ghost is in the air traffic
play

Ghost is in the Air(Traffic) Andrei Costin - PowerPoint PPT Presentation

Mar 05, 2024 •137 likes •708 views

Ghost is in the Air(Traffic) Andrei Costin <andrei.costin@eurecom.fr> Aurelien Francillon <aurelien.francillon@eurecom.fr> andrei# whoami SW/HW security researcher, PhD candidate Mifare Classic Hacking MFPs Interest in MFCUK

  1. Ghost is in the Air(Traffic) Andrei Costin <andrei.costin@eurecom.fr> Aurelien Francillon <aurelien.francillon@eurecom.fr>

  2. andrei# whoami SW/HW security researcher, PhD candidate Mifare Classic Hacking MFPs Interest in MFCUK PostScript avionics http://andreicostin.com/papers/ http://andreicostin.com/secadv/ 1

  3. Administratrivia #0 DISCLAIMER  This presentation is for informational purposes only. Do not apply the material if not explicitly authorized to do so  Reader takes full responsibility whatsoever of applying or experimenting with presented material  Authors are fully waived of any claims of direct or indirect damages that might arise from applying the material  Information herein represents author own views on the matter and does not represent any official position of affiliated body  tldr;  DO NOT TRY THIS AT HOME!  USE AT YOUR OWN RISK! 2

  4. Administratrivia #1 FEEDBACK SURVEYS Please complete the Speaker Feedback Surveys Thank you (= 3

  5. Agenda 1. Intro to ATC 2. ATC Problems Today 3. What is ADS-B? 4. ATC Problems Tomorrow - ADS-B Threats 5. How can ADS-B be exploited? 6. Solutions and take-aways 4

  6. ATC Today… 5

  7. How do radars work without ADS-B? 6

  8. SSR transmits basic solicited data  SSR is solicited type of communication  Solicitation via XPDR  Solicitation via voice VHF  Example of data from SSR XPDR:  Aircraft Address  Altitude  Code (squawk)  Angles (Roll/Track) 7

  9. SSR transponder (XPDR)  XPDR sends so-called squawks  In this example – it squawks code 1200 8

  10. How SSR displays look like? 9

  11. Agenda 1. Intro to ATC 2. ATC Problems Today 3. What is ADS-B? 4. ATC Problems Tomorrow - ADS-B Threats 5. How can ADS-B be exploited? 6. Solutions and take-aways 10

  12. Inputs are not robust enough Automatic Dependent Surveillance - Broadcast (CASA, 2006)  TCAS (Traffic Collision Avoidance System) = very critical component in the air- traffic safety  ACID coordinates the harmonized operational deployment of Mode S Elementary Surveillance 11

  13. Automatic Dependent Surveillance - Broadcast (CASA, 2006) Inputs are not robust enough 12

  14. Input mistakes have severe implications Garmin GTX32x Avionics Tranponders 13

  15. Agenda 1. Intro to ATC 2. ATC Problems Today 3. What is ADS-B? 4. ATC Problems Tomorrow - ADS-B Threats 5. How can ADS-B be exploited? 6. Solutions and take-aways 14

  16. ATC Tomorrow – NextGen, ATC/M and eAircrafts 15

  17. ADS-B is a $billions world- wide effort from 2006… US GOV ITDashboard - FAAXX704 (ADS-B) 16

  18. “unmatched” security, but hey… “Safety - first!” RTCA UAT MOPS DO-282A ADS-B 17

  19. Guidance for the Provision of Air Traffic Services Using ADS-B for Airport Surface Surveillance How does ADS-B work? – Architectural view GPS GLONASS GALILEO 18

  20. ADS-B – INsideOUT … ICAO/FAA ADS-B Implementation Workshop  ADS-B is being used over 2 existing technologies:  Mode-S – 1090 MHz (replies) and 1030 MHz (interrogation)  UAT (Universal Access Transceiver) – 978 MHz (replies) 19

  21. Australia Airservices ADS-B Coverage Map ADS-B Deployment Map – Australia 20

  22. FAA NextGen Technologies Interactive Map (ADS-B) ADS-B Deployment Map – USA 21

  23. How does ADS-B look like? – Community view 22

  24. How does community get this data? AirNav RadarBox Mode-S Beast with miniASDB Kinetic SBS Summarized list of enthusiast-level ADS-B radar receivers microADSB USB PlaneGadgets ADS-B Aurora Eurotech SSRx miniADSB Funkwerk RTH60 microADSB-IP BULLION 23

  25. ADS-B frame – modulation, format  Frames encoded in  Pulse-position-modulation (PPM)  1 bit = 1 us  Shared-medium ( no CA/CD ), theoretical bandwidth 1 Mbit/sec 24

