Andrei Costin, a Cypriot hacker, gave an unnerving demonstration outlining the weaknesses of air traffic control systems today at the Black Hat hacking conference in Las Vegas. Costin showed he could use just $2,000 worth of store-bought electronics to convince ADS-B, the FAA’s preferred air traffic control system, that a non-existent plane was coming in for a landing.
CNN reports that Costin’s “Ghost Plane” presentation was possible because air traffic control systems commonly used in airports have no way of verifying where messages are coming from, meaning they are, in essence, gullible. Air traffic controllers can’t tell if a plane is real or not without seeing it or performing a time-consuming cross-check.
According to Agence France-Presse, Costin invited his audience to imagine a worst-case scenario, saying, “Imagine you inject a million planes; you don’t have that many people to cross-check. You can do a human resource version of a denial of service attack on an airport.”
A denial of service attack is a commonly used hacker strategy whereby a target is overwhelmed with data to the point that it can no longer function properly.
As if that wasn’t bad enough, InformationWeek reports that Costin also demonstrated his ability to collect flight-specific data like velocity and position. He pointed out that if this data were used maliciously against Air Force One, the shortcomings of air traffic control systems could quite quickly become a geopolitical issue.
“Why does Air Force One show itself?” Costin asked. “It is a very high profile target and you don’t want everyone to know it is flying over your house.”