Hello and welcome to my Aerospace Village talk on wireless privacy issues in aviation. I really, really appreciate the opportunity to share research in this area, even under these fairly unusual circumstances. And I also want to take the time to commend the organization around the village, which is a great initiative that brings together so many stakeholders in order to tackle security issues in aviation. If you don't know me, my name is Martin Strohmeier. I am working at the Cyber-Defence Campus of armasuisse Science and Technology in Switzerland. And I am also a junior research fellow at the University of Oxford. So let's dive in.

When we speak about wireless privacy, what do we mean? The heart of the issue is that we cannot normally prevent access to wireless signals that are being sent. On a wired channel, if we physically control all of the lines and nodes, the number of possible adversaries is normally limited. In contrast, the wireless channel is inherently broadcast. As you can see here, it is typically omnidirectional and there are no physical containment measures possible. So sending or receiving messages does not require you to physically tap into the network infrastructure.

Based on this inherent broadcast property, I want to concentrate on two attack primitives today. The first one is eavesdropping. So a breach of the confidentiality of the transmitted data. This is a well-established concept, of course, and can fundamentally be prevented through the use of encryption. Our phones, laptops do this fairly securely and hassle-free these days, despite the occasional breakdown. The second one is location privacy. Often we do not only want to prevent the content of the communication data being exposed, but also the position of the participants. This gains additional importance in wireless networks. Users are often mobile and we can track their movements over time simply by estimating where the signals come from. Such tracking has many positive use cases.
For example, if you're in a museum standing in front of a painting, a system can deliver matching information to you. However, tracking also facilitates many high-profile privacy breaches.

So let's apply these concepts to aviation. Here we have to understand first that the threat model of aviation has changed drastically over the past decade or so. First, aviation is moving away from analog technologies such as voice or radar and increasingly using digital communication networks and automation. The second aspect is just as important, which is the widespread availability of cheap hardware and software, as well as knowledge about aviation protocols. These two developments combined lead to the fact that many more people are capable of affecting wireless air traffic communication systems than before. And practically anyone can listen to wireless aviation communications these days. In short, the threat model has moved from a purely nation-state actor model to a whole range of groups with different capabilities and motivations. In today's talk, it is actually sufficient to focus on the purely passive eavesdroppers, as observing the communication is entirely sufficient to exploit many of the privacy issues in aviation.

Now let's look at some real-world examples of confidentiality and location privacy issues in different aviation protocols, which were collected from our own research over the years. First, we will talk about the data link ACARS, which has been deployed for decades and is still in use by most larger aircraft around the world. Let me just say at this point that all of these examples now are of course anonymized. Still, you can intuitively see that this is not good. A lot of very critical data is absolutely sent in the clear, and neither Sally here nor Tom would be happy if they knew that their medical information is being broadcast, not only to ground staff, but also to anyone listening in the 300-mile radius of the aircraft.
Further privacy issues in this area include information about personal belongings by crew that you could just go and collect. And of course, our favorite example that often serves to drive the point home: full credit card data for higher-value transactions and onboard duty-free shopping. This credit card thing is indeed still ongoing with some airlines in 2020, despite notifications provided years ago.

Some people in the industry have actually acknowledged that there's an issue with this. And they came up with what you can see here. If you're watching this recording, you can maybe take an extended look at these messages and figure out quickly what is wrong here before I spoil it. But for now, let me tell you. As you may have guessed, this type of ACARS data link encryption is using a monoalphabetic substitution cipher that is broken in minutes. It is used by a wide range of private, military and even government aircraft. And again, this has been going on for more than a decade now. Still, this data link issue, we could say it is fairly straightforward. And this could still be solved with better crypto solutions that are standardized and verified. Honestly, some of them even exist in aviation, but operators of aircraft and airlines still believe they're too expensive.

As a last point on this issue, if you believe that using satellite communication for your data link will avoid any of these issues with software-defined radios, then think again. This here is an example of military aircraft using ACARS, which sent out detailed flight information in advance and regular updates about its movements, which can easily be received by any third party.

