An international team of scientists has released research highlighting vulnerabilities in the upcoming next-generation air traffic control system.
The new Automatic Dependent Surveillance-Broadcast (ADS-B) system is susceptible to jamming or intentional interference from attackers in possession of a wireless network and off-the-shelf equipment, according to researchers from the Kaiserslautern University of Technology in Germany, Swiss federal agency Armasuisse and the University of Oxford in England. Their research was released at the Applied Cryptography and Network Security (ACNS 2013) conference and can be found here.
Expected to become mandatory worldwide in 2020, ADS-S is currently being installed as a replacement to the outdated ground radar system used to guide airplanes in flight and on the ground at airports.
According to the team, an attacker can inject “ghost”—fake—aircraft into the next-gen air traffic control systems, alter the virtual trajectory of airplanes currently in flight or even remove aircraft entirely from the monitors, disrupting the system’s ability to provide pilots with accurate information on the location, speed and direction of other aircraft. While such malicious interference would not directly result in a crash since pilots maintain direct control over the movement of their aircraft, the attack could still cause potentially life-threatening decisions to be made by confused pilots and controllers.
Ground stations are also in danger of being jammed, the team said, adding that “especially in high density areas (around major international airports), a sudden failure of the surveillance or collision avoidance systems is described as devastating by controllers and could result in confusion and human failure with fatal consequences.”
Researchers also found that an attack could imitate alarms such as those an aircraft might transmit during an emergency or terrorist attack.
“Without appropriate countermeasures, critical air traffic management decision processes should not rely on ADS-B derived data,” the researchers said. “We hope that the rule makers and regulators involved in the ADS- B standardization process will recognize the criticality of the described threats and include security as one of its key requirements in future releases.”