Detecting Hacker Aircraft Using Artificial Intelligence

19 min readNov 25, 2023

Introduction

Air travel is the world’s current most efficient and rapid transportation network that is essential for facilitating business, trade, travel, and economic growth. Every single day, more than 128,000 flights take off around the world serving upwards of 12 million passengers. In order to moderate and coordinate this large amount of traffic in the air, a wide-scale radar technology was previously used. However, in recent years, a modern aviation communications technology was developed called ADS-B (Automatic Dependent Surveillance-Broadcast) that beat out radar in speed, reliability, and efficiency for communications management. Despite the overwhelming benefits provided by this new technology, it does have its setbacks. One of ADS-B’s main flaws is its lack of security. ADS-B transmissions are unencrypted and unauthenticated making them vulnerable to ground-based cyber attacks such as spoofing which could ramify wide-scale repercussions such as flight delays and even mid-air collisions. As a pilot myself concerned with the safety of air travel, I decided to extensively research this topic and take action by developing a low-cost device called Fly Catcher that detects spoofed aircraft in real-time. This article is meant to elucidate my research process by explaining the functionality of ADS-B and its use cases and then transitioning over to the development process of Fly Catcher and analyzing its utility for ADS-B spoofing detection.

Visit the Project

Project Link: https://github.com/ANG13T/fly-catcher

Research Paper: Read the Research Paper Here

Radar Systems in Aviation

Radar stands for Radio Detecting and Ranging and was originally developed during World War 2. Radar works by transmitting electromagnetic waves and determining the distance between the target object and the source of the electromagnetic wave. Systems do this by appreciating the fact that electromagnetic energy travels through at a constant speed very close to the speed of light (300000 km/s) and adheres to the same principles of an echo. By calculating the time of the transmitted pulses, radar can be used to derive values such as heading, altitude, direction, ground track, and speed of the target object.

A basic radar system consists of a transmitter, antenna, and receiver. The transmitter emits radio waves to be sent and modulates those waves to form a pulse train. Then, the antenna takes the pulse train from the transmitter and emits it into the air where it is directed at a receiver. Once the radio waves are sent to the receiver, the receiver amplifies and demodulates the received RF signals to output.

There are two main types of radar systems — Primary and Secondary.

Primary Radar

Primary radar uses echoes of radio waves reflected back from the target in order to calculate the time taken between when the wave was transmitted to when it was returned. The direction of the transmitted signal reveals the bearing of the target and the time difference can be used to calculate the range since the speed of radio waves through an air medium is constant. When RF pulses from a primary radar transmitter are sent, any object that interacts with the pulse will reflect it back and scatter energy. The reflected energy received back from a primary radar antenna is then used to calculate relevant information about the object. Within aviation, primary radar systems are used to detect dangerous weather conditions, measure the distance of an aircraft above a terrain (used for radio altimeters), and Doppler navigation (an old form of GPS mainly used for rotary-wing aircraft).

Secondary Radar

Secondary radar operates on a different paradigm than primary radar as it does not take into consideration the reflected pulses. The way secondary radar operates is by sending out a signal to a target which then activates the transponder on the target triggering the target’s transponder to send a signal back to the radar system. Secondary radar is often used for longer-range communication purposes compared to primary radar.

Secondary Radar is often used to coordinate Secondary Surveillance Radar (SSR) which is used to determine an aircraft’s range and direction by transmitting a series of pulses from a ground station and then waiting for a response from the target aircraft’s onboard systems. The onboard systems on the target aircraft decode the pulses it receives from the ground station and transmit a response via a pulse on an adjacent frequency.

Another application of Secondary Radar is for Distance Measuring Equipment (DME) which provides line-of-sight distance measurements between a target aircraft and a ground station. It has been standardized by the ICAO for short to medium radio air distance navigation purposes, and works by measuring the delay of an RF pulse emitted by an aircraft’s transmitter and then returned back to the aircraft by the ground station once the information is processed.

