 4000000 --freq 1090000000 --type float -- subdev B:0  Pre-UHD-mode  usrp_replay_file.py 34
  • 36. ADS-B Message Injection Quick reference guide  ADS-B data crafting  Tweak the captured data  Load I/Q data: d_cap = read_float_binary(‘~/CAPTURED_adsb.fc32’)  Modify the samples: d_cft = adsb_randomize(d_cap)  Write back I/Q data: write_float_binary(d_cft, ‘~/CRAFTED_adsb.fc32’)  Generate the data  MatLab – modulate(adsb_frame, fc, fs, ‘ppm’)  GNUradio – write native C++ block  Transmit the crafted data:  UHD-mode  tx_transmit_samples --file ~/CRAFTED_adsb.fc32 --ant "TX/RX" --rate 4000000 --freq 1090000000 --type float --subdev B:0  Pre-UHD-mode  usrp_replay_file.py 35
  • 37. ADS-B Message Analyze/Visualize/Plot Quick reference guide  GNURadio ModeS tests:  Pre-UHD-mode (by Eric Cottrell):  gr-air/src/python/usrp_mode_s_logfile.py  UHD-mode (by Nick Foster):  gr-air-modes/python/uhd_modes.py –a –w –F ~/CRAFTED_adsb.fc32  GNURadio:  gr_plot_psd_c.py -R 4000000 ~/CAPTURE_adsb.fc32  gr_plot_psd_c.py -R 4000000 ~/CRAFTED_adsb.fc32  Octave + gnuplot:  n_samp = 500000  trig_lvl = 0.01  d_cap = read_float_binary(‘CAPTURE_adsb.fc32’, n_samp)  axis ([0, n_samp, -trig_lvl, trig_lvl])  plot(arr) 36
  • 40. ADS-B Fuzzing notes  PlanePlotter doesn’t show at all planes whose ICAO24 starts with 0xxxxx like 031337  No indication in the standard it should be this way  We don’t know how real-world radars behave to such fuzzing  Anyone in the audience? 39
  • 41. Agenda 1. ATC Today (SSR) 2. Today’s Problems 3. ATC “Tomorrow” (ADS-B) 4. “Tomorrow”s Problems 5. Exploit scenarios & Demos 6. Solutions and take-aways 40
  • 42. High-level perspective – Timelines  SDR Community  1988 (Peter Hoeher and Helmuth Lang) - SDR prototype  1991/1992 (Joseph Mitola) - SDR theory and paper  October 2003 (Ettus) - USRP1 available $US750  September 2008 (Ettus) - USRP2 available $US1700 (http://www.ruby-forum.com/topic/165227)  13 Jan 2010 (Ettus) - WBX Tranceiver board available (http://lists.gnu.org/archive/html/discuss-gnuradio/2010-01/msg00146.html)  23 Mar 2011 (Ettus) - USRP N200 $US1500 and USRP N210 $US1700 available (http://lists.ettus.com/pipermail/usrp- announce_lists.ettus.com/2011-March/000007.html)  15 Apr 2011 (Ettus) - SBX Tranceiver board available (http://lists.ettus.com/pipermail/usrp-announce_lists.ettus.com/2011-April/000008.html)  February 2012 (Antti Palosaari) - RTL-SDR discovered (http://thread.gmane.org/gmane.linux.drivers.video-input- infrastructure/44461/focus=44461)  ADS-B Standartization/Regulatory  Jul 2002 (FAA) - Federal Aviation Administration (FAA) announced a dual link decision using 1090 MHz ES for air carrier and private/commercial operators of high performance aircraft and UAT for the typical general aviation user as media for the ADS-B system in the United States (http://www.faa.gov/news/press_releases/news_story.cfm?newsId=5520&print=go)  March 2003 - First ADS-B demonstrations (AOPA for CAP)  April 2003 (RTC) - DO-260A "Minimum Operational Performance Standards for 1090 MHz Extended Squitter Automatic Dependent Surveillance – Broadcast (ADS-B) and Traffic Information Services – Broadcast (TIS-B)"  Jul 2004 (RTC) - DO-282A "Minimum Operational Performance Standards for Universal Access Transceiver (UAT) Automatic Dependent Surveillance – Broadcast."  2004 - US Development & testing stations deployed  2007 - Early estimates stated the cost to equip a general aviation aircraft ranged from $7,644 to $10,920 for ADS-B Out and from $10,444 to $29,770 for ADS-B Out and ADS-B In, depending on aircraft type.  2009 - US Ground segment implementation and deployment  2009 - Assuming 2009 market prices for individual system components, a UAT retrofit was estimated at $18,000 and new at $25,000. For a 1090ES retrofit $4,200 and new at $18,000.  