The Federal Aviation Administration is in the midst of a multibillion-dollar upgrade of the nation's air traffic control system. The new system is called the Next Generation Air Transportation System, or NextGen. It will be highly automated. It will rely on GPS instead of radar to locate planes, and it is designed to allow air traffic controllers and pilots to pack more planes, helicopters and eventually drones into our skies.
But a number of computer security experts are concerned that the cornerstone of NextGen is insecure and vulnerable to hackers.
The current air traffic control system relies on radar.
Last week, I went flying with Mike Eynon, a private pilot and computer security expert. His plane is not equipped with the NextGen system, so we were on radar the entire time. Air traffic control pinged Eynon's plane, and a transponder built into his plane answered back — telling controllers where he was and who he was.
This call-and-response system has been in place for decades. But it's slow and not as accurate as GPS. Also, radar ground stations take up a lot of space and are expensive to maintain; and pilots can turn their transponders off.
The old system is getting overwhelmed.
In fact, when Eynon and I went up, the skies were so crowded over San Francisco that we weren't allowed into the airspace; instead, we headed west over the Santa Cruz Mountains. It's problems like this that NextGen was built to solve.
'Chaos In The System'
The cornerstone of this new system is automatic dependent surveillance-broadcast or ADS-B. Basically, planes will be equipped with GPS and will constantly send out little radio broadcasts announcing to the world who they are and where they are. (NextGen is being phased in over the next eight years. By 2020, planes will be required to use ADS-B to enter the more crowded areas of U.S. airspace.)
And recently, ADS-B has caught the attention of hackers.
"All this research was to try to prove to myself that air travel was still safe," says Brad Haines. "I basically failed at that." Haines is a slightly built Canadian computer consultant with multicolored hair. Online, everyone knows him as RenderMan. Haines is basically a hacker. He likes to take things apart and figure out how they work.
It turns out that ADS-B signals look a lot like little bits of computer code. But unlike traffic on the Internet, these signals are unencrypted and unauthenticated. And for computer security geeks like Haines, these are huge red flags. He soon realized he could spoof these signals and create fake "ghost planes" in the sky.
"The threats can be things like, if I can inject 50 extra flights onto an air traffic controller's screen, they are not going to know what is going on," he says.
Now, this hack won't make planes fall out of the air, but it could be dangerous. A fake plane could cause a real pilot to swerve — or a series of ghost planes could shut down an airport.
"If you could introduce enough chaos into the system — for even an hour — that hour will ripple though the entire world's air traffic control," Haines says.
Haines and a partner, Nick Foster, were not only able to create a radio capable of broadcasting spoofed signals, they were also able to hook a radio to a free online flight simulator game called Flight Gear. They used the game to create a ghost plane — a plane that would appear to be real to air traffic controllers using ADS-B — and then they buzzed San Francisco International Airport.
Here's a video that shows real air traffic as it mixes with a fake signal.
Haines and Foster didn't actually broadcast this signal — but all they would have needed to do in order to do that would have been to add an antenna and amplifier to their radio, and turn it on.
At a hacker conference in Las Vegas, Haines gave a talk spelling out exactly how to do it. (See his presentation slides.)
'A Collision Course With History'
More than 4,500 miles away in France, Andrei Costin, a Romanian grad student, realized the same thing. Working independently, Costin built a little software-defined radio hooked to a computer that created fake ADS-B signals in a lab. (Read Costin's white paper.)
His setup cost less than $2,000. Building and deploying ADS-B across America has cost considerably more. "This technology by now cost $1.1 billion," Costin said.
And it's not just Romanian grad students and Canadian hackers who have expressed concerns about the security of the next generation of air traffic control.
Last year, Air Force Maj. Donald L. McCallie, studying cyberwarfare at the Air Force Institute of Technology, wrote about the same kinds of attacks, and concluded that this system may put us "on a collision course with history."
Until now, the FAA has been reluctant to respond. It hasn't released data from its own security test, and the agency's initial response both to the Air Force paper and the more recent hacks has been muted.
Initially, the agency released a one-paragraph statement that said in part: "An FAA ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action. These risks are security sensitive and are not publicly available."
Pilot Mike Eynon says the FAA "seems to almost be taking the stance of security through obscurity, which only works for a short period of time."
Eynon is not only a pilot; he knows something about security. He's the co-founder of Silver Tail Systems, a computer security firm that's been backed by the CIA.
"I always am a firm believer in making the system transparent and having others actually help you make the system more secure by understanding it," Eynon says.
In the past week, the FAA has become a bit more forthcoming. Officials there say as the NextGen system has been phased in, it has never recorded a spoofed or ghost plane in the sky over the U.S. And they say that even if a hacker did create a ghost plane, there are systems in place that would automatically catch it and weed out the fake signal before it could confuse air traffic controllers or pilots.
The FAA is building a network of more than 700 ADS-B receivers spread across the country. Although eventually the agency plans to decommission hundreds of radars, hundreds more will remain in place.
Weeding Out The Fakes
FAA officials told NPR that NextGen will validate ADS-B signals in three ways.
First, the system will use existing radars to check to make sure that ADS-B signals are real.
Second, it will automatically check to make sure that correct ADS-B receivers are picking up ADS-B messages. So, for example, if someone created a spoofed or ghost plane flying in Montana but sent the signal to an ADS-B receiver in California, the NextGen system would automatically recognize that signal as fake and weed it out before air traffic controllers could see it.
Finally, the system will use physics to try to pinpoint exactly where every ADS-B signal is sent from. It will track when each ADS-B message is received by each ADS-B station, then use the slight time differences to nail down where the signal originated. This technique is called multilateration. But for it to work, there must be multiple listening stations receiving every ADS-B signal.
"If the FAA is really using multilateration, that's a great sign," says Haines' partner, Nick Foster. "But I still wonder if it would be possible to fool the system on the edges. I think the FAA should open it up and let us test it."
Other researchers like Capt. Domenic Magazu at the Air Force Institute of Technology agree. Magazu is concerned that these techniques might not help pilots spot fake ADS-B signals quickly.
A paper by Magazu on this topic will appear this fall in the Journal of Aviation and Aerospace Perspectives.
And researchers from Brad "RenderMan" Haines to Air Force Maj. Donald McCallie have all asked the FAA to be more transparent about how it's testing a multibillion-dollar system the public will soon rely on to keep it safe in the air.
Copyright 2012 National Public Radio. To see more, visit http://www.npr.org/.