This document discusses security issues with the Automatic Dependent Surveillance-Broadcast (ADS-B) system used for air traffic surveillance. ADS-B broadcasts airplane location and other information in unencrypted plain text, allowing anyone to track or impersonate aircraft. The authors analyzed the firmware update process for a Stratus transponder and iPad app to identify ways to inject malicious firmware that could cause mid-air collisions by transmitting incorrect location data. They captured firmware updates and are analyzing the binaries to understand encryption and find encryption keys to modify the firmware. Future work involves further analyzing the onboard memory and firmware to decrypt it fully and modify it for attacks.
Spy vs SPI: Hacking the Stratus ADS-B Transponder
1. Spy vs. SPI
Hacking the Stratus ADS-B Transponder
Mayank Dhiman
Brown Farinholt
Edward Sullivan
March 13, 2014
2. Old school technology: Real-time Air Traffic Surveillance
● Radar-based
● Since the 1970s
● Provides location information
● Many disadvantages
○ Not very accurate for the altitude
○ Airplanes have to send their altitude to the ATC
○ Not real-time, sends information after a delay
○ Pilots don’t get much benefit, e.g., which planes are nearby
4. The Future: ADS-B
ADS-B = Automatic Dependent Surveillance-Broadcast
ADS-B Out: Your plane broadcasts its GPS coordinates (determined with a GPS device) to ground stations and other planes
ADS-B In: Your plane receives broadcast messages from other planes (about their locations) and from ADS-B towers (about weather, etc.)
1090 MHz
5. The Stratus and the Foreflight App
[Diagram: GPS satellite broadcast, ADS-B towers and other ADS-B equipped planes send ADS-B broadcasts to the Stratus, which sits on the dashboard of your plane. The iPad joins the unprotected wifi network created by the Stratus and receives location info, weather info and the positions of other planes from it. The Foreflight app on the iPad displays a cool interface for GPS, weather, maps, and locations of nearby planes.]
6. How ADS-B packets are sent
● Plain-text
● No time-stamp
● Error-code “protected”
● Broadcast
● Contain “trivial” information like altitude, precise location and unique identifier of the airplane
7. Which means...
● No message authentication
● No message secrecy
● No message integrity
● Basically, anybody with a device which can talk ADS-B OUT can pose as any airplane
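To make the "error-code protected, no authentication" point concrete, here is an added example (not the authors' code) that parses a 112-bit Mode S / ADS-B Extended Squitter (DF17) frame and verifies its 24-bit CRC with the public Mode S generator polynomial. A passing CRC tells a receiver only that the bits were not corrupted in transit; the sample frame and its ICAO address are constructed, and the `append_crc` helper exists only to build that sample.

```python
# Added example (not from the deck): decode a DF17 frame and check its CRC.
# The 24-bit PI field is a CRC over the first 88 bits with a public
# polynomial, so "CRC ok" means "not corrupted", never "genuine".
MODE_S_POLY = 0x1FFF409  # Mode S generator, 25-bit form with the leading 1

def modes_crc(frame: bytes) -> int:
    """Mod-2 long division of the 112-bit frame by the Mode S polynomial.
    Returns the 24-bit remainder; 0 means the PI field matches the payload."""
    assert len(frame) == 14, "DF17 frames are 112 bits"
    bits = int.from_bytes(frame, "big")
    for i in range(112 - 24):
        shift = 112 - 1 - i
        if bits >> shift & 1:
            bits ^= MODE_S_POLY << (shift - 24)
    return bits & 0xFFFFFF

def append_crc(payload88: bytes) -> bytes:
    """Fill the PI field of an 88-bit header+ME payload (used here only to
    build the constructed sample frame below)."""
    assert len(payload88) == 11
    rem = modes_crc(payload88 + b"\x00\x00\x00")
    return payload88 + rem.to_bytes(3, "big")

def decode_df17(frame: bytes) -> dict:
    """Split out the fields the deck calls 'trivial' information: downlink
    format, capability, the 24-bit ICAO address and the ME type code.
    No key or signature is involved anywhere in the frame."""
    return {
        "df": frame[0] >> 3,
        "ca": frame[0] & 0x7,
        "icao": frame[1:4].hex().upper(),
        "type_code": frame[4] >> 3,
        "crc_ok": modes_crc(frame) == 0,
    }

# Constructed sample: DF17/CA5 header, made-up ICAO AABBCC, a type-code-4
# ME field of zeros, PI field filled in by append_crc.
SAMPLE_FRAME = append_crc(bytes([0x8D, 0xAA, 0xBB, 0xCC, 0x20]) + bytes(6))

if __name__ == "__main__":
    print(decode_df17(SAMPLE_FRAME))
    # One flipped bit in the ICAO field is caught as transit corruption...
    damaged = bytearray(SAMPLE_FRAME)
    damaged[2] ^= 0x01
    print(decode_df17(bytes(damaged))["crc_ok"])
```

An ADS-B In receiver should therefore treat `crc_ok` as an input-sanity result and nothing more; any plausibility or trust decision has to come from elsewhere.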
12. The Ugly
● Trivial to make the MH370 plane reappear
● Attacker needs a device which can talk at the 1090 MHz frequency
● Attacker knows ADS-B packet format
● Attacker knows the airplane unique ID
● Attacker is located a little above ground level
● Can start broadcasting ADS-B OUT packets
15. The Firmware Update Process
1. Stratus sets up an unprotected wifi network
2. iPad joins the unprotected wifi network created by the Stratus
3. Foreflight App asks the Stratus about its current version
4. Stratus replies back with current version number
5. Foreflight App fetches a firmware update for the Stratus (usually via satellite link).
6. Foreflight App pushes the firmware update
17. Potential Attacks
● Our focus:
- Replace legitimate firmware with malicious firmware
● Other attacks:
- Spoof GPS data to Stratus traffic
- Spoof ADS-B IN to Stratus traffic
- Spoof Stratus to iPad traffic
- Fuzzing the ADS-B device with bad GPS/ADS-B IN data
- Physical Attacks (Swap iPad/Stratus)
- Jamming/DoS (Throw noise at Stratus at 1090 MHz)
- Bricking the device (Send bad data as part of firmware update process)
18. Threat Model (for Firmware Attacks)
● Attacker has reverse engineered the firmware update process
● Attacker is able to construct a malicious firmware
● Attacker is within the wifi range of the Stratus to push a firmware update
19. Proposed Malicious Firmware
● Gets activated after a certain amount of time
● Sends out bad/incorrect GPS location and altitude to nearby planes via ADS-B OUT
● Shows incorrect locations and altitudes of nearby planes to the pilot via ADS-B IN
● End Goal: Cause Mid-Air Collision
20. Initial Firmware Analysis
- Ripped from the Foreflight app (iPad)
- Two chunks of data, packaged (encrypted..?)
- Where might it be unpackaged?
21. Flash Dump: Active Reading
- Micron Serial NOR Flash Memory
- ARM and Flash speak SPI
22. SPI (Serial Peripheral Interface)
- Simple data transfer protocol
- Master (ARM) and slave (Flash)
- Four signal lines: Chip Select, Clock, MOSI, MISO
23. Bus Pirate
- data protocol interpreter (can speak SPI)
- replace ARM with Bus Pirate
- READ commands
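The bus-level exchange behind "replace ARM with Bus Pirate, READ commands", as an added bit-level model that is not the authors' code: the master (the ARM, or a Bus Pirate standing in for it) pulls chip select low, shifts out the serial NOR READ opcode and a 24-bit address on MOSI, then clocks dummy bytes while the flash returns data on MISO. The flash image is a constructed 1 KiB sample, not a Stratus dump, and the model implements only the 0x03 READ command.

```python
READ_OPCODE = 0x03                    # serial NOR "READ": opcode + 24-bit address
FLASH_IMAGE = bytes(range(256)) * 4   # constructed 1 KiB image standing in for the part

class NorFlashModel:
    """Slave side, SPI mode 0: samples MOSI on the rising clock edge and drives
    MISO on the falling edge. Raising chip select aborts the command in progress."""
    def __init__(self, image: bytes):
        self.image = image
        self.chip_select(1)                                  # idle = deselected (active-low)

    def chip_select(self, cs: int) -> None:
        self.cs, self.rx_bits, self.rx_bytes = cs, [], []
        self.addr, self.tx_shift, self.miso = None, 0, 0

    def clock_rising(self, mosi: int) -> None:
        if self.cs:
            return                                           # bus is ignored while deselected
        self.rx_bits.append(mosi)
        if len(self.rx_bits) == 8:                           # a whole byte arrived, MSB first
            self.rx_bytes.append(int("".join(map(str, self.rx_bits)), 2))
            self.rx_bits = []
            if len(self.rx_bytes) == 4 and self.rx_bytes[0] == READ_OPCODE:
                self.addr = int.from_bytes(bytes(self.rx_bytes[1:]), "big")

    def clock_falling(self) -> None:
        if self.cs:
            return
        if not self.rx_bits and self.addr is not None:       # byte boundary after the address:
            self.tx_shift = self.image[self.addr % len(self.image)]  # load next byte, wraps at end
            self.addr += 1
        self.miso = (self.tx_shift >> 7) & 1                 # present the next bit on MISO
        self.tx_shift = (self.tx_shift << 1) & 0xFF

def spi_read(flash: NorFlashModel, address: int, length: int) -> bytes:
    """Master side: assert CS, shift out opcode + address, then clock dummy
    bytes and collect what the flash puts on MISO."""
    def transfer(byte_out: int) -> int:
        byte_in = 0
        for i in range(7, -1, -1):
            flash.clock_rising((byte_out >> i) & 1)         # both sides sample on the rising edge
            byte_in = (byte_in << 1) | flash.miso
            flash.clock_falling()                            # slave shifts the next bit out
        return byte_in
    flash.chip_select(0)
    for byte in bytes([READ_OPCODE]) + address.to_bytes(3, "big"):
        transfer(byte)                                       # MISO is don't-care during the command
    data = bytes(transfer(0x00) for _ in range(length))
    flash.chip_select(1)
    return data
```

With a real Bus Pirate the same byte sequence is what its SPI mode sends; the model just makes the clock-edge timing visible.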
24. Issues with Active Reading
- Resetting the ARM entirely disables board
- Providing external power to Flash
- Desoldering Flash from Stratus
33. Good News First?
● Good understanding of what happens internally during a firmware update
● Several reads during update after writing, possibly containing clues (read: keys)
34. Future Work aka More To Do!!
● All firmware on 512 MB flash encrypted?
○ Look for keys in short messages
○ Examine code in ARM chip’s 1 MB onboard flash
○ JTAG debugging protocol
○ Onboard flash might be read/write protected
○ Electron microscopy
● Once we get the unencrypted firmware …
○ Ready, set, IDA!
● Continue work on other potential attacks
37. NextGen
● FAA (Federal Aviation Administration) initiative to improve on Air-Traffic Control
● Shorten routes
● Reduce traffic delays
● Avoid grid-locks
● Save fuel and time
● Implementation in various steps by 2020