Integrity and Authenticity of ADS-B Broadcasts


Thabet Kacem, Duminda Wijesekera, Paulo Costa


George Mason University
4400 University Dr.
Fairfax, VA 22030
[tkacem, dwijesek, pcosta]@gmu.edu

Abstract: We propose a novel approach to provide authenticity and integrity of Automatic Dependent Surveillance-Broadcast (ADS-B) messages. We employ a key-management schema for authentication and rely on a keyed-hashed message authentication code (HMAC) for integrity. Our approach avoids scalability and compatibility issues, as we neither change the packet format nor its size.

TABLE OF CONTENTS

1. INTRODUCTION
2. ADS-B BACKGROUND
3. CATEGORIZING ADS-B ATTACKS
4. APPROACH
5. KEY DISTRIBUTION
6. EVALUATION
7. RELATED WORK
8. CONCLUSION
REFERENCES
BIOGRAPHY

1. INTRODUCTION

Automatic Dependent Surveillance-Broadcast (ADS-B) is being promoted as the future standard for air traffic surveillance [1] where each aircraft determines its position via satellite then periodically broadcasts it. Despite its many advantages, many published works [2] and hackers [3] argue that ADS-B is insecure due to its clear text transmission and lack of authentication or integrity checking. Attacks that exploit these vulnerabilities include eavesdropping and message injection, while a few of these have been proposed in simulated environment [4] showing that ADS-B vulnerabilities could be exploited using inexpensive equipment.

Although many publications show how to exploit these vulnerabilities, few describe implemented solutions capable of thwarting possible attacks. We propose an approach to provide integrity and authentication by using a keying mechanism and a Keyed HMAC. We implemented our integrity preserving extensions on a testbed against some message injection attacks.

The rest of the paper is organized as follows. Section 2 presents background information about ADS-B. Section 3 describes our taxonomy to classify ADS-B attacks. Section 4, presents our proposed key distribution scheme. Section 6 describes the testbed and initial experimentation. Section 7 describes related work and Section 8 has our conclusions.

2. ADS-B BACKGROUND

ADS-B is expected to replace existing standards for communication between aircraft and Air Traffic Control (ATC) towers that currently use Primary Surveillance Radar (PSR) and Secondary Surveillance Radar (SSR). PSR uses the time lag for a pulse to be reflected back to estimate the approximate position of an aircraft. SSR communicates with the aircraft transceiver in order to determine its position and relay navigation instructions. However, the latter requires collaboration from the pilot and may be subject to human errors. ADS-B alleviates some of these shortcomings by providing a more flexible, automated, and cost-effective alternative. ADS-B is already used in Europe, Canada, Australia and is to be implemented in the NextGen project [5].

ADS-B operates in two modes, ADS-B Out and ADS-B In. In the first, aircraft broadcast their position periodically at 1090 MHz frequency. ADS-B packets are composed from two parts: an 8 bit-long preamble used for synchronization and 56 or 112 bit-long data that is modulated using Pulse Position Modulation (PPM) at 1 Mbit per second. These packets are encapsulated inside the so-called Mode S Extended Squitter frames. ADS-B In is used to receive updates from aircraft by the ATC tower or nearby aircraft. Unlike ADS-B Out, its installation is not mandatory.

Figure 1 illustrates a usage scenario of ADS-B in air traffic control where an ATC tower is connected by physical links to all ADS-B towers with radar coverage in all desired areas. Aircraft broadcast their positions periodically, which are intercepted either by one of the ADS-B towers or by an ATC tower within range, if any.

An aircraft operating in the ADS-B Out mode broadcasts ADS-B packets embedded in Mode S Extended Squitter (ES) frames following the format described in Figure 2. As shown, a Mode S frame starts with the 8 bits fixed preamble used for synchronization followed by a 5 bit-long DF Format field indicating the used protocol. If its value is equal to 17 expressed in decimal, it indicates that ADS-B is used and the length of the frame is 112 bits. The 3 bits capability field indicates the subtype of the protocol referenced by the DF format. Next is the 24-bit International

978-1-4799-5380-6/15/$31.00 ©2015 IEEE


Civil Aviation Organization (ICAO) identifier, which uniquely identifies an aircraft. This is followed by 56 bits of ADS-B data and by a 24-bit Cyclic Redundancy Check (CRC).

Figure 1: Real-life scenario of ADS-B operations

The ADS-B data depends on the value of the 5-bit TC field. The Squitter Airborne Position in the data field corresponds to the 5th Binary Data Store (BSD) register. Bits 6 and 7, represented respectively by "S", indicate the surveillance status and bit 9, represented by "A", indicates if antennas are used. The altitude takes the next 12 bits followed by the "T" flag specifying if the Coordinated Universal Time (UTC) is used. The 1-bit "F" flag indicates if even or odd Compact Position Report (CPR) format is used. This is followed by 17-bit long CPR encoded latitude and longitude fields.

Every transmission contains two ADS-B messages, even and odd, so that the receiver can unambiguously decode the global position, which should be within 5 meters of the true encoded position. Details of CPR encoding appear in [6].

Figure 2: ADS-B Packet Format

3. CATEGORIZING ADS-B ATTACKS

The main capability of ADS-B is to provide enhanced aircraft positions, thereby improving situational awareness and ensuring proper separation between aircraft. Nevertheless, the protocol has been criticized by several security experts (e.g. [7], [2] and [4]) for transmitting packets without integrity and authentication schemes. Commonly cited attacks include Man-in-the-middle, replay and Denial of Service (DoS). Some have simulated these attacks in testbed environments to highlight the protocol's security flaws [4]. However, most of these attacks either do not follow a clear taxonomy or employ one that does not encompass most known attacks. In previous work [8] we addressed this issue by proposing a taxonomy that categorizes the attacks based on the difficulty of launching them, including the mobility of the attacker radio. The taxonomy is as follows:

• Medium difficulty attacks: Contains attacks where the attacker generates malicious data to be injected in a random or pseudo-random fashion and does not move the transmitter radio.
• Advanced attacks: attacker leverages advanced flight simulator software to generate and transmit malicious packets via a stationary radio.
• Expert attacks: ADS-B packets are generated using a flight simulator program and a moving transmitter (e.g., one placed in an aerial vehicle).

4. APPROACH

Our solution provides authenticity and integrity for ADS-B packets by using Hash-based message authentication code (HMAC) whose strength depends on the hashing algorithm and the length of the hash key [9]. The implementation of our approach, detailed in section 6, covers both ADS-B In and ADS-B Out. In the latter, we integrate the HMAC bits prior to transmission.

Given that when used inside 1090 Extended Squitter frames the ADS-B format does not leave any unused space, we have three options to enhance security:

1. Change the packet format of ADS-B [6] in order to accommodate the security data. It has the disadvantage of requiring new standards and equipment to replace existing ones.

2. Truncate the HMAC digest and replace the CRC field that uses 24 bits of the ADS-B packet. However, hash truncation would increase collisions risk thus affecting the efficiency of the approach.

3. Send extra packets leveraging different sub-types of the
packet format with free bits such as in [10]. This solution suffers from poor scalability due to the need of transmitting more data than required.

Our solution provides authentication and integrity checks in ADS-B messages while avoiding the drawbacks of the aforementioned solutions. This is achieved by assembling as many ADS-B packets as needed to split the HMAC digest among the different CRCs of these packets. Then, we apply HMAC on the payloads of the assembled packets and split the digest among the packets. We also include a numbering mechanism to recognize the order of the portions of the digest. This ensures that the whole HMAC can be reconstructed at the receiver for integrity verification.

For example, consider a 128-bit HMAC digest as shown in Figure 3. Transmitting 128 bits requires 3 transmissions, i.e. 3 odd and 3 even ADS-B messages, shown respectively as p1, p2 and p3. Consequently, we wait until all 6 messages are available before applying the HMAC to their payloads excluding the CRC. The last step is to split this digest into 6 components, e1, o1, e2, o2, e3 and o3 respectively, and replace the CRC of each ADS-B message by one of the dj's prior to transmitting all the messages in sequence while preserving the timing delays between them.

Figure 3: Integration of HMAC in ADS-B packets

One major tradeoff to be considered when implementing our solution is the message transmission frequency. In this case, the delay in buffering 6 packets to compute the HMAC and in attaching the HMAC would delay the transmission process. The incurred delays are a lesser price to pay in order to secure ADS-B operations - way better than not having security at all.

We developed a Monte Carlo Simulation in order to estimate the distribution of these delays. The delay for each ADS-B message is broken down into transmission delays and processing delays. While the former represents the time it takes for an ADS-B message from an aircraft to reach the ADS-B tower, the latter represents the time it takes to compute the HMAC of a group of messages and distribute it among them and the time to verify the authenticity of ADS-B messages based on their HMAC. We had 3600 rounds in the simulation, corresponding to the number of ADS-B messages being sent, and we focused only on the processing delay affected by the sending rate of messages. Nevertheless, transmission delays are not affected by these delays. We represented it as a random uniformly distributed variable within a certain range. Figure 4a corresponds to the case where ADS-B messages are sent every second while Figure 4b corresponds to the case where ADS-B messages are sent every 0.5 second. The difference between the two figures is that the processing delay in Figure 4a is greater than the one of Figure 4b. The transmission delays are uniformly distributed in the first case between 0 and 4 and between 0 and 2 in the second case. This is due to the frequency of sending ADS-B messages which increases the processing time to generate and distribute the HMAC portions among different messages at the sender side and to validate the corresponding messages at the receiver.

Figure 4: Expected delays when sending ADS-B packets (panels 4a and 4b)

Figure 5: ADS-B delay with vs without security and corresponding jitter (panels 5a, 5b and 5c)

             Min    Max    Mean
1 msg/sec    0.78   3.82   1.5
2 msgs/sec   0.84   1.98   0.5

Table 1: Jitter variation

The next step is to compare the simulated end-to-end delays, which is comprised of transmission delay and processing delay, when ADS-B is used without versus with security and to compute the corresponding jitter which corresponds to the average variation introduced by our security scheme. This is shown in Figure 5, where Figure 5a and Figure 5b respectively show with and without hashing.

In order to determine the effect of transmission rate on jitter, we compute the jitter while changing the transmission rate to be 1 ADS-B message per second or 2 ADS-B messages per second. Table 1 shows the minimum, the maximum and the mean jitter for every experiment. It shows that increasing the transmission rate decreases the jitter. Therefore, it can be concluded from the simulation that increasing the ADS-B message sending rate would reduce the incurred processing delays.

5. KEY DISTRIBUTION

Our second contribution is the key distribution. We assume that prior to the approach, every air-vehicle approaching an airfield obtains permissions. A simplified example is illustrated in Figure 6, where the red circle corresponds to zone A, which is under control of ATC Tower A, while the blue circle corresponds to zone B under the control of ATC Tower B. The dotted line represents the proposed trajectory of the aircraft. We assume that at the time of granting permissions, the aircraft will be given a set of keys to be used, one for each zone on the planned flight path. Because the ATC that governs every zone is geographically well-defined, the aircraft can choose the appropriate key.

Figure 6: Key Distribution Principle

6. EVALUATION

We now describe the testbed, illustrated in Figure 7. The first component of the testbed is the Track Source, which periodically generates position updates from different aircraft. Once created, most of the tracks are simulated and become persistent in a database, while a few are emulated using a radio. In the latter case, there are at least three emulated nodes: a legitimate helicopter, the attacker, and the ADS-B server. Each of these nodes is created from a PC running GNU Radio Software [11] and transmitted using an Ettus N200 [12] radio device. Both the helicopter's radio and the attacker's radio are connected to the ADS-B server's radio using subminiature version A (SMA) cables.

Once the helicopter receives the track to emulate, it extracts the position information (altitude, longitude and latitude), as well as the aircraft ICAO before building the ADS-B message to be sent. Similarly, we implemented message-injection attacks in which malicious ADS-B messages were broadcasted from the attacker to the ADS-B Server.
The ADS-B server node receives ADS-B messages using the Gr-Air-Modes [13] module developed by Nick Foster, and stores them in the database. Finally, we developed a script that queries the database periodically for the recent location updates before plotting them in Google Earth in order to create real-time radar coverage like display.

Now we describe how we emulate our approach on this testbed. We start by the sender side before describing the receiving side.

As shown in Figure 8, we take the position updates generated from the track source and we feed them to two replica queues, queue1 and queue2 respectively. The first queue is used to assemble the payloads of the different ADS-B packets that are fed to generate the HMAC. The second queue is used to get the original payloads of the ADS-B packets to be sent after the HMAC components are computed and appended.

Next, the Generate HMAC phase takes 6 packets at a time, 3 even and 3 odd, concatenates them as one packet and computes the HMAC. Then, the Split HMAC phase splits it into 6 portions while adding the numbering. This is illustrated in Figure 9 where every fragment of the HMAC is 24 bit-long because it substitutes the CRC in the ADS-B packet.

A straightforward computation would yield a digest of 128 bits; where each portion has 24 bits, making the total available space 144 bits. However, adding 6 numbers to identify the order of the fragment requires 18 bits in total (3 bits each) whereas the remaining space is only 16 bits. Therefore, with this design we can either have a proper numbering mechanism or lose 2 bits from the HMAC.

We solved this problem by using the ADS-B property that classifies every packet as even or odd according to the value of the bit number 22 in the ADS-B data, i.e. the "F flag" shown in Figure 2. In other words, for every HMAC digest we need three transmissions consisting of two ADS-B messages each. Therefore, we use 2 bits to give every packet the value of 1, 2 or 3 in binary while using whether the packet is even or odd to uniquely identify the position of the fragment in the digest. Figure 9 illustrates this scheme, which includes the assumption that the even message always precedes the odd message in the six-message sequence used to generate the HMAC.

The last component of the testbed is the sending node that builds and transmits hashed packets. During this phase, we extract the six HMAC fragments, which are numerically ordered. These were already created so we now extract the corresponding six ADS-B payloads from queue2. Then, we send these messages, in sequence, with even and odd alternations. We modified the Gr-Air-Modes module to assemble every three transmissions from the same sender while considering the timing constraints.

When the ADS-B packets arrive at the receiver, we first check the identity of the aircraft by retrieving the ICAO. Based on that information, we store the packet in a HashMap [14] where the keys are the ICAOs and the mapped value is a queue containing the ADS-B packets in the order of their arrival. New keys in the HashMap are created on a need basis, i.e. when it is the first time to receive packets from a certain aircraft. Afterwards, every sixth element of each queue is extracted and the payload is separated from the HMAC. As shown in Figure 10, different fragments of the HMAC are assembled according to their order while computing the HMAC digest from the assembled payloads as well thus creating another HMAC digest. Finally, we compare the two values and if they match, we continue the processing of the messages; otherwise, we discard the packets in question.
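The sender and receiver steps described above, as an added Python example that is not the authors' testbed code. Assumptions not in the paper: HMAC-SHA-256 truncated to 128 bits, four zero padding bits to fill the six 22-bit fragments, the 2-bit index placed in the top bits of the former CRC field, and constructed sample frames and key; timeouts for incomplete groups are left out.

```python
import hashlib
import hmac
from collections import defaultdict, deque

PAYLOAD_LEN = 11   # DF/CA (1 byte) + ICAO (3) + 56-bit ADS-B data (7); CRC follows
GROUP = 6          # three transmissions, each an even and an odd message
FRAG_BITS = 22     # HMAC bits per 24-bit CRC slot; the top 2 bits hold the index
DIGEST_BITS = 128
PAD = GROUP * FRAG_BITS - DIGEST_BITS   # 132 - 128 = 4 zero bits (assumed padding)


def f_flag(frame: bytes) -> int:
    """CPR format flag: bit 22 of the ADS-B data, frame bit 54 (0 even, 1 odd)."""
    return (frame[6] >> 2) & 1


def digest_bits(key: bytes, payloads) -> int:
    # Assumption: HMAC-SHA-256 truncated to 128 bits; the paper names no hash.
    mac = hmac.new(key, b"".join(payloads), hashlib.sha256).digest()
    return int.from_bytes(mac[:DIGEST_BITS // 8], "big") << PAD


def protect(key: bytes, frames):
    """Sender: replace each CRC with [2-bit index | 22-bit HMAC fragment]."""
    if len(frames) != GROUP or [f_flag(f) for f in frames] != [0, 1] * 3:
        raise ValueError("need e1, o1, e2, o2, e3, o3 in that order")
    payloads = [f[:PAYLOAD_LEN] for f in frames]
    mac = digest_bits(key, payloads)
    out = []
    for pos, payload in enumerate(payloads):
        frag = (mac >> (FRAG_BITS * (GROUP - 1 - pos))) & ((1 << FRAG_BITS) - 1)
        slot = ((pos // 2 + 1) << FRAG_BITS) | frag      # index 1, 2 or 3
        out.append(payload + slot.to_bytes(3, "big"))
    return out


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.queues = defaultdict(deque)   # ICAO -> frames in arrival order

    def receive(self, frame: bytes):
        """None while a group is incomplete; verified payloads or [] once it is."""
        icao = frame[1:4]
        queue = self.queues[icao]
        queue.append(frame)
        if len(queue) < GROUP:
            return None
        group = list(queue)
        del self.queues[icao]              # entry is removed after every check
        by_pos = {}
        for f in group:
            slot = int.from_bytes(f[PAYLOAD_LEN:], "big")
            # position in the digest = transmission index plus even/odd flag
            pos = 2 * ((slot >> FRAG_BITS) - 1) + f_flag(f)
            by_pos[pos] = (f[:PAYLOAD_LEN], slot & ((1 << FRAG_BITS) - 1))
        if sorted(by_pos) != list(range(GROUP)):
            return []                      # bad, missing or duplicate index
        received = 0
        for pos in range(GROUP):
            received = (received << FRAG_BITS) | by_pos[pos][1]
        payloads = [by_pos[pos][0] for pos in range(GROUP)]
        expected = digest_bits(self.key, payloads)
        same = hmac.compare_digest(received.to_bytes(17, "big"),
                                   expected.to_bytes(17, "big"))
        return payloads if same else []    # mismatch: discard the whole group


def sample_frame(icao_hex: str, odd: int, n: int) -> bytes:
    """Constructed DF17 frame; the ADS-B data bytes are filler, not a real position."""
    data = bytes([0x58, n, 0x04 if odd else 0x00, 0, 0, 0, n])
    return bytes([0x8D]) + bytes.fromhex(icao_hex) + data + b"\x00\x00\x00"
```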

Figure 7: ADS-B Testbed

Figure 8: Instance of the approach at the sender side

The use of HashMaps is important because the receiver is likely to get packets from different senders, including malicious transmitters. A HashMap is more efficient than using queues because searching for scrambled ADS-B messages from different origins would be time and memory consuming. Searching for elements using HashMaps is known to be more efficient.

Figure 9: HMAC fragment within the ADS-B packet (fields: 2 bits, 22 bits)

Also, there are some situations in which one or more ADS-B packets from the same sender are not received within a time period or are lost in transmission, making it not possible to validate the authenticity and integrity of the sender. In that case, we drop the already received packets. After comparing the computed HMAC against the received one, we delete the corresponding entries in both HashMaps to avoid excessive growth of the size of the HMAC which may affect the search efficiency.

Figure 10: Instance of the approach at the receiver side

Finally, we benchmarked our application in order to collect the end-to-end delay of ADS-B message at the sender side. This is shown in Figure 11 which shows spikes at times that are multiples of 3 while it is negligible for the rest. This could be understood because most of the heavy computation, including collecting payloads, computing HMAC digest and splitting it, is done once every three messages as explained in previous sections to obtain a 128 bit HMAC digest.

Figure 11: Experimental Results

7. RELATED WORK

In [15], Sampigethaya et al. proposed a framework to secure ATC related operations using ADS-B. This work discusses a clear threat model and several possible solutions to address those threats. However, no experimental support is provided.

Costin and Francillon [2] implemented several attacks on a simulated ADS-B environment built using GNU Radio and Matlab. Although the attacks were successful in demonstrating ADS-B flaws, proposed solutions such as the use of lightweight public key Infrastructure (PKI) are briefly discussed. Although they state that signature data would be buffered over several ADS-B messages, no concrete design and implementation were provided.

Schafer et al. [4] demonstrate the possibility of exploiting ADS-B vulnerabilities to carry out different attacks. The authors presented a threat model consisting of the different attacks before describing their implementation in their own testbed. However, they do not propose or implement countermeasures against the attacks. Instead, they conclude that ATC related operations should not solely rely on ADS-B data, and must be complemented by appropriate security checks.

Similarly, McCallie [7] presented a taxonomy of attacks and discussed their difficulty of implementation versus their impact. However, the authors presented general guidelines that should be taken into consideration instead of proposing concrete solutions to prevent these attacks.

Pan et al. [10] presented a PKI-based system that leverages Elliptic Curve Cipher (ECC) and X.509 certificate to thwart replay-like attacks. This work has been realized on UAT instead of 1090 Extended Squitter (ES) because of its longer message size.

In addition, ADS-B data along with timestamp are used to
craft an ECC digital signature. However, this approach defines a new type of UAT messages while suggesting the use of DF24 if 1090 ES is used. That would require 5 extra messages for every ADS-B message in order to split and assemble the signature data. While the first alternative raises the issue of incompatibility because of the use of a new packet format, the second affects the scalability because it increases the volume of sent data by a factor of five.

Strohmeier et al. [16] presented a survey of possible ADS-B attacks and eventual solutions. The paper discusses several alternatives in detail to secure ADS-B based on work that has been realized. These alternatives are grouped by type and range from hardware/software-based fingerprinting to frequency hopping and public key cryptography systems. The authors discuss the pros and cons while evaluating the difficulty, cost and scalability of every approach. This is an important reference work for the ADS-B security community because it provides an outstanding literature review of the existing efforts.

8. CONCLUSION

We proposed a novel approach using HMAC to ensure the integrity of ADS-B operations. We also described the design and implementation of an example of this approach on a testbed that we set up in order to send and receive ADS-B packets.

ACKNOWLEDGMENT

This work was supported in part by grant number 2012-ST-104-000047 from the Department of Homeland Security.

REFERENCES

[1] ICAO, "ADS-B implementation and operations guidance document." Sep-2011.
[2] A. Costin and A. Francillon, "Ghost in the Air(Traffic): On insecurity of ADS-B protocol and practical attacks on ADS-B devices," presented at the BlackHat 2012.
[3] "Hackers, FAA Disagree Over ADS-B Vulnerability," Aviation International News. Available: http://www.ainonline.com/aviation-news/ainalerts/2012-08-21/hackers-faa-disagree-over-ads-b-vulnerability.
[4] M. Schafer, V. Lenders, and I. Martinovic, "Experimental Analysis of Attacks on Next Generation Air Traffic Communication," in Applied Cryptography and Network Security, Springer Berlin Heidelberg, 2013, pp. 253-271.
[5] "NASA NextGen." Available: http://www.hq.nasa.gov/office/aero/asp/airspace/index.htm.
[6] A. Marshall, "ADS-B 1090 MOPS, Revision B."
[7] D. McCallie, J. Butts, and R. Mills, "Security analysis of the ADS-B implementation in the next generation air transportation system," International Journal of Critical Infrastructure Protection, vol. 4, no. 2, pp. 78-87, Aug. 2011.
[8] T. Kacem, D. Wijesekera, P. Costa, and A. Barreto, "Security Requirements Analysis in ADS-B Networks," to appear soon at the Semantic Technologies for Intelligence, Defense, and Security, Fairfax, VA.
[9] H. Krawczyk, R. Canetti, and M. Bellare, "HMAC: Keyed-Hashing for Message Authentication." Available: https://tools.ietf.org/html/rfc2104.
[10] W.-J. Pan, Z.-L. Feng, and Y. Wang, "ADS-B Data Authentication Based on ECC and X.509 Certificate."
[11] GNU Radio. Available: www.gnuradio.org.
[12] "Ettus Research - Product Category," Available: https://www.ettus.com/product/category/USRP-Networked-Series.
[13] N. Foster, "Gr-air-modes," 24-Oct-2014. Available: https://github.com/bistromath/gr-air-modes.
[14] "Hash table." Available: http://en.wikipedia.org/w/index.php?title=Hash_table&oldid=630967785.
[15] K. Sampigethaya, R. Poovendran, and L. Bushnell, "A Framework for Securing Future eEnabled Aircraft Navigation and Surveillance," in AIAA Infotech@Aerospace Conference, American Institute of Aeronautics and Astronautics, 2014.
[16] M. Strohmeier, V. Lenders, and I. Martinovic, "On the Security of the Automatic Dependent Surveillance-Broadcast Protocol," arXiv:1307.3664 [cs], Jul. 2013.

BIOGRAPHY

Thabet Kacem is a PhD student in Information Technology at George Mason University. He obtained his Master degree in Computer Science at the University of the District of Columbia in 2010 after receiving his Bachelor degree in Computer Science at the National School of Computer Science at the University of Manouba in Tunisia in 2007. His research interests are cybersecurity and security protocols.

Duminda Wijesekera is professor of Computer Science and a Co-director of the Center for Assurance Research and Engineering at George Mason University, Fairfax, Virginia. During various times, he has contributed to research in security, multimedia, networks, systems, avionics, missile defense, command & control systems and theoretical computer science. He is a visiting research scientist at the National Institute of Standards and Technology (NIST), was a visiting associate professor at the Naval Postgraduate School and a fellow at the Potomac Institute of Policy Studies in Arlington, VA.

Paulo Costa (SM13) is Associate
Professor at George Mason
University. His teaching and
research interests comprise the
areas of probabilistic ontologies,
multi-sensor information fusion,
systems design and integration,
Bayesian reasoning, predictive
analysis, and Decision Theory. He
has extensive experience in tactical and operational
planning, and is an expert in requirements engineering
for complex systems. He has been an active member of
engineering societies such as IEEE, ISIF and the
International Council of Systems Engineering
