Welcome, everyone. We're going to talk about air traffic control, insecurity, and ADS-B. My name is Righter Kunkel. I've got all the gobbledygook after my name, security researcher. I'm actually here on my own, not with any company or anything. And I see my beer coming. And just on my own, and I just thought it'd be interesting to talk about this. So some of the agenda we're going to talk about is who I am, get the product placement in, and ATC background, a little bit about ATC background, air traffic control background. Sure. You want to wait a minute? All right, he wants me to wait. We can do a do over on the AV. Maybe not. He wants me to wait. Sure. Anybody have a hardware hacking badge question? I'll answer. Oh, sure. What? Hardware hacking badge question. You connect all the wires together until it burns your chest. The neat thing, Joe Grand talked about it. The only thing that I'll talk about that there's one pin on here that is really useful. It's a reset pin. You could take one pin to ground, and it resets the processor. I'm thinking reboot. Resets the processor, then you don't have to take the battery in and out. People have been having problems with the battery, the physical plastic thing breaking off the back of the badge because they keep pulling the battery in and out. One solder point, and then you take it to ground. And where's ground? There's ground all over the badge. And afterwards, I can show you. It's that one. Everybody see the pin? Yes, that one, exactly. And here I'm talking to you all. Oh, well. Yes. Oh, there's only one layer. Come on. There's only one layer. I think Joe Grand said that in his talk. Only one layer. Oh, you missed it. Yeah. Yes. A drill press. No, I don't think so. That's cool. Has everybody seen the big badge together? Yes? Can you what? All the components. There was a hardware kit that was being sold, and it is sold out. But the parts list is on here to find the parts.
The only thing they said was really hard to solder is the microphone. And I'm not a hardware guy, but I actually had a side of the microphone on here. The solder pads are underneath. You have to do something special. It was above me. I just learned how to surface mount solder. So are we doing good? OK, we're going to start over. Do over. Get the product placement in there again. OK. Air traffic control, insecurity and ADS-B. My name's Righter Kunkel with a bunch of letters afterwards. I'm a security researcher. I'm just here on my own, not with my company or anything. Didn't want to get shut down like other people. I'll talk a little bit about who I am, ATC background. And we'll talk about a disk operating system on the Denial of Service attack on an air traffic control tower. We'll talk about the state of the airline security and where we are going. And then this thing ADS-B. So a little bit about me. I've been in the security field for more than 12 years. Worked with secure operating systems, those rainbow series books. How many people have seen the rainbow series books from the 80s? Anybody have a real set, like a real orange book? Oh, one hand. What a shame. They really wanted to make that available to everybody. So they're still out there, if you want to read through them. Firewalls, proxies, trainers, ham radio operator, and private pilot. So I have to put this first slide in. After this talk, flying is safe. Commercial airlines is the safest mode of transport. You've all probably heard it. You're more likely to die driving to the airport and from the airport than in a commercial airplane. Are planes going to fall out of the sky after this talk? No, not for anything that's in the talk. I can't talk about icing or weather or anything like that. Is flying safe after this talk? Definitely. Is some of this talk illegal? Well, you tell me. And the disclaimer: don't do this. There's some seats up in the front. If you guys want seats in the front.
So and if I hadn't mentioned, let's first ask if anybody's a pilot, anybody a pilot? Actually, more. Yay, let's hear it for pilots. We're what? Less than 1,500,000, right? It's horrible. I feel like a dying breed. I don't know. It's great. You all should learn to fly. OK, so what we're not going to focus on is airport physical security, cockpit door security, X-ray security, all of those things. We're going to focus on the computers used by air traffic control, how airplanes report their position to air traffic control, and this thing called NextGen ATC. And you know it's NextGen, because they capitalized a G in the middle of the word. So that's got to be cool, right? So also I want to just mention why I came up with this talk, and rightfully so, you all have come up with great talks about how to hack wireless networks, SSL vulnerabilities. But I want to do something different. And we're a smart bunch here. And when I show you some of these slides, you're going to be like, why haven't more people been talking about this information? OK, so air traffic control is busy moving planes through the air. FAA, that's their job. Planes from point A to point B. And ATC not focused a little bit on the network security equipment. In some ways, people would say, who would want to hack a radar scope? And in the beginning, ATC radar scope was a physical radar out there on the field with a big hard wire to one tube that swept around on a circle, a standalone system. And through the years, they figured out, oh, well, they can make analog repeaters, and then they can make two scopes. And then somebody said, oh, we can just put that over TCP/IP. And not really thinking. So we'll get into them. So I want to give you a little bit of background on air traffic control, air traffic control, these VORs, transponders, and flight plans. OK, so what is ATC? Can everybody see this? I keep whenever you get pictures, you try to blow them up and blow them up. So I want to just give a thing.
