Securing ACARS: Data Link in the Post-9/11 Environment

Strange as it may seem, there are non-airline people around the world who are passionately interested in the widely used airline operational communications (AOC) data link. Most of them pursue ACARS–short for airborne communication addressing and reporting system–as a hobby, to spot airplanes and track them at home on personal computer map displays. Their Web sites dispense free ACARS decoding software, tips and even live message feeds to like-minded enthusiasts.

Although ACARS message security has been a concern for years, up until now not that much has been done about it. Its use of a proprietary, character-oriented protocol makes messages fairly difficult to interpret, even if they are successfully decoded. You get a string of characters, but what do they mean?

In addition most airlines don’t use standard message types, says Southwest Airlines’ Doug Murri, who chairs the Airlines Electronic Engineering Committee (AEEC) group charged with finding a common approach to ACARS security. The actual messages can be modified by the airlines. Some carriers, for example, use internal codes rather than standard phrases in their messages, making the communications more difficult to understand. "Everybody tweaks [ACARS] a little bit," Murri says.

Manufacturers of ACARS radios have made low-level encryption software available over the last five years. But few carriers have adopted it, given the industry’s financial straits and the difficulty of implementing and administering the solutions. Nor are those solutions standard. Two domestic airlines and one or two international airlines are believed to be using this security software.

So far, ACARS messaging seems to have been relatively incident-free. "I don’t think we’ve ever seen an instance of spoofing," comments Arnold Oldach, principal marketing manager for surveillance and data link products with Rockwell Collins Commercial Systems. (Spoofing is when an outsider is able to pose as the sender of a message.) The worst thing that has occurred, experts say, was the apparent decoding of an ACARS message about a passenger disturbance, which made its way into a newspaper.

FAA is aware of the problem. A presentation by the agency and BCI at an industry conference in 2004 discussed downloadable software that lets users, via ACARS, track the position of aircraft on a map and provides contact reports and message logs.

ACARS is a vital commercial data link between flight crews and their airline dispatch offices. Messages can communicate information such as weight-and-balance data, weather and maintenance reports, engine and fuel data, flight plans, position reports and estimated time of arrival. "Free text" messages are used to discuss and decide on actions such as diversions. ACARS also is used for air traffic control (ATC) messages such as departure and transoceanic clearances. This ATC aspect reinforces the need to make the system more bullet-proof.

Industry Response

The terrorist attacks of Sept. 11, 2001, were a catalyst to carriers’ long-standing concerns, says Murri. ACARS was the most immediate issue for AEEC. Because it’s something everybody has and everybody shares, it was a good place to start. Carriers don’t want proprietary information, such as passenger or engine problems, getting onto the front pages of the papers or the evening news because of the potential damage to their business or brand.

The issues have been discussed in the AEEC data link users forum since 9/11. This group set the stage for the current Data Link Security (DSEC) Subcommittee, which Murri chairs. It was established in November 2005 and had its first meeting in January 2006. DSEC is developing a standard, which eventually will be known as ARINC 823. Its meetings have included representatives from Southwest Airlines, Air France, American Airlines, Continental, Boeing, Airbus, the U.S. Air Force and avionics companies. Lufthansa follows the activity closely but has not attended the meetings.

DSEC will define the ACARS security infrastructure, processes and provisions for creating and using a security system. The goal is to establish a specification that avionics companies can use to create interoperable solutions. After completing the ACARS work, DSEC plans to look at aeronautical telecommunications network (ATN) and Internet protocol (IP) security, perhaps in a different spec. The ACARS security infrastructure must support security measures in an IP environment. Murri hopes to have the ARINC 823 spec out before the end of the year.

The airlines also are aware of security issues with more advanced technologies. The time may come, for example, when carriers want to share broadband satcom links currently aimed at the cabin. Design engineers are studying this issue, but the carriers’ immediate concern is the security of the current data link.

The European Organization for Civil Aviation Equipment (EUROCAE), meanwhile, is undertaking a parallel effort, focusing on next-generation aircraft. EUROCAE’s Working Group 72 is understood to be developing guidance material for aviation authorities on how to assess security technology within the context of safety certifications. Some members of the AEEC group are participating in the European effort, so the two groups are aware of each other’s work and can avoid duplication. DSEC is not covering safety and security certification issues, Murri says. "We’re trying to hit encryption and authentication first," aiming at fairly high-level infrastructure concerns. Authentication is the electronic process by which the parties to a secure communication prove to each other that they are who they claim to be.

