 afternoon everyone. Is everyone having a good DEF CON? That didn't sound real convincing. Is everyone having a good DEF CON? Excellent. All right. This is one heck of a room. There's a lot of... apologize if I can't make eye contact with everyone but I'll try. So thank you for coming to this talk. I'm gonna talk about air traffic control and security. How many people came to my talk last year? Yes, I did. So, wow, not that many. Oh, okay. Well, it's out on the web. One hand over there still raised. So let's just get right into it. You know, I've got 20 minutes and you always have too many slides so I've tried to pare it down. So I'll talk a little bit about who I am. Overview from last year. Some insecurities today and a little proposal that I'm proposing out to the crowd. A DEF CON sort of has the 20-minute talks be, you know, maybe you don't have the research completed or just some ideas or take it out to the community and see what people think. So that's sort of what I have. I thought this was an interesting little Dilbert here. Can everybody read that in the back? I don't want to read a Dilbert. Okay, so who am I? Security guy, whatever, blah, blah, we can keep going. So I wanted to say that first, flying is safe. It's one of the safest ways to travel if not the safest way to travel. After this talk, airplanes are not gonna follow the sky. Well, not because anything I'm gonna say. And you know, this is the standard disclaimer slide that everybody needs to do. That's why we have, you know, also EFF. So any pilots in the audience? Okay, all right. I don't see anybody with the bullshit flags, but you know, if you please feel free. All right, so you know, why did I do the talk last year and this year? You know, air traffic control is moving busy moving planes throughout the air. In the past, they haven't really been focused on network security equipment because radar scopes were physical radar site and, you know, physical huge cable back to a one unit. It was a big deal for them when they originally had repeaters and they could actually repeat a scope. So also, you know, sort of just a teaser of what I'm gonna talk about. You know, ATC and FAA has really only been concentrating on, you know, these days scriptedies and nation states. And I think I've come up with another group that they may want to concentrate on more that might be a little more dangerous. So, okay, a little bit, if a lot of you hadn't been here last year, I'll give a little bit more on the overview of my talk from last year. So, we talked about how the ATC was running, you know, this operating system. No, no, no. The denial of service attack on an ATC flight plan. So, I proposed last year the idea that let's not take a look at, you know, anything with, you know, boarding on planes or anything like that. Let's take a look at if we can find a way to do a denial of service attack to stop airplanes from being able to take off. So with commercial flights these days on instrument flight plans, they actually need to submit their flight plan into air traffic control. Air traffic control will give them the routing information back and then the planes are allowed to take off. So, the idea was if you could find a way to stuff a lot of fake or bogus flight plans into that central machine and overwhelming potentially, you know, normal flight plans of airlines would not be able to, you know, wouldn't happen. So, I thought it was interesting that I got to talk to some people from the FAA, a very positive last year and they admitted, oh yeah, and we did this to ourselves. That last year, you know, that last year, you know, that air traffic control, they were teaching their new controllers how to actually make and create flight plans on their own production network and in teaching the students on their own production network, the students were hitting the submit button and actually inputting bogus plans into the flight system. So, oh well, I guess it was a little justification that potentially that, you know, hole. Now, they have done some things to mitigate that, to look at the, you know, number of flight plans per minute that get input in the system and they have some circuit breakers that they've put in for that. A lot of, just to make sure their own controllers don't do it again. Last year, I also talked about next gen. This next gen that's going to cure cancer and, you know, it's unbelievable. The next gen is the overcompensing word that the FAA has been using to solve every problem that they have. The idea of, the idea that to be able to reduce delays and all the airports around the country to be able to have airplanes be able to vector themselves and get to locations quicker. And one of those pieces is this, is this piece of technology called ADSB, which I mentioned last year. ADSB is a way that each airline, airliner themselves would actually broadcast their latitude, longitude, altitude and who they are identification in a clear text packet, which I thought was interesting. And the idea with ADSB is that radar sites are expensive. If we can have all the airplanes broadcasting their specific location, then that would save on radar sites and then also allow the FAA to pack more planes in the air and be able to have less separation. You know, they have all these intel separations. I'm not a controller, so some of those buzzwords. So we'll kind of touch on ADSB again in this talk. So what's also interesting that's happened from last year, it really seems that for whatever reason from last year to this year, the FAA seems like they have some funding. They have some of the biggest contracts. I don't know if anybody has gotten any FAA contracts. Maybe nobody wants to raise a hand. But some very large million and billion dollar contracts, the FAA has gone out to this second bullet about trying to generate and create next-gen technologies of these ideas of an air-traff control tower that could be virtual and have one control