You might have seen that British Airways recently suffered a significant breach, in which a lot of customer data was stolen. As with many of these large-scale phishing attacks, payment processing was targeted by malicious code being injected through third-party resources - a great write-up can be found over at RiskIQ.
Unfortunately, this is not the only way in which airlines leak payment data. Many airlines have a habit of transmitting full sets of credit card data in the clear via ACARS, an avionic data link. We touched upon this in an arXiv paper some time ago, and the messages go a little something like this (with details redacted, of course):
We saw numerous instances of this from a handful of airlines, with only one doing it consistently. We are not sure who the cards belong to, or why they are being sent over ACARS, but they tend to be larger transactions, having local currency values above £500.
We should probably briefly explain what ACARS is. The Aircraft Communications Addressing and Reporting System (ACARS) is a general-purpose ground-to-air data link used heavily by airlines to manage their fleets and, in some cases, to interact with air traffic control.
It is served over Very High Frequency (VHF), satellite (SATCOM) and High Frequency (HF) links, which makes it incredibly easy to collect with an RTL-SDR and acarsdec or JAERO. You can start gathering ACARS messages for about £10, and you can do it very well for around £150.
It's been in use in some form since the late 1970s, but more recently usage has become varied and far beyond original intentions. As well as the serious usage, it is often used to get updates on sports results, or other goings on. A random example from collected messages might be:
What does this mean for security? Well, not much, and not great. There is no standardised security, so by default everything is sent in the clear. An industry standard in the form of ACARS Message Security (AMS) does exist, but we have yet to see it used.
We have seen some efforts at 'encryption', but these were astoundingly weak: think substitution ciphers, single-digit static keys, and all keys shared across all aircraft. We wrote a bit about this here.
And so we come back to our original point about credit card details. We cannot quite figure out why card details are sent via ACARS, but we do know that this is more widespread than our original observation; other members of the community have seen it at scale. Check out Simon Proud's Twitter thread below for more information.
We disclosed to the airline we saw regularly sending this data, and they made changes to fix it. However, it seems that this is endemic in ACARS usage, and it is not going away. And other airlines are still at it, and it does not take much to collect this data.
It doesn't stop there: airlines send lots of other, less sensitive passenger data via the link too, such as passenger lists, free-text messages containing crew names, and in some cases medical information or visa-related issues.
Clearly, sending private data via ACARS needs to stop - malicious observers would not even need to insert code into websites to steal credit card data in this instance.
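The post shows the symptom but not what a fix on the airline side looks like. The following is an added example, not code from the original post or from any airline: a pre-transmission filter that scans the free-text body of an outbound ACARS message for card-number-like digit runs, keeps only Luhn-valid ones (so ticket numbers and OOOI times are not flagged), and masks them to the last four digits before the message ever reaches the data link. The same check can be run over already-decoded message text to audit what has been going out. The message bodies are constructed, and 4111 1111 1111 1111 is the well-known Visa test number, not a real card.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally split by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for each Luhn-valid card-like run in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact_pans(text: str) -> str:
    """Mask every detected PAN to its last four digits.
    Works right to left so earlier offsets stay valid after each replacement."""
    out = text
    for start, end, digits in reversed(find_pans(text)):
        out = out[:start] + "*" * (len(digits) - 4) + digits[-4:] + out[end:]
    return out


def filter_outbound(messages):
    """Audit a batch of outbound message bodies before transmission.
    Returns (redacted_texts, findings), where findings lists
    (message_index, masked_pan) for everything that was caught."""
    redacted, findings = [], []
    for i, text in enumerate(messages):
        for _, _, digits in find_pans(text):
            findings.append((i, "*" * (len(digits) - 4) + digits[-4:]))
        redacted.append(redact_pans(text))
    return redacted, findings


# Constructed sample message bodies (not real ACARS traffic). The card number
# in the first one is the well-known Visa test PAN.
SAMPLE_MESSAGES = [
    "CATERING UPLIFT PAX 12A CC 4111 1111 1111 1111 AMT GBP 640.00",
    "TKT 1234567890123 SEAT 14C",          # 13-digit ticket-style number, fails Luhn
    "OUT 1203 OFF 1215 ON 1340 IN 1352",   # OOOI times: no run long enough
]

if __name__ == "__main__":
    texts, found = filter_outbound(SAMPLE_MESSAGES)
    for i, masked in found:
        print(f"message {i}: card number found, masked as {masked}")
    for t in texts:
        print(t)
```

The Luhn filter is what keeps the false-positive rate bearable on a link full of numeric fields, but it only catches the PAN itself; expiry dates and other card fields need their own rules, and the real fix is not to put card data on the link at all.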
This seems to be caused by a vast gulf of understanding and practice between the point of design and the point of use. Engineers and designers know the shortcomings, but this isn't communicated through to crew or company. Until we address that, achieving reasonable security and privacy in many aviation data links will be fraught.
If you found this kind of stuff interesting, we have written about privacy issues on ACARS a lot. You can find more information on our publications page and our most recent paper can be found here.
This demo is a companion piece to our paper presented at the 10th International Conference on Cyber Conflict (CyCon X). It shows the target airports of a large number of governments from around the world.
It has been known for several years now that the Automatic Dependent Surveillance-Broadcast (ADS-B) technology allows anyone with a £10 software-defined radio (such as a cheap RTL-SDR dongle) to track the position of any ADS-B-equipped aircraft around the world. We want to stress that anyone can do this without much technical knowledge; there are many projects available, such as dump1090, which are very accessible and popular with a large crowd of plane enthusiasts.
In combination with aircraft metadata freely available on the Internet, we argue that this sort of open-source intelligence (OSINT) leads to a shift in expectations for the operational privacy of governments around the world. While their movements are generally not a secret and often obtainable by other means (e.g., news reports), the automated and large-scale analysis of flight movements can unearth long-term relationships with destinations and countries.
As an illustrative example of the possibilities of modern aircraft tracking, the figure above aggregates all observed non-European government aircraft visits to European airports from 1 January 2016 through 30 June 2017. The different colours indicate the top origin region of the tracked aircraft.
The demo below covers all our collected government flight data from 1 July 2017 to 29 May 2018; you can visualise it by day or in aggregate, both on a map and in tabular form. The underlying data is provided by the OpenSky Network. The data primarily consists of sightings at airports on a given day (visualised as circles); where available, it additionally shows the flight path between two airports, i.e. both origin and destination.
The full demo is also available over at Tableau Public.
As described in our paper, one can easily detect multilateral meetings using such data, for example on the 22nd of February 2018, when at least 16 government aircraft arrived in Brussels for the European Council's Informal meeting of the 27 heads of state or government the next day.
As you can observe clearly, there is currently no reasonable expectation of movement privacy even for relatively powerful government actors. ADS-B certainly has made the tracking of aircraft even easier, but other technologies from Mode S to ACARS also allow the simple tracking of aircraft, which is something we will cover in future posts.
Martin Strohmeier, Matthew Smith, Daniel Moser, Matthias Schäfer, Vincent Lenders, and Ivan Martinovic. Utilizing Air Traffic Communications for OSINT on State and Government Aircraft. In 2018 10th International Conference on Cyber Conflict (CyCon). IEEE. May 2018.
TL;DR: Not that we know of. At least not deployed anywhere outside a lab. Some proposals have been floated, however.
This post was inspired by the recent report by the US Congress's Government Accountability Office (GAO) on ADS-B, which was discussed in many articles around the web, such as this one: GAO: Pentagon, FAA Lag In Addressing ADS-B Risks
Let's have a look at the source. These are quotes from the GAO's actual document, citing some of our work:
While NORAD and DOD officials told us that they will benefit from information provided by ADS-B technology, NORAD, DOD, and professional organizations' documents and officials also noted that electronic warfare- and cyber-attacks—and the potential divestment of secondary-surveillance radars as a result of reliance on ADS-B—could adversely affect current and future air operations.
Further on the vulnerabilities:
According to the article in the 2015 Institute of Electrical and Electronics Engineers publication, adversaries could use a cyber-attack to inject false ADS-B messages (that is, create "ghost" aircraft on the ground or air); delete ADS-B messages (that is, make an aircraft disappear from the air traffic controller screens); and modify messages (that is, change the reported path of the aircraft).
Finally, this is all we get to know about the solutions to the problem:
The article states that jamming attacks against ADS-B systems would be simple, and that ADS-B data do not include verification measures to filter out false messages, such as those used in spoofing attacks. FAA officials stated that the agency is aware of these possible attacks, and that it addresses such vulnerabilities by validating ADS-B data against primary- and secondary-surveillance radar tracks.
So, we are not allowed to know what's in store from the authorities' side, or how well it works. The systems security community often classes this as security through obscurity. To be fair, this approach probably has a place somewhere in legacy critical infrastructures controlled by a few entities and vendors. It doesn't really make one trust the system any more, but that's the deal.
So, realistically, what are they talking about here?
Most likely, we are talking about cross-validation with other, partially redundant, ATC surveillance technologies. Candidates include Primary Radar (PSR), Secondary Radar (SSR, Mode A, C, S) and (Wide Area) Multilateration. The idea is that if ADS-B is actually being attacked, one could easily see this on these redundant technologies by either automatically or manually verifying ADS-B targets with them.
And yes, that works. The problem is that this wasn't the plan. ADS-B was supposed to be the sole surveillance technology in most airspaces. The old, expensive and less accurate radar technologies were supposed to be retired. Well, no more; the FAA has stated as much just a couple of weeks ago: FAA No Longer Expected To Retire Radars
The other problem: while (in some cases much) more difficult to pull off, attacks on at least SSR, and also on multilateration, are well within the capabilities of a typical attacker. If you verify compromised data with other compromised data, you're just as lost as before, although the complexity has certainly risen.
At the end of the day, these are probably still the best and most realistic options where they are available, and the closest thing to an answer to the question of whether a real-world IDS exists: if you properly tune your surveillance distribution systems and trackers, and actually test them against such attacks (something for which we argue very strongly), such attacks at least become non-trivial.
Outside of these existing mitigation options, we have proposed and tested several transparent approaches that use the actual ADS-B messages to detect attacks, mostly based on physical-layer data. Such systems cannot provide 100% security -- that could only be delivered by a new protocol which includes cryptography -- but, just like IDS used in traditional networks, they are a whole lot better than nothing. The details of these schemes will be discussed in future blog posts on this topic. If you are interested right now, you can also check out our Publications page.
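To make the cross-validation idea concrete, here is an added example (our illustration, not code from the post, the FAA or any real surveillance system). It compares each ADS-B position report against the time-nearest fix from an independent source such as SSR or multilateration and raises an alert when the two disagree by more than a threshold, when an ADS-B target has no independent track at all (the "ghost" case), or when an independent track has no ADS-B reports (which may just as well be an unequipped aircraft as suppressed messages). The track format, the 5 s alignment window, the 1 NM distance threshold and the haversine distance are all assumptions made for illustration, and the sample tracks are constructed.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def nearest_fix(fixes, t, max_dt):
    """Fix (t, lat, lon) closest in time to t, or None if none lies within max_dt seconds."""
    best = None
    for fix in fixes:
        dt = abs(fix[0] - t)
        if dt <= max_dt and (best is None or dt < abs(best[0] - t)):
            best = fix
    return best


def cross_validate(adsb_tracks, independent_tracks, max_dt=5.0, max_dist_m=1852.0):
    """Compare ADS-B reports with an independent surveillance source.

    Both inputs map an ICAO 24-bit address to a list of (t_seconds, lat, lon)
    (an assumed track format). Returns a list of (icao24, reason) alerts."""
    alerts = []
    for icao, reports in adsb_tracks.items():
        ref = independent_tracks.get(icao)
        if not ref:
            alerts.append((icao, "no independent track: possible ghost target"))
            continue
        for t, lat, lon in reports:
            fix = nearest_fix(ref, t, max_dt)
            if fix is None:
                continue  # no time-aligned fix, nothing to compare against
            dist = haversine_m(lat, lon, fix[1], fix[2])
            if dist > max_dist_m:
                alerts.append((icao, f"ADS-B position {dist:.0f} m from independent fix at t={t}"))
    # The reverse direction: targets the independent source sees but ADS-B does not.
    for icao in independent_tracks:
        if icao not in adsb_tracks:
            alerts.append((icao, "independent track only: unequipped or ADS-B missing"))
    return alerts


# Constructed sample tracks (not real traffic); positions roughly over London.
ADSB = {
    "abc123": [(0, 51.500, -0.100), (10, 51.520, -0.080)],   # agrees with MLAT
    "ghost1": [(0, 51.600, 0.200)],                          # nobody else sees it
    "spoof2": [(0, 51.700, -0.300), (10, 51.720, -0.280)],   # MLAT places it ~14 km east
}
MLAT = {
    "abc123": [(1, 51.501, -0.099), (11, 51.521, -0.081)],
    "spoof2": [(2, 51.700, -0.100), (12, 51.720, -0.080)],
    "quiet3": [(0, 51.400, -0.500)],                          # Mode S replies only
}

if __name__ == "__main__":
    for icao, reason in cross_validate(ADSB, MLAT):
        print(icao, reason)
```

In a real deployment the threshold would come from the accuracy and latency of the sensors involved and the tracker's smoothing, not a fixed 1 NM, and, as the post notes, the independent source is only worth as much as its own resistance to manipulation.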
Martin Strohmeier, Vincent Lenders, Ivan Martinovic. On the Security of the Automatic Dependent Surveillance-Broadcast Protocol. In IEEE Communications Surveys & Tutorials. Vol. 17. No. 2. Pages 1066-1087. 2015.
Martin Strohmeier. Security in Next Generation Air Traffic Communication Networks. PhD Thesis, University of Oxford. 2016.
One popular question that we encounter regularly is whether air forces around the world use ADS-B on their aircraft. After all, aircraft transponders were originally a military invention to distinguish friend from foe, and the well-known benefits of ADS-B equipage in civil airspaces also apply to military aircraft. On the other hand, both cost and security reasons have been cited for not wanting to use ADS-B on sensitive aircraft. So, what is the deal right now, less than two years before the 2020 equipage deadline in Europe and the US?
In short, yes, air forces do use ADS-B, at least partially, but there are massive usage differences between countries.
This is from our recent paper at the 36th Digital Avionics Systems Conference. We collected ADS-B and Mode A/C/S data from over 6000 aircraft operated by militaries all over the world (with a strong focus on Europe and the US) using the OpenSky Network. The key plot on how air forces around the world use ADS-B is the following:
As we can see, the military ADS-B adoption rate varies from around 10% in Israel to 90% in Saudi Arabia.
The same, a bit more detailed, for some selected countries:
Here, you see the share of aircraft which use Mode S only, or additional technologies such as ACAS or ADS-B, or all three.
Finally, we know that military aircraft can switch off ADS-B when they choose to. This happens regularly: some only really seem to use it en route in "safe" airspaces but switch it off for their approach, to make it ever so slightly harder to see where they land (well, not really, but that's a story for another blog post). For that, and other information such as ADS-B equipage per aircraft type, you can read the full paper.
Matthias Schäfer, Martin Strohmeier, Matthew Smith, Markus Fuchs, Vincent Lenders, Marc Liechti and Ivan Martinovic. OpenSky Report 2017: Mode S and ADS-B Usage of Military and other State Aircraft. In IEEE/AIAA 36th Digital Avionics Systems Conference. September 2017.
You can find all our publications on Aviation Security on our Publications page.
Welcome to our blog! We'll be using this part of the website to talk about a range of things: news, research papers and anecdotes we come across in our work. We probably won't have a regular schedule of updates to begin with so sign up to our RSS feed below to keep up to date.