7 years later, instead of exploiting unsecured air traffic control systems, all you have to do is fly a £90 drone bought from Argos into an air field and you cause chaos.

Looks like I picked the wrong week to stop sniffing glue.

aviation nerd here. a word about the GPS jamming: if you jam GPS the aircraft can still use ground based beacon stations for navigation to an airport(which in fairness can also be jammed). still not a good thing to do, just something to make your next flight a little less stressful.

"Can't just roll everything into hangars and retrofit for a couple weeks" well, 2020 happened, lot's of things ground to a halt and welp. Here we are.

A couple months ago the FAA "flipped a switch" and older ADS-B in units started to have ghost aircraft in the on board ADS-B traffic reporting. This has caused many pilots at my operation to distrust traffic alerts until we have looked at the "fish finder" and out the window. interesting.....

As dangerous as some of this stuff is it's good to see people researching and paying attention to it. Hopefully it gets into the faces of the right people so there can be some serious work done on preventing these various possibilities.

"There are MotherFuckin' hackers on this MotherFuckin' plane!"

Thanks Christiaan008 for uploading these talks, still interesting almost 10 years later

Really interesting talk. My intuition tells me that an attack on this system would have to be a one-time event, or at least a short period of effectiveness. Also, pilots can communicate via radio at the speed of light. With the safety margins in place for distance between aircraft, I dont see how besides causing trouble and maybe some injured unbuckled passengers from a sharp dive, this could actually make happen what everyone is thinking: two planes colliding into each other or a building. The scariest part for me honestly was when you remove the human from the equation i.e that autopilot. If the autopilot will indeed listen to spoofed data, that is scary indeed.

The ATC system doesn't take the ADS-B flight information from the web app that you look up; the web app that your tracker uses takes information from the ATC system.

Good presentation, but ATC has all of that verbal communication for a reason, the habits and behaviors of the system were developed in wartime, and are more redundant than the presentation would have you believe. Not to say that there should not be improvements, but aviation tends to be all about redundancy, and this presentation is only looking at one system without discussing all the other systems.

Does anyone know if any of these issues have been addressed yet? getting pretty damn close to that 2020 implementation date :|

spoof a russian fighter squadron in the air on an approach to air force one during a period of "tension" and you've got WWIII made by a $20 radio transmitter.

This is very compelling stuff. It raises eyebrows, that's for sure!

As an amateur radio operator and an aviation fan, I have a dongle, SDR, and 1090 packet interpreter to watch on my lap top at my leisure local air traffic out to about 300 nautical miles. Now with a little extra equipment I can transmit on my SDR on amateur bands in Morse code. How much more would it take to create a SDT(software designed transmitter)? Not a whole lot really and since I have amateur equipment, i.e. antennae already up I cold easily plug into them and do pretty much anything he was talking about. On a smaller scale I could load the laptop with the installed SDT, dongle, and appropriate mobile antenna and sit outside a major airport hub and play with the ATC and local aircraft. So considering my present abilities with my digital capable radio equipment, sending emails, files, etc., imagine how easy it would be to do exactly what he is talking about here. It is a real threat and one not to be taken lightly.

The thing is that with aviation you want things to be as simple as possible so there aren't many things that can go wrong.

The RTL SDR can RX these at 1.09GHZ (1090mhz) and there is tons of free software to view traffic from ADS-B directly

This is why planes still have pilots on them even though in theory they could have been unmanned since the mid 90s. If the GPS or TCAS is lost and it sometimes happens even without meddling by hackers they can still fly the aircraft via instruments.

GPS is a minimum equipment list item on all commercial airliners so without it they must not take off, or if it gets jammed in flight ATC will talk them into the nearest airport. Plus planes all have analogue and digital compasses so they could just follow a bearing back to a control zone to be talked in if outside radar cover.

Well, there's no question that you can spoof ADS-B signals, just as you could spoof ATC communication, but each plane still has a pilot sitting in the cockpit controlling the plane, and unless they are Children of the Magenta, they'll rule out your spoofed plane withing seconds of you creating it. As for TCAS, to spoof a plane on the TCAS, you'll have to solve the distance problem, not just by replying earlier than expected, but by replying *before* the interrogation signal was sent, and that's like predicting the lottery numbers next week

I come back and watch this talk every few years because its so unbelievable. Anyone know if anythings changed over the decade?