This is also a good time to transition to a second topic, location privacy. We know that everybody is being tracked on the ground using your mobile phone. However, in the air, it is a bit different, with aircraft broadcasting the position to other aircraft and air traffic control to safeguard themselves and the whole airspace.
The communication is not supposed to be encrypted and anyone can listen to the same information. So tracking aircraft globally with ease is absolutely a thing. Here we can see that even the US president is being tracked, in this case, during the campaign of the 2016 election.

So let's take a closer look at this problem. First, we need to talk about metadata. Maybe you're familiar with the MAC address of your network phones and laptops. Well, basically the same thing exists for aircraft. It is a unique 24-bit identifier, which is hard-coded into the transponder of any aircraft and provided by the International Civil Aviation Organization. This ID is practically never changed unless the aircraft is sold, making it perfect for any sustained tracking purposes. To make the connection between this identifier and the owner or operator, you can apply all sorts of different databases and websites available publicly on the internet, which is something that we did and you can see here.

So this is a visual representation of all non-European government aircraft visiting Europe over a single year. You can clearly identify some hotspots, unsurprisingly in London or Paris, but also in Switzerland or Nice. From this, we were also able to identify dozens of high-profile multilateral meetings with five or more attendees during the considered time period, from the World Economic Forum to NATO summits. This is, for example, Davos, I think, one or two years ago, and you can clearly see all of the different government aircraft landing at Zurich Airport.

One striking example of the impact of these issues for governments is provided by two investigative journalists who have set up a Twitter bot that is connected to a receiver based at Geneva Airport. It tweets out arrivals and departures by a set of aircraft used by authoritarian governments. And it is known that this is tracked by several organizations watching corruption around the world.
And the public awareness has created formal investigations such as this one, where the vice president of Equatorial Guinea had some of their assets seized.

However, the lack of privacy actually extends much beyond governments and also affects corporate activities as well. We took a look at the activities of different corporations in Europe during a single year by tracking the movements of corporate aircraft and relating them to stock-market-moving merger and acquisition activities. And indeed, in six out of the seven cases that we examined, we could find a decent to really really good signal with landings in the immediate surroundings of the target. In five cases, these visits came up to 25 days before and three even within a week. In many of these cases, exercising significant share price changes on the day of the announcement.

Let's look at one case for illustration. Here we can see the flights of a large American medical company to the city of Basel in Switzerland with the headquarter of the takeover target activity and was this is a zoomed-in version of the same image showing the actual dates and times of the landings at the airport. We can see several flights around the end of January, just before the acquisition was announced, as you can see in this. We can even go further and look at some later visits to Basel highlighted here, which came a day before the acquisition was completed. This illustrates just how much we can learn about the activities of public corporations from watching their flight movements. In the last year, this was also picked up in the mainstream media, as you can see here, for example, in this Bloomberg article.

So, is there anything that can be done about this? Surely many people are aware of these tracking issues by now and want to prevent them where possible. Why are we in this situation in the first place anyway? Well, first I want to spell it out clearly why we don't have any proper security and privacy by design in these technologies.
A good case study is the novel ADS-B protocol, which has only been made mandatory in some advanced countries just this year, but was actually conceived in the mid-1990s with a much, much different threat model, as discussed before. Why it takes this long is due to a host of reasons, including strict certification and testing requirements, and the wish for maximum interoperability across the globe. If you look a bit closer, things get even worse, as ADS-B is built on hardware and software standards developed by Lincoln Labs in the 1970s. Now it should be very obvious that wireless security has moved much faster outside aviation than inside during this time.

But if you cannot have privacy by design, what is being done? The first and most notable mitigation is to hide sensitive aircraft from public websites through block lists maintained by flight authorities. The aircraft are either entirely hidden, or they are anonymized as shown here. Of course, this approach is entirely useless from a security researcher's point of view, as the data is still all available. It is simply not displayed anymore. So, while this certainly qualifies as security theater, it at least shows that some people do care about their privacy.

