Hello everyone, thank you for attending my virtual presentation. So I am Guy, I'm a master's student from EPFL and ETH Zurich in Switzerland, and I've been working with armasuisse on privacy in general aviation and most particularly on the recent attempt from the FAA in the US.

First, why do we need privacy in general aviation? In recent years, a lot of articles underline privacy issues in general aviation. For instance, it would be possible to predict company mergers and acquisitions by tracking company aircraft, as demonstrated in a Bloomberg article. It is also possible to track diplomats' trips to foreign countries, which is of course not desirable, or to track the use of corporate jets. Furthermore, I guess that pilots just don't want to be tracked when flying, so that's why a privacy policy is needed in general aviation.

But before diving into the actual policy, I will quickly introduce aircraft communications. Aircraft need to be identifiable at all times when flying, for obvious security reasons. So first, an aircraft can be identified by its tail number, which is the unique registration by the national authority; it's also called the N number in the US. And this number can never be changed. So that is the number that is usually printed at the back of the aircraft or on the tail. Aircraft can also be identified by their ICAO address, which is a 24-bit transponder ID that is assigned by the International Civil Aviation Organization. And there is a direct translation between the tail number and the ICAO address in the US. So if you're interested, I wrote a converter that is available on my GitHub. And aircraft can also be identified by their call sign, which is a unique flight identifier, and it can be changed for each flight. For instance, private aircraft often use their tail number as a call sign. Aircraft use ADS-B, standing for Automatic Dependent Surveillance-Broadcast, to communicate with the ground stations and with other aircraft.
ADS-B equipment is mandatory in many countries such as the US, Australia and European countries. I will not explain in detail how ADS-B operates, but what we need to know is that basically aircraft broadcast, twice a second, information such as their position, velocity, etc. And these broadcasts are identified by the ICAO address and the call sign of the aircraft. Anyone equipped with a cheap software-defined radio can receive these broadcasts from a distance of 600 km. Crowdsourced networks try to cover large areas with antennas and software-defined radios in order to get global ADS-B coverage and make aircraft trajectories publicly available online. Using a crowdsourced network, it is trivial to track an aircraft using only its ICAO address or its call sign. Aircraft can change their call sign for each flight, but not their ICAO address, so they are actually easy to track. So this situation is a serious issue for aircraft and passenger privacy. And until recently, the only way aircraft operators could protect themselves from being tracked was to kindly ask crowdsourced networks to make tracking unavailable for their aircraft. But some crowdsourced networks do not offer this service.

Concerning these issues, the FAA published the following statement: "FAA acknowledges the desire of some operators to limit the availability of real-time ADS-B position and identification information for a specific aircraft. To address privacy concerns, the FAA has initiated the Privacy ICAO Address program to improve the privacy of eligible aircraft." So this Privacy ICAO Address program allows enrolled aircraft operators to periodically change their ICAO address, acting as a pseudonym. So if the aircraft operator simultaneously changes the ICAO address and the call sign of the aircraft, it makes the aircraft harder to track. This program is unfortunately, at least for now, limited to aircraft registered in the U.S. using a specific ADS-B system and a third-party call sign, just for flights in the domestic U.S.
airspace. This means that if an aircraft wants to fly abroad, it has to use its permanently assigned ICAO address and is automatically revealed to anyone who wishes to track it. In the first phase of the program, the FAA will monitor the program, and a new Privacy ICAO Address, or PIA, can be requested every 60 calendar days. And in the second phase, the program will be transitioned to third-party call sign providers and the PIA change frequency will go down to 20 business days, or approximately 28 calendar days.

To illustrate the privacy improvement, we show an aircraft identified by its ICAO address landing at an airport. On the ground at the airport, the operator will request a new Privacy ICAO Address, program it into the aircraft transponder, and change the aircraft call sign before its next flight. So an adversary can observe that an aircraft with ICAO address A12345 arrived at the airport and that another aircraft, with ICAO address ABCDEF, left the airport later on. If this aircraft is the only one that stays at the airport for the given time frame, then identifying that A12345 and ABCDEF are actually the same aircraft is trivial. But if multiple aircraft enrolled in the PIA program are changing their ICAO address at the same airport during the same time period, it is not possible to accurately link aircraft arriving at the airport with aircraft leaving the airport. So the best attack is in fact to take a random guess. So in order to maximize the privacy of aircraft using this scheme, we need to maximize the number of aircraft using a PIA and using the same call sign provider that change their PIA simultaneously at the very same airport. So that's a lot of conditions, a lot of parameters that can influence the privacy level, and we're going to discuss that in detail.

So here is the bigger picture of the ideal system, where all aircraft change their identifier for each flight without any side-channel information.
So a global adversary can observe the flights, but it is hard to accurately link a flight to a given aircraft. You cannot distinguish aircraft when they are flying if they change their ICAO address and call sign at each stop. So this actually results in an asynchronous free-route mix net where all aircraft stay inside the mix net forever. In order to quantify the privacy performance of such a system, we will look at its traceability index, which is defined as the expected ratio of successfully tracked aircraft over time. Here is an example. Time is represented on the x-axis and the traceability index of the system is represented on the y-axis. And the traceability index of this example system after 150 days is 50.3%.

From the beginning of the year, we observed the U.S. airspace through the crowdsourced OpenSky Network and detected that 16 aircraft are using a PIA. 9 of them are using a DCM call sign and 7 of them are using an FFL call sign. Those are two distinct sets of aircraft. We observed these aircraft changing their ICAO address to a PIA, and some of them didn't even update their call sign. So it's trivial to track them even if they wanted to enroll in this privacy program. And we did not observe any PIA change, although some operators have been using the PIA for much more than 60 days. We observed that all ICAO addresses that we suspected to be PIAs are in the N number range from N410000 to N42 and that the 1062 official FAA registrations looked like the one on the right, that is, reserved with no fee on the 1003 2019 by the SBS program office.

And I will now explain an attack on how to track aircraft enrolled in the PIA program. So the first step is obviously to identify a target aircraft enrolled in this program. Then we need to associate the Privacy ICAO Address with an actual aircraft registration, and finally we need to monitor every PIA change of this aircraft.
To detect an aircraft using a PIA, we first look for flights using an ICAO address in this given range, so the hexadecimal range. And then we check in the FAA registry if the associated N number is reserved with no fee by the SBS program office, and if it is the case, then we're almost sure that this aircraft is using a PIA. After we identify the target aircraft, we need to find its original registration. To reach that goal, we need to find the very first flight where the Privacy ICAO Address PIA1 was used. So that is our target PIA. So in our example, as the flight departs from Chicago, we need to find all aircraft that landed at the very same airport in Chicago before the departure of the red flight. So these aircraft are the candidates, and we need to eliminate all of them but one. For instance, after the departure of the red flight, an aircraft which is also identified by the address ICAO1 is observed leaving Chicago. So this aircraft is eliminated. Then the aircraft identified by the ICAO address ICAO2 is observed flying back to its origin, so there is only one candidate left, which is our target aircraft that changed its ICAO address from ICAO3 to PIA1. So we detected the ICAO address change. Once we know ICAO3, we look for the associated N number, so we do the translation and we look for the associated N number in the FAA registry to find the actual aircraft registration containing all of the owner's details, like the name, the address and everything. And so once we have the actual aircraft registration, we only need to monitor the PIA changes, which is essentially the same operation as described previously. Note that if multiple aircraft are changing their PIA at the same airport during the same time period, we have to select one at random and the tracking may be inaccurate. But it is also possible to observe flying patterns of the possible candidates to increase the probability of selecting the correct aircraft according to its pattern after the change.
We built a simulator to help us predict how the PIA program would scale if significantly more aircraft joined it. This simulator takes as parameters a number of aircraft, a number of airports, the average aircraft flight frequency, the PIA change frequency and also the simulation duration. So once the simulation starts, an aircraft will be picked at random and will fly to a random airport, and then another aircraft will be chosen at random flying to another airport, and so on. So as the trajectories are random, the simulator is not totally realistic, but it provides a lower bound on the traceability index, as random flights maximize the entropy of the system. The simulator is available on GitHub if you want to check it out.

We implemented the previously described attack to show the performance when we vary a simulator parameter. On this graph we see the traceability index curve for a set of 200 aircraft and 100 airports over a year, where aircraft update their PIA respectively every 60 calendar days, as in phase 1 of the program, so that's the green curve; every 20 business days, which is 28 calendar days, so that's the orange curve, for phase 2 of the program; and every 10 days in blue, which is just to show the difference. So we see that after a year the traceability index of the 60-day update frequency is at 30%, whereas the same score is reached after only 101 days and 37 days for the 28-day and 10-day PIA update frequencies. So updating the aircraft PIA as often as possible gets the best privacy for the system.

Now we make the aircraft fleet size vary while keeping the PIA update frequency at 28 days. So a fleet is a set of aircraft using a PIA and the same call sign space. So all of the aircraft are using a DCM call sign, or all of them are using an FFL call sign. So we go from a fleet of 50 aircraft in blue to a fleet of 500 aircraft in red, and we see that the traceability index after 150 days goes from 87.9% for the 50-aircraft fleet down to only 1.5% for the 500-aircraft fleet.
So these curves really show that maximizing the number of aircraft for a fixed set of airports minimizes the traceability index of the system, which is what we want.

Some obvious improvements to the PIA program would be to add an international policy so that aircraft do not need to use their permanently assigned ICAO address when flying abroad. Because that reveals their position, but also which PIA they used in the past, and so it would be easier to track all of their flight history up until the moment they flew abroad. And it would also be good to make all ADS-B equipped aircraft eligible to enroll in this program in order to maximize the number of aircraft. And all aircraft using a PIA should use the same call sign range, which is not the case currently, as you can use the program with a DCM and an FFL call sign, so that makes two distinct sets of aircraft, one for each call sign provider.

As privacy is maximized when aircraft change their PIA as often as possible, a major improvement to the program would be to allow aircraft to update their PIA for each flight. This gives us the best theoretical privacy performance without modifying aircraft trajectories. But it comes at a price, so it introduces extra work for the administration that has to keep track of all PIA changes, and it takes extra effort for aircraft operators to program the new PIA before each flight. So on this graph we can see the traceability index reached by a PIA change for each flight in green, compared to the traceability index of the program in phases 1 and 2 in orange and blue. And we can see that the current PIA program is still very far from the best possible performance.

Another major possible improvement is to make all aircraft change their PIA simultaneously. This method would consist in making all aircraft owners update their PIA on or before the first flight after a given day.
This would help maximize the number of aircraft updating their PIA during the same time period at the same airport, as they all update their PIA at the same time. This strategy would cause no extra cost for the administration, as there would be the exact same number of changes, and could even be adopted without any official changes to the program if, for instance, a group of aircraft operators agree on the dates at which they will update their PIA. The drawback of this method is that the privacy performance is still far from the theoretical maximum, but it's still better than in the regular PIA policy. So this graph represents the traceability index curve of the 28-day update policy with the PIA updates uniformly distributed in blue, the 28-day policy where all aircraft update their PIA simultaneously in orange, and in green the best theoretical performance where aircraft change their PIA for each flight. So we observe a major improvement for the simultaneous policy compared with the uniformly distributed one. For instance, after 150 days the traceability index goes from 56.9% in the regular PIA policy to 31.3% in the enhanced version.

To conclude this presentation, we showed that the PIA program makes it only slightly harder to track aircraft using ADS-B data from crowdsourced networks. It just makes it more annoying to retrace from a Privacy ICAO Address back to the aircraft owner, but it's still possible, in the sense that the PIA program does not really meet its privacy goal. We showed with the simulator that even with a much larger number of aircraft using a PIA, we can still track a large proportion of them over time, even if they update their PIA as often as possible. And we proposed two concrete solutions to improve the privacy in the PIA program.
So if you want more details about our work, please make sure to check out our paper when it's out. And then finally, my take-home message is: if you get to use this program, please make sure to update your Privacy ICAO Address as often as possible to increase your privacy level and others' privacy level.
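As an added example, not the authors' simulator from their GitHub, here is a small Python model of the mix net the talk describes: aircraft hop between random airports, swap their PIA either on their own schedule or fleet-wide after a common day, and a global observer links each new identifier to whichever aircraft changed identifier at the same airport within the same one-day window, guessing at random when there are several. The one-day linking window, the random-permutation guess, the flight probability and all parameter values are assumptions of this example.

```python
import random
from dataclasses import dataclass


@dataclass
class Aircraft:
    airport: int            # where the aircraft currently sits
    last_change: int        # day of the most recent PIA change
    tracked: bool = True    # adversary still follows the correct identifier chain


def change_due(ac, day, period, simultaneous):
    """True when the aircraft must adopt a new PIA before today's flight."""
    if simultaneous:
        # Whole fleet switches on its first flight on or after day k*period.
        return day // period > ac.last_change // period
    return day - ac.last_change >= period   # each aircraft on its own clock


def link_departures(candidates, rng):
    """Adversary links one day's PIA changes at one airport (assumed model)."""
    if len(candidates) == 1:
        return                  # lone candidate: linked with certainty
    guess = candidates[:]       # several: old->new matched by a random guess,
    rng.shuffle(guess)          # so only fixed points stay correctly tracked
    for real, guessed in zip(candidates, guess):
        if real is not guessed:
            real.tracked = False


def simulate(n_aircraft, n_airports, days, period, simultaneous=False,
             flight_prob=0.5, seed=0):
    """Return the traceability index (fraction still tracked) after each day."""
    rng = random.Random(seed)
    # Uniform policy: spread the first change over the first `period` days.
    fleet = [Aircraft(rng.randrange(n_airports),
                      0 if simultaneous else rng.randrange(1 - period, 1))
             for _ in range(n_aircraft)]
    curve = []
    for day in range(1, days + 1):
        changed_at = {}   # departure airport -> aircraft that swapped PIA today
        for ac in fleet:
            if rng.random() >= flight_prob:
                continue                        # stays on the ground today
            if change_due(ac, day, period, simultaneous):
                changed_at.setdefault(ac.airport, []).append(ac)
                ac.last_change = day
            ac.airport = rng.randrange(n_airports)   # random destination
        for candidates in changed_at.values():
            link_departures(candidates, rng)
        curve.append(sum(ac.tracked for ac in fleet) / len(fleet))
    return curve
```

Calling simulate twice with the same seed and simultaneous set to False and then True compares the two 28-day policies discussed above on identical traffic.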