tower, one central location, and that one control tower would be able to be turned on and work in San Francisco or any control tower. It's kind of interesting. So also it's been a little disappointing. Some of my people that I've met through the FAA, there sort of seems to be a little bit of brain drain. I don't know, maybe that's just normal EBO flow of things, but I just found that a little interesting of some people getting frustrated of the FAA administration. Okay. So I guess I jumped a little ahead with this slide. So the next gen ATC is the idea of converting from proprietary hardware to commercial off-the-shelf hardware. Right now some of the scopes and things that the controllers are using to navigate planes throughout the air are pretty old and some old technology. And just like anything, this first bullet I could even cover and say ATC, the power companies in SCADA and a lot of people have seen. Once when you switch from proprietary hardware to commercial off-the-shelf, you introduce a whole lot of things. The FAA also had all these dedicated links around the country and now they're doing more VPN and trying to use more internet. Classic things you hear in the enterprise and large corporations of all the same problems you all might think of. What was interesting that the next gen, the idea that they felt that radar sites were very expensive to maintain, so that whole ADSB. But then you have things like, well, as far as NORAD now responsible for tracking all airplanes inside the country as well as outside, NORAD still has responsibilities for wanting those radar sites for reasons. So the initial thing that there would be a major cost savings getting rid of radar sites seems that it's not that true anymore that they're still needing to keep them around. And then this idea of switching from a radar sweep to generally knowing where our airplane is from every airplane out there, mandatory having a transponder that'll report latitude, longitude, altitude in clear text. And that's this idea of ADSB. Just recently the FAA mandated that that would be a requirement for most airlines in the, in busy airspace by 2020. Now you say 2020, it seems like a long way out, but if you've known any sort of anything, 2020 will be here pretty darn quick. I'm always amazed at physical construction projects when they're building a road or whatever. Those are 25 year to 30 year projects when you, when you see them digging the side of road. And so it'll be interesting. So something I'm proposing out to the thing that I was sort of thinking about all this and I don't know, maybe I'm, you know, full of whatever, but so wouldn't it be interesting if we could get a live feed of every plane in the air? You know, we've all been out to those websites that you can track live flights, you know, we've probably all tracked our spouse's flight as it goes across the country. Realize, that's not all, that's a subset of the planes that are out there. You know, and you know the idea of climb fences or hack the FAA to get that. And then I thought, you know, maybe there's another way. So and I like this quote and I know everybody says that anytime you see a quote it could be taken out of context. But you know, the FAA notes that there is no right to privacy when operating the NES, National Airspace System. So no right to privacy. And specifically what I was thinking about was there are, how many people came here to DEF CON on an executive jet? Anybody? Executive jets? No? You can, it's okay to raise your hand. Oh, I got one good for you. Good for you to be brave. A two maybe. Good for you. I want to be your friend. So those executive jet guys, I don't know how many people know this, that when you own an executive jet in certain planes, you can request to the FAA, you know what, I would like my tail number not to be rebroadcast out to the internet or third party providers. There's two different layers that they can do that. They can actually have it not be rebroadcast internally or even that the FAA sees it and it's not rebroadcast out to third parties. You know, maybe, you know, an example, large company, if you could be able to see the two different, two large companies, their executive jets, you know, went to the same location. Potentially you could say, well, maybe those two companies are about to merge or, you know, these large companies, they feel it's a security risk that you know that they're, you know, right after the stock market crash, everybody goes to Aspen. So I kind of was also focusing on that, you know, that there's these sort of stealth planes and not stealth, but planes that are still flying in the national airspace system that we, that they still are allowed to use the services of the public, but we're not allowed to track to see where they go. But notice the quote. Okay. So why don't we take it a step farther? Why don't we create our own FAA real time flight tracking database? Why try to even get into the crown jewels of the FAA? You know what? Leave them over there. Why don't we make it ourselves? And you're saying, what? Well, think about it. Right now deployed in Florida and Alaska, ADSB is already deployed and also through the Gulf of Mexico. With some antennas that would be listening to two different transponder frequencies, you would be able to passively listen. Not against law right now. It is for cellular signals, but not against law right now. Listen to that. You'd be able to get the latitude, longitude and ID of the plane and then put in a database. You know, think about it, you know, just even in the city of Aspen, seeing the executive jets land and seeing that. You would be able to, you know, take a third party feed and see all the, you know, all the planes they're actually out there and then, you know, take that and take it away to see, you know, what planes do you guys, you know, what planes does your own database see that, you know, aren't out there? There was a real