ADS-B signals on the military side can include classified aircraft position data. On the commercial side, that could be sensitive, valuable financial data. Breaches of one or many aircraft simultaneously might compromise national security, privacy and physical safety in the air or on the ground.
Joe Kirschbaum, GAO’s director of defense capabilities and management, led a January study team that tracked and identified flaws in various ADS-B-fitted U.S. military aircraft. In a February interview, he underscored the inherent dangers in both the FAA’s and the U.S. Defense Department’s foot-dragging on compliance and, particularly, in the seemingly scarce ADS-B threat mitigation solutions for military aircraft. He called the glacial movement on both fronts “problematic.”
The Pentagon, he said, has not ensured its FAA-mandated implementation of NextGen “is accompanied by effective security measures and capabilities.” At root the two agencies have been “ignoring the security goal in favor of the [2020 ADS-B] mandate compliance.” Consequently, “The more military aircraft equipped with ADS-B without those security measures, the greater the operation security risk to those aircraft and the national defense.”
The redacted version of the GAO’s latest report has little on specific threat vectors. But Kirschbaum said a key concern is that “as ADS-B is integrated into aircraft avionics, it will have the same kinds of potential vulnerabilities as many other internet-based technologies in terms of potentially being activated or de-activated remotely and without permission.”
That includes the U.S. F-22 warplane. Citing a 2015 RAND Corp. study commissioned by the U.S. Air Force, GAO said the stealthy Raptor was among aircraft vulnerable to cyberattack.
ADS-B also is susceptible to aggressive electronic warfare. Given that the FAA is planning to divest radars as ADS-B is phased in, Kirschbaum said, “homeland defense could … be at risk, since the North American Aerospace Defense Command relies on information from FAA radars to monitor air traffic.”
The overarching concern, he explained, is that “the entire premise of ADS-B is that the information is not encrypted and therefore available to all to ensure safer navigation and air traffic control. Unfortunately, flying unencrypted introduces the kinds of vulnerabilities we highlighted in our January report.” These include spoofing, jamming, ghosting and the like. Among other tactics is inserting fake “ghost” aircraft.
That is why ADS-B security integration decisions and potential solutions to the problem “should have been on the top of the priority list for all concerned from the beginning.” Now, “even greater effort and disruption will have to result to rectify the problem.”
It is the third time in recent years that GAO has examined ADS-B regulatory and security shortcomings.
In a 2015 GAO report, four cybersecurity experts said firewalls aimed at protecting ADS-B “could be hacked like any other software and circumvented.”
In 2008, GAO warned about increased risk of compromise for ADS-B versus standard Mode S transponders in military “sensitive missions.”
Kirschbaum lauds the FAA and Defense for pursuing new technologies like ADS-B that “hold promise for efficiency and effectiveness,” but he criticizes them for the “insufficient attention paid to the security impacts and effects.”
Bolstering GAO’s latest findings are results of simulated cyberattacks on avionics systems by others, including private labs, academics and lone-wolf hackers. One was undertaken in 2016 by a Department of Homeland Security (DHS) team involving a legacy Boeing 757 airliner; a DHS cybersecurity investigator hacked into it easily.
Robert Hickey told reporters afterward, “I [performed] a remote, non-cooperative penetration.” Without his touching the aircraft and with no one aboard it, Hickey managed to remotely “establish a presence on the aircraft’s systems,” he said. Hickey noted the incursion did not encompass ADS-B, per se, but illustrated gateways available to adversaries.
Some ADS-B hackers likewise claim success acquiring position and other data with $100 handheld “point-and-capture” devices aimed at aircraft overhead.
Reactions from Defense and the FAA to the GAO and DHS hacks vary. The Pentagon, mindful of information security protocols, has not commented on the latest GAO findings. Defense officials declined to address numbers of fixed- and rotary-wing military airframes fitted with ADS-B, or countermeasures recommended as adjuncts for it.
The FAA’s website, meanwhile, acknowledges that while ADS-B data can be received by “any aircraft, vehicle or ground station equipped to receive ADS-B,” no encryption is specified.
An FAA communications official, when asked why encryption, a standard tool, was not recommended or required for military or other mandated aviation sectors, said the agency doesn’t view risks to ADS-B as more serious than the electronic spoofing or intentional jamming risk “associated with … radar systems employed to separate aircraft today.” Besides, the U.S. air traffic system relies upon “redundancies and independent backup capabilities” as safeguards, this source added.
Responding specifically to the aircraft hack by DHS, the FAA said in a statement, “We have reviewed the findings of the [DHS] report and determined that they do not represent a threat, regardless of aircraft type, to the safety of aircraft operations.” Moreover, during the past decade, the FAA said it has “developed stringent cybersecurity standards and security protocols.”
For the burgeoning helicopter market, several firms are engaged in supplying ADS-B. For example, L3 Vertex under a U.S. Navy contract has been providing ADS-B to about 100 TH-57 Sea Rangers, a military version of the commercial Bell Jet Ranger 206. Though mainly used for training, the Rangers also are employed for photo, chase and utility missions. Like all rotorcraft, they require DO-260B ADS-B-compliant transponders and GPS receivers.
Another player is ACSS, an ADS-B equipment supplier for all aircraft segments. Eric Baumert, VP of sales, said safeguards for military ADS-B systems “must be compliant to the DOD’s DFARS 252.204-7012, i.e., the ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’” protocol. The radio frequency interface and respective avionics equipment interface also must meet all industry regulations and specifications.
The firm ensures its software is scanned for viruses and malicious code before releasing it. Products also aren’t connected to any aircraft networks, so they “can’t be accessed by any external influences.” Such processes mitigate threats, he concluded.
A version of this article was originally published on sister publication Rotor & Wing International.