Detecting Hacker Aircraft Using Artificial Intelligence
Introduction
Air travel is the world’s current most efficient and rapid transportation network that is essential for facilitating business, trade, travel, and economic growth. Every single day, more than 128,000 flights take off around the world serving upwards of 12 million passengers. In order to moderate and coordinate this large amount of traffic in the air, a wide-scale radar technology was previously used. However, in recent years, a modern aviation communications technology was developed called ADS-B (Automatic Dependent Surveillance-Broadcast) that beat out radar in speed, reliability, and efficiency for communications management. Despite the overwhelming benefits provided by this new technology, it does have its setbacks. One of ADS-B’s main flaws is its lack of security. ADS-B transmissions are unencrypted and unauthenticated making them vulnerable to ground-based cyber attacks such as spoofing which could ramify wide-scale repercussions such as flight delays and even mid-air collisions. As a pilot myself concerned with the safety of air travel, I decided to extensively research this topic and take action by developing a low-cost device called Fly Catcher that detects spoofed aircraft in real-time. This article is meant to elucidate my research process by explaining the functionality of ADS-B and its use cases and then transitioning over to the development process of Fly Catcher and analyzing its utility for ADS-B spoofing detection.
Visit the Project
Project Link: https://github.com/ANG13T/fly-catcher
Research Paper: Read the Research Paper Here
Radar Systems in Aviation
Radar stands for Radio Detecting and Ranging and was originally developed during World War 2. Radar works by transmitting electromagnetic waves and determining the distance between the target object and the source of the electromagnetic wave. Systems do this by appreciating the fact that electromagnetic energy travels through at a constant speed very close to the speed of light (300000 km/s) and adheres to the same principles of an echo. By calculating the time of the transmitted pulses, radar can be used to derive values such as heading, altitude, direction, ground track, and speed of the target object.
A basic radar system consists of a transmitter, antenna, and receiver. The transmitter emits radio waves to be sent and modulates those waves to form a pulse train. Then, the antenna takes the pulse train from the transmitter and emits it into the air where it is directed at a receiver. Once the radio waves are sent to the receiver, the receiver amplifies and demodulates the received RF signals to output.
There are two main types of radar systems — Primary and Secondary.
Primary Radar
Primary radar uses echoes of radio waves reflected back from the target in order to calculate the time taken between when the wave was transmitted to when it was returned. The direction of the transmitted signal reveals the bearing of the target and the time difference can be used to calculate the range since the speed of radio waves through an air medium is constant. When RF pulses from a primary radar transmitter are sent, any object that interacts with the pulse will reflect it back and scatter energy. The reflected energy received back from a primary radar antenna is then used to calculate relevant information about the object. Within aviation, primary radar systems are used to detect dangerous weather conditions, measure the distance of an aircraft above a terrain (used for radio altimeters), and Doppler navigation (an old form of GPS mainly used for rotary-wing aircraft).
Secondary Radar
Secondary radar operates on a different paradigm than primary radar as it does not take into consideration the reflected pulses. The way secondary radar operates is by sending out a signal to a target which then activates the transponder on the target triggering the target’s transponder to send a signal back to the radar system. Secondary radar is often used for longer-range communication purposes compared to primary radar.
Secondary Radar is often used to coordinate Secondary Surveillance Radar (SSR) which is used to determine an aircraft’s range and direction by transmitting a series of pulses from a ground station and then waiting for a response from the target aircraft’s onboard systems. The onboard systems on the target aircraft decode the pulses it receives from the ground station and transmit a response via a pulse on an adjacent frequency.
Another application of Secondary Radar is for Distance Measuring Equipment (DME) which provides line-of-sight distance measurements between a target aircraft and a ground station. It has been standardized by the ICAO for short to medium radio air distance navigation purposes, and works by measuring the delay of an RF pulse emitted by an aircraft’s transmitter and then returned back to the aircraft by the ground station once the information is processed.
