Cybersecurity

Next gen aircraft ID system vulnerable, watchdog finds

Shutterstock image. Air Traffic Control. Image credit: hxdbzxy / Shutterstock.com 

Urgent cybersecurity concerns remain unresolved related to new technology that will pinpoint locations for all aircraft flying in U.S. domestic airspace by 2020, according to the Government Accountability Office.

In particular, hostile nations, as well as unauthorized individuals and groups, could use the detailed, real-time data broadcast from in-flight military aircraft for a variety of mischief or worse , according to a new report from GAO on the system.

The public version of the report released by GAO didn't go into detail about those specifics, but since the technology -- known as Automatic Dependent Surveillance-Broadcast (ADS-B) Out -- uses an aircraft's avionics equipment to broadcast the aircraft's position, altitude and velocity to ground, air or space-based receivers, the potential for pirating those signals remains an unsolved problem, said the report.

As part of the Federal Aviation Administration's NextGen air transportation system modernization program, the ADS-B Out system is meant to make it easier for third parties to access that data for use in tracking and identifying aircraft without having to maintain their own private databases.

Through ADS-B, the FAA is looking to modernize ground-based radar systems with a satellite-based system for automated aircraft position reporting, navigation and digital communications. ADS-B provides more precise locations of aircraft in the air and on the ground at airports, has a greater coverage area than traditional radar, helps reduce risk of collisions and provides pilots with real-time warnings and better location coverage in bad weather.

The FAA has mandated that all aircraft using U.S. domestic airspace must be equipped with ADS-B by Jan. 1, 2020.

Since the technology's promise is in having it in all aircraft using domestic airspace, military aircraft have to be equipped also, which has for years concerned the Department of Defense and other agencies about the capabilities.

With current technology, according to GAO, the public can track individual aircraft by receiving aircraft's ICAO address (which can include different codes such as aircraft type, as well as an aircraft's 24-bit electronic identification code), transponder or "Squawk" code as well as altitude though networked receivers that can use the data to calculate and identify the latitude and longitude of an aircraft's position. With some legwork, interested parties such as foreign intelligence entities, terrorists and criminals can already identify and track aircraft using existing technology, according to the study.

ADS-B, however, would make that flight data, and more, almost instantly available on military aircraft, and some of that data for some of those aircraft is classified.

Along with concerns with the FAA's plan to decommission legacy radar systems as it shifts to ADS-B, the military is also concerned that the broadcast information of military flights is vulnerable to cyber intrusion and manipulation by nation states, individuals and groups.

"In addition, a number of assessments conducted by DOD, FAA, and others have identified security concerns inherent in ADS-B Out technology that could leave aircraft, tactical air traffic control systems, and FAA radars vulnerable to electronic warfare- and cyber-attacks by individuals, groups, or nation-state actors … and other types of interference," said the study.

So far, the study said, the FAA and DOD have been concentrating on getting the equipment installed and have yet to address security concerns it poses for military aircraft. DOD has suggested masking military identifiers, allowing military pilots to turn off ADS-B and other solutions. So far, DOD and the FAA haven't approved any mitigation, according to the report.

The FAA and Defense Department's Lead Service Office have been working on a memorandum of understanding on how to address the security concerns, but they haven't yet produced it.

The two offices had said last April they intended to issue a finalized memo by last June. However, in May, GAO said DOD officials said their completion date for the document had slipped to February 2018.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.