Rob Kraus | August 28, 2012
Last week I enjoyed reading an article I ran across on AINonline. The article explained that security researchers had identified a potential vulnerability in the Federal Aviation Administration’s (FAA) Air Traffic Controller (ATC) Automatic Dependent Surveillance – Broadcast (ADS-B) program being deployed as part of the ATC NextGen modernization project.
Security researchers indicated that it is possible to spoof the presence of a fake aircraft by transmitting unencrypted and unauthenticated ADS-B signals on the frequencies used by the ADS-B system. A demonstration of the vulnerability was presented at this year’s DefCon conference in Las Vegas, Nevada. The researchers who identified and reported the vulnerabilities are well-known in the wireless communication vulnerability research space.
Given the amount of press I see on the nightly news about near-miss and actual collisions, this does not make me, as a frequent traveler, feel too comfortable.
Additionally, some of the statements in the article caused me genuine concern:
Quote 1: “The FAA said that the ADS-B system is secure and that fake ADS-B targets will be filtered from controllers’ displays. 'An FAA ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action,' an FAA spokeswoman told AIN.”
Comment 1: If it “is secure”…then why “will” (note that this does not say “are”) fake targets be filtered at some point in the future? You really have to enjoy the marketing spin on that statement.
Quote 2: “A spokeswoman for key ADS-B contractor ITT Exelis explained, 'The system has received the FAA information security certification and accreditation. The accreditation recognizes that the system has substantial information security features built-in, including features to protect against…spoofing attacks. [This] is provided through multiple means of independent validation that a target is where it is reported to be.'”
Comment 2: The key words being “substantial information security features built-in.” Certification and accreditation does not mean security is 100% achieved. It simply means testing was performed and the product meets a certain level of expectations as far as security is concerned. Think of this as the organization or authorized delegate performing a series of test cases, identifying vulnerabilities and then fixing them. This testing is usually constrained to the amount of time and budget available to perform such analysis.
How does this relate to you as a reader? The drive and motivations of researchers and malicious attackers often outweigh the timelines and budgets imposed by product developers. Security is not as simple as undergoing a certification and accreditation process; it is an entire lifecycle that should be continuous.