Drawbacks of Radar Systems
Although radar systems are useful for transmitting information within a specific range and under ideal conditions, radars tend to not perform well under bad weather conditions which reduced their maximum range. Moreover, radars are composed of parts that tend to get worn out fast requiring extensive maintenance. They also operate on high power levels and cannot be used with modern technological communication systems. Taking these cons into consideration, aeronautical communication engineers proposed a new system that relied on satellite navigational technology called ADS-B as a modern alternative to traditional radar systems.
What is ADS-B?
ADS-B stands for Automatic Dependent Surveillance-Broadcast. It is an advanced surveillance technology used to broadcast pertinent information about an aircraft to other aircraft and ground stations. The purpose of developing ADS-B was to create a modern and viable low-cost replacement for traditional radar systems that would allow ATC to monitor airplanes with much larger precision. Aircraft equipped with ADS-B transmits information on either the 978 MHz or 1090 MHz frequency. We will be focusing on 1090 MHz because it is used by Mode C transponders and Traffic Collision Avoidance Systems (TCAS).
How does ADS-B Work?
ADS-B functions by using a combination of satellites, transmitters, and receivers to provide live data coverage to flight personnel and ground control groups about the location and speed of planes above the ground. ADS-B Out signals ate transmitted by aircraft to receivers located on the ground or on other aircraft via line-of-sight. When ADS-B Out signals are received by ATC ground stations, they are used to display the status of air traffic. ADS-B signals are also received by other planes near the transmitting aircraft to avoid mid-air collisions and provide situational awareness. After ADS-B signals are processed by a receiving plane, information about the telemetry data of the aircraft such as the lateral position (longitude and latitude), velocity, altitude, flight number, and other relevant information are displayed on the receiving aircraft’s Cockpit Display of Traffic Information (CDTI). ADS-B data can also be displayed through a wide variety of web and mobile applications such as ForeFlight for instant and convenient visualization.
Moreover, satellites overhead the aircraft send highly precise timing readings allowing airplanes equipped with GNSS or GPS receivers to calculate their own position and velocity. After this information is obtained, airplanes that have an ADS-B Out broadcast their telemetry to ground-based ADS-B receivers and to other aircraft in the sky via a digital datalink on the 1090MHz frequency.
The Benefits of ADS-B
- ADS-B ensures the safety of air traffic by providing flight crews with situational awareness of a real-time common surveillance image that is highly precise and updated in real-time
- ADS-B also provides a highly accurate position of an aircraft which allows controllers to guide aircraft with small separation standards reducing overall clearance time and improving ATC flow management
- ADS-B also allows for an increased capacity of aircraft ATC can coordinate because of its reduced separation standards while also maintaining the integrity of each position report
Frequencies
ADS-B Out can operate on two different frequencies 1090 MHz and 978 MHz. Although both meet modern requirements, there are some differences that should be taken into account:
1090 MHz
The 1090 MHz frequency is associated with the Mode A, C, and S transponder options and contains integrated ADS-B functionality allowing it to process more ADS-B information called the extended squitter (aka 1090ES). Operators flying 18,000 feet and above are required to have 1090ES equipment onboard.
978 MHZ
978 MHz frequency operates on ADS-B equipment known as Universal Access Transceivers (UAT). UAT has a very similar functionality to the 1090 MHz, but regulations around it are different. It can only be accessed within the United States, so pilots looking to fly elsewhere should consider a transponder operating on 1090 MHz.
The Benefits of ADS-B over Conventional Radar Systems
- Unlike conventional radar, ADS-B is able to keep track of aircraft on the ground, so it can accurately monitor airplanes on taxiways and runways
- ADS-B is also accurate even when an airplane is located overhead of a remote area where there is minimal radar coverage
- ADS-B is much more precise and faster than radar
Equipment for ADS-B
Ground Components
- ATC must have ADS-B ground stations
- ADS-B ground stations must include an ADS-B receive antenna with a clear line of sight toward the horizon
- ADS-B receiver
- Power Supply
- Communications Link
- Physical and Data Security
Components for ADS-B Out
- GNSS receiver and antenna onboard the airplane
- ATC must have transponders to transmit ADS-B Out messages to aircraft
Components for ADS-B In
- ACAS and TCAS antennas are used to receive ADS-B messages from other aircraft
- CDTI to display target aircraft information to the flight crew
Data Types Sent Via ADS-B
An ADS-B frame is 112 bits long and is segmented into five main sections.