If people don't know this, this is from a pilot's point of view. So when the little airplane takes off on the left there, he has an airport tower. He takes off. And there's TRACON that has departure control, en route control, and oceanic control. Not a plug for United Airlines, but I still love on Channel 9 and United Airlines, you can even today hear the cockpit transmissions. How many people, Amy, listen to that on United? Hey, yay! So that's great hearing that stuff. And hearing when you get put in a hold or something like that and the plane keeps turning, you know why. You're like, somebody's like, why the plane keeps turning right? Why is that? So you also can see that with the control tower, there's a whole back end system that the air traffic control has, the ATCSCC, ATC System Command Center, that gets planes from point A to point B. Originally, this system was all proprietary and hardwired, not connected to anything. And slowly, through modernization, this has been TCP/IP networks and Windows 2000. So and also there's these things. How many people have ever seen one of these taxiing around an airport, this big bowling pin thing? So this is called a VOR, VHF Omnidirectional Radio Range. It's pretty darn cool that this won't go into that much electronics. But basically, this is what planes today will navigate from point A to point B. And they're spread out through the whole United States. And planes will take off from the ground and they'll navigate from point A to point B. So there is more direct routing, but it's really these that help make the airways in the sky that planes will navigate from point A to point B, using these VOR devices. This will come up in a minute. Not that I found any problems with anything transmitting on VHF, no encryption. So this is also what an airplane transponder looks like today. And for those that fly now, that's a pretty old one that probably has vacuum tubes in it. Yes, vacuum tubes.
And it has a way that there's a unique number that Air Traffic Control can tell you, a unique number that you program into the device. And what this is for, the transponder is for, is when radar systems deployed out through the entire United States, when a radar system will sweep a plane and quote, paint a plane, it will interrogate the transponder and the transponder will respond with its unique number, the four-digit number, and also an unconfirmed altitude from the plane, which I thought that was interesting, that Air Traffic Control is relying on the unconfirmed altitude that the plane is saying. That's how it is today. So that'll come into play in a little bit. And then there's also these things called flight plans. So think about if you want to drive from here from Vegas to Los Angeles, you probably would, whenever, look at some mapping program and say, oh, I want to take this interstate, that interstate, that interstate. You sort of have a plan for how you want to drive from point A to point B. Well, when pilots, either a private pilot or commercial pilots, they'll actually have a plan for I want to take off from Vegas and fly to LA. So I might take off from Vegas and fly from this VOR to that VOR to that VOR and get to Vegas. So that's what their request is. Well, a flight plan is just a request to the FAA. That goes into a central computer. And the FAA will then figure out, oh, well, five other planes are trying to take the same road. And there's going to be too much traffic. So maybe they'll send a couple planes a different way. And so these flight plans is just a request. And we'll see in a minute how FAA will actually say, you know what, no, we don't want you to take that interstate. We just want you to take the bumpy, dirt two-lane roads from here from LA to Vegas to LA. OK, I commented out D.B. Cooper to save a little bit of time. But I'll just quickly mention D.B. Cooper. You can't have an airline talk without D.B. Cooper.