  26. ADS-B frame – modulation, format  Frames encoded in  Pulse-position-modulation (PPM)  1 bit = 1 us  Shared-medium ( no CA/CD ), theoretical bandwidth 1 Mbit/sec  Frames composed of  A preamble  8 bits for TX/RX sync  A data-block  56 bits for short frames  112 bits for extended/long frames  Mandatory to have  24 bits ICAO address of aircraft  24 bits error-detection parity 25

  27. Agenda 1. Intro to ATC 2. ATC Problems Today 3. What is ADS-B? 4. ATC Problems Tomorrow - ADS-B Threats 5. How can ADS-B be exploited? 6. Solutions and take-aways 26

  28. ADS-B Main Threats – Summary ADS-B Threat Fail / warn / ok Entity/message authentication Entity authorization (eg. medium access) Entity temporary identifiers/privacy Message integrity (HMAC) Message freshness (non-replay) Encryption (message secrecy) ADS- B is almost like “ALL R/W with ‘Guest as Admin’ enabled” 27

  29. Potential mitigations exist… but are not public  Mode-4/Mode-5 IFF Crypto Appliqu é  2-Levels Crypto secured version of Mode S and ADS-B GPS position  Defined for military NATO STANAG 4193  Enhanced encryption  Spread Spectrum Modulation  Time of Day Authentication  Level1:  Aircraft Unique PIN  Level2:  Level1 + other (unknown for now) information  Apparently based on Black & Red keys crypto  ADS-B also specifies, but not details available about crypto/security:  DF19 = Military Extended Squitter  DF22 = Military Use Only 28

  30. Agenda 1. Intro to ATC 2. ATC Problems Today 3. What is ADS-B? 4. ATC Problems Tomorrow - ADS-B Threats 5. How can ADS-B be exploited? 6. Solutions and take-aways 29

  31. ADS-B – Adversary Model – By role  Pilots  Bad intent  (Un)Intentional pranksters  Pranksters  Abusive users/organizations  Privacy breachers – eg. Paparazzi  Message conveyors  Criminals  Money (more likely). Eg .: Underground forums with “Worldwide SDRs for hire” – potentially very profitable underground biz (think sniff GSM)  Terror (less likely)  Military/intelligence  Espionage  Sabotage 30

  32. Example: internal prankster attack 31

  33. Example: external criminals potential attack  Similar to “internal prankster”  Should not be overlooked though  Any of the fields can be used to encode attacker’s data  For communication similar to C&C (Holywood- style “avionics botnet ”)  For exchanging intelligence data  Attacker’s data can be: obfuscated, encoded, encrypted  Data could mimic real/sniffed ADS-B messages having minor intentional errors/discrepancies which would encode attacker’s data  Example: See the demo 32

  34. Example: external abusers + public data correlation Strategically positioned Have a well-defined target Poses inexpensive devices Can publicly access private details (why is this allowed?!) 33

  35. Public access, seriously? USA (FAA) 34

  36. Public access, seriously? Australia (CASA) 35

  37. Public access, seriously? CAA (UK) 36

  38. ADS-B – Adversary Model – By location  Ground-based  Easier to operate (win criminals)  Easier to be caught (win agencies)  Easier to defend or mitigate against (win agencies)  Eg. Angle of arrival, time-difference of arrival  Airborne  Drones  UAV  Autonomously pre-programmed self-operating checked-in luggage:  Pelican case, barometric altimeter, battery, embed-devs , GPS, RF…  Possibly could work around angle of arrival  Could pose more advanced threat to ADS-B IN enabled aircrafts  Important: not extensively modeled in the attacker & threat modeling of Mode-S/ADS-B 37

  39. Scenario showcase #1 82-000 747-2G4B VC-25A ADFDF8/AE2FF4 ?!?!?! 38

  40. Scenario showcase #1 82-000 747-2G4B VC-25A ADFDF8/AE2FF4 ?!?!?! 39

  41. Scenario showcase #1 – Privacy 82-000 747-2G4B VC-25A ADFDF8/AE2FF4 ?!?!?!  Assumptions:  ADS-B is ALL R/W = Clear-text and No privacy  Open issues:  If ADS-B data is true  Why does “Air Force One” shows itself?  Should this type of aircrafts broadcast their pos/ident?  If yes, wouldn’t they become easy targets?  If no, how would they benefit to/from ADS-B?  If workaround with “fake” reg_nums/call_signs , isn’t this a kind of backdoor in CS terms?  Perhaps they use mostly Mode-5 encrypted mode  Then, why doesn’t everybody have access to Mode -5 in the first place? 40

  42. Scenario showcase #1 – Impersonation 82-000 747-2G4B VC-25A ADFDF8/AE2FF4 ?!?!?!  Assumptions:  ADS-B is ALL R/W = Non-auth (access and messages)  Open issues:  If ADS-B data is false  Someone is already spoofing or not?  How do you know for sure if yes or no?  Also, anyone can say “I am Air Force One”  Does “Air Force One” has special ATC treatment?  If so, can this be an abused procedural “backdoor”?  These open issues raise “uncertainties”  Unless otherwise clarified  Any “uncertainty” poses threat to safety of operation 41