Bits 1–5 are a binary representation of a downlink format. For instance, civil aircraft use the downlink format of 17 which corresponds to 10001
in binary.
Bits 6–8 correspond to the transponder capability of the aircraft which is denoted by a decimal value between 0 and 7. The definitions for each value are attached below:
Bits 9–32 contain the ICAO aircraft address otherwise known as the Mode S transponder code or hex code. This address remains the same throughout the lifespan of the aircraft and serves as its unique identifier.
Bits 33–88 contain the type code and message contents of the ADS-B data packet. The type code status can be one of the following:
As for the message contents, a raw message is represented by a hexadecimal structure that contains aircraft telemetry values such as airborne position, surface position, velocity, status, and much more.
Bits 89–112 contain the 56-bit payload and 24-bit parity of the ADS-B data packet
Decoders for ADS-B
Many tools are available in order to decode the data sent within ADS-B packets. The most popular Mode S decoder is dump1090. dump1090 uses the RTL-SDR USB stick to retrieve the raw data values of each ADS-B message and decode them into a readable JSON format. It is a robust system with an extended range, includes network support for formats such as TCP and HTTP, can run single-bit error corrections using 24-bit CRC, and can utilize CPR coordinates for decoding the velocity of an aircraft.
Decoded ADS-B JSON Format
{
"hex":"4d211a",
"type":"adsc",
"flight":"XA1 ",
"r":"9H-VJR",
"t":"GLEX",
"alt_baro":39004,
"gs":497.0,
"track":14.02,
"baro_rate":-48,
"lat":-8.317165,
"lon":-179.660969,
"nic":0,
"rc":0,
"seen_pos":326.843,
"alert":0,
"spi":0,
"mlat":[],
"tisb":[],
"messages":2271040,
"seen":326.8,
"rssi":-49.5
}
hex
the 24-bit ICAO identifier of the aircrafttype
best source of current data for the aircraft flight
callsignr
aircraft registrationt
aircraft typealt_baro
aircraft barometric altitude in feetgs
ground speed in knotstrack
true track over the ground in degreesbaro_rate
rate of change of barometric altitude (feet/minute)lat
aircraft geoposition in decimal degreeslon
aircraft geoposition in decimal degreesnic
navigation integrity categoryrc
radius of containment (meters)seen_pos
updated time ago in seconds alert
flight status alertspi
flight status special position identificationmlat
list of fields derived from MLATtisb
list of fields derived from TIS-Bmessages
total number of Mode S messages receivedseen
last timing message was received in secondsrssi
recent average signal power (dbFs)
Online ADS-B Providers
In order to evade the cumbersome process of having to fetch and decode your own custom ADS-B data, a number of online services include their own ADS-B output logs in conjunction with flight visualizations to provide live coverage for normal consumers. The following is a list of some popular ADS-B provider services:
- ADS-B Exchange: this website collects ADS-B data from over 10,000 receivers worldwide and aggregates that data into a cohesive web display
- Plane.watch: a non-commercial ADS-B aggregation project run by a passionate community of SDR Enthusiasts
- RadarBox: a flight monitoring company that displays aircraft and pertinent flight information on a live map display
- ForeFlight: an integrated flight application that provides live coverage of aircraft and aeronautical data
- OpenSky Network: a non-profit associate that provides access to real-world air traffic control data
- RadarVirteul: a site that contains ADS-B information from feeding stations around the world including traffic around smaller airports
- FlightRadar24: a global flight tracking service that provides aircraft coverage around the world
- PlaneFinder: a live flight tracking service that provides data to industries with customized products for aviation and business
- ADSBHub: an ADS-B data sharing center and data source for enthusiasts and professionals interested in ADS-B
Custom ADS-B Receiver Setup
It is also possible to collect your own ADS-B data. If you want to build your own ADS-B receiver rig, you need to collect the following materials:
- SDR that can receive 1090MHz: There are a number of SDRs that are compatible with the 1090MHz frequency such as the RTL-SDR, FlightAware Pro Stick Plus, and the KereberosSDR
- 1090MHz antenna: You can either purchase a cheap 1090MHz rubber ducky antenna on Amazon, a vertical collinear antenna off of EBay, or make your own
- Computer with Linux: This can be any computer like a Raspberry or similar single-board computer or an x86
- FlightAware: You need software on your machine capable of visualizing the live ADS-B data you receive. FlightAware is a great option
- Cables: You need a USB cable to connect the SDR to the computer. You also need a coaxial cable to connect the antenna to the SDR
- Optional Materials: There are a lot of options for other equipment you can attach to your rig such as a 1090MHz bandpass filter or amplifier
It is possible to make alternative rigs that vary from this design, however, I found this setup to be the most intuitive for beginners and I use it as the foundation for the Fly Catcher which I will go further into depth about later on in this article.
