1 of 32

Security and Privacy

of Air Traffic Communication

Tatiana Polishchuk, KTS, LiU

AEAR group

2 of 32

Wireless Communication Technologies in ATC

* A figure by M. Strohmeier in Security in Next Generation Air Traffic Communication Networks - STATE OF THE ART paper

3 of 32

Wireless Communication Technologies in ATC

* A figure by M. Strohmeier in Security in Next Generation Air Traffic Communication Networks - STATE OF THE ART paper

  • Security was not a part of their design
  • Multiple attacks are reported yearly (~1000 according to EASA)
  • Cheap and powerful tools (SDRs, UAVs) are easily available for intruders
  • Mismatch between the aviation community and security research advances

4 of 32

Commercial Data Link Vulnerabilities

  • ACARS - aircraft communications addressing and reporting system

  • ACARS broadcasts are completely in the clear
  • Sensitive data often sent to ground from aircraft, such as on-board security and/or safety information
  • Aircraft maintenance issues, private passengers’ information
  • No method of authentication implemented for AOC, ATS, and ATC messaging
  • Amateur hackers and aviation enthusiasts are decoding ACARS messages and placing them on the Internet for public viewing

5 of 32

Community of Hobbyists: available equipment

  • VHF Data Link modulation
  • Straightforward to modulate and demodulate with a software-defined radio (SDR)
  • GNU-Radio project with open source SDR code
  • Inexpensive transceivers are available to utilize
  • Drones make it easier
  • Without protection on the link, a hobbyist can successfully use an off-the-shelf radio

6 of 32

What we can do

  • Study vulnerabilities of the system
  • Analyse current security threats
  • Propose countermeasures
  • Provide an insight towards a genuine solution to protect the whole system

7 of 32

CYBSEC Pre-studies on CPDLC and TCAS

  • Literature review
  • Focus: air to ground (CPDLC), air to air (TCAS)
  • Threat model (IMPORTANT!)
  • Countermeasures (ATM IS TO BE PROACTIVE)

8 of 32

Current research (CYBSEC)

  • Study vulnerabilities of the selected technologies: CPDLC, VHF, TCAS, ACARS
  • Analyse current security threats
  • Propose countermeasures
  • Compare and explore

Goals

  • Build a bridge between the air traffic and research communities
  • Increase awareness of ATM in the recent research advances

9 of 32

Controller Pilot Data Communication (CPDLC)

  • Secondary communication channel
  • Message-based (one-to-one, unlike VHF)
  • Enables controllers to issue ATC clearances (level assignments, lateral deviations/vectoring, speed assignments, etc.), radio frequency assignments, and various free text requests for information
  • Reduces mid-air collision risk
  • Decreases voice traffic on radio frequencies

REF: A. Gurtov, T. Polishchuk, M. Wernberg. Controller–Pilot Data Link Communication Security. Sensors 2018, 18 (5), 1636; https://doi.org/10.3390/s18051636

10 of 32

Controller Pilot Data Communication (CPDLC)

  • Based on Data Link Mode 2 (VDL2)
  • frequency band: 118.000 - 136.975 MHz
  • data rate: 31.5 kbit/s (limited!)
  • connects via: Aeronautical Telecommunications Network (Europe, continental) or Future Air Navigation System FANS-1/A (US and oceanic airspace)

CPDLC intro

11 of 32

CPDLC logon process

  • Logon request is initiated by a/c crew
  • 4-character ID of the Air Traffic Services Unit (ATSU)
  • Automatic switching to another ATSU in flight

12 of 32

CPDLC logon request message

  1. A/c ID (item 7 of the flight plan)
  2. Departure and destination a/d (items 13 and 16)

13 of 32

CPDLC logon request message

14 of 32

Requirements for a secure communication system

  • #1. Authentication - the pilot (not the aircraft) is to be authorised
  • #2. Confidentiality - usually provided by encryption
  • #3. Integrity - questioning validity and trustworthiness
  • #4. Non-repudiation - public/secret key pair
  • #5. Availability - increased response time, timeouts, or denial of service

15 of 32

Possible attacks against CPDLC technology

  • Eavesdropping - an unauthorized party listens to the data w/o permission (no actions, special equipment needed)
  • Jamming - denies the victim access to the service (noise, restricted capacity) - active attack, but easy to detect using a directional receiver
  • Flooding - blocking access to the service by sending multiple packets, leading to overload of the queue and standstill of the system
  • Injection - sending unauthorized messages (not originated from the source) - severe attack, difficult to detect
  • Alteration - modification or replacement of the legitimate data - severe attack
  • Masquerading - the attacker impersonates an authorized user and gains unauthorized rights
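An added example (not from the slides or the cited paper) of how requirements #1 and #3 on the previous slide block injection, alteration and replay of CPDLC-style uplinks: every message carries an authentication tag computed over the ATSU ID, aircraft ID, sequence number and text, and the aircraft side rejects anything whose tag or sequence number does not verify. A shared HMAC key is assumed as a stand-in for the ECC signatures proposed later; it gives authentication and integrity but, being a shared key, not the non-repudiation of requirement #4. All IDs, messages and keys are constructed values.

```python
import hmac
import hashlib

# Constructed demo key: a shared ATSU/aircraft key is ASSUMED here, the real
# CPDLC/ATN profile carries no such protection (which is the slides' point).
KEY = b"constructed-demo-key-not-real"


def tag(key, atsu, acid, seq, text):
    """HMAC-SHA256 over every field that must not change in transit."""
    data = f"{atsu}|{acid}|{seq}|{text}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def uplink(key, atsu, acid, seq, text):
    """Ground side: build an uplink message carrying an authentication tag."""
    return {"atsu": atsu, "acid": acid, "seq": seq, "text": text,
            "tag": tag(key, atsu, acid, seq, text)}


class Receiver:
    """Aircraft side: accept only messages whose tag verifies and whose
    sequence number is fresh, so altered, injected and replayed uplinks fail."""

    def __init__(self, key, acid):
        self.key, self.acid, self.last_seq = key, acid, -1

    def accept(self, msg):
        if msg["acid"] != self.acid:
            return False, "not addressed to this aircraft"
        expected = tag(self.key, msg["atsu"], msg["acid"], msg["seq"], msg["text"])
        if not hmac.compare_digest(expected, msg["tag"]):   # constant-time compare
            return False, "bad tag (altered or injected)"
        if msg["seq"] <= self.last_seq:
            return False, "stale sequence number (replay)"
        self.last_seq = msg["seq"]
        return True, "accepted"


def demo():
    """Constructed traffic: one legitimate uplink and three attack variants."""
    rx = Receiver(KEY, "SAS123")                           # constructed aircraft ID
    good = uplink(KEY, "ESOS", "SAS123", 1, "CLIMB TO FL350")   # constructed ATSU ID
    altered = dict(good, text="CLIMB TO FL250")            # level changed in transit
    forged = uplink(b"attacker-guess", "ESOS", "SAS123", 2, "DESCEND TO FL100")
    replay = dict(good)                                    # legitimate message resent
    return [rx.accept(m) for m in (good, altered, forged, replay)]
```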

16 of 32

Threat Model for CPDLC

Threat modeling is a process by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. (from Wikipedia)

Threat model - exhaustive list of all possible types of attacks against a communication channel and/or its secure communication attributes

17 of 32

Threat Actors

PASSIVE ATTACKERS

  • Do not interfere with the medium
  • Possess a moderate level of technical capabilities
  • Mainly listening and collecting data
  • Achieve some kind of surveillance
  • Do not harm the system directly
  • But potentially dangerous if they distribute the knowledge

ACTIVE ATTACKERS

  • Interfere directly with the system
  • Usually very well equipped
  • Access sensitive information
  • Criminals may focus on operational data to steal and blackmail victims

18 of 32

Another example of a threat model:

Possible attacks against TCAS technology

  • Message modification (confidentiality, integrity)
  • Message injection (availability, integrity)
  • Message deleting (availability, integrity)
  • Combination of the above

19 of 32

Countermeasures

3 types of solutions = 3 ways to go

  1. Local technological fixes (a lot of proposals within the community)
  2. Genuine solutions (General for all communication technologies)
  3. Procedural (redundancy, backup procedures, increased PERSONNEL AWARENESS TRAININGS) - NOW

20 of 32

1. Quick Fixes: Technological Security Advances

  • Several proposals within the research community:

- ECC (Elliptic-Curve Cryptography) encryption (standard for military)
- PACARS (commercial software for ACARS protection, ECC based)
- LHIP (Host Identity Protocol for Lightweight networks)

21 of 32

Elliptic-Curve Cryptography encryption

  • Uses small keys while providing the same level of security as encryption based on factoring large numbers into primes
  • Requires less computational power for encryption/decryption of information
  • Overhead lower than in the widely used RSA cryptosystem

  • 161-bit ECC is roughly 5-10 times faster than 1024-bit RSA
  • Drawback: certification problem (NSA placed a ban in 2015) - to be resolved

22 of 32

Protected ACARS

  • Commercial software (by ARINC) for ACARS protection, ECC based
  • Originally a military standard for FANS 1/A (USA)
  • Currently supports also other standards (but not yet European ATN)
  • Provides data confidentiality, integrity and authentication
  • Easy to implement - no hardware modification needed
  • May be added easily to Flight Management Systems (FMS) and Electronic Flight Bags (EFBs)
  • Low overhead with ARINC 823-defined compression
  • Drawbacks: costly and not well-documented (lacks an open access version)

23 of 32

Requirements for a secure communication system

  • #1. Authentication - the pilot (not the aircraft) is to be authorised
  • #2. Confidentiality - usually provided by encryption
  • #3. Integrity - questioning validity and trustworthiness
  • #4. Non-repudiation - public/secret key pair
  • #5. Availability - increased response time, timeouts, or denial of service

24 of 32

Flight Management System

25 of 32

Host Identity Protocol for Lightweight networks (LHIP)

  • HIP - secure Internet protocol, IETF standard
  • Security layer sits between the Transport and Network layers
  • HIT (Host Identity Tag) serves as a secure identifier
  • Allows multiple addresses
  • Enhances mobility
  • Packets sent via IPsec ESP (encrypted)
  • 4-way handshake to set up a channel

26 of 32

Host Identity Protocol for Lightweight networks (LHIP)

  • Incorporated tools for encryption
  • Provides secure authorization
  • Definitely meets the first 4 requirements for secure communication and partially covers availability by filtering out unwanted traffic
  • Guarantees protection against flooding and injection, but not jamming (which can be taken care of by direction finding)
  • Overhead is relatively low (especially in the LHIP and DietHIP versions)
  • Drawback: the use of a secure namespace (DNS) for secure key safekeeping
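An added example (not from the slides or any HIP implementation) of why the HIP 4-way handshake on the previous slide resists flooding: the responder answers I1 with a canned R1 containing a puzzle and keeps no per-initiator state until the I2 carries a valid solution, so each bogus I2 costs the responder one hash while the sender must spend about 2^K hashes per attempt. This is a reduced model of the RFC 7401 puzzle only; the Diffie-Hellman exchange and signatures of a real base exchange are omitted, and the HITs and nonces are constructed values.

```python
import hashlib
import os

# Constructed HITs (not real host identity tags).
HIT_I = bytes.fromhex("20010010" + "00" * 12)   # initiator
HIT_R = bytes.fromhex("20010010" + "ff" * 12)   # responder


def puzzle_ok(nonce_i, hit_i, hit_r, j, k):
    """RFC 7401 puzzle check: the lowest K bits of H(I | HIT-I | HIT-R | J) are zero."""
    digest = hashlib.sha256(nonce_i + hit_i + hit_r + j.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def solve_puzzle(nonce_i, hit_i, hit_r, k):
    """Initiator work: brute-force J, about 2**K hashes on average."""
    j = 0
    while not puzzle_ok(nonce_i, hit_i, hit_r, j, k):
        j += 1
    return j


class Responder:
    """Stateless until a valid I2: R1 is the same canned puzzle for everyone."""

    def __init__(self, k):
        self.k = k
        self.nonce_i = os.urandom(8)      # puzzle value I (rotated periodically in real HIP)
        self.sessions = {}

    def r1(self):
        return {"I": self.nonce_i, "K": self.k}   # answer to I1, no state kept

    def on_i2(self, hit_i, j):
        # One hash decides acceptance, so a flood of bogus I2s is cheap to discard.
        if not puzzle_ok(self.nonce_i, hit_i, HIT_R, j, self.k):
            return "I2 dropped: puzzle not solved"
        self.sessions[hit_i] = "established"      # R2 would be sent here
        return "R2 sent: association established"


def demo(k=12):
    """I1/R1/I2 for an honest initiator, then one constructed bogus I2."""
    resp = Responder(k)
    r1 = resp.r1()
    j = solve_puzzle(r1["I"], HIT_I, HIT_R, r1["K"])
    honest = resp.on_i2(HIT_I, j)
    bad_j = j + 1                                  # pick a J that does not solve the puzzle
    while puzzle_ok(r1["I"], HIT_I, HIT_R, bad_j, k):
        bad_j += 1
    flood = resp.on_i2(HIT_I, bad_j)
    return honest, flood, len(resp.sessions)
```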

27 of 32

2. Genuine Solutions

1. Preserve Legacy Investments. Integrates with the existing devices and infrastructure.

2. Enable instant provisioning. Increases network transparency and manageability.

3. Segmenting Networks. Smaller, more manageable networks are more robust and secure.

4. Increased Operational Integrity and Availability. Visibility into network traffic enables diagnostics, debugging, and performance optimization.

5. Secure Remote Access. Highly constrained remote access that is simple to grant and revoke.

Example: Tempered Networks (IDN) (approved by Boeing)

[Figure: IDN deployment diagram with elements labelled network, HIPswitch, HIPswitch, HIP client]

28 of 32

3. Procedural solutions

  • redundancy (not really working against massive well-planned attacks)
  • backup procedures
  • PERSONNEL AWARENESS TRAININGS (Human-in-the-loop: security training for airport personnel, controllers and pilots)

29 of 32

Outside of the box

  • Borrow ideas from the related networking research: sensor networks, Internet of Things (should work for CPDLC)
  • IETF/IEEE standardized Internet protocols for Wireless Networks Security
  • Virtual Private LAN Service (VPLS)

30 of 32

Countermeasures

3 types of solutions = 3 ways to go

  1. Local technological fixes (a lot of proposals within the community)
  2. Genuine solutions (General for all communication technologies)
  3. Procedural (redundancy, backup procedures, PERSONNEL AWARENESS TRAININGS)

Q: Which way do we choose now?

31 of 32

Future work

  • Looking for a close dialogue between the research community and aviation authorities
  • Outline the scope for future research
  • What we propose to do:

Apply mathematical analysis to feasibility evaluation in one of the scenarios

(air-to-ground, air-to-air, ground-to-ground, other?)

Proceed with empirical evaluation and testing of the most promising approaches for selected technologies (security LAB in IDA)?

32 of 32

THANK YOU!

Questions/ Comments?