And maybe I'll just bring up the slide anyway. D.B. Cooper. How many people have heard of D.B. Cooper before? Yeah, it's a great talk about it. I love the fact that they have a proposed sketch of him. And I really wonder if he was really wearing a jacket and tie. I guess it was a different time then, right? In fact, here's a skyjack when he's wearing a tie. So yeah, legendary, for those that don't know, a legendary skyjacker, he stole $200,000 when, man, it doesn't seem like much. And he actually requested from them. He got parachutes. And he pulled open the air stair in the back of a 727 and parachuted out the back, was never found again. In my mind, it was unique because they didn't think that anybody would do that. He was on the flight. They thought he was going to go to Mexico. And maybe the parachutes were a cover. So it was very interesting. There's a lot of theories of what actually happened to him. But it was somebody that analyzed the system and used it to his advantage. And then I want to talk about 9/11 only from this one piece. It was an absolutely horrible event. We all know that. But the hijackers knew enough to turn the transponders off in the commercial airliners. They knew enough from their flight simulator training that there's a magic button. And yes, in those big planes, this is not what the transponder looked like. I hope not. But they knew enough. You see it has an off. All of the transponders have an off button for reasons that you need that. And then once when the hijackers turned the transponder off, then what happened? The planes were not transmitting their altitude. So the 9/11, the hijackers, air traffic control did not know the altitude that the planes were at. I don't know how many people knew. Did any people know that? Wow, not many people. Some people. It's kind of surprising that they knew enough to do that. And we all know they had certain manufacturers, GPSs on the dashboards, that they could find things.
So and this is true that we've not developed anything to mitigate this attack country-wide. That if somebody were to take over a cockpit and you got to get through all the door and everything, but if the transponder is off, we would not know the plane's altitude. The only place is this ADIZ, and I love this name, and I always write it down so I don't mess it up, Air Defense Identification Zone. And that is around Washington DC. It's extremely secure. It's a flight area 30 miles around Washington DC that they have all sorts of things to mitigate planes trying to fly into the capital. And as a side note, it is a side note that if you were to have your transponder like this with 1-2-0-0 in the ADIZ, you would get visits from jets, because they have specifically said, this is a squawk code that you do not. You use this everywhere else throughout the country, but this is a code you do not squawk inside Washington DC. So they could sort of tell if there's a newbie flying around in DC, not knowing what they're doing. OK, so this one was a great story. How many people heard of that one pilot to try to fake his own death? Yeah, this is, you know, you don't head towards Eglin Air Force Base. Bad idea. Anybody know where Eglin Air Force Base, right? In the Panhandle of Florida? Yeah. Yeah, he didn't look at a map or something. So for the story, what it is, is here's a pilot, I don't know. I'll say it allegedly, but I think some facts have come out, where he tried to fake his own death. So he was in a high performance airplane that was pressurized at altitude in, probably people are going to scream out the state he took off from. I think it may have even been Indiana, and he was heading south towards the Gulf of Mexico. And he declared an emergency saying that his front windshield had caved in on him, and he was covered in blood. And oh my gosh, he's going to die and everything. And he descended his airplane.
But you know, from reading some of the reports, the air traffic control, the guy must not have been good with social engineering or something. They just smelled something fishy with the way he was talking, the way the plane leveled out at 5,000, 7,000 feet or something. So the gentleman set the plane on autopilot, and at 5,000 or 7,000 feet, he bailed out over the bayou. Now because he was flying south, and Eglin Air Force Base, one of the biggest air force bases, two F-16s actually intercepted the plane that got there, and they came up on the wing. They noticed that the cockpit door was open. There were no lights on in the plane, and they had done, obviously, they probably did flare and chaff and tried to do whatever they can to look at the plane. And it appeared that there was nobody in the plane. The plane actually ended up crashing. The pilot didn't even do enough. He didn't even have enough fuel on board. It crashed in a residential area in the Panhandle. They didn't even make it to the Gulf of Mexico. But I just found it fascinating how he was another, maybe he was trying to be D.B. Cooper or something like that and fake his own death. It just was very interesting. But one of the points was I thought it was interesting how that the air traffic control towers just kind of felt something fishy in the way the plane had moved and what it did, that they had scrambled the jets, and the jets would actually be able to come up on the plane that quickly. So switching gears. I want to talk about my proposed denial of service attack in an ATC tower. So I felt some very warm, fuzzy. I was talking to a goon before, and he said, oh, he might or this and that with the FAA. And I started talking about this. And he said, oh, he was like, oh, that's BS. And then he sort of thought about a little about five minutes ago, wow, that would work.
