On the Digging of Cyber Holes: The NextGen Air Traffic Control System

By Paul Rosenzweig
Thursday, January 3, 2013, 11:25 AM

The aphorism is a commonplace – if you find yourself in a hole, the first thing to do is to stop digging.  I sometimes wonder if our cyber developers understand that problem.

Today’s case in point is the NextGen air traffic control system (whose vulnerability was first pointed out to me by a student in my class this term at Northwestern, Nolan Peterson).

Last year, researchers at the University of Texas at Austin demonstrated a proof of concept capability to hijack an unmanned drone by spoofing its Global Positioning System (GPS) components.  In effect, the spoofing sent a false positioning signal to the drone.  Using less than $1000 worth of gear, the UT students were able to the satellite signal used by an unmanned aircraft to know where it is.  Because the spoofed data looks just like the data coming down from GPS satellites, the drone’s onboard computer doesn’t realize that its navigation data is wrong.  And, voila -- the attacker has complete control.

That’s scary enough when we think about the prospect of a small hijacked drone traveling in domestic airspace.  But what if the spoofers could hijack and airplane?  Fanciful as it seems the prospect will soon be reality.

NextGen is an initiative of the FAA – they plan to replace the existing radar-based air traffic control infrastructure with a system that relies exclusively on GPS signals.  The transition is supposed to be complete by 2025.    In many ways the prospect of a transition is fundamentally good.  The new technology will improve air safety (planes will know where they are more precisely) and efficiency (aircraft will be able to take shorter routes through airspace).   Money will be saved and less fuel will be burned.  NextGen is even good for the environment.

But buried in the good news is, it seems to me, a kernel of a problem.  Radar routing is inefficient because planes have to fly on designated radar routes.  But the hardware for radar broadcasting and reception can’t (that I know of) be spoofed.  Today, when planes fly using GPS they “double check” there location with radar.

Of course the entire plan behind NextGen is to eventually get rid of the radar system – an expensive 20th century relic, I guess.  But then we are completely dependent on GPS for control.

There are some countermeasures we could take, at least in theory to prevent spoofing airplanes.  GPS data could be encrypted – but it is so universally relied upon in the commercial sphere that the idea of encryption is probably a non-starter.  Moreover, GPS signals are notoriously weak – and thus easy to jam and/or replace.  So, likely the only answer will be some form of defensive measure – either systems that try to recognize when they are being spoofed or which cross check position against inertial navigation systems that are isolated from cyber attack.

These are not outside the realm of possibility.  But it seems the FAA still has some work to do, lest we fall down another cyber hole.