  43. Potential for DoS on ATC human-resource  Attack:  Based on “Fake airplane injection into ATC” attack  Mitigation: there is a mostly manual procedure for an ATC operator to check a flight number against flight plans and flight strips ( flight strips is so 1900 , really!)  Twist1:  Inject 1 mln fake airplanes, both valid and invalid flight plans, filed by different flight plan systems  Result: Potential human-resource exhaustion  Fixes:  Have fully e-automated flight plan exchange and cross-checks  Better, solve ADS-B insecurities and potential is nullified 42

Recommend

Erin Murray The general first idea was to have a playful ghost flying around a building for

Erin Murray The general first idea was to have a playful ghost flying around a building for

Erin Murray The general first idea was to have a playful ghost flying around a building for their own enjoyment. The story of the ghost then became more prominent as I developed my storyboards. The ghost was looking for a place to haunt

336 views • 10 slides
The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM

The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM

1 The Ghost in the Machine Dawie van den Heever SSM with implants 2 SSM with implants 3 SSM with implants 4 ECG reconstruction &amp; classification 5 Robotic limbs 6 PANDAS 7 Ghost in the Shell 8 Ghost in the Machine 9

419 views • 17 slides
A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

REDRAIN &amp; MIN(SPARK) ZHENG A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain min(spark) zheng Qihoo 360CERT CUHK PhD Alibaba Security Expert Low-level security researcher Pentester with interest in

818 views • 52 slides
Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line

Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line

Ghost Peaks: How to Fix a Haunting Problem Jacob A. Rebholz Teledyne Tekmar VOC Product Line Manager Outline of Topics What is a ghost peak? How to identify ghost peaks and their source How to correct various sources of

561 views • 43 slides
Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH

Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH

Piloting HCV GHOST in Michigan www.michigan.gov/hepatitis November 29, 2017 Joe Coyle, MPH Outline MDHHS HCV Surveillance Basics of HCV GHOST Example of GHOST in Action Implications for Public Health Surveillance MDHHS HCV

455 views • 34 slides
Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R.

Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R.

Ghost River State of the Watershed (2018) - Ghost Watershed Alliance Society Photo credit: R. Drury State of the Watershed Report Formal process by Alberta Government Followed Handbook for State of the Watershed Reporting Used

470 views • 44 slides
Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita

Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita

Tap n Ghost A Compilation of Novel Attack Techniques against Smartphone Touchscreens Seita Maruyama 1 , Satohiro Wakabayashi 1 , Tatsuya Mori 1, 2 1 Waseda University, Japan 2 RIKEN AIP, Japan Tap n Ghost An attack against smartphones

508 views • 30 slides
Ghost effect by curvature Providence, November 2011 M&amp;MOCS MATHEMATICS AND MECHANICS OF

Ghost effect by curvature Providence, November 2011 M&amp;MOCS MATHEMATICS AND MECHANICS OF

Ghost effect by curvature Providence, November 2011 M&amp;MOCS MATHEMATICS AND MECHANICS OF COMPLEX SYSTEMS Universit` a dellAquila - Italy Ghost effect by curvature p. 1/39 Joint project with : L. Arkeryd R. Marra A. Nouri

749 views • 39 slides
Renormalizable ghost-free gravity Alexey Koshelev Universidade da Beira Interior &amp; Vrije

Renormalizable ghost-free gravity Alexey Koshelev Universidade da Beira Interior &amp; Vrije

Renormalizable ghost-free gravity Alexey Koshelev Universidade da Beira Interior &amp; Vrije Universiteit Brussel p-adics 2015 and Brankos fest Belgrade, September 11, 2015 Happy Birthday, Branko! Renormalizable ghost-free gravity Set-up

407 views • 23 slides
Ghost River Watershed Riparian Health Inventory 2011 Highlights March 10, 2012 Benchlands, AB

Ghost River Watershed Riparian Health Inventory 2011 Highlights March 10, 2012 Benchlands, AB

Ghost River Watershed Riparian Health Inventory 2011 Highlights March 10, 2012 Benchlands, AB Ghost River Watershed 2011 Ri par i an those green zones of water-loving vegetation along rivers, streams, lakes and wetlands

817 views • 47 slides
d 4 x g [ RF 1 ( ) R + RF Towards Ghost free and singularity free construction of

d 4 x g [ RF 1 ( ) R + RF Towards Ghost free and singularity free construction of

d 4 x g [ RF 1 ( ) R + RF Towards Ghost free and singularity free construction of gravity Anupam Mazumdar R F 5 ( ) R + Lancaster University R Warren Siegel, Tirthabir Biswas