So I always feel I was worried about things like this that if people, you always see the BS flag and you always wonder if these things are real. So before I show it to you, what I want to say is that I just want to propose to stop planes from taking off. So if we could, planes would be able to land, planes still would get from point A to point B. But if we could find a way to stop commercial planes from taking off with or slow them down, that would be bad, right? And maybe you could take it to the next step. I really like what Joe Grand said in his parking meter thing that he sort of talked about as a high level of what you can do with parking meters and that maybe somebody is going to take that to the next level with that. So it's just an idea. So the proposed attack is get a fake ID. Well, there might be people here that you can get fake IDs and of course it's illegal, right? Get an aviation medical. Anybody know why? Anybody, can anybody tell me a quick quiz? So there, what do you get when you get an aviation medical certificate? I didn't hear what you said. You get a, that's right, you get a student pilot certificate and with your student pilot certificate, you get issued a unique certificate number. So this unique certificate number is, so I find it interesting in the process as it is that you have to go to a doctor's office and the doctor that certifies you that you're okay, there's different classes of medical certificates from class three, class two and class one, commercial airline pilots that are flying for United and all those, they have to get a class one medical and have to renew it and, but I find it interesting if you get a student pilot certificate with this unique certificate number that goes in a database, which we'll kind of talk about.
So once when you have this fake person and the certificate number, now you can use that name and authenticate yourself with these websites called DUAT and DUATS, and there's a couple other ones that even there's a FlightAware that I had completely forgotten, that you could easily use FlightAware and AOPA website. DUAT and DUATS, everybody's registered for websites before, but with this website you register your username, you know, user, and it requests your student pilot certificate number before it will let you log into this website, or the two different websites. Okay, we get two chances. Once when you log in then you're an authenticated user, it is, it has SSL running, so you're an authenticated user in the website, right? So you could create and submit multiple flight plans, and when you create a flight plan, right, remember what a flight plan is, it's my request to get from Las Vegas to Los Angeles. That request has got to go to a central computer, central computer has to say, oh, a lot of people are doing that, well, maybe I want to, you know, send a different routing. So if you could take this, and then what happens is there's a physical printer inside air traffic control towers where it prints out a paper tape, and that paper tape is what the FAA will say is your request. So with that, if you could find a way to have that little printer print out a lot of false requests, you might be able to slow down some of the other people trying to use the system. It was just an idea. With that what's also interested, what's also interesting is that, we'll talk about that, so we'll talk about those websites. So this is what sort of a medical certificate looks like where you get a unique number, and the websites DUAT and DUATS. So this is what the DUAT website looks like where after you've authenticated you get an access code, password and aircraft ID, so the aircraft ID would be the aircraft that you would like to make a flight plan with.
And I had to throw this slide in here. Did not anybody notice the A was capitalized? I don't know, it just really bugged me that here they're trying to warn me off and the A was capitalized? I don't know, whatever, but so yes, warning, warning, warning, govern aviation, you know, this is bad, this is illegal. And this is what the flight plan form looks like, that one, and I left it blank, you guys left it blank and you would have to figure out how to fill it out and submit it. Now, there's some other ways that you could do this having multiple flight plans. There are ways you can call on a telephone number and talk to, you talk to a briefer and have a flight plan submitted. But you would have to, and what's interesting about that is there's no authentication. They don't ask your pilot certificate number, it's just you talking to somebody on the phone and by the end of the conversation, they will type in and have a flight plan get submitted into the system. So what's also interesting is potentially I left the top of the header, but potentially after you're an authenticated user and through, you know, inside the SSL, maybe there's a way you can write a script to have this do this or maybe there's a, I don't know all cross-site scripting and things like that and all the stuff with headers, but you're an authenticated user, they already think you're gonna be doing good things. So this isn't like trying to break the SSL's encryption, you're already in there. This is what the, so if you completely fail being able to do that with this website, well guess what, you have a whole different company and a whole different website you could try it with. The same medical certificate called DUATS. And this was also, the next slide was a little interesting too. They still have Telnet access. I'll just say that, they have Telnet access. Whatever that means, I don't know what that means. I'll take a drink of beer.