Drawbacks of Radar Systems

Although radar systems are useful for transmitting information within a specific range and under ideal conditions, radars tend to not perform well under bad weather conditions which reduced their maximum range. Moreover, radars are composed of parts that tend to get worn out fast requiring extensive maintenance. They also operate on high power levels and cannot be used with modern technological communication systems. Taking these cons into consideration, aeronautical communication engineers proposed a new system that relied on satellite navigational technology called ADS-B as a modern alternative to traditional radar systems.

What is ADS-B?

ADS-B stands for Automatic Dependent Surveillance-Broadcast. It is an advanced surveillance technology used to broadcast pertinent information about an aircraft to other aircraft and ground stations. The purpose of developing ADS-B was to create a modern and viable low-cost replacement for traditional radar systems that would allow ATC to monitor airplanes with much larger precision. Aircraft equipped with ADS-B transmits information on either the 978 MHz or 1090 MHz frequency. We will be focusing on 1090 MHz because it is used by Mode C transponders and Traffic Collision Avoidance Systems (TCAS).

How does ADS-B Work?

ADS-B functions by using a combination of satellites, transmitters, and receivers to provide live data coverage to flight personnel and ground control groups about the location and speed of planes above the ground. ADS-B Out signals ate transmitted by aircraft to receivers located on the ground or on other aircraft via line-of-sight. When ADS-B Out signals are received by ATC ground stations, they are used to display the status of air traffic. ADS-B signals are also received by other planes near the transmitting aircraft to avoid mid-air collisions and provide situational awareness. After ADS-B signals are processed by a receiving plane, information about the telemetry data of the aircraft such as the lateral position (longitude and latitude), velocity, altitude, flight number, and other relevant information are displayed on the receiving aircraft’s Cockpit Display of Traffic Information (CDTI). ADS-B data can also be displayed through a wide variety of web and mobile applications such as ForeFlight for instant and convenient visualization.

Moreover, satellites overhead the aircraft send highly precise timing readings allowing airplanes equipped with GNSS or GPS receivers to calculate their own position and velocity. After this information is obtained, airplanes that have an ADS-B Out broadcast their telemetry to ground-based ADS-B receivers and to other aircraft in the sky via a digital datalink on the 1090MHz frequency.

The Benefits of ADS-B

ADS-B ensures the safety of air traffic by providing flight crews with situational awareness of a real-time common surveillance image that is highly precise and updated in real-time
ADS-B also provides a highly accurate position of an aircraft which allows controllers to guide aircraft with small separation standards reducing overall clearance time and improving ATC flow management
ADS-B also allows for an increased capacity of aircraft ATC can coordinate because of its reduced separation standards while also maintaining the integrity of each position report

Frequencies

ADS-B Out can operate on two different frequencies 1090 MHz and 978 MHz. Although both meet modern requirements, there are some differences that should be taken into account:

1090 MHz

The 1090 MHz frequency is associated with the Mode A, C, and S transponder options and contains integrated ADS-B functionality allowing it to process more ADS-B information called the extended squitter (aka 1090ES). Operators flying 18,000 feet and above are required to have 1090ES equipment onboard.

978 MHZ

978 MHz frequency operates on ADS-B equipment known as Universal Access Transceivers (UAT). UAT has a very similar functionality to the 1090 MHz, but regulations around it are different. It can only be accessed within the United States, so pilots looking to fly elsewhere should consider a transponder operating on 1090 MHz.

The Benefits of ADS-B over Conventional Radar Systems

Unlike conventional radar, ADS-B is able to keep track of aircraft on the ground, so it can accurately monitor airplanes on taxiways and runways
ADS-B is also accurate even when an airplane is located overhead of a remote area where there is minimal radar coverage
ADS-B is much more precise and faster than radar

Equipment for ADS-B

Ground Components

ATC must have ADS-B ground stations
ADS-B ground stations must include an ADS-B receive antenna with a clear line of sight toward the horizon
ADS-B receiver
Power Supply
Communications Link
Physical and Data Security

Components for ADS-B Out

GNSS receiver and antenna onboard the airplane
ATC must have transponders to transmit ADS-B Out messages to aircraft

Components for ADS-B In

ACAS and TCAS antennas are used to receive ADS-B messages from other aircraft
CDTI to display target aircraft information to the flight crew

Data Types Sent Via ADS-B

An ADS-B frame is 112 bits long and is segmented into five main sections.