Guys you have no idea about the security holes at international airports. I did a contract at a certain international airport and the IT help desk is in a public accessible zone, requiring no badge. The door is unlocked except in the middle of the night when a tech steps out to inspect the digital signage. None of the admin PCs or IT Dept PCs are protected by bitlocker. As a matter of fact I've cloned hard drives several times without any issues (had to find an imaging workaround when we had some issues with SCCM). Probably dozens of the digital signage PCs sit in unlocked cabinets at check in kiosks, there isn't a Kensington lock in sight. RSA Secur IDs for things like VPN access are given out to contractors over the phone with little to no authentication. The security is a mess. As an entry level help desk tech there wasn't a whole lot I was able to do in terms of convincing managers that some profound changes need to be made to adequately secure the installation. I don't work there anymore but it feels like a ticking timebomb. Is there any local IT security company I can get involved with and somehow get a report into the hands of the right people? Maybe get a contact out of it?

An interesting talk by someone who only knows half the story. I must say, I've never even considered the security vulnerabilities of ADS-B until watching this talk so it was great to hear a perspective on it. Something a lot of people are pointing out, though, is that ADS-B is not the be all end all. ATC relies on verbal communication. Everything else we use (transponders, GPS, ILS, and even ADS-B) are simply to make it more convenient. A lot of air traffic in the US is done VFR where pilots talk to other pilots on a common frequency and rely on reporting each others positions and intentions to fly safely. No GPS or ATC to be found there. Attacking ADS-B is not nearly as drastic as Renderman was making it out to be. In his presentation, he mentions how if he put a ghost plane in front of an airliner then they might frantically push the nose down to avoid a collision. Sorry, but that's just not possible. ATC would have given the pilots ample notice of the traffic before collision even became a possibility. If a plane just popped up like that then they would know it was probably a spoof. Regardless, ADS-B isn't what is used for collision avoidance. For that, we use TCAS and TCAS uses transponder signals from other aircraft. Technically you *could* spoof a transponder signal but that's something you'd have to look into as I think it's easier said than done. In the cockpit, pilots see traffic from TCAS, specifically those transponder signals, not from ADS-B. Something that really surprises me is how this presentation has aged. These are legitimate concerns even now in 2020 after ADS-B has been put into law as a requirement. The reason I feel as though there is no need for all of this security is because it's just not worth it. The only way you could REALLY mess up air traffic is by messing with the VHF frequencies we use to talk to each other. Messing with anything else is just more of an inconvenience than anything. Even then, the only areas where you can mess with traffic is with ARTCCs and maybe TRACONs. Ground and Tower controllers can see everything they need to with their eyes. Computer screens just make it more convenient and, as a result, safer. And if those en-route controllers can't see anything on their radar, that's why pilots have two eyeballs, TCAS, and a VHF radio. And if it's night, we have surprisingly visible NAV and beacon lights so you know where planes are and which direction they're facing. You'd be surprised how smoothly stuff would run if all we lost was radar contact. Granted it wouldn't be sustainable and would result in some temporary groundings but it's not like planes would be falling out of the sky or crashing into each other. A much more legitimate concern to have is that of hacking the avionics of an airplane. Renderman brings up the work of Chris Roberts, and what he's been able to do is quite astonishing yet not that surprising. On the Boeing 737-8, for example, it incorporates new technology in the cockpit but all control surfaces are still directly linked to the cockpit and can function even with a complete loss of avionics. In several Airbus aircraft this is not the case as they are fly-by-wire, meaning there's a CAT6 in-between the stick and the actual control surfaces. Well, not literally, but you get the point. Seriously, though...the avionics compartment of an A350 looks like a Google datacenter. I can only imagine the vulnerabilities when you have passenger wifi running in the same space as a, for all intents and purposes, LAN network for the entire airplane's systems.

This is why automatic systems need to be able to be overrides by a human pilot. If a human get incapacitated or fail to notice a error, the computer can adjust it for him. If the computer got spoofed or malfunctioned, the human pilot can take over. They should work together. Never should the computer system take complete control

You talk about eaves droping but you can already essentially do this with "older" methods. All airtraffic voice is easy to listen too (though maybe illegal depending on your country). Flights are filed before they are flown and data of where these flights will go are relatively accessible. Commercial flying isn't secret as ground based attackers would need some serious equipment to actually intercept a flight (we're talking missiles) and mostly flights avoid areas where known threats such as this happen. There seems to be a lot of paranoia from extremely unlikely sources and there's an extent to which you have to just say living is dangerous.

They should do what we do with https and have a central agency or multiple ones.

@18:35 I don't get the point about "the average public" being able to look at a flight map. I know it might sound crazy, but the average public can look up in the sky to see where planes are. I don't even need to look up to know that there is a line of planes taking off every few seconds from my local airport and by afternoon there will be at least two lines coming in. If I cared about specifics, I could go to any booking site.

Whatever you do, safe aeronautical navigation needs some kind of radio transmission to work (wether it's voice or any other data). Any radio transmission can be jammed, therefore security/safety can not be achieved...

