Hack in the Box 2013 Notes

Introduction

One of the problems I faced while preparing my talk for HITB 2013 Amsterdam was that a lot of background knowledge on aviation and aircraft systems is necessary in order to understand what I am going to explain. At most security conferences the talks target well-known systems and networks, so the attendees already have all the necessary knowledge, but in this case that is not the situation.

As I have a time limit and can't give all the details on the aviation systems, protocols and terminology employed, I would like to explain some of those elements in advance, so that the attendees can better understand the talk and its contents.

Most of this data is directly extracted from Wikipedia, and additional references are provided at the end. This post is not meant to be exhaustive, but just to give some basic background and offer some resources for further learning to whoever may be interested in going deeper.

ADS-B

ADS-B stands for Automatic Dependent Surveillance-Broadcast and, in short, is intended to replace radar as the primary surveillance method for aircraft control. ADS-B is part of the so-called "Next Generation Air Transportation System (NextGen)" and, together with other systems, is aimed at improving air traffic control with new technologies.

ADS-B consists of two different services: ADS-B Out and ADS-B In.

ADS-B Out periodically broadcasts information about each aircraft, such as identification, current position, altitude, and velocity, through an on-board transmitter. ADS-B Out provides air traffic controllers with real-time position information that is, in most cases, more accurate than the information available from current radar-based systems. With more accurate information, ATC (air traffic control) will be able to position and separate aircraft with improved precision and timing.

ADS-B In is the reception by aircraft of FIS-B (Flight Information Services-Broadcast) and TIS-B (Traffic Information Services-Broadcast) data and of other ADS-B data, such as direct broadcasts from nearby aircraft. With ADS-B, traffic information is sent to the aircraft via ADS-B In, which displays all aircraft in the area, even those not equipped with ADS-B technology (their positions are relayed through TIS-B).

ADS-B will be replacing radar as the primary surveillance method for controlling aircraft worldwide. The ADS-B system can also provide traffic and government-generated graphical weather information through the TIS-B and FIS-B applications. ADS-B enhances safety by making an aircraft visible, in real time, to ATC and to other appropriately equipped ADS-B aircraft, with position and velocity data transmitted every second. ADS-B data can be recorded and downloaded for post-flight analysis.

Unlike some services being currently offered by companies, there will be no subscription fees to use ADS-B or its various benefits. The aircraft owner will pay for the equipment and installation, while the Federal Aviation Administration (FAA) will pay for administering and broadcasting all the services related to the technology.

ACARS

Another aviation system that will be mentioned in my HITB 2013 talk is ACARS, which stands for Aircraft Communications Addressing and Reporting System. It is used for exchanging text messages between aircraft and ground stations via radio (VHF) or satellite. On the ground, ACARS is used mainly by ATC and airlines. In order to send and receive messages, the ground service providers offer worldwide coverage either via VHF or via satellite communications.

One of the initial applications for ACARS was to automatically detect and report changes to the major flight phases referred as OOOI (Out of the gate, Off the ground, On the ground, and Into the gate). At the start of each flight phase, a digital message is transmitted to the ground containing the flight phase, the time at which it occurred, and other related information such as amount of fuel on-board or flight origin and destination. These messages are used to track the status of aircraft and crews.

In the 1990s the industry started to upgrade the on-board maintenance computers to support the transmission of maintenance-related information in real time through ACARS. This enabled airline maintenance personnel to receive real-time data associated with maintenance faults on the aircraft.

All of the processing described above is performed automatically by the ACARS MU (Management Unit) and other associated avionic systems, without flight crew intervention.

Later, airlines began adding new messages to support new applications (weather, winds, clearances, connecting flights, etc.) and ACARS systems were customized to support airline-unique applications, and unique ground computer requirements. This resulted in each airline having its own unique ACARS application operating on its aircraft.

A person or a system on-board may create a message and send it via ACARS to a system or user on the ground, and vice versa. Messages may be sent either automatically or manually.

Ground End Systems and Providers

The ground end system is the destination for downlinks and the source of uplinks. Generally, ground end systems are either government agencies such as CAA/FAA, an airline operations headquarters, or, in the case of small airlines or general aviation consumers, a subscription based solution.

The role of the datalink service provider (DSP) is to deliver a message from the aircraft to the ground end system, and vice versa.

Since the ACARS network is modeled after the point-to-point telex network, all messages come to a central processing location. Then the DSP routes the message to the appropriate end system using its network of land lines and ground stations.

There are currently two primary service providers of ground networks in the world (ARINC and SITA), although specific countries have implemented their own network with the help of either ARINC or SITA. Until recently, each area of the world was supported by a single service provider. This is changing, and both ARINC and SITA are competing and installing networks that cover the same regions.

ADS-B and ACARS security

Those two protocols have been well known in the security community for a long time, and many studies and talks have previously been given on those subjects. At HITB 2013 I will not focus on the vulnerabilities or security features of those systems; I will just use them as another resource to achieve further targets. In the References below you will find additional, extensive information about the security issues previously found in those protocols.

Software Defined Radio

As explained in the GNU Radio FAQ, a software radio is a radio system which performs the required signal processing in software instead of using dedicated integrated circuits in hardware. The benefit is that, since software can be easily replaced in the radio system, the same hardware can be used to create many kinds of radios for many different transmission standards; thus, one software radio can be used for a variety of applications.

A basic SDR system may consist of a personal computer equipped with a sound card, or other analog-to-digital converter, preceded by some form of RF front end. Significant amounts of signal processing are handed over to the general-purpose processor, rather than being done in special-purpose hardware.

SDR Software

The SDR software performs all of the demodulation, filtering (both radio frequency and audio frequency) and signal enhancement (equalization and binaural presentation). Uses include every common amateur modulation: morse code, single sideband modulation, frequency modulation, amplitude modulation, and a variety of digital modes such as radioteletype, slow-scan television, and packet radio.

A good starting point on SDR and SDR related software is the website of the GNU Radio project, a free and open-source software development toolkit that provides signal processing blocks to implement software radios. The project URL can be found on the References at the end.
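To make the "demodulation in software" idea concrete for the ADS-B case discussed earlier, here is an added example (not code from the original post or from any of the projects named here). It synthesises the magnitude samples an SDR front end would hand to the host for one 1090 MHz frame, at the 2 MS/s rate that dump1090 uses (an assumption of this example), and then recovers the 112 bits the way a software decoder does: locate the 8 µs preamble, then compare the two half-bit samples of each 1 µs pulse-position-modulated bit slot. The sample stream, the noise level and the message it carries are all constructed inside the code.

```python
"""Software demodulation of a Mode S / ADS-B frame from magnitude samples.

Added example, not code from the original post. Assumptions: 2 MS/s
sampling (one sample per half-bit), pulse magnitude 1.0, idle 0.0, plus
a small amount of uniform noise. The input stream is constructed here.
"""
import random

SAMPLES_PER_US = 2                 # assumption: 2 MS/s, as dump1090 uses
PREAMBLE_US = 8
FRAME_BITS = 112
PREAMBLE_LEN = PREAMBLE_US * SAMPLES_PER_US      # 16 samples
# The four 0.5 us preamble pulses start at 0, 1.0, 3.5 and 4.5 us.
PREAMBLE_HIGH = {0, 2, 7, 9}                      # sample indices with a pulse


def hex_to_bits(msg_hex):
    return [int(b) for b in bin(int(msg_hex, 16))[2:].zfill(len(msg_hex) * 4)]


def synthesize(msg_hex, noise=0.05, lead=10, seed=1):
    """Constructed sample stream: idle samples, preamble, 112 PPM bit slots.

    PPM: a 1 bit is a pulse in the first half of the slot, a 0 bit a pulse
    in the second half. Noise is uniform in [-noise, +noise].
    """
    rng = random.Random(seed)
    mags = [0.0] * lead
    for i in range(PREAMBLE_LEN):
        mags.append(1.0 if i in PREAMBLE_HIGH else 0.0)
    for bit in hex_to_bits(msg_hex):
        mags.extend([1.0, 0.0] if bit else [0.0, 1.0])
    mags.extend([0.0] * lead)
    return [m + rng.uniform(-noise, noise) for m in mags]


def is_preamble(mags, i):
    """Preamble test at offset i: every pulse sample must exceed every idle
    sample within the 16-sample preamble window."""
    window = mags[i:i + PREAMBLE_LEN]
    if len(window) < PREAMBLE_LEN:
        return False
    highs = [window[k] for k in PREAMBLE_HIGH]
    lows = [window[k] for k in range(PREAMBLE_LEN) if k not in PREAMBLE_HIGH]
    return min(highs) > max(lows)


def demodulate(mags):
    """Return the first 112-bit frame found as 28 uppercase hex digits, else None."""
    last_start = len(mags) - PREAMBLE_LEN - 2 * FRAME_BITS
    for i in range(last_start + 1):
        if not is_preamble(mags, i):
            continue
        start = i + PREAMBLE_LEN
        bits = []
        for b in range(FRAME_BITS):
            first_half = mags[start + 2 * b]
            second_half = mags[start + 2 * b + 1]
            bits.append(1 if first_half > second_half else 0)
        value = int("".join(map(str, bits)), 2)
        return f"{value:028X}"
    return None


if __name__ == "__main__":
    # Constructed input: the same sample identification frame as above.
    msg = "8D4840D6202CC371C32CE0576098"
    samples = synthesize(msg)
    print(len(samples), "samples ->", demodulate(samples))
```

The demodulated hex string can be fed straight into a frame decoder with a CRC check; in a real receiver that parity check is what separates genuine frames from the false preamble matches that noise produces, which is why decoders keep the bit-level demodulation and the frame validation as separate stages.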

SDR Hardware

There is a broad range of hardware solutions for radio amateurs and home use. There are professional-grade transceiver solutions, home-brew solutions and starter solutions.

GNU Radio is used primarily with the Universal Software Radio Peripheral (USRP), which combines a USB 2.0 interface, an FPGA, and a high-speed set of analog-to-digital and digital-to-analog converters with reconfigurable free software.

That's all!

As I said, this is not an exhaustive guide to any of the mentioned topics, but it should provide enough background to those willing to attend my talk, so that you find it easier to follow all of its contents.

See you at HITB Amsterdam 2013!

References

Aviation

ADS-B and ACARS

SDR

ADS-B/ACARS Security


Comments

If you are interested in the topic and want to discuss anything or be aware of future posts, do it through Twitter.