Bits 1–5 are a binary representation of a downlink format. For instance, civil aircraft use the downlink format of 17 which corresponds to 10001 in binary.

Bits 6–8 correspond to the transponder capability of the aircraft which is denoted by a decimal value between 0 and 7. The definitions for each value are attached below:

Bits 9–32 contain the ICAO aircraft address otherwise known as the Mode S transponder code or hex code. This address remains the same throughout the lifespan of the aircraft and serves as its unique identifier.

Bits 33–88 contain the type code and message contents of the ADS-B data packet. The type code status can be one of the following:

As for the message contents, a raw message is represented by a hexadecimal structure that contains aircraft telemetry values such as airborne position, surface position, velocity, status, and much more.

Bits 89–112 contain the 56-bit payload and 24-bit parity of the ADS-B data packet

Decoders for ADS-B

Many tools are available in order to decode the data sent within ADS-B packets. The most popular Mode S decoder is dump1090. dump1090 uses the RTL-SDR USB stick to retrieve the raw data values of each ADS-B message and decode them into a readable JSON format. It is a robust system with an extended range, includes network support for formats such as TCP and HTTP, can run single-bit error corrections using 24-bit CRC, and can utilize CPR coordinates for decoding the velocity of an aircraft.

Decoded ADS-B JSON Format

{
  "hex":"4d211a",
  "type":"adsc",
  "flight":"XA1     ",
  "r":"9H-VJR",
  "t":"GLEX",
  "alt_baro":39004,
  "gs":497.0,
  "track":14.02,
  "baro_rate":-48,
  "lat":-8.317165,
  "lon":-179.660969,
  "nic":0,
  "rc":0,
  "seen_pos":326.843,
  "alert":0,
  "spi":0,
  "mlat":[],
  "tisb":[],
  "messages":2271040,
  "seen":326.8,
  "rssi":-49.5
}

hex the 24-bit ICAO identifier of the aircraft
type best source of current data for the aircraft
flight callsign
r aircraft registration
t aircraft type
alt_baro aircraft barometric altitude in feet
gs ground speed in knots
track true track over the ground in degrees
baro_rate rate of change of barometric altitude (feet/minute)
lat aircraft geoposition in decimal degrees
lon aircraft geoposition in decimal degrees
nic navigation integrity category
rc radius of containment (meters)
seen_pos updated time ago in seconds
alert flight status alert
spi flight status special position identification
mlat list of fields derived from MLAT
tisb list of fields derived from TIS-B
messages total number of Mode S messages received
seen last timing message was received in seconds
rssi recent average signal power (dbFs)

Online ADS-B Providers

In order to evade the cumbersome process of having to fetch and decode your own custom ADS-B data, a number of online services include their own ADS-B output logs in conjunction with flight visualizations to provide live coverage for normal consumers. The following is a list of some popular ADS-B provider services:

ADS-B Exchange: this website collects ADS-B data from over 10,000 receivers worldwide and aggregates that data into a cohesive web display
Plane.watch: a non-commercial ADS-B aggregation project run by a passionate community of SDR Enthusiasts
RadarBox: a flight monitoring company that displays aircraft and pertinent flight information on a live map display
ForeFlight: an integrated flight application that provides live coverage of aircraft and aeronautical data
OpenSky Network: a non-profit associate that provides access to real-world air traffic control data
RadarVirteul: a site that contains ADS-B information from feeding stations around the world including traffic around smaller airports
FlightRadar24: a global flight tracking service that provides aircraft coverage around the world
PlaneFinder: a live flight tracking service that provides data to industries with customized products for aviation and business
ADSBHub: an ADS-B data sharing center and data source for enthusiasts and professionals interested in ADS-B

Custom ADS-B Receiver Setup

It is also possible to collect your own ADS-B data. If you want to build your own ADS-B receiver rig, you need to collect the following materials:

SDR that can receive 1090MHz: There are a number of SDRs that are compatible with the 1090MHz frequency such as the RTL-SDR, FlightAware Pro Stick Plus, and the KereberosSDR
1090MHz antenna: You can either purchase a cheap 1090MHz rubber ducky antenna on Amazon, a vertical collinear antenna off of EBay, or make your own
Computer with Linux: This can be any computer like a Raspberry or similar single-board computer or an x86
FlightAware: You need software on your machine capable of visualizing the live ADS-B data you receive. FlightAware is a great option
Cables: You need a USB cable to connect the SDR to the computer. You also need a coaxial cable to connect the antenna to the SDR
Optional Materials: There are a lot of options for other equipment you can attach to your rig such as a 1090MHz bandpass filter or amplifier

It is possible to make alternative rigs that vary from this design, however, I found this setup to be the most intuitive for beginners and I use it as the foundation for the Fly Catcher which I will go further into depth about later on in this article.

Aircraft Telemetry

Lots of data values can be derived using ADS-B. The following telemetry values are examples of relevant information that can be obtained about aircraft using that system.

General Information:
Registration Code The alphanumeric registration code assigned by the country the aircraft was manufactured in

Database Flags database assignment flags such as military, PIA, and LAD

ICAO Type Code ICAO aircraft type code (ie. A380)

ICAO Type Description ICAO-type descriptions such as aircraft category, number descriptor, and prop / engine configuration

Squawk Code 4-digit octal code assigned to aircraft by ATC

Spatial Data:

Ground Speed speed of aircraft over the ground

Vertical Rate rate of climb or descent

Track the direction of aircraft traveling over the ground

GPS Position latitude and longitude coordinates of aircraft

Distance from ADS-B Antenna distance of aircraft from ADS-B receiver

Signals Data:

Data Source the data source of aircraft (ie. ADS-B, MLAT, and Mode S)

RSSI the signal strength of aircraft from ADS-B receiver

Message Rate rate of messages received from aircraft per second

Receivers number of ADS-B receivers

Last Position Time time since the position of the aircraft was last received

Last Seen Time time since the message from the aircraft was last received

FMS Data:

Selected Altitude the selected altitude in the aircraft’s FMS

Selected Heading the selected heading in the aircraft’s FMS

Wind Information:

Wind Speed calculated wind speed

Wind Direction calculated wind direction

Altitude Data:

Barometric Altitude pressure derived height of plane over mean sea level

Barometric Rate rate of climb or descent derived from barometric altitude

WGS84 Altitude geometric GPS-derived altitude

Geometric Rate rate of climb or descent shown on avionics

Altimeter Setting altimeter / QNH setting used by avionics

Directional Data:

Ground Track the direction of aircraft above the ground

True Heading aircraft’s nose heading relative to true North

Magnetic Heading aircraft’s nose heading relative to magnetic North

Magnetic Declination declination based on the World Magnetic Model

Track Rate rate of turn of ground track

Roll the roll angle of aircraft

Miscellaneous Info:

Navigation Mode enabled navigation mode labeled by aircraft (ie. autopilot, TCAS, approach, etc)

ADS-B Version the version of ADS-B installed on aircraft

Aircraft Category Code category code of aircraft often indicating the size

Vulnerabilities of ADS-B

The reliance on unencrypted data links by ADS-B systems causes it to be vulnerable to exploitation by ground-based attackers who can use cheap and accessible broadcast communications hardware and software to capture and alter ADS-B messages, delete transmissions, inject misleading data, and jam entire exchange channels. Listed below are some of the main cyber vulnerabilities of aircraft:

Eavesdropping

Eavesdropping occurs when a bad actor exploits the unencrypted nature of ADS-B data to intercept communications between a ground-based receiver and an aircraft

Message Deletion

Message deletion happens when a hacker compromises the frame assembly of the ADS-B protocol by removing message frames from transmissions, therefore, compromising the data integrity of the transmission

Message Injection

Message Injection is another avenue for compromising the data integrity of an ADS-B transmission where a hacker inputs unauthorized data into an ADS-B transmission