But look, you know, I have complete respect with controllers, the FAA, the FAA is trying to move planes from point A to point B. These three tools, DUAT and DUATS help pilots be able to submit flight plans quicker, be able to get planes quicker from point A to point B. Okay, that's why they're there. You don't have to then physically call somebody in a plane. It's neat here to see my DUAT shortcut. So if you keep flying from Las Vegas to LA, you can bring up your flight plan and have this rapidly fill out. And instead of talking to a weather briefer, you could actually save time. And it also saves money. But, you know, there's real reasons why we have these websites for efficiency. It's just, you know, I don't, you know, I wonder if they've looked at, you know, how secure they are, which we'll answer. Also another thing is every air traffic control tower actually has telephone numbers. And this is a good thing and a bad thing. It's a good thing, like we've all seen in the movies, if you actually have to call a tower, there, these numbers are there. But like anything, if you're focusing on one specific tower, you could always do a denial of service attack also on the telephone system and slow down inbound calls. Now, of course, controllers would have cell phones and other things like that and other sidelines and red phones and things. But, and then, of course, what happens in other countries sometimes where the radio frequencies, they're all in the clear, you know, VHF. Here's a quick question. With the FAA, is it FM or AM? Anybody know what the ATC is? AM, I heard some Fs come out of there. It's AM. It's AM, yes, it's all, anybody know why? Long range, yes, yes. So it's VHF AM, kind of cool. Little.
So you could potentially jam the ATC radio frequencies, which is interesting, you know, sometimes in some foreign countries, the taxi drivers have hacked their little, you know, radios, they talk to each other and they might interrupt, you know, screw up frequencies that air traffic control is trying to talk on. But if one would wanna do a focused attack on one specific tower, there's a lot of vectors to slow down planes from taking off. Now, planes will still be able to get from point A to point B, there's processes in place, if certain things happen that they will still be able to land, planes are not gonna fall out of the sky, it's just trying to slow down planes from taking off. Okay, so, and then I kind of sort of stepped back and kind of looked around. Maybe drank a beer. And the FAA published a report. How many people read this report? Anybody read it? Who's the pilot and didn't read this report? Like this actually made press. I was like, oh no, I'm gonna talk about something that's already made some press. So this is a public document, review of web application security and intrusion detection in air traffic control systems. FAA, report number. So really, has anybody seen it? Anybody shy? Okay, okay, a couple people have raised their hands. Okay. So this is in the FAA's own words to kind of back up maybe, maybe not what I was saying about these two DUAT and DUATS websites and that. So this is right out of the report that they looked at a total number of 70 web applications, 70 into 763, I don't know how many that is a person, but so the number of high risk vulnerabilities, 763 high risk vulnerabilities that they found in 70 web applications. Is that a lot? I don't know. So it was shocking.
So, and then also from their report, they, I don't want to get into too much detail, but there's the internet out there, there's the FTI aviation telecommunications infrastructure, mission support network, mission supports networks there, and then they have the air traffic control, the ATC operational systems. Now, this is, see that dotted line? This is in the report. That dotted line should not happen, right? Right, mission support, you'd hope, or you'd hope that there's firewalls or something there. So, and I guess that they have found cases where the two networks have been connected together, which is not good, which we'll talk a little bit about. So here's also some things that they, this is right out of the report with IDS. So what was interesting is, total number of facilities, 734, well, it's really not, because if you see the little star, it says in the thousands, remote sites, so in the thousands of remote sites. So on the ATC network, which would be this bottom in blue, how many IDSs allegedly do they have deployed? And then they, on the mission support network, they only have 11 currently. So it actually is a pretty damning report, which I 100% also defend they are working. I've talked to some people already at this conference that they're already working on contracts and they're working on trying to fix these things, and which is good. So, but I, you know, I was, now these are the two things that I found in this document that nobody else picked up in the press. Does anybody see anything wrong with these two things? These were in the PDF that was published on the internet. So the first top box, now the, you know, I don't know, you know, everybody knows secret top, you know, classified secret top secret. I would almost kind of, no, you know, there you go. That's what happens when you lean on a laptop. You get shift F5. So the, I would almost sort of call some of this maybe sensitive information.