The second mitigation approach would be to obscure the ownership within all of the publicly available records. Private aircraft are often registered via shell companies or bank trusts, sometimes a whole network of them, which makes it difficult to get all of the information that you need from the metadata. However, one single slip of the operational security and the information is out forever, or at least until you buy a new aircraft, which honestly even the richest of the rich do not do every other week. We can find the data on social media or dozens of dedicated plane spotting websites, which with a really large community of physical spotters is super quick and reliable.
Of course, when your aircraft's livery contains your company logo, there's certainly the question why you're trying to hide your ownership through a shell company in the first place. If we see your aircraft land at any given airport, we will immediately know who you are.

A third interesting observation is that some military and government aircraft are clearly aware of the privacy issue of their broadcasts and switch them off for takeoff and landings in order to conceal the origin and the destinations. Unfortunately, this also does not help against any reasonably competent observer, because the aircraft are still required to send out their identity and the altitude, which in the end makes it fairly easy to localize them, for example, using multilateration or any really dense sensor network.

That leaves us with one last option. You could simply not use your own private aircraft, but instead rely on commercial air transport options. Both government have been known to fly coach from time to time, but whatever their motives were, it can certainly not have been for privacy reasons, as we can see in this excellent example of the then British Prime Minister David Cameron eating Pringles on an easyJet. This was broadcast all over the internet before he had even landed.

Finally, I want to address a real and effective fix. You could randomize the transponder ID of sensitive aircraft for each flight, which would stop the trivial tracking of the anonymized aircraft at least. This one is more or less straightforward in theory. However, the problem again is in the legacy system and the global compatibility. The fact that the flight authorities' security knowledge isn't necessarily the greatest. There was a first deployed attempt of this about 10 years ago, where researchers were still easily able to correlate the random identities with the original identity, making the whole thing absolutely useless.
The FAA did recommend against using it at the time because of pretty strong safety considerations. And I think if your regulator recommends against using a system for safety reasons, that would probably make most people think twice. However, there might be light at the end of the tunnel, because there's a brand new attempt at dealing with aircraft tracking by the FAA, the so-called Privacy ICAO Address program. It addresses a few of the issues that we've seen here, but the jury is still out on the effectiveness of this one. We've actually now done a preliminary analysis, which I'm not going to spoil here. If you're interested, watch the dedicated talk by Guillaume Michel here in the Aerospace Village.

So let me finish my talk with two takeaway lessons. These two lessons are especially for the aviation community and are direct results of our research. The first one will not come as news to any long-time DEF CON attendee, but please do not roll your own crypto. Trying to do that has resulted in spectacular fails across many industries and aviation is certainly no exception. The best example is the ACARS disaster, which leaves recent aircraft with weak proprietary ciphers and leaking their sensitive data, even though they're actively trying to avoid it. Get some help, use known secure standards, and then actually also use these systems, unlike ACARS Message Security, which has seen virtually no uptake in the wild.

The second lesson is where I really, really hope the Aerospace Village will help to make some improvements by bringing together security researchers and aviation stakeholders. But please, if somebody responsibly discusses security issues in your systems with you, do not shoot them down by replying that there's nothing to see, like in this nice example.
After contacting the manufacturer, we only received the reply that the malfunction in crypto was not there to protect anything in the first place, and that industry standards or regulations do not require them to build anything better at all. Indeed, they even went as far as to say that all of their users are security experts and would know that their crypto system does not protect anything, which I have a hard time believing to be honest, in particular when I take a look at the software option saying "encrypt downlink", as seen in this screenshot.

So to conclude, first of all, we can say that modern software-defined radio technologies have certainly changed the threat model for wireless aviation networks fundamentally. The integration of privacy by design, on the other hand, into legacy aviation systems after this technology step change is super hard. Combined together, this means that it's trivially possible to track the movements and the communications of many aircraft, both globally and in real time. And most concerningly, all of the currently available mitigation options are absolutely insufficient and more work is needed to find any real fix in this direction.

If you're really interested in our privacy research, you can also check out all of the references for this talk on this slide, or you can shoot me some questions on Discord later. Thanks a lot for listening and I'm really happy to be part of the aviation village this weekend.