Jamming

Jamming occurs when a bad actor floods a frequency with random RF transmissions compromising the availability of the ADS-B service

Spoofing

A spoofing attack occurs when an attacker modifies their own custom ADS-B message by inserting fake data. This technique can be used to create ghost aircraft (fake aircraft shown in ADS-B receivers that don’t exist)

Fly Catcher Introduction

One way of preventing ADS-B attacks is to establish the proper countermeasurements to detect when these attacks occur, so authorities are notified when an attack is occurring the moment it happens. For my personal research, I decided to focus on aircraft spoofing and developing a project called Fly Catcher that is able to detect spoofing attempts in real time. Fly Catcher is a device and a web app that detects spoofed aircraft using a convolutional neural network trained on a dataset of verified and spoofed ADS-B signals. The implementation is a low-cost device made with the Raspberry Pi, a FlightAware RTL-SDR, and a 1090MHz antenna-based tailored for research that uses a Convolutional Neural Network to identify and flag suspicious signals.

Receiving ADS-B Signals for Research

Device Setup

The following is the list of materials I used to develop the device:

1090MHz Rubber Ducky Antenna
Raspberry Pi 3B
FlightAware Pro Stick Plus SDR
3.5 in TFT Screen
Portable Battery Charger
USB-C to Micro USB Cable
Custom 3D Printed Case (optional)
SD Card
Rasbian Operating System
4x 3/32 Screws
Python and Pip on Raspberry Pi
TensorFlow, Keras, and Pandas Libraries
FlightAware

Once I got my materials together, I configured the Raspberry Pi with the FlightAware SDR using the following tutorial:

https://flightaware.com/adsb/piaware/build/

Here is for verbatim the procedure I followed to get the device set up:
Gather all the necessary materials to construct the device

Install the Rasbian operating system to the Raspberry Pi with the SD Card
Connect the Flight Aware SDR to the Raspberry Pi using the Micro USB cable
Connect the 1090 MHz antenna to the Flight Aware SDR
Configure the 3.5-inch TFT Screen to the Raspberry Pi
Place the Device into the 3D Printed Case
Ensure Python and Pip are installed on the Raspberry Pi
Install dump-1090 FlightAware library on the Raspberry Pi to receive ADS-B information

The necessary files to make a replicate of this device are contained in the following GitHub repository:

Once the device is put together, it should look like the following:

Once the device is configured, you should be able to view the SDR’s processed ADS-B data via FlightAware’s web portal:

Feeder Statistics - FlightAware

Statistics for sites feeding ADS-B flight tracking data to FlightAware. Sites, users, countries, regions, and teams are…

flightaware.com

The data is also visualized in the radar display on the TFT screen once the Python script is executed on the device. You can also check the SDR information on the screen as well:

Data Collection Process for ADS-B Research

I used three different techniques for collecting ADS-B data for independent research: online sources, a ground receiver antenna at home, and an in-flight receiver configuration.

Online Sources

Online sources keep massive logs of ADS-B transmissions that occur around the world. In order to increase the breadth of data I had access to during my research process, I accessed multiple data sets logged in the following services for ADS-B data:

Ground Receiver at a Single Location

In addition to having data from online sources, I wanted to capture my own unique data as well. In order to do this, I left the Fly Catcher device at my house in a single location to collect live ADS-B data and log it into a CSV file. After an extended amount of time, I logged thousands of ADS-B messages to analyze.

1090MHz antenna of the device collecting data from my room

In-Flight Receiver

As a pilot, I wanted to take an extra step and expand the range of local ADS-B data I had access to. To do this, I brought the device with me to track live ADS-B data during the flight. This gave me ADS-B readings from an extended range as I flew to airports throughout Southern Los Angeles such as Santa Monica, Malibu, Torrance, DTLA, Burbank, and more.

Detecting for Spoofing

From the research and data collected from this experiment, I had three main takeaways for improving the detection of spoofed aircraft: aircraft telemetry indicators, RF Fingerprinting using the RSSI, and the configuration of a Neural Network to optimize the accuracy of the model.