Aircraft Telemetry
Lots of data values can be derived using ADS-B. The following telemetry values are examples of relevant information that can be obtained about aircraft using that system.
General Information:Registration Code
The alphanumeric registration code assigned by the country the aircraft was manufactured in
Database Flags
database assignment flags such as military, PIA, and LAD
ICAO Type Code
ICAO aircraft type code (ie. A380)
ICAO Type Description
ICAO-type descriptions such as aircraft category, number descriptor, and prop / engine configuration
Squawk Code
4-digit octal code assigned to aircraft by ATC
Spatial Data:
Ground Speed
speed of aircraft over the ground
Vertical Rate
rate of climb or descent
Track
the direction of aircraft traveling over the ground
GPS Position
latitude and longitude coordinates of aircraft
Distance from ADS-B Antenna
distance of aircraft from ADS-B receiver
Signals Data:
Data Source
the data source of aircraft (ie. ADS-B, MLAT, and Mode S)
RSSI
the signal strength of aircraft from ADS-B receiver
Message Rate
rate of messages received from aircraft per second
Receivers
number of ADS-B receivers
Last Position Time
time since the position of the aircraft was last received
Last Seen Time
time since the message from the aircraft was last received
FMS Data:
Selected Altitude
the selected altitude in the aircraft’s FMS
Selected Heading
the selected heading in the aircraft’s FMS
Wind Information:
Wind Speed
calculated wind speed
Wind Direction
calculated wind direction
Altitude Data:
Barometric Altitude
pressure derived height of plane over mean sea level
Barometric Rate
rate of climb or descent derived from barometric altitude
WGS84 Altitude
geometric GPS-derived altitude
Geometric Rate
rate of climb or descent shown on avionics
Altimeter Setting
altimeter / QNH setting used by avionics
Directional Data:
Ground Track
the direction of aircraft above the ground
True Heading
aircraft’s nose heading relative to true North
Magnetic Heading
aircraft’s nose heading relative to magnetic North
Magnetic Declination
declination based on the World Magnetic Model
Track Rate
rate of turn of ground track
Roll
the roll angle of aircraft
Miscellaneous Info:
Navigation Mode
enabled navigation mode labeled by aircraft (ie. autopilot, TCAS, approach, etc)
ADS-B Version
the version of ADS-B installed on aircraft
Aircraft Category Code
category code of aircraft often indicating the size
Vulnerabilities of ADS-B
The reliance on unencrypted data links by ADS-B systems causes it to be vulnerable to exploitation by ground-based attackers who can use cheap and accessible broadcast communications hardware and software to capture and alter ADS-B messages, delete transmissions, inject misleading data, and jam entire exchange channels. Listed below are some of the main cyber vulnerabilities of aircraft:
Eavesdropping
Eavesdropping occurs when a bad actor exploits the unencrypted nature of ADS-B data to intercept communications between a ground-based receiver and an aircraft
Message Deletion
Message deletion happens when a hacker compromises the frame assembly of the ADS-B protocol by removing message frames from transmissions, therefore, compromising the data integrity of the transmission
Message Injection
Message Injection is another avenue for compromising the data integrity of an ADS-B transmission where a hacker inputs unauthorized data into an ADS-B transmission
Jamming
Jamming occurs when a bad actor floods a frequency with random RF transmissions compromising the availability of the ADS-B service
Spoofing
A spoofing attack occurs when an attacker modifies their own custom ADS-B message by inserting fake data. This technique can be used to create ghost aircraft (fake aircraft shown in ADS-B receivers that don’t exist)
Fly Catcher Introduction
One way of preventing ADS-B attacks is to establish the proper countermeasurements to detect when these attacks occur, so authorities are notified when an attack is occurring the moment it happens. For my personal research, I decided to focus on aircraft spoofing and developing a project called Fly Catcher that is able to detect spoofing attempts in real time. Fly Catcher is a device and a web app that detects spoofed aircraft using a convolutional neural network trained on a dataset of verified and spoofed ADS-B signals. The implementation is a low-cost device made with the Raspberry Pi, a FlightAware RTL-SDR, and a 1090MHz antenna-based tailored for research that uses a Convolutional Neural Network to identify and flag suspicious signals.