Dec 2009 - Australia in world first for nationwide ADS-B coverage  Research community  Jan 2001 - An Assessment of the Communications, Navigation, Surveillance (CNS) Capabilities Needed to Support the Future Air Traffic Management System  Oct 2001 - Vulnerability assessment of the transportation infrastructure relying on GPS  2002 - Validation techniques for ADS-B surveillance data  2003 - GPS integrity and potential impact on aviation safety  Sept 2004 - Aircraft ADS-B Data Integrity Check  2008/2009 - Vast security research on Future eEnabled Aircraft and their support infrastructure  Oct 2010 - Identification of ADS-B System Vulnerabilities and Threats  2010 - Assessment and Mitigation of Cyber Exploits in Future Aircraft Surveillance  2010 - Visualization & Assessment Of ADS-B Security For Green ATM  2011 - Security analysis of the ADS-B implementation in the next generation air transportation system  Oct 2011 - Aircraft Systems Cyber Security  Oct 2011 - On the Requirements for Successful GPS Spoofing Attacks  Jul 2012 - First public practical setups and demonstrations on ADS-B attacks (BH12US, DC19) 41
  • 43. ADS-B Security Solutions  Solutions could include:  Verifiable multilateration (MLAT) with multiple ground-stations, but:  “Group of aircrafts” concepts  AANETs should inspire from VANETs solutions  Lightweight PKI architectures and protocols. Our thoughts:  FAA, EUROCONTROL, CASA as CAs  CAs root keys installed/updated during ADS-B device mandatory certification process  HMAC on each broadcast message  Every broadcast a subset of HMAC bits 42
  • 44. ICAO 12th Air Navigation Conference - CSTF Take-aways – THE GOOD 43
  • 45. Take-aways – THE BAD  ADS-B is a safety-related mission-critical technology  Yet, ADS-B lacks minimal security mechanisms  This poses direct threat to safety  ADS-B costs tremendous amount of money, coordination, time  Yet, ADS-B is defeated in practice with  FOSS or moderate-effort custom software  Relatively low-cost SDRs hardware  ADS-B assumptions are not technologically up-to-date  Doesn’t account users will have easy access to RF via SDRs  Doesn’t account users will have easy access to UAV, drones, etc.  SDRs and their decreasing price are not the problem ADS-B is flawed and is the actual architectural root-cause 44
  • 46. Take-aways – THE UGLY  Portable RF sniffer  Uber cheap (25 USD)  few MHz ~ 2.x GHz  RTL-SDR via RTL 2832U + E4000  Portable ‘universal’ RF transceiver  Cheap (300 USD)  few MHz ~ 2.x GHz  HackRF by mossmann  Exponentially more functionality  Compared to 2009 PM3 price  TCAS  100% affected user base vs ~30% on ADS-B  Involves TAs & Ras  pilots are expected to respond immediately to the RA  aircraft will at times have to manoeuver contrary to ATC instructions or disregard ATC instructions  Custom Verilog required  More stable/precise timing required 45
  • 48. References (related talks)  22C3 – I see airplanes  DefCon17 – Air Traffic Control: Insecurity and ADS-B  DefCon18 – Air Traffic Control Insecurity 2.0  GRConf2011 – ADS-B in GnuRadio  DefCon20 – Hacker + Airplanes = No Good Can Come Of This 47
  • 49. Acknowledgements  Thanks to Aurelien Francillon, my PhD professor & advisor, for his tremendous support on this research  Thanks to EURECOM for time offered to finalize this research and whitepaper 48
  • 50. Challenge for all POC hackers and not only!  Check out: code.google.com/p/libadsb  Library for ADS-B encoding/decoding and utilities  Help community – write ASN.1 specifications for ADS-B  Easy Wireshark integration + core of libadsb  Provide formal specification of lengthy documents  Teach yourself – improve the demo code above  Top 4+1 contributors get either one of these:  Rtl-sdr dongle  Arduino baseboard  Raspberry Pi Fell free to shout: zveriu@gmail.com 49
  • 51. Thank you! Questions, ideas, corrections? Andrei Costin <andrei.costin@eurecom.fr> Aurelien Francillon <aurelien.francillon@eurecom.fr>