DSEC will cover areas such as interfaces, protocols, encryption algorithms and the method for establishing and releasing secure sessions and exchanging messages, advises Don Kauffman, technical manager with Honeywell Aerospace. The choice of encryption algorithms "gets to the heart of interoperability," he says. If someone encrypts a message using a Honeywell box with one set of algorithms but receives the message with a component using a different set of algorithms, the solution wouldn’t work. He notes the concept of "algorithm negotiation," under which the air side and the ground side can select whatever the airline’s preference is. Airlines would be able to add optional algorithms in addition to a common set.

Air Force Push

While the airlines, through AEEC, have commissioned the ACARS security work, the largest near-term beneficiary may be the U.S. Air Force. The service is adopting the data link as part of its mammoth effort to achieve interoperability with civilian air traffic management (ATM) standards. (See story, page 34.)

The Air Force is less than happy with current ACARS security provisions. "If you do a Google search on ACARS, Web sites pop up where you can see hobbyists that intercept messages and post them to the Internet," says Capt. William Cobb, program manager for airborne networking with the U.S. Air Force Research Lab (AFRL). Hobbyists are a fairly benign group, but others with a scanner, a personal computer, ACARS decoding software and Internet access may not be. The military no doubt faces more sophisticated and determined threats.

It’s essentially an open link, Cobb says. "If you know what you’re looking for, it’s easily interceptable." He points to Web sites such as http://uk.groups.yahoo.com/group/acarsonline, devoted to posting intercepted ACARS traffic. Others offer free ACARS decoders, real-time message feeds and explanations of decoded messages.

ACARS is being fielded as part of the Global Air Traffic Management (GATM) program. The service’s Air Mobility Command (AMC) plans to equip 1,200 transport and tanker aircraft by 2020, half of them by 2012, according to David Kassander, a Mitre employee serving as communications, navigation and surveillance (CNS/ATM) lead with AMC headquarters. Approximately 300 aircraft have been equipped so far, half of which have been certified to operate. AMC is acquiring ACARS in order to maintain access to airspace worldwide, he says.

AMC doesn’t pass any classified data over the link. Nor would it use ACARS for sensitive-but-unclassified information relating to cargo or passengers until stronger security is in place. "It’s an operations security issue," Kassander says. The service doesn’t want to telegraph intent. "If you throw in information that may be available on ACARS, AOC-type messages [relating to cargo and origin/destination], you can start to put together a picture of what types of operations may be going on." Although AMC wanted a security solution yesterday, it puts a high priority on interoperability, on getting a standard that all vendors can build to.

To address the security issue, AFRL initiated the Secure ACARS program in 2001, choosing Honeywell as the prime contractor in a competitive Dual Use Science and Technology (DUST) procurement. The program also followed existing International Civil Aviation Organization (ICAO) standards and recommended practices (SARPs) for implementing public key cryptography, Cobb says.

The AFRL program culminated in an end-to-end flight test in May 2005, which integrated Honeywell’s security software into the company’s Mk II communications management unit (CMU), operated from a test pallet in the back of a company King Air C90.

The technology was tested over a period of about four hours. "A lot of data was sent back and forth to test performance and data compression," Cobb says. The embedded software provides confidentiality, integrity and authentication.

Honeywell also developed a ground system, which could handle one aircraft in a single secure session. According to AFRL, the company received a contract from the U.S. government’s Technical Support Working Group to develop a robust ground server supporting at least 1,000 simultaneous sessions. Honeywell expects to perform final tests of the revamped software in late spring. It has obtained a patent for its method of encryption and compression over the ACARS data link, says Kauffman. "We’re in discussions with AEEC about providing this technology, so that others could use it and put it into a standard," he adds. This information would include specs, such as application programming interfaces and the functions that have to be performed in order to permit the development of interoperable, compatible implementations, Kauffman says. He adds that Honeywell has seen interest from the defense and space, air transport and regional, and business/general aviation markets.