970 views • 33 slides
The Global Ghost Gear Initiative: A global cross-sectoral approach to tackling derelict fishing

The Global Ghost Gear Initiative: A global cross-sectoral approach to tackling derelict fishing

The Global Ghost Gear Initiative: A global cross-sectoral approach to tackling derelict fishing gear in seafood supply chains Ingrid Giskes Global Head of Campaign Chair of Global Ghost Gear Initiative A global problem In 2009, UNEP &amp; FAO

362 views • 35 slides
Agent for Ms. Pac-Man vs. Ghost Team Competition ,

Agent for Ms. Pac-Man vs. Ghost Team Competition ,

Agent for Ms. Pac-Man vs. Ghost Team Competition , 2012030142 513 - Target Try to maximize your score by eating as many pills/power pills/ghosts as you can

504 views • 9 slides
Traffic signal optimization and traffic assignment Traffic signals Traffic signal optimization

Traffic signal optimization and traffic assignment Traffic signals Traffic signal optimization

Dagstuhl, October 2015 Traffic Signals and User Equilibria Martin Strehler , Ekkehard K ohler BTU Cottbus-Senftenberg { martin.strehler,ekkehard.koehler } @b-tu.de Traffic signal optimization and traffic assignment Traffic signals Traffic

577 views • 55 slides
May 17, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

May 17, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

May 17, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be, World without end! Amen, amen Call to Worship (our ancient writings usher us into this ritual) Why do we praise

473 views • 28 slides
Traffic Shaping, Traffic Policing Peter Puschner, Institut fr Technische Informatik Traffic

Traffic Shaping, Traffic Policing Peter Puschner, Institut fr Technische Informatik Traffic

Traffic Shaping, Traffic Policing Peter Puschner, Institut fr Technische Informatik Traffic Shaping, Traffic Policing Enforce compliance of traffic to a given traffic profile (e.g., rate limiting) By delaying or dropping certain

389 views • 11 slides
dfdfsadsfasdfadfadfadfafdfdf Glory be to the Father And to the Son And to the Holy Ghost As it

dfdfsadsfasdfadfadfadfafdfdf Glory be to the Father And to the Son And to the Holy Ghost As it

April 19, 2020 dfdfsadsfasdfadfadfadfafdfdf Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be, World without end! Amen, amen Call to Worship Why do we praise Christ this

387 views • 35 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
IST Today! Hw#5: Circuit design in Logisim A circuit for any function can be

IST Today! Hw#5: Circuit design in Logisim A circuit for any function can be

OK Recursing? Jotto Corner Faye / Garrett OKer than before? cs5 guess my guess alien: 1 diner: 2 diner: 0 savvy: 1 party: 0 savvy: 1 judge: 2 ghost: 0 ghost: 2 plumb: ? ????? : ? plumb: ? Submission Site vs. Sakai? Sakai can

1.29k views • 100 slides
April 26, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

April 26, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

April 26, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be, World without end! Amen, amen Call to Worship Why do we praise Christ this morning? Ephesians 4:1-8 Walk in a

496 views • 36 slides
Expanding Your Field of Vision What! Only one drink ticket?? Ghost of Christmas Past

Expanding Your Field of Vision What! Only one drink ticket?? Ghost of Christmas Past

Expanding Your Field of Vision What! Only one drink ticket?? Ghost of Christmas Past (Ghost of KYTC Past) KYTC Cash Model Christmas 2007 Cash Model Catastrophe! Cash Balance projected to be $10M in December 2009 Cash Balance

454 views • 19 slides
June 28, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

June 28, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the

June 28, 2020 Glory be to the Father And to the Son And to the Holy Ghost As it was in the beginning, Is now and ever shall be, World without end! Amen, amen Call to Worship (our ancient writings usher us into this ritual) Why do we

557 views • 44 slides
The Traffic Conflicts Methodology revisited Richard van der Horst Traffic Safety Assessment

The Traffic Conflicts Methodology revisited Richard van der Horst Traffic Safety Assessment

The Traffic Conflicts Methodology revisited Richard van der Horst Traffic Safety Assessment Traffic (un)safety Traffic Accidents limited reflection of traffic (un)safety Traffic Police reports Accident limited sample of

282 views • 26 slides
Intel AMT: Using &amp; Abusing the Ghost in the Machine Parth Shukla - timevortex@google.com

Intel AMT: Using &amp; Abusing the Ghost in the Machine Parth Shukla - timevortex@google.com

Intel AMT: Using &amp; Abusing the Ghost in the Machine Parth Shukla - timevortex@google.com Enterprise Infrastructure Protection 1 Project Goals 1 Explore the best* practical attack using Intel AMT 2 Present a holistic perspective

808 views • 48 slides

More recommend