'I'm not trying to spread FUD' (quote from the video) - which was most of the talk until the demo @ 42 minutes onwards.

Well the thing is that ads signals are received on the ground are received at more than one site which are geographically diverse. Therefore you would need to know where all these sites are and you would need to inject the same data into all the sites at the same time otherwise the conflicting ADS receiver would be taken out of service and everything would carry on as normal.

You could use this to distract them from a real attack

thumbs up if you were receiving ADSB while you were watching this video

Send a ghost plane hurling towards a tall building in a major american city and the FAA are not going to be allowed to implement this until these issues are sorted.

Is that Hackerman from Kung Fury?

And that's what I get for browsing comments before the video is over. Dammit.

One point from the presentation worth countering 10:24 - even if the air traffic control was real time and perfectly accurate, planes would still have to wait several minutes before coming to land due to wake turbulence. In fluid dynamics, wake turbulence is essentially like the force from a current of water coming from behind a boat, hence the name, although with a plane the force of air being thrust from the engines (backwash) and the vortexes coming from the wings is enough to 1) move the plane forward at 100's of miles/hour, and 2) enough to lift the plane off the ground and elevate it to 30,000 ft. Especially with larger planes, coming too close to these forces even on the ground is enough to knock you off your feet and cause serious injury, and to planes, especially those smaller in size than whoever caused the wake, it causes massive turbulence and also loss of lift in the wings (especially bad close to the ground i.e. near airports, which is almost always unrecoverable due to such little time to react). Essentially, it wouldn't be useful to have planes up each others' arse when coming into land or take off even if it were possible to coordinate such a thing - takeoff/landing is not the time to be fighting someone else's' wake turbulence - if ever such a time exists haha

A time map and altitude sensors, could simply help by verifying.

Why not get in touch with Iron Maiden about borrowing Ed Force One?

That scene From the NET comes to mind when Dale's cessna flies into the mountain.....

Do blimps use ADS-B?

Forgive me if my comments are old hat or if I'm guilty of stating the obvious - I know little to nothing about everything discussed here but I feel there may be something useful in my interpretation of what I am hearing explained here. If radar is loosely considered to be an extension of radio, is the development of ADS-B actually nothing more than a reconfigured DBS Digital Broadcast System? (TV and radio programme information encoded in the signal) Progressing from radio broadcast onto a digital cellular network where 'triangulation' or '3 points of contact' is a functional requirement means as you're smart phone moves around a city it is continually seeking out in all directions for the best 3 base station connections. So if DBS points to ADS, have they applied this cellular solution to air trafficking? Your IMEI being viewed now as an FAA callsign and your handset for example represents the aircraft's physical GPS location? This presentation has correctly demonstrated a distinct lack of authentication protocols that weren't necessary when monitoring data instead of people in planes!

Does it still work like this?

I don't know but do you realize that DefCon is also a security conference, which the title is referring to.

Oh wtf I just clicked the link on a comment reply section and it made me go back to this damn

2020 ends, Any news ?

This is terrifying.

It is very distressing to see many people in the comment section who think it is okay this way. This is mission crtitical data! And it is not read-only, if you have a transmitter! Everyone seems to talk about jammimg and complete loss of something. It is obvious, and probably some backup will get used. But what if an attacker just "shifts" some aircrafts position, not that much to instantly raise any alerts, but enough to achive some bad result? Mailicious systems are thrown out, identified, as somebody said... Is there exist any such network, which correlates different systems, at different locations to determine if some data is plausible or not? What if he does that attack in an area, where the technology level is low, skill levels are low, and probably can do it without noticing? What this system is for, if you can't really trust it, especially not for the purpose it originally built for? Who the hell thought that unauthenticated data transmission in these decades is a good idea? It is proven bad idea countless times, in many areas. While the technology is there for decades now. In 2020, where you could store the public keys of the world on an SSD in your pocket... 🤦‍♂️

ADS-B is unencrypted and unauthenticated :D

Do they have any idea why the atsb in and out receivers are 5 and 20000 dollars? How could they be that expensive? I'm sure the components are pretty simple

No disrespect, and you point out a few legitimately concerning things/possibilities, and I'm not dismissing the need for attention to "this," but....there's way more to all of what's going on up in the wild blue yonder that you're not "getting," for whatever reason(s). Speaking as a general aviation pilot, you're a bit underinformed and over-hyping here. Cheers.

