2 - Physical Link: Passive Keyless Entry & Start; Air Traffic Surveillance Flashcards
ways to open your car or start your engine
4 ways
Old-school metallic keys
Immobilizers
Active keyless entry
Passive keyless entry & start (PKES)
Passive Keyless Entry & Start (PKES)
Security
RFID chip is used to detect if key is close or inside the car
Authentication:
Cryptographic key authentication with challenge-response protocol
Messages can be relayed from one location to another in order to make one entity appear closer to the other
Countermeasure: Distance Bounding
Needs high clock rates to measure delay accurately enough
Needs fast and constant processing times
Expensive!
Air Traffic Surveillance Today
Primary Surveillance Radar (PSR)
Secondary Surveillance Radar (SSR)
Very old technology: dates back to World War II
Insufficient accuracy, enormous cost of operation
Primary Surveillance Radar (PSR)
Rotating antenna, high-frequency signal, echo
Bearing of the antenna gives the direction, round-trip time (RTT) gives the distance
No information about altitude and identity of the target!
Secondary Surveillance Radar (SSR)
Aircraft’s transponders respond to ground stations
Cooperative: aircraft without a transponder are invisible!
Bearing of the antenna gives the direction, RTT gives the distance, payload gives ID or altitude of the target
Air Traffic Surveillance Tomorrow
Higher update rates and more precise position/velocity data required to allow for higher traffic density
World-wide renewal of air traffic surveillance until 2020
Paradigm shift: From ground-based surveillance to dependent (i.e. on-board) systems
Main goals are cost-efficiency and accuracy
Key component
- Automatic Dependent Surveillance – Broadcast (ADS-B)
ADS-B System Architecture
Aircraft determine their position using GNSS (e.g. GPS)
They broadcast information (position, velocity, or ID) periodically
Messages received by aircraft/ground stations in proximity
To transmit ADS-B messages, a special message format of the old SSR Mode S is used
- ADS-B messages simply embedded in SSR Mode S messages
- Aircraft are already equipped with SSR Mode S transponders, so only an upgrade is needed for ADS-B
→ much cheaper!
ADS-B Deployment Status
Programs worldwide for implementation of ADS-B
Mandatory by 2017 in Europe and 2020 in US
Around 60% of all commercial aircraft are already equipped with ADS-B
Data provided by ADS-B not yet certified
Even some military aircraft are equipped with ADS-B
ADS-B Security
Nothing
No encryption, no authentication
ADS-B can be received by everyone and live data is publicly available
All kinds of physical/link layer attacks possible
Arbitrary ADS-B messages can be crafted in software (e.g. with Python) and transmitted with an SDR
Fake ADS-B messages injected into 1090 MHz channel
Messages are sent at realistic rates and contain realistic positions of a simulated flight
Ghost Aircraft Injection/Flooding
Ghost Aircraft Injection
(ADS-B spoofing using flight simulator)
Ghost Aircraft Flooding
- Instead of injecting one ghost aircraft, many are injected
- Results in denial of service
- Bottleneck of this attack is bandwidth of the channel
Last resort: Multilateration (MLAT)
Multilateration (MLAT)
ADS-B deployed along with wide-area multilateration (WAM)
MLAT is cooperative and independent, i.e. the aircraft needs to cooperate but its location is determined ground-based
MLAT Principle:
- Synchronized antennas receive the signal from the aircraft and a central processing unit calculates the aircraft’s position using the time difference of arrival (TDOA) (a.k.a. triangulation)
MLAT For Security
MLAT can be applied to ADS-B messages
Location verification
- Position reported in ADS-B message should be compared to the result of MLAT → fake position messages can be detected
It is very hard to deceive MLAT since it uses a physical property (TDOA) of the signal
Pro:
MLAT detection needed for filtering can be used without changing existing infrastructure
Con:
- MLAT is very expensive due to high requirements on hardware (e.g. tight synchronization)