Aircraft Telemetry Indicators
Aircraft Telemetry Indicators (ATIs) which include information such as the aircraft’s position, altitude, and velocity, as well as its unique identifier code can be used to detect spoofed aircraft by comparing the telemetry data received by ATIs with the expected telemetry data for the specific aircraft type. By using this technique, it is possible to detect anomalies that may indicate the presence of a spoofed aircraft. The three main indicators that signaled a spoofed aircraft in my experiment were:

1. Inconsistent altitude and baro rate values: The altitude and baro rate values for each aircraft seem to vary widely and abruptly, which is not typical for genuine ADS-B data. For example, in the spoofed dataset, an aircraft has an altitude of 14981 feet and a baro rate of 51.96 feet per minute, which suggests a sudden and unrealistic change in altitude.

2. Inconsistent or unrealistic speed data: The ground speed values for each aircraft also seem to vary widely and abruptly, which is not typical for genuine ADS-B data. For example, an aircraft in the spoofed dataset has a ground speed of 992 knots, which is faster than the maximum speed of most commercial aircraft.

3. Lack of identification information: Although the data includes flight information such as flight number, aircraft type, and registration number, there is no information about the airline or operator of the aircraft, which is typically included in genuine ADS-B data.

4. Inconsistent or unrealistic position data: The latitude and longitude values for each aircraft also seem to vary widely and abruptly, which is not typical for genuine ADS-B data. For example, an aircraft in the spoofed data set has a latitude of -70.63 degrees, which is beyond the southernmost point of South America which is highly unrealistic.

Neural Network for Fly Catcher

To detect spoofed aircraft, I coded a neural network using the Tensorflow library with Python. The neural network takes into account all the ADS-B data fields and runs it through a model utilizing both training and testing datasets I developed via the data collection methods mentioned earlier. The neural network takes in ADS-B data provided and runs it through the model to give an informed binary classification (spoofed or not spoofed) prediction. The code is available for you to view on GitHub and can be viewed using Jupyter Notebook.

Using RF Fingerprinting to Detect Spoofing Attempts

Coordinates of Aircraft Displayed from CNN Output

By comparing the RSSI values of the ADS-B signals received from an aircraft against a database of known RF fingerprints, it is possible to determine whether the aircraft is legitimate or spoofed. This technique can be particularly effective in detecting spoofing attacks that involve the transmission of false ADS-B data from a ground station, as the RF characteristics of the signals will be different from those of a legitimate aircraft. I plan to incorporate this feature into further improvements to the project to improve the neural network model by utilizing the RSSI field of the JSON data value.

Future Enhancements

In terms of future expansion of the project, there are multiple avenues that could be pursued. One potential area of focus could be to refine the detection system to improve its ability to differentiate between different types of spoofing attacks. For example, some spoofing attacks involve the transmission of false GPS signals to manipulate an aircraft’s position, while others involve the use of false ADS-B signals to mimic the behavior of a
legitimate aircraft. Developing more sophisticated detection techniques for different types of spoofing attacks could further enhance aviation safety.

Another potential area for future expansion is to explore the use of machine learning techniques beyond CNNs for detecting spoofed aircraft. For instance, deep learning techniques such as recurrent neural networks (RNNs) and long short-term memory (LSTM) networks could be used to improve the detection accuracy of spoofed aircraft. Additionally, reinforcement learning techniques could be used to develop more adaptive and robust detection systems that can learn and adapt to new types of spoofing attacks over time.

Conclusion

Overall, I am very happy with how this project turned out. Although Fly Catcher can has lots of room for improvement, it is an example of how cheap components can be utilized to build a robust device that solves a relevant problem within the aviation industry! I hope this guide helped you get a better understanding of radio frequency cybersecurity, aircraft telemetry, and hardware development :)

Thanks for Reading!

View more of my work on GitHub: https://github.com/ANG13T
Follow my account on Instagram: instagram.com/angelina_tsuboi
See what I’m up to on Twitter: https://twitter.com/AngelinaTsuboi
Support my work on Cash App: https://cash.app/$AngelinaTsuboi