43:57 imagine someone did that and the tower be like "well, time to say goodbye, yo momma is gonna hit us"

This is genius, I honestly never would think of this, nice upload

This is some of the most cute responses I've seen in the KZbin comments section, respectfully reacting to a misunderstanding. Now I wish more people were like you.

hmm I would imagine the displays that process ADS-B returns have some sort of way of eliminating duplicates it would probably cause a lot of havoc if you were to listen on 1090 for a certain aircrafts outgoing pings, and then literally RIGHT afterwards, ping with the exact same aircraft details and GPS but an altitude that starts to veer away from the real altitude in a way that causes a conflict, if the receiving system literally just updates the real altitude with your new fake one 1ms after the real packet arrives with your fake one hm. Scary stuff.

I am wondering what Came of this...

Why not use public key decryption? Maybe with the private keys being hardwired into the machines with a system so that it is never kept on record anywhere.

Looking at the engine through the network by his window...jesus...

41:50 brilliant

FlightAware is offering free ADS-B flighfeeders to enable it to track better - scary!

This is just scary...

10:20 ... TCAS enables pilots to see other aircraft

TCAS does neither give left/right guidance (only climb/descent) nor is it linked to the autopilot in any aircraft. Our research group, working with pilots, air traffic controllers and avionics developers has done a lot research on these systems. The information from the video is simply false.

I don't want to watch this because I'll never get on a plane again.

Nice presentation with some great food for thought from the past as the deadline approaches for installation... Sadly, this whole presentation seems to disregard alternative methods of communication. 1-Visual 2-Primary Radar 3-other types of transponder 4-TAS 5-TCAS 6-Good old voice communication 7-Airline adopted tracking systems ADS-B implementation won't mean that these methods completely disappear, just as pilots currently still talk to ATC despite the advances in Radar and Ground to air data transmission for text messaging.

A lot of systems aren't built secure. They just want to do them as cheaply and as quickly as possible. It's the sad state of the "lowest bidder" capitalism that we all know and love.

glad someone else finds protocols the go-to for manipulation

A better film to judge ATC back in the day, would be Pushing Tin imo.

Would it, though?

Is there a pongebob meme reference back in 2012 ? genious

thanx for upload man

any satellite live exploitations? watch live/track...etc

How Could Such an Important System by So Vulnerable? :(

Who's watching in 2020, "the year in which these mandates go into effect"?

my conspiracy hat goes on for laugh at the 12:00 mark what could shut down a full fleet of aircraft in 2020 oooh a world pandemic that restricts travel to other countries by air , not just in the US but all over for a few weeks to months

Oh, look, he is a hacker group member and he also goes to Poland. I am very impressed. Lets see if he can top my abduction of MH370.

This is the story of SS7 all over again.

this. force the government to send fighter jets after ghosts a few times and I think they will change the way they think about the security of the system.

oh...dear

Would make a good film.

czysta wyborowa, luksusowa, finlandia,wyborowa , Great Polish Voodka :D

Malaisian Airlines must watch this video....lol

perfectly fine working system that is safe. if only there was no bad intention. i have no bad intention, why would you?

42:10 - Oh shit....

that is just insanely not secure...

hackers will find a way to hack the "tasers and keyloggers."

"not spewing FUD" spews FUD for an hour

I'm just going to go sit in the corner holding my knees and hyperventilate for minute after watching this one

$5K, $10K, $20K Expensive? For commercial plane worth millions? For plane, which single trip brings more profit? Are you joking? It is like you would buy a car for say $50K and complain that lighter is expensive at $10 This is ridiculous

Shortest distance between two points isn't a straight line, but a curve. The Earth's sphere, remember

Nothing happened, right

22:02 add Angelina to that slide At 14 year of age, she created an embedded neural net in a raspberry pi to detect spoofed planes as result of ADS-B protocol being unencrypted and unauthenticated. kzbin.info/www/bejne/i2KQoYKGe7CWjtE

Encrypt with PGP :D

CISSP_ OH DEAR...

I don't quite see why he received this many negative votes and is being labelled stupid. He probably is just unaware of the DEFCON in this context and politely told people about the DefCon threat level. I thought his comment was nice.

COOL

the talk is great, but the powerpoint is simply horrible.

Now I can't stop thinking about 9/11 !

careful there...

YES! HAVE they checked that for instance, the gps coordinates are between -180 and 180 degrees? what if they're nonsensical? did the coder do a write into a tile caching table and forget to do the %360 and supplying values like 297 or 1028 is going to smash other bits of memory? why would they let all this insecure stuff go into REAL USE with REAL PLANES? I'm literally annoyed >.

Good god! Before i even got to the jamming part, already worked out you could jam the GPS signal with basically a repeater/access point (modified) or other RF transmitter sending random spam data on 1090MHz with higher interpolation than 1Hz, essentially whiting it out. Holy SHIT!