Public Key Crypto

The industry is supporting "public key" cryptography as the approach to authentication. Honeywell uses commercially available public key algorithms which meet the "Suite B" guidelines of the U.S. National Security Agency, to set up secure sessions. The key sizes used with these algorithms are as specified by ICAO for compatibility with other aviation security solutions.

In an aeronautical application of public key technology, the air side and the ground side would have separate key pairs. The airplane, for example, would have two keys: the so-called "public key," which is known and published to a database, and a private key, known by the user, alone. As long as the private key is kept private, Kauffman explains, "the public key can be known to anyone, and it doesn’t compromise security."

If the aircrew wants to send a secure message, it first would request a secure session, says Cobb. The air side would use its private key to digitally sign the initial request, and the ground side would use the aircraft’s corresponding public key to verify the request. Honeywell’s approach allows this process to be conducted automatically or manually.

Honeywell says its approach can provide the real-time authentication, integrity and confidentiality services required to protect airline proprietary and military sensitive-but-unclassified messages. It says the technology "operates within the existing ACARS communications infrastructure," independent of the underlying wireless medium, whether VHF, HF or satcom. The approach can "coexist and integrate with legacy ACARS equipment currently installed on aircraft, in DSP [data link service provider] facilities, and in airline, military and third-party ground operations centers," Honeywell states. According to the company, a secure session typically would be initiated during routine ACARS startup, while the aircraft is parked at the gate. The secure session could be maintained from gate to gate.

Public key technology would not be used to encrypt the actual messages. Once a secure environment is established, more efficient, "symmetric keys" are generated at each end to exchange messages securely. Unlike the public and private key pairs, which can be set to last as long as several years, symmetric keys are one-time tools. The Honeywell approach also allows the user to define which messages will be encrypted and which won’t, Cobb says.

Public key encryption also involves the use of certificate authorities, third parties who are entrusted to hold an organization’s or individual’s public key and issue digital certificates binding the public key with the owner’s identity. The certificate contains the name of the owner of the key–for example, XYZ airline, tail number 123–and the owner’s public key. The certificate authority then signs this software identifier digitally, Kauffman explains. This allows anyone receiving a message from the entity named in the certificate to trust that the identity and the key are properly "married together." Public key encryption is so strong that the certificates can be published to an on-line directory server or even a phone book, Kauffman says. Members of the DSEC group are debating whether to have an airline-wide public key infrastructure (PKI), Murri says. Perhaps the large carriers could have their own infrastructure and the smaller ones share a common PKI.

The authentication process may seem cumbersome, but it simplifies the logistics of distributing encryption keys when there is a large number of users, Cobb explains. "If you want to send somebody information, and you have their public key–which is publicly available–you can send it without having a copy of the shared secret key. You don’t have to distribute shared secret keys to everybody involved."

Remaining Issues

One of the issues still to be addressed is whether the Honeywell solution is extensible to non-Honeywell CMUs. The main question is whether other suppliers’ hardware has enough processing power to handle the additional processing load, Cobb says. If Southwest Airlines, which already uses Honeywell CMUs, chose at some time to adopt an eventual Honeywell solution, it would not be too much of a stretch, Murri says. "The biggest issue would be legacy airlines with older equipment."

AFRL hopes to start a project this summer to evaluate the portability of the Honeywell software to other hardware. "Before we get too far down the road, we want to demonstrate the feasibility to put this onto all the other types of aircraft [with the ACARS link]." It may be necessary to bring in other vendors, he adds.

Another issue is whether to pursue end-to-end encryption, where a message is encrypted all the way from the airplane to the final recipient at an Air Force unit or airline operations center. This secures both the air-to-ground and the ground-to-ground link. Or the service could settle for encrypting only the air-to-ground link, a method called DSP-based encryption. Honeywell’s approach supports either architecture.

A combination of end-to-end and DSP security would be ideal, says AMC’s Kassander. (End-to-end for internal traffic and DSP-based for messages to ATC, vendors and other third parties.) AMC does not have a plan or requirement to encrypt routing information, which would involve a separate military ground network. And the DSP-based approach does at least protect the air-to-ground link, which is the easiest to intercept. The AEEC group faces the same question and has decided it needs to accommodate both approaches, Murri says.