So here in this report, so of all those vulnerabilities, they list out the networks that they looked at. I wouldn't have done that. I wouldn't have had it as a footnote. I just, I don't know. What do you think? Would you have put that in your report showing all these vulnerabilities and also listing the networks that they looked at? And so, and the Juneau, you know, the Juneau Aviation Weather System, which we'll talk about a little bit, which is in Sarah Palin's state, Alaska. That's in Alaska. But, and this bottom one, I thought it was interesting. So the FAA, rightfully so, wrote a response to all of the things that were found in the, all of the things that were found in the talk. So this was in, this was at the footer of one of the responses of this S colon, backs, backs, backs, you know, of the whole, you know, document. I would have thought that it, right? I mean, you're not, I wouldn't have put that in the document. So, and in the document, they sort of talked about that, you know, they're gonna deploy IDS by February 2010. So that's, that's good, right? And in the document, what, so the FAA response, 4.16.09 was the FAA response to this document. And by February 2010 was when they're gonna, okay. So let's talk about also a little bit about the NextGen air traffic control system. And this concept, ADS-B. So the NextGen air traffic control system is they're gonna convert from some proprietary hardware to commercial off-the-shelf hardware to, which, you know, maybe, maybe a good thing. They're talking about phasing out radar and ILS instrument landing systems in certain areas because radar and ILS are very expensive to maintain. And the ideas would be that they will go to a system that each plane in their transponder of a plane, they'll replace planes' transponders, and a plane will report its who am I, latitude, longitude, and altitude in clear text.
And based on each plane reporting who they are and where they are in physical space, that that will be displayed on the controller's screens and allow the controllers to move planes around. So, is the transmission encrypted? It is in clear text. So, no. I'm sorry, I couldn't hear you, go ahead. Right, so the gentleman was saying there's no reason to encrypt it if you can look up and see the plane. Was that what you were saying? If you could see the plane. Okay, but this would be, you know, the idea that, I heard some laughs over here. I just repeated what he said. So, but the idea would be that you would no longer have another method. So, for example, if 9/11, if they would find a way to turn off this new ADS-B transponder and not have radar, well maybe the plane might just completely disappear off everything. Yes. A little louder, go scream at me. Could they put a different location? He said it, I didn't say it. So, you could. So, with this, I'll go to the next slide, just talk about it. So, the idea that this who am I and where am I is all in one encrypted packet. And this is already the, some of this NextGen ATC has already started to be deployed in Alaska as, and I tell you I know it saved lives because it's been deployed to help pilots. They've had a lot of aviation accidents in Alaska. So, this has been some ADS-B as a test bed to help planes in the air. But, one of the interesting things, I remember I said Juneau, I'm gonna go back. Well, Juneau was one of the sites that has had vulnerabilities, well that's in Alaska, and they've had some, not on the operational systems, but they've had some trouble in Alaska with computers getting hacked into in Alaska, which is supposed to be our test bed for the NextGen ATC system. So, with this insecurity of the who am I and where I am all in one encrypted packet, and that the idea that they're going to rely on GPS as the backbone of the ATC of the NextGen system.
And then how many people read that a report that GPS satellites are failing faster than, got some hands over here, failing faster than they're intended. And even there's a brand new GPS satellite that we put up, they were in commissioning it and they found it was not as accurate as it was supposed to be. So it's been a whole bunch of money and this new satellite was not that, not as accurate. Chinese could shoot them down too. The gentleman up here said that Chinese could shoot them down too. I'm just showing you the stuff. It's not wireless, we're not talking about wireless hacking, but you know what's interesting, you say Chinese can shoot them down. I haven't done that much research. Allegedly, China has deployed ADS-B throughout their country, and I don't know if that's true or not true. Anybody know about China and ADS-B? Nobody's, so that's something to look into, which I wouldn't under, and for me, just having being a pilot, just having GPS be the backbone, I totally GPS has its place, but I would always like to have the idea that you could have radar and ILS. If you don't know an ILS, it's basically some electronic signals sent up from an airport. Maybe you've sort of seen those Yagi antennas, and we know Yagi antennas, Yagi antennas, the end of a runway. That's a localizer antenna that is part of the instrument landing system. There's many things in the field that allow the plane to land. I don't want to go into if there's potential vulnerabilities of the ILS system, but ILS system has been out a lot and they've mitigated some of the things people talking about jamming this and that, but just relying on GPS as the only means of that, and also that the planes themselves will be reporting their position makes me a little nervous. And oh, you could easily fix this ADS-B transmission, and ADS-B stands for Automated Dependent Surveillance Broadcast. And then even as broadcast, it still can have broadcast collisions.