Receiving ADS-B Signals for Research
Device Setup
The following is the list of materials I used to develop the device:
- 1090MHz Rubber Ducky Antenna
- Raspberry Pi 3B
- FlightAware Pro Stick Plus SDR
- 3.5 in TFT Screen
- Portable Battery Charger
- USB-C to Micro USB Cable
- Custom 3D Printed Case (optional)
- SD Card
- Rasbian Operating System
- 4x 3/32 Screws
- Python and Pip on Raspberry Pi
- TensorFlow, Keras, and Pandas Libraries
- FlightAware
Once I got my materials together, I configured the Raspberry Pi with the FlightAware SDR using the following tutorial:
https://flightaware.com/adsb/piaware/build/
Here is for verbatim the procedure I followed to get the device set up:
Gather all the necessary materials to construct the device
- Install the Rasbian operating system to the Raspberry Pi with the SD Card
- Connect the Flight Aware SDR to the Raspberry Pi using the Micro USB cable
- Connect the 1090 MHz antenna to the Flight Aware SDR
- Configure the 3.5-inch TFT Screen to the Raspberry Pi
- Place the Device into the 3D Printed Case
- Ensure Python and Pip are installed on the Raspberry Pi
- Install dump-1090 FlightAware library on the Raspberry Pi to receive ADS-B information
The necessary files to make a replicate of this device are contained in the following GitHub repository:
Once the device is put together, it should look like the following:
Once the device is configured, you should be able to view the SDR’s processed ADS-B data via FlightAware’s web portal:
The data is also visualized in the radar display on the TFT screen once the Python script is executed on the device. You can also check the SDR information on the screen as well:
Data Collection Process for ADS-B Research
I used three different techniques for collecting ADS-B data for independent research: online sources, a ground receiver antenna at home, and an in-flight receiver configuration.
Online Sources
Online sources keep massive logs of ADS-B transmissions that occur around the world. In order to increase the breadth of data I had access to during my research process, I accessed multiple data sets logged in the following services for ADS-B data:
Ground Receiver at a Single Location
In addition to having data from online sources, I wanted to capture my own unique data as well. In order to do this, I left the Fly Catcher device at my house in a single location to collect live ADS-B data and log it into a CSV file. After an extended amount of time, I logged thousands of ADS-B messages to analyze.
In-Flight Receiver
As a pilot, I wanted to take an extra step and expand the range of local ADS-B data I had access to. To do this, I brought the device with me to track live ADS-B data during the flight. This gave me ADS-B readings from an extended range as I flew to airports throughout Southern Los Angeles such as Santa Monica, Malibu, Torrance, DTLA, Burbank, and more.
Detecting for Spoofing
From the research and data collected from this experiment, I had three main takeaways for improving the detection of spoofed aircraft: aircraft telemetry indicators, RF Fingerprinting using the RSSI, and the configuration of a Neural Network to optimize the accuracy of the model.
