And now, RenderMan. Apparently I need no introduction. Thank you. So, yes, a few of you know me. I've been speaking for like six years. Who am I? Consultant. Yeah, yeah, yeah. I just got my CISSP. Decided to troll (ISC)² and had Kevin Mitnick as my first work reference for that. That was fun. Written some books, I do trainings after the day. Renderlab.net is my site. Member of a few groups. I've been here every year since DEF CON 7, since 1999. There are kids running around that weren't even born when I first started going to DEF CON. I have the scars to prove it. It is scary how many years I've been here. And every year it gets better. You guys make this a friggin' awesome con. I quit jobs to come down here. There's nothing that would stop me. I'm the guy that goes to a conference in Poland and has this waiting for me. Apparently my reputation precedes me a little bit. But first I want to address something. The Kaminsky problem. Over multiple cons, Dan Kaminsky and I are speaking at the same time. I have yet to see him actually speak. This is getting absolutely ridiculous. In his blog he actually plugs it as the RenderMan birthday paradox. Which is highly ironic because yesterday was my birthday. And I don't think he has any cookies this year. But what the hell? Oh hell. Oh hell. Apparently I get to drink. Absolutely no one make a head joke. But basically I'm thinking next year, basically with Dan I think we just need to find a way to really screw with DEF CON and any other con we end up at and speak together at some point and see how they schedule that one. So for this talk I have to do some ass covering and I have to thank the EFF for vetting this and giving me some suggestions as to what to say. For the love of SpongeBob, do not try anything you're about to see. We're talking about screwing potentially with commercial air traffic control and airliners in flight. This is not a natural tenable position for a human being.
500 miles an hour, 6 miles above the surface of the earth. Use this information to make air travel safer. Use this to alert people that gee maybe there are other systems out there we should be looking at to protect ourselves. Think about how this happened and how we can make sure that future systems are built in a more secure manner because as you'll see this is absolutely terrifying stuff and this happens a lot. We as hackers have a unique insight. We think about things in terms of security. We always think about the outside. We always think about that X factor, that thing that nobody else in the world seems to do. I mean yesterday you had the chief of the NSA standing up here saying the same thing. Don't necessarily agree with everything he said but the sentiments there. We as a group have got to be more involved in the world. So just for reference, here is the statute of the United States criminal code about interfering with air navigation systems of which basically half the stuff I'm talking about if you actually did it would be violating. You're looking at five years in jail and a bunch of fines and all sorts of fun. This talk is kind of weird. I want to be wrong. I want to find out that I am completely wrong about everything I'm about to talk about. I'm not a pilot. I am not an air traffic control operator. Could you imagine me as an air traffic control operator? I am in no way associated with air traffic or commercial airlines or anything like that beyond flying cattle class a whole bunch. I'm very good at stuffing people in the overhead bins now. If I get some acronym or some minor detail wrong, I apologize. You think the computer industry is bad for acronyms, start reading some of this documentation. It's insane. This research is ongoing and the air traffic control system is so huge there's no way I could talk about everything in it or understand it for, you know, it would take me years. But this stuff is too important to just keep quiet. 
So I wanted to point all this out now so I can get other people on board so it's not just all me and another handful of people. The whole crux of this talk is I want to prove to myself that air travel is still safe, that moving to the next generation air traffic control system does not make things any more dangerous. I'm continually trying to prove this to myself and failing. So I need your help to try to assure myself that this is working. So I got interested in this stuff purely by accident, by a program called Plane Finder AR in October of 2010. Some of you may have remembered this program because it was pissing off Homeland Security and I can't remember which congressman or whatever it was but basically stood in front of the, on the floor of Congress and said all these horrible things saying oh my God the terrorists can track our airplanes and all this stuff and it's like you have absolutely no idea how this works, do you? As one can say for a lot of things with Congress. Essentially what happens is you take your iPhone, you point it at a contrail in the sky or in a direction. It knows where you are, what direction and angle you've got it pointed at and you're looking through the camera and it overlays the flight information where the flight is. Kind of cool, sitting in an airport and say oh what flight is, oh that's one going on to Honolulu, okay that's kind of neat. I've played around with this for a while. I started asking okay well how does this work? Where are they getting this information? It can't all be just downloaded onto the phone or something, it requires a web lookup. So this led me to sites like PlaneFinder.net, Flightradar24, RadarVirtuel. Essentially what these sites do is they aggregate data from all over the world. Users set up ground stations wherever they are and then collect data from flights going over and feed this information into a common database; each of these sites runs off a different database.
But then puts all this stuff into nice Google maps or flyable maps and you can see pretty much real time air traffic. Okay this is kind of cool. It's about a 10 minute delay on that traffic but still you can see what flights are coming in and out of town. Lots of interesting info. You can query and see okay what flight is this? Oh that's the one to Honolulu. What kind of plane is that? Oh 747 owned by these guys. There's a huge amount of information there and this is really neat stuff. The sort of stuff that just a few years ago was unfeasible to think that we'd have access to. So it all went downhill from there. I've been vastly underemployed for a year which means I have a lot of free time on my hands. Generally what I say is that when I get bored bad things happen. What I have been doing a lot of is speaking. All over Canada, Europe, U.S. So I fly a lot. So I'm spending a lot of time at airports which considering my background in wifi usually ends badly as well. But you sit around and you're thinking for you know at the Las Vegas airport here you've got a flight landing every 90 seconds. That's an awful lot of metal, money, people moving around. How does this all work? How does this all fit together? You always hear about air traffic control but does anybody really know how it works anymore? This is why I should always be employed. I started thinking about this stuff. So I did some research. Air traffic control really hasn't changed much since the 1970s. So you know if you ever watch Airplane!, you know, wonderful movie, with the exception of you know the comedic elements, it's pretty much like that. Primary radar. You know the big radar dishes you see rotating on top of the conning towers. Basically they just send out a signal, bounces off metal, comes back. That's how you tell where something is. That's what they've been doing since the 1970s. They now have a, whoa, drinks are kicking in. They now have a transponder system, a secondary radar system.
So as that radar goes out, it sends out a pulse that the transponder receives and then sends out a signal back with a transponder code as well as altitude information. So previously with primary radar going around, they knew the bearing and approximately the distance of the flight but they had no idea of altitude. They didn't know anything. All of that was transmitted over voice channel. Now with secondary radar you at least have some sort of tracking saying, oh, this is American Airlines flight. But there's still a huge amount of work required. Still a lot of voice communication going back and forth. This interrogation only happens every few seconds. And when you've got something flying 500 miles an hour, its position changes really quickly. So you aren't getting as accurate a picture of what's going on in the sky as you think. The pilots get no benefits. Air traffic control knows where they are. The pilots don't. You know, anything saying, oh yeah, you need to be careful. There's another flight over here. That all comes back from air traffic control. The pilots are essentially flying blind in a lot of ways. It's kind of scary. This requires that there be a large separation of planes. You can't have planes, you know, riding each other's ass all the way in. You have to maintain a certain level of separation for safety because you don't know, you know, exactly where things are. You know, it could get too close. Bad things could happen. So we're still pretty much running by the seat of our pants. VOR, which is basically a waypoint based system, is not optimal. So a lot of airlines are saying, well, we need to improve this because if we're flying point to point to point, you know, shortest distance between two points is a straight line. They aren't doing that. They want to be able to do that, saves gas. You know, you're always hearing about the fuel surcharges and all that crap nowadays. And air travel is increasing. You've got limited capacity.
You can't build an airport every five miles kind of situation. You've got cities where, you know, you look at the Las Vegas airport here, McCarran, there's only a limited amount of space that you can do there. You can only put so much throughput through there. So you need to do everything you possibly can to squeeze everything you can out of there. And then you just get really weird crap, things like weather. There was that volcano a couple of years ago in Iceland, which I am certainly not going to try to pronounce the name of. These sort of events can cause havoc all around the world. And those effects in one location can ripple because the entire situation is dependent. A flight leaving Europe landing in the United States is then going to continue on somewhere else. If that plane doesn't arrive, well, it just backs up the whole system. So the decision was made, something needs to change. That change became the next generation air traffic control system. In the late 90s, FAA and others created an initiative to revamp air traffic control in the U.S. and by proxy, essentially the world. They wanted to do more with less, take the existing systems. Because the problem is you've got, you know, like, what was some of the numbers? It was almost half of the air fleet is in the air at any given time. So it's not like you can stop all air travel, take it to some hangars for a couple of weeks, retrofit everything and then put it back out. The world would grind to a halt. And that would be a bad thing, by the way. So they wanted to modernize this over a period of time, approximately 20 years. Some of the mandates for the system kick in in 2020. So we still got lots of time here. They wanted to save costs on air traffic control equipment because big primary radar dishes that spin around on top of towers are very expensive. But at the same time, they also wanted to save fuel for the airlines so they could cut costs, save time and increase capacity.
The key for this is ADS-B. This is the data source for the plane finder sites I mentioned and the focus of this talk. And I need a drink. So ADS-B is automatic dependent surveillance broadcast. Planes are now being equipped with GPS to determine their own position. They broadcast that over a 1090 megahertz link or, for smaller planes, 978 megahertz for general aviation. At approximately one hertz. So once a second. So you get a much faster update than you did with primary radar. This information contains the aircraft ID, altitude, position, latitude and longitude, bearing, speed, all that stuff, airframe numbers, et cetera. This is received by the network of ground stations. Now, these ground stations can be a lot more plentiful because they're a lot cheaper than a big spinning, rotating radar dish. This is particularly useful because you can also stick these ground stations on things like offshore oil platforms in places like the Gulf of Mexico where there hadn't been primary radar coverage before because you couldn't put a radar dish there. So before it was, oh, plane is entering Gulf of Mexico. We can't track it for a couple hours while it's flying over. And then it pops out the other side. Sort of a triangle thing. But now they can. The early pilots of this were in Alaska where there's just a very mountainous region that they needed to know exactly where they were because on landing, you're basically going through this mountain valley. If you're a couple of hundred feet either side, you've got problems. The certainty of location allows flights to be a lot closer. If you know that a flight is here and another flight is here, your margin of error is a lot smaller. Apparently I'm offline. Your margin of error is a lot smaller and you can pack flights in, which means you can have more flights landing and increase your capacity. This protocol works in two forms. There's ADS-B out and ADS-B in. So quick graphic here. You can see planes using GPS to determine location.
Send a signal down to air traffic control. There's also some interplane communication which I'll get to and data coming back from air traffic control to the plane. So it's a lot more data being pushed around than previous systems. There we go. But when you start looking at the protocol itself, this looks an awful lot like a network packet, doesn't it? So with ADS-B out, this is from the plane out to the world and out to air traffic control. No interrogation needed. This is the automatic part. That's getting annoying. Instead of the primary, secondary radar system, planes just report their position via GPS. Send omnidirectionally, every direction, to the ground stations and other aircraft that are in the area. Air traffic control scope used to be the big sweeping arm going around in the old CRT tubes. That is now replaced by digital displays and populated from this information. Uses 1090 megahertz for the commercial stuff, you know, the big 747s, commercial airliners. General aviation uses another system on 978 megahertz, UAT. It's a slightly different link format, but effectively it does the same things. So ADS-B in is information flowing into the plane, which is something that's fairly new. It's optional equipment that can be installed in aircraft. It allows them to receive these signals. It's not mandatory, but it's one of those, it's a nice to have, because what it does is it allows planes to be aware of each other without air traffic control intervention. I am just going to say, go away. There we are. So suddenly you have plane to plane communication. You can say, hey, I'm over the Gulf of Mexico, but I know that there's another plane not far off my starboard side. Starboard? I'm not nautical either. For UAT, for small aircraft that never had weather radar, they're now able to get weather reports in from air traffic control. So this is awesome if you're flying around in your little Cessna. You can actually know what weather is coming up.
You're not having to guess or look at forecasts, which are notoriously not the most accurate thing. The amount of situational awareness increases dramatically. This makes air travel safer. You know exactly where everything is around you, less chance of collisions, et cetera. Also works for ground equipment, you know, taxiing aircraft, other equipment on the ground. It is expensive though, to put these systems into commercial airliners, $5,000 to $10,000 for just the broadcast out, up to $20,000 for in, because you've got a whole new display panel that needs to be put in. This stuff ain't cheap. General aviation market is getting a lot cheaper. You know, nice little handheld Geo GPS size units are out now. The problem is for a lot of the testing I was looking at doing, there's not a lot on the used market yet. So this gets to be a bit of a problem. This is as of 1.35 p.m. this afternoon, London. Gee, isn't there a really big event going on in London right now? Just looking at this, do you think it's a good idea that, you know, the average public is able to look at something like this? So the hacker side of my brain took over when I was researching this protocol and how that, you know, little app on my phone worked. You start looking at these things and you start thinking, well, how is this actually being transmitted? Like, what does the actual protocol look like? And as I showed you the packet there earlier, I couldn't immediately find anything where they talked about how they mitigate potential threats about this. Every answer seemed to be trust us. Well, I don't trust easily. Previous experience usually means that they either haven't thought of those risks and are trying to cover it up or they had thought of these risks and were just completely oblivious. I started digging and found out I'm not the only one. ADS-B is unencrypted and unauthenticated. Right there, that sound. I love that sound.
Anyone can listen to 1090 megahertz or 578 for general aviation and decode the transmission in the aircraft in real time. It's a really simple pulse position modulation. You know, it's not a very, they want this thing to be very robust because, you know, you get a lightning flash or something like that. You don't want your signal scrambled. You want this to just go through, it's really simple stuff. There's no data level authentication of the aircraft. Just a simple checksum. You don't know that it actually came from that aircraft. There is some correlation with primary radar in this hybrid time as they're transitioning. They're starting to implement multilateration in a lot of cases. I'll get more to that later, though. But I'm running a ground station at home sitting on my desk, little box, Mode S Beast, that records, that's hooked to a big, like, four and a half foot antenna, that takes in this ADS-B signal from the surrounding area, processes it, uploads it to the internet to some of these sites, and I'm able to look at my own, you know, personal virtual air traffic. I'm able to see all the flight paths for the area around my home. And this is actually really interesting because there's times where like at four o'clock in the morning, this flight goes over when the airport's usually closed. Like, where the hell is that? You know, log on, able to see, oh, that's still a FedEx flight going out to Montreal or something. Like five years ago, the ability for me to check on the air traffic in my area without relying on anybody else. That's nuts. Others have been starting to look at this as well. Righter Kunkel, DEF CON 17 and 18, did some talks where he briefly alluded to this. He was basically looking at existing air traffic control systems and looking beyond that. Balint Seeber, spench.net, has been doing a huge amount of research with software defined radios, and also with ADS-B and using those cheap RTL USB TV dongles, using those to actually become ADS-B receivers.
USAF Major Donald McCallie, I found his graduate research project from a couple of years ago where he was researching this stuff. All of these people so far have not, if you read their work, had not found any mitigations for this. They were just saying, well, there's all these potential threats. Nobody's mitigating this. Nick Foster, SDR Radio Professional Badass, has been doing a bunch of research in this and helped me out a great deal. But really no one has come up with solid answers as to is this safe or not? Everything's conjecture and hoping, and that isn't comforting. Largely a North American problem, because the FAA demanded that this be, their order came down, that this be all implemented, that every plane, and within certain criteria, be equipped by 2020. Europe is waiting until 2030. But this is already being utilized all over the world. I believe Australia is pretty much already implemented everywhere. UPS has equipped all of their flights with ADS-B out. They were an initial testbed for the FAA. There are planes over our head right now that are ADS-B equipped and using this. It's the inevitable direction. We've only got eight years before it's mandatory on this continent that, you know, to ask some of these hard questions as the flying public. I fly a lot and want to get home safely. I am very aware of the irony of talking about attacking next generation air traffic control when I have to fly home. But there's a multitude of threat vectors we need to look at. First threat, ADS-B out. So this is plane to air traffic control eavesdropping. This is simple, you know, as I said, unencrypted, unauthenticated protocols. I'm running a base station. I'm able to record all of this myself. Gee, this is all clear text. What can I data mine with that? I get multiples of these stations. I can do my own homebrew multilateration. Even if a plane is not broadcasting its GPS coordinates, if it's broadcasting anything that I can identify, I can still locate that.
You know, Air Force 1 being a prime example of this. The data mining potential, we know it's in the air when, where, remember the extraordinary rendition flights from a few years ago where they grab a guy in one country, take him to another country to beat the living crap out of them? All of that was uncovered by a bunch of plane spotters who were looking at flights that weren't on normal data channels and tracking where they were going. Because, essentially, in order to play nice in airspace, you have to tell air traffic control who you are. I highly suggest you stick around for the next talk, Busting the BARR, because they're talking about this exact sort of stuff where they're data mining this information. Their method is a little different than using ADS-B, but you augment their method with ADS-B and you're going to have a hell of a lot of data to mine. Another obvious attack vector, injection. What is to stop us, other than a very long jail sentence, from injecting ghost flights into air traffic control systems? Documents that discuss using primary radar, you know, actually bouncing signal off metal, that talk about fusing that with ADS-B in order to verify, okay, this plane says it's here, we actually have metal in the air at roughly that location. We can kind of trust that. The same documents that talk about using this system also talk about, hey, ADS-B is cheap, we can now turn off primary radar. That's scary. What happens if we introduce just slight variations of existing flights? Say, you know, starts with broadcasting the same location of that flight, but just sort of make them diverge. How do you know which one's the real one? Generally cause confusion at inopportune moments. You've seen what a snowstorm will do around the holidays at hubs like New York or Atlanta or wherever. It causes chaos for days, people sleeping in airports and all that. Gee, there's an Olympics going on.
If you could suddenly introduce a whole bunch of random crap, because air traffic controllers are busy enough as it is. If you throw 50 extra flights in there that they're having to sit down and figure out, okay, what the hell is going on here? There's planes now circling. You've now got other, you got things backing up. It's instantaneous. It is scary when you start thinking of the possibilities of this. Could you train the system? Create a false signal that goes same time every Tuesday at 2 p.m., this random flight that never responds and is never found to actually have metal there. You know, do that for a few weeks and then, gee, that's where your smuggler's flight goes. There is some discussion of multilateration in this documentation. So multilateration is basically sort of the opposite of triangulation. You have a signal being broadcast from a location, your plane, picked up by multiple base stations. Based on the differences of time between those, you can actually build an arc as to where that signal came from. You get three stations, you're able to draw three arcs, where they intersect, that's where your plane is. But there's nothing that I found that says that this is actually mandatory. The systems are being set up in North America. The company that's implementing them is saying, yes, our systems are capable of doing this. We built it in because it's essentially the same radio. It's nothing fancy there. But there's nothing mandating that airports use this. It may be buried somewhere, but you'd think something, you know, information like that you'd want kind of out front and important. What about jamming? You know, it happens. Radio misconfigured, something like that starts broadcasting on 1090 megahertz. Could you sit outside in the airport and jam their ability to receive flights? Quite possibly. It already happens, he says. You know, purely by accident or malicious intent, who knows.
You could detect these, direction find these fairly quickly, multilateration, you know, roll out some trucks to, you know, FCC trucks or whatever to try and find this stuff. But does every airport have this capability? If I did it for 10 minutes and then moved, did it again, you know, an hour later for another 10 minutes, are they going to roll the trucks for that? I don't know. What plans do they have? If you target a particular location, again, the Olympics, if you could jam London right as all the athletes and VIPs are coming in for an hour, imagine the amount of chaos, coordinate jamming across multiple travel hubs. Like I said, you've seen what weather will do along the east coast of the U.S. during a major holiday. Introduce, you know, a bit of noise. It could be just a Pelican case that you just, like, magnet to the side of a receiving station. Something's gonna happen. I don't know. ADS-B doesn't have a contention protocol. It's just a simple broadcast. So if you get too many planes in the same area, the system falls apart because there's just so much noise. No, you can't get the signal through the noise. You could augment this artificially maybe. I don't know. Let's look at ADS-B in. So this is plane to plane and air traffic control into the plane. You could inject confusing, impossible, scary types of data to elicit a response. You know, you've got a flight that's been flying cross country for a few hours. You know, pilot's a little tired, whatever. You inject something on his traffic display that suddenly says, yeah, there's a plane 500 yards in front of you. I don't know. Something's gonna happen. Probably something involving a sphincter. 500 miles an hour, you can still brown your shorts. You could introduce conflicting data between air traffic control and the cockpit. Air traffic control says, oh, everything ahead of you is clear. No. According to my display, there's a conga line in front of me. What's going on?
Because the aircraft have no source of multilateration. They don't know where this, they have no way of correlating where this signal is coming from. They just get GPS coordinates. That's it. They can't verify where that signal is coming from. This is only used for a traffic display. So this is just a, you know, sort of a nice to have. It's not as important as other systems, but we'll get to those. GPS jamming. The whole source of this thing is GPS locating. You know, you want a really accurate signal. North Korea is currently running GPS jamming along their borders. So it's already happening. The UK ran a bunch of tests along their highways where they had listening posts, listening for rogue signals on GPS frequencies and found a whole bunch of them over a couple of weeks. Usually trucks mounted with jammers so that, you know, they're LoJacks so that the boss knows where you are at any time. You know, some guy would just plug this thing into a cigarette lighter to jam that, so the boss couldn't track them. Newark airport in New Jersey actually had a situation with this. On a regular basis, they would get a whole bunch of GPS interference at the same time, every day, in the same location. Couldn't figure it out. We finally knew, okay, it's a regular basis. We're able to track this down. We'll go out there, we'll camp out with direction finding gear and figure this out. What it was was a delivery truck driver whose boss had LoJacked his vehicle so that, you know, keep tabs on him. The guy'd plug in this cigarette lighter GPS jammer and then take a nap. He would park right at the end of the runway in the parking lot and was jamming the friggin' airport. These things are only like 20 or 30 dollars on DealExtreme, so it's not like they're hard to get. Who's a fan of DealExtreme? Aye. All the crap that you should never die. Is anybody actually able to order stuff from there that costs less than 100 dollars for the whole order?
You go there for a three dollar cable and it's like, you know, 150 dollars later. But these sort of things can be tucked into baggage. You know, could be sitting on a timer. Okay, what's your fallback position now? You know, we jam GPS for the entirety of the flight. All the advantages of ADS-B suddenly go out the window and if you've now disabled a bunch of the original primary stuff, okay, what do we do now? I don't know. Something's gonna happen. GPS spoofing. We manipulate the signals from GPS satellites to say, oh, you're at a different latitude and longitude. The aircraft location tracking is no longer reliable. Okay, best case, we fall back to traditional navigation aids, get rid of some of the advantages of ADS-B. Worst case, such as if you're flying through a mountain valley in Alaska, yeah, you intersect something that's a lot bigger than you and that would be bad. Iran may have used this technique to bring down a U.S. drone earlier in the year. That one I don't think will ever actually get a complete answer as to what happened, but still it's interesting to consider and there's just that university team just this past month that was able to take over a U.S. military drone and guide it by just spoofing GPS. You know, it's for like less than a thousand dollars worth of stuff. So this stuff is capable of being done right now. Some threats are total unknowns. I don't know. The air traffic control system is huge. The stacks and stacks of documents that are out there and publicly available because so many systems interact with each other in weird ways. I can't understand all this. These guys, I have serious respect for that any of this works at all. But things like, okay, so all these ground stations are networked together. Could I be sitting on the west coast and inject something that shows up on the east coast? I'm sitting on the west coast but my GPS that I'm injecting says east coast. I don't know. I'd like to find out.
Honestly, has anyone actually sat down and fuzzed a 747 or an air traffic control tower? There's data going in and out of there. Yeah, there's checksums and everything like that. But what happens when you just start spewing random weird crap at it? How does it deal with that? I don't know. We've got very mature, you know, networking protocols that still fail massively with basic fuzzing techniques. Look into, is Chris Roberts in the audience? No? Okay. Chris Roberts, One World Labs. This man scares the hell out of me. Not just because he's in a kilt. His work, basically, he does stuff with, you know, the onboard Wi-Fi on a plane, breaking that and then finding an interconnection between that and the engine control system. So to where he's looking at the output of the Intellibus network for the engine that's outside his window, while in flight, look up his stuff. It is terrifying the stuff that he has found. And then add all this ADS-B stuff into it. Also from his work, how do you know that the chip level code that is being used in these implementations is actually what was originally submitted? A lot of the stuff made in China. We're already finding situations where the code that's in the chip may not be exactly what was supposed to be there. Could this be used as a control channel? We now have data going in and out in a clear text fashion. If we have a particular, you know, change in the checksum or some, you know, mangle the packet in a certain way, could we now use this for controlling onboard malware on a plane? You hope that the engineers, the FAA, DHS, everybody else looked into these threats. But I actually had an interesting conversation yesterday where it was pointed out, they're safety engineers. They're trying to get a plane from A to B operating under certain circumstances as safely as possible, human life, you know, the material cost of the equipment. They're not security engineers.
They're not thinking, what if somebody decides to go doing something completely random or horrible? What happens? Okay, they're thinking, oh, if we fly through an area where there's some random interference, that's fine. But what about targeted, intelligent, slight manipulations of data? This isn't their normal operating thing. This is new to them. Not for us though. We're sort of the opposite. You know, they're safety engineers. We're security engineers. They're used to thinking about getting things safely and not thinking about security. We're used to thinking about security, definitely not safety. Says the guy with a bottle of Crystal Head here.

So the FAA submitted their ADS-B implementation idea to NIST, National Institute for Science and Technology, for security certification. Great, cool. Somebody else, independent verification. But in this one document I found, it said the FAA specifically assessed the vulnerability risk of ADS-B broadcast messages being used to target air carrier aircraft. This assessment contains sensitive security information and is controlled under 49 CFR parts one and blah, blah, blah. And its content is otherwise protected from public disclosure. It gets worse. While the agency cannot comment on the data in this study, it can confirm, for the purposes of responding to the comments in this rulemaking proceeding, that using ADS-B data does not subject any aircraft to any increased risk compared to the risk that is experienced today. This is comforting. Yes, we submitted it for security evaluation. We can't tell you if it was crap or not. What threats were they testing against? Did they think of everything? Maybe there's somebody in this room who could think of something else that I haven't. Or that they haven't. Why not threats of tomorrow? Yeah.

So how do we mitigate some of this? Multilateration is an obvious one. Time differential between signals. You can approximate the location of where that signal is coming from.
But if you're relying on this, then what's the point of putting GPS and everything on the plane so that they know where things are? You just nullified all of your advantages. No indication that this is being used everywhere. What about if the data doesn't match? If I'm able to introduce, you know, have multiple locations and potentially spoof ADS-B or spoof the multilateration signal, if I'm saying that there are two planes, same tail number and everything like that, at two different locations, how is the UI of the air traffic control system, you know, how is this represented? What are the liabilities if I decide, oh, this one's probably fake, I'm just going to not show it. But it's the real one. The response to most inquiries I've seen is trust us. Yeah, no. Last time I ran into the language from that NIST test was the RFID passports the US was looking at implementing. That turned out well, didn't it? Yes, we submitted this to NIST, but we can't tell you what the results were.

I'm not trying to spread a bunch of FUD here. I'm trying to raise some awareness and pressure. I know that there are people from the FAA in the audience at the moment. I want to work with them. I want to find out that this stuff is safe. I fly home in a couple of days. I want to know that this is safe. I want to know what their procedures are. How do the air traffic controllers deal with weird crap? I have 50 extra planes on my display. What do I do? I don't know. Saying to a room of 2,500 hackers that they're suddenly now interested in air traffic control systems? Will they listen to a response? And if that response is me getting arrested, at least I'm going to have a very nice looking mug shot.

A common response is also going to be, oh, but it's too expensive for the common man. A $20 USB TV adapter can be modified to do basic ADS-B reception. Currently working with Dragorn, trying to get him to implement ADS-B tracking in Kismet newcore so we can go war driving for airplanes.
I got word while in the air en route to Poland that Nick Foster had actually implemented ADS-B out through GNU Radio. You can see we actually have a valid packet able to go out through GNU Radio. The honeymoon's over. Exploit number one is here. We have the potential now to put data into the air. GNU Radio plot for a Mode S extended squitter packet.

He also raised his game and impressed the hell out of me. He basically took ADS-B in on FlightGear, the open-source flight simulator. Basically had one radio receiving real-world ADS-B packets, populating the virtual world of the flight simulator, and also has another radio that outputs from your little Cessna out to the real world. So got a little video here. You can see on my right the Google Earth display, that is the output from the real-world ADS-B receiver, the real-world tracking. The virtual plane there, and at the bottom is the ADS-B data stream out. Now this is done in very controlled conditions, basically dummy load, you know, two radios connected to each other. It wasn't actually put out into the air. But you can see, so just to explain what's going on here, you see, okay, you've got real planes there, VDR 211 and everything. Those are the real flights. Your mom is not the real flight. Your mom may be as big as a 747 but that's not her. You see it's got valid packets, valid information. And I don't know, I can't tell if it's showing up on the displays or not. Okay, so it is, you can see the flight path as he's turning around there over the bay. So regenerating packets that, if you put this in front of air traffic control, would show up on their display. Now does anybody think that's a good idea? Um, what is he doing? Uh, okay, is he about to buzz the tower? Really? Okay. Yes, so if I was air traffic control right now I, um, how fast would I be running? Fortunately all this is done in a closed environment by trained professionals. Um, but yeah, you could kind of get the idea that this isn't a good thing.
And if he pans around at the moment here and, uh, you actually see the flight path that it took, you know, if you saw that on a radar scope, oh my god, yeah, there you go, you can see it's spun around, come around. That show's over. Okay, come on. Oh, there it is, okay. So we have the capability of, uh, generating arbitrary packets. I basically prodded Nick a little bit about this. He had thought to do it, you know, in a weekend. Anybody can do this. All the major testing was done at the 900 megahertz ISM band. It would not be difficult to adjust this. You can use UAT ADS-B as well. The next guys who do this might not be so nice.

There are other things in air traffic control that scare me. Tailored arrivals, where air traffic uploads a flight plan for landing, to where basically the pilot receives it, pushes a button, and the plane pretty much lines itself up. Apparently this is also unencrypted, unauthenticated. Having looked into it, I can't confirm, don't call me on that. The air traffic control system is huge and complex. Reading once about one system leads you into a whole bunch of others. It's all tightly integrated. This will be mandatory by 2020. This will be the primary method of air traffic control. It's already used all over the world. There's still time to build countermeasures, like not turning off primary radar.

Basically, if anybody has a 747 or an air traffic control tower that we can borrow, let me know after the talk. I promise to return it in as good condition as I take it from you. But also if you have access just to the avionics, we'd love to actually test this stuff for real. We want to find out. There's some suggested reading, a few documents I found particularly interesting, but there's a lot of information out there. And this is very scary stuff to consider. Who's thinking about taking the bus home? We should be working on finding and solving these sorts of problems. If guys like me can find this stuff, so can bad guys.
Significant investment, billions of dollars, has already been invested into this system. I want to hear your comments. I want to hear your ideas. I want to work together and research this stuff. But wait, there's more. Nick, get up here. So this is Nick Foster. This is the badass behind the video. This afternoon he was telling me about something he just figured out.

So I figured out, after a night of heavy drinking last night, first of all just to say, this is like shooting fish in a barrel. If you're not scared about this, you should be. This is really easy to do without encryption, without any thought of security in the protocol. It's just not hard. So there's a collision avoidance system called TCAS that predates ADS-B. It's called traffic collision avoidance system. It's how airplanes keep themselves away from each other. It operates on the same Mode S data link that ADS-B uses. ADS-B doesn't supplant it. It works with TCAS. TCAS is how airplanes avoid hitting each other. ADS-B is how airplanes know where each other are outside of that. So it relies on this cooperative ranging system. It's like a ping-pong. And it's slaved directly to the pilot. The pilot can see TCAS reports. If there's a plane nearby that TCAS says you should watch out for, it's going to show up on the pilot's screen. If it can be spoofed, this is bad. Now the pilot is seeing false information. It gets worse. On Airbus and Eurocopter aircraft, it's actually tied in to the autopilot. So if the flight director's turned on and TCAS says, hey, somebody's coming up close to you, the autopilot is going to take corrective action. Really. This is bad. So TCAS, in normal operation, the interrogator sends out a ping. It gets a reply back. Okay, it does a little bit of math. It figures out how far the plane is. What's key to this is that there's a fixed 128 microsecond turnaround time that TCAS has in the protocol that gives the electronics time to gather a response and then transmit it.
Well, I don't need 128 microseconds. What if you're not cooperative? If you send out a reply sooner, if you can get a reply out sooner, say you can do it in 70 microseconds, now you can fake your distance from the aircraft as much closer. You can create essentially an arbitrary range to the aircraft. Altitude is encoded in the reply, so you can create a synthetic arbitrary altitude that happens to match the aircraft's altitude. That's it. You can create a range track, a collision course between two aircraft, one of which doesn't exist, that's slaved into the autopilot. So that's what we just figured out last night. I'll turn it back to you. Thank you.

So, do we have time for questions? No. Okay, I think I know who you are, so no? All right. So apparently Kaminsky actually supplanted me out of the Q&A room, so it's actually going to be in the hallway outside the Q&A rooms. So out this door, down the hall, left, down there, look for me. I'll hang on as long as it takes to answer questions. Nick will be here. Thank you, Nick. Thank you, the EFF. Please talk to us about this stuff. Communicate. Thank you.
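The multilateration check the talk mentions as a mitigation, as an added example that is not part of the talk and not Nick Foster's or RenderMan's code: ground stations timestamp each received frame, and a position claim that does not fit the arrival-time differences is held back as a suspect track instead of being plotted or silently dropped. The station sites, flat 2-D metre coordinate frame, tolerance and sample positions are all constructed assumptions.

```python
"""Consistency check of an ADS-B position claim against multilateration timing.
Added example, not from the talk. Constructed flat 2-D frame in metres."""
import math

C = 299_792_458.0  # propagation speed, m/s

# Constructed ground-station sites (x, y) in metres, about 40 km apart.
STATIONS = {"RX-A": (0.0, 0.0), "RX-B": (40_000.0, 0.0), "RX-C": (0.0, 40_000.0)}


def _dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def simulate_toas(true_pos, t_emit=0.0):
    """Time of arrival at each station for a frame sent from true_pos (test aid)."""
    return {n: t_emit + _dist(true_pos, s) / C for n, s in STATIONS.items()}


def tdoa_residual(claimed_pos, toas, ref="RX-A"):
    """Worst mismatch, in metres, between the measured arrival-time differences
    and the differences the claimed position would produce. Working with
    differences removes the unknown emission time, so nothing the aircraft
    reports about time is trusted."""
    worst = 0.0
    for name, t in toas.items():
        if name == ref:
            continue
        measured = (t - toas[ref]) * C
        expected = _dist(claimed_pos, STATIONS[name]) - _dist(claimed_pos, STATIONS[ref])
        worst = max(worst, abs(measured - expected))
    return worst


def classify(claimed_pos, toas, tolerance_m=300.0):
    """'consistent' when the claim fits the timing; otherwise 'inconsistent',
    a track to flag for the operator rather than plot or drop silently.
    300 m of slack is roughly 1 microsecond of receiver timing error."""
    return "consistent" if tdoa_residual(claimed_pos, toas) <= tolerance_m else "inconsistent"


# Constructed sample: a genuine aircraft, and a ground transmitter near RX-B
# that broadcasts the same claimed position.
REAL_POS = (12_000.0, 25_000.0)
SPOOFER_POS = (39_000.0, 1_500.0)
REAL_TOAS = simulate_toas(REAL_POS)
SPOOF_TOAS = simulate_toas(SPOOFER_POS)

if __name__ == "__main__":
    print("genuine :", classify(REAL_POS, REAL_TOAS))   # consistent
    print("spoofed :", classify(REAL_POS, SPOOF_TOAS))  # inconsistent
```

With three stations in a plane the two time differences pin the emitter down, so a claim only passes when the transmitter really is where it says; in the 3-D real world a fourth station plays the same role.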