They have done some things with that, but this is part of the pieces that allegedly that with NextGen ATC that we're gonna be able to push planes, we're gonna get planes from point A to point B quicker. And maybe, maybe or not, my personal opinion is I'd love to build more runways, but unfortunately, I don't know if that'll ever happen. We're closing more airports than building new runways, but like some people said, trying to have 10 planes all take off in a five minute window, it's a challenge. But with this being able to have, the real reason with ADS-B is that if you have these planes reporting their lat-long and altitude, you could potentially mitigate a lot of air-to-air collisions if everybody's correctly transmitting their correct location. And it has a lot of benefits and safeties. I just question how much from the security in the, and I'm sure a lot of your minds are running as some people have thrown out some things already of maybe what you could do with this system. And I have no agenda. I just sort of am a pilot and had this idea of looking at these things and it was something different. I'm not trying to get a contract or anything with any of these guys. I just thought you all would be interested in these things. I'm actually shocked that more of you had not heard of that one PDF document. I've read some, how many people have done penetration testing and written reports? Okay, that's good. So, sort of a call to action is, hey, take a listen to air traffic control, view ADS-B broadcasts, and maybe you become a pilot. And I'll take some questions, still a little bit of time, questions, gentlemen there in the black shirt. Yeah, sorry. That says DEF CON, wait, sorry. Is there any potential for doing redundancy using over horizon radar? There is, but according to the FAA, radar systems are extremely expensive and they're trying to minimize the number of new radar systems and decommission them, because they're extremely expensive to have and maintain. 
Right, yeah, I don't know about that of reducing the number of radar. Yes. No, the question is if I did anything looking at this in the ham radio technology APRS. I know APRS technology, but I haven't done any comparison. There you go, there's a talk for you next year. You've got something to talk about next year, so anyone, sure, anyone else? Yes. Automatic flight processing, automated flight control, I don't know that much about that, but potentially there could be things with that too. Go ahead. They did not look at VORs, remember it was just 70 web applications, it was just web applications that they looked at. They did not look at physical, the report, they didn't look at... Did you try to get inside a VOR? No, they did not, no, no, zero done. And remember that like ILS systems have monitoring, you know, air traffic control towers have alerts in the towers of ILS systems. There's also VORs, there's processes that if VORs go down that, you know, that's all, you know, I'm trying to go to that one slide to get to the name, this one here. No, see, it was just web applications, not VORs. This gentleman and then you, yes. So the question is the, with ADS-B, the who am I and your latitude, the longitude and altitude is sent, is there any sorts of signature scheme? Yes, even today every transponder has, even without the four-digit number, there's actually every transponder has a unique number. So yes, that there would still be unique numbers, you could potentially have the hardware and change those unique numbers. So, but it's still sent in the clear, you may be able to have that fake signal sent of a TCAS alert or something like that, but yeah, I'm not really sure the question, can I make up a number and do that? I have no idea, so, and then the gentleman over here. 
So the question is if you do not, so in the current sense, if you do not broadcast your altitude in clear text, well, it's an analog system, so the transponder, the Mode S transponder has an altitude encoding, has a hard-coded altimeter in your plane that will do that. There's another mode, it might be Mode A, where you can set your GPS not to respond, what the FAA, what the controllers can do, they'll actually ask you what altitude you're at, and there's certain restrictions, if you're actually not squawking your altitude, the FAA has the right to not allow you in certain airspace. And obviously, if you're in Washington, D.C. area and not doing that, that's bad. Yes, yes, and even if it's a hardware failure, you could have hardware failure mid-flight in the ADAC, ADAC. Yeah, so, right, right. Yes, and the, right. Well, so the question has the FAA, blah, blah, blah, blah. I'm not with the FAA, I've got no idea, no idea. I haven't seen that, I'm sure they have, I haven't seen, you know, they've known about the report, I'm sure they're trying to mitigate some of it, but you guys are coming up with stuff I didn't even think about. In the hat. Correct, so the gentleman was saying that UPS cargo airlines has already deployed ADS-B and it's actually helped them be able to land planes quicker and have planes take off quicker, and it actually has saved money and increased efficiency, that's correct. It is still the ADS-B technology, which you can read the spec that's out there, so no, it is not encrypted, it's unencrypted. The spec's out there that you create. Yes, have I looked at this or that, but I have no idea about this or that vulnerability. 