Aircraft Telemetry Indicators
Aircraft Telemetry Indicators (ATIs) which include information such as the aircraft’s position, altitude, and velocity, as well as its unique identifier code can be used to detect spoofed aircraft by comparing the telemetry data received by ATIs with the expected telemetry data for the specific aircraft type. By using this technique, it is possible to detect anomalies that may indicate the presence of a spoofed aircraft. The three main indicators that signaled a spoofed aircraft in my experiment were:
1. Inconsistent altitude and baro rate values: The altitude and baro rate values for each aircraft seem to vary widely and abruptly, which is not typical for genuine ADS-B data. For example, in the spoofed dataset, an aircraft has an altitude of 14981 feet and a baro rate of 51.96 feet per minute, which suggests a sudden and unrealistic change in altitude.
2. Inconsistent or unrealistic speed data: The ground speed values for each aircraft also seem to vary widely and abruptly, which is not typical for genuine ADS-B data. For example, an aircraft in the spoofed dataset has a ground speed of 992 knots, which is faster than the maximum speed of most commercial aircraft.
3. Lack of identification information: Although the data includes flight information such as flight number, aircraft type, and registration number, there is no information about the airline or operator of the aircraft, which is typically included in genuine ADS-B data.
4. Inconsistent or unrealistic position data: The latitude and longitude values for each aircraft also seem to vary widely and abruptly, which is not typical for genuine ADS-B data. For example, an aircraft in the spoofed data set has a latitude of -70.63 degrees, which is beyond the southernmost point of South America which is highly unrealistic.
Neural Network for Fly Catcher
To detect spoofed aircraft, I coded a neural network using the Tensorflow library with Python. The neural network takes into account all the ADS-B data fields and runs it through a model utilizing both training and testing datasets I developed via the data collection methods mentioned earlier. The neural network takes in ADS-B data provided and runs it through the model to give an informed binary classification (spoofed or not spoofed) prediction. The code is available for you to view on GitHub and can be viewed using Jupyter Notebook.
Using RF Fingerprinting to Detect Spoofing Attempts
By comparing the RSSI values of the ADS-B signals received from an aircraft against a database of known RF fingerprints, it is possible to determine whether the aircraft is legitimate or spoofed. This technique can be particularly effective in detecting spoofing attacks that involve the transmission of false ADS-B data from a ground station, as the RF characteristics of the signals will be different from those of a legitimate aircraft. I plan to incorporate this feature into further improvements to the project to improve the neural network model by utilizing the RSSI
field of the JSON data value.
Future Enhancements
In terms of future expansion of the project, there are multiple avenues that could be pursued. One potential area of focus could be to refine the detection system to improve its ability to differentiate between different types of spoofing attacks. For example, some spoofing attacks involve the transmission of false GPS signals to manipulate an aircraft’s position, while others involve the use of false ADS-B signals to mimic the behavior of a
legitimate aircraft. Developing more sophisticated detection techniques for different types of spoofing attacks could further enhance aviation safety.
Another potential area for future expansion is to explore the use of machine learning techniques beyond CNNs for detecting spoofed aircraft. For instance, deep learning techniques such as recurrent neural networks (RNNs) and long short-term memory (LSTM) networks could be used to improve the detection accuracy of spoofed aircraft. Additionally, reinforcement learning techniques could be used to develop more adaptive and robust detection systems that can learn and adapt to new types of spoofing attacks over time.
Conclusion
Overall, I am very happy with how this project turned out. Although Fly Catcher can has lots of room for improvement, it is an example of how cheap components can be utilized to build a robust device that solves a relevant problem within the aviation industry! I hope this guide helped you get a better understanding of radio frequency cybersecurity, aircraft telemetry, and hardware development :)
Thanks for Reading!
- View more of my work on GitHub: https://github.com/ANG13T
- Follow my account on Instagram: instagram.com/angelina_tsuboi
- See what I’m up to on Twitter: https://twitter.com/AngelinaTsuboi
- Support my work on Cash App: https://cash.app/$AngelinaTsuboi