good Freedom for Information Act where they, that I think they actually went, it might have been NASA, that they actually got, for whatever reason, NASA had the data, that they got the list of aircraft tail numbers that were on that blocked list. You know, good. And then I think even EFF might have helped them with that. But that was just a static list. So what, you know, the whole so what, you know, I always, whenever I do something, the whole so what. So, you know, what, what do you think the marketing people would do with this stuff? Four square and be able to know where we are and, you know, real time tracking of everything of, you know, the idea that you could see all the planes, you know, the executive jet traffic and, you know, product placement from all that stuff. You know, we talk about, you know, we talk about cell phones that, you know, there's a level thing. You know, back here when the FASA, you know, there's no right to privacy. When they said that, I was wondering why was somebody even asking the FAA for a right to privacy? And, you know, I thought it was a really interesting idea about that. So, you know, this also is one of the fields the FAA, you know, that the air traffic control and FAA, there's, this is just, you know, an untapped market out there for looking at things that are out there. You know, a friend of mine has, you know, presented at an FAA conference and he was trying to challenge the FAA to reach out to all of you. There's a lot of smart people in this room more, you know, more than I am. Maybe this is, you know, not that great of an idea. Maybe it's, you know, I don't know. You know, so I kind of look at, you know, marketing as, you know, potentially good or evil. I'm not into that whole, you know, walking by a billboard and you know it's me and I get a product placement ad for me. Let's hope it's not Viagra. So, that kind of idea of this central database that with, you know, 20 or less antennas in key markets that's just listening, receiving only, not transmitting and actually trying to make the database yourself. You know, it's a, in my view it's an interesting idea from the fact of, you know, the FAA that in some ways that's their crown jewels if you were to be able to reproduce it, not hack them, let them do whatever they want, reproduce it with the fact that ADSB is going to be transmitting all that stuff. So, kind of need idea. So, and then also, you know, if anybody wants to help, you know, please feel free to, you know, come talk to me and maybe you got another idea that you want. So, you know, it talked about that, you know, obviously it was a little quick for the talk. I'll take just a one or two quick questions and I know that they're going to cut me right off at 20 minutes because there's another speaker here. Yes, sir, I'll try to repeat your question. Go ahead. Oh, do I have any technical references for the format? Yes, it's, they're all out there on the internet, the internets, the ADSB protocols and everything and right now UPS airline, yeah, UPS, yeah, UPS is actually they've equipped all their aircraft with ADSB, the capstone project in Alaska, they have their planes. Now from a safety point of view, yes, they've, in Alaska they had a lot of safety positive of the ADSB from being able to now see small planes in there where radar covers was not, not to that extent. So, any, yes, right, so the, so that, yeah, so the gentleman said, well, what about the idea that one could do a denial of service on the system? You know, in a report that the FAA published that I, that I have in my, in my notes, the FAA felt that, now, get this, you want to take this good or bad, the FAA felt that there's no change in the risk to denial of service from now to with ADSB. No change in the risk, they didn't say what the risk was, there's no change to the risk. So, now, I also want to make one comment about that, you know, there is some talk about, oh, well, you know, jammers and be able to transmit signals, you know, you know something I found out in between last year and this year, the FAA has this term called phantom controllers that people, you know, in parts of the United States, they set up a big, you know, radio and actually try to talk to the, talk to the pilots and maybe try to tell them to turn left to right. What's interesting about that, they usually have once a month the incident and they usually find the guys pretty quick. The, when one keys a radio or keys a, you know, there actually is in the analog level a unique signature that a radio has right when the capacitors and diodes and everything come up that it's not just a quick, quick sharp in your transmitting. There's been, you know, maybe somebody's even presented about that a DEF CON that one can finger fingerprint a radio from the analog level and be able to know that. You know, I know that even in Iraq and Afghanistan they have capabilities to be able to, you know, pinpoint that stuff. So, any other questions were almost at a time? Yes, right here in the front now. Right, so the question, what's the, what's the, what's, how do you, how would you stop somebody's from spoofing the ADSB that they're sending? That's a good question too in the FAA, you know, a lot of these questions they tried to address. I felt they addressed pretty poorly in the, in the document that's, it's, it's one of these references on here. I think it's the first one there. Right, it, actually it might be the last one. I'd be happy to, it's one of these four documents that, that is, that they try to answer those questions. They once again said that there's no change from current to, from current to future. So, they didn't, it's not like they answered the question. And, and this gentleman and, and then we're, oh we're done. Okay, so thank you very much. And if you'd like to talk to me, I'll be right across the hall. I'll be happy to chat with anyone. Thank you very much for your time. Please enjoy your DEF CON.