I, like I said, I just a high level, just, you know, just looking at stuff, and this is all stuff that's already out there on the internet, this is nothing, I just, nothing, I don't know, not all that new, but I guess if people hadn't read this report, maybe it's a little new that that, but there was some press about this report and I do know that the FAA is working actively on some of these things. Yes? Oh, well the question is, do I think the ADS-B is an efficient use of taxpayer funds? It's, I'm not gonna touch that one. You know, it's, I'm just telling you information, you make your own informed decision. You make your own decision, you know, so yes. So does the transmissions get used by other aircraft? I'm sorry I didn't mention that, yes. That's where the safety factor comes in, where it has the potential to literally stop air-to-air collisions. That's cool, that's great. Because if ever, if two ADS-B planes are flying, each plane would hear that, hear the latitude, latitude and altitude and be able to plot vectors and say, hey, wait a minute, we're on an intercept course. So that's a good thing, I don't like air-to-air collisions. Yes, it would be, it would be a supplement to TCAS. TCAS is a whole nother system. So, I think there's a couple more. How much more time do I have? Three minutes, okay, in the white shirt in the back. Yes. So the gentleman saying that, you know, if you could tell an airplane, you know, and do a DoS and tell another airplane that there's another airplane next to it. You know, I hadn't thought of that, whatever. You know, it, you know, there's, you know, maybe I've generated some, you guys, to think about it, maybe some more talks to come out. You know, I, when pilot, I want the aviation, I would like, you know, aviation security, and I think, I also want to say our controllers in the FAA, I mean, for the funds that they have, they're doing a bang-up job with what they're doing. I'm not at all negative or against them. 
I'm, you know, and it's a funding thing why they can't keep radar going. They don't have the money to keep the radar systems going. So, yes. So the question is, how did the finally the fake flight plan connect with the other stuff? So good question. The idea would be that, you know, I was alleging that, you know, you'd be able to write scripts and do this a lot. So, well, you know, that would mean maybe a cross-site scripting vulnerability or something that this, you know, that this website would allow, you know, 20 flight plans a second to be inputted. Well, maybe you can, because look at all these applications, you know, you know, I skipped over it. Look at all these vulnerabilities that they found in web applications. So, did I answer your question? Okay, I just wanted to make sure, yes. Could just be noise or? Right, so let me just repeat the question for the camera. So the comment was with this scan that you might want to ignore low because there is a level of noise whenever you just do a default scan of what you get. I'm totally with you on that. For me, it just shocked me on the number 70 and the number 763. So, I'll get his attention again, but did, I mean, does it shock you the number 70 and the number 783? Not really? Oh, okay, I won't say that for the microphone. So then you've read the document. Okay. Okay, so, and I think we're, one more question. He was first. Yes, go ahead. So, it all depends on the tower. And, so the question is, when you submit it for DUAT and DUATS, does it automatically get printed out at the tower? It all depends on the tower. And, realize clearance delivery at some airports, clearance delivery is some person in the tower, also. Might be the same person running ground. So, that was just one interesting attack vector I thought about. Now, obviously, yes. 
There are telephones that the controllers could, if that, I'm sure that there are things, if that physical printer thing is down, that they can do other ways to get flight plans and get planes to take off. And, like I said, it's not gonna stop planes from landing, it's not gonna stop planes from getting point A to point B. But, it was just a, it was an interesting idea of, using the web to be able to flood the central computer that tries to plot where we wanna have all these planes go to. And, I'm sure that they have some things in place to mitigate if they see the same tail number submit 50 flight plans in a minute that, hopefully, it doesn't allow that submission. So, one more or not? One more, yes. Has the FAA, I have no idea. I'll try to hear your question, but I have no idea, has the FAA, but go ahead. Oh, so has the FAA communicated with me? No, I would be happy to talk to them. I'm on their side. I mean, I, this is a published, this document's published out on the internet. The bad guys know this. You know, the bad guys read this. And, if you go to, if you, you know, if you're a private pilot, you learn about DUAT and DUATS. I mean, I can't be the only one that has thought of this. So, okay. Well, I really thank everyone for coming to my talk. I'd be outside if you'd like to chat with me or raise the BS flag or whatever. I'd be happy to have you talk with everyone. Thank you.