ADS-B vulnerabilities and a security solution with a timestamp

Article  in  IEEE Aerospace and Electronic Systems Magazine · November 2017


DOI: 10.1109/MAES.2018.160234

Feature Article: DOI. No. 10.1109/MAES.2018.160234

ADS-B Vulnerabilities and a Security Solution with a Timestamp
Yoohwan Kim, Ju-Yeon Jo, Sungchul Lee, University of Nevada, Las Vegas, NV, USA

Authors' address: University of Nevada, Las Vegas, Computer Science, 4505 Maryland Parkway, Las Vegas, NV 89154 USA, E-mail: (Yoohwan.Kim@unlv.edu). Manuscript received October 30, 2016, revised May 29, 2017, and ready for publication August 20, 2017. Review handled by W. Walsh. 0885/8985/17/$26.00 © 2017 IEEE

INTRODUCTION
Automatic Dependent Surveillance-Broadcast (ADS-B) is the foundation of NextGen Air Traffic Control (ATC) system, and all aircraft must be equipped with it by January 1, 2020. Despite the importance of ADS-B, it has been developed without security considerations and is subject to various types of attacks. A trustworthy ADS-B system will make the NextGen system more reliable and make air transportation safer. But current safety measures are inadequate and many research proposals are not yet practical or cost-effective.

We developed a practical method that can reject virtually all spoofed ADS-B messages by monitoring the signal propagation time between senders and receivers. To measure the actual propagation time, the method uses a small timestamp value; hence, we call it “ADS-B with Timestamp” (ADS-BT). ADS-BT monitors the discrepancy between the time of flight based on the timestamp values and the time of flight based on the location data. In spoofed ADS-B messages, the discrepancy between the two diverges over time, which allows us to identify spoofed ADS-B messages accurately.

In this article, we discuss the security vulnerabilities of ADS-B, challenges of developing ADS-B security schemes, and current approaches. We then describe the concept of our proposed ADS-BT and show how it can reliably reject attack packets.

ADS-B OPERATION
ADS-B uses a Global Navigation Satellite System, typically a global positioning system (GPS), to determine the aircraft's position. It then periodically broadcasts the aircraft's position, speed, and altitude to ground stations or other aircraft in the vicinity [1] (see Figure 1).

While there are three types of ADS-B transmission frequencies, i.e., 1090 MHz Extended Squitter (ES), 978 MHz Universal Access Transceiver (UAT), and the very high frequency (VHF) data link between 108 and 137 MHz, the 1090 ES is considered the most cost-effective because it is an extension of the existing Mode S transponder functions [2]. Mode S-capable transponders reply with a globally unique 24-bit aircraft identifier to the ground-based radar upon interrogation. Its data rate is 1 Mbps and the frame size is either 56 or 112 bits. Mode S transponders also send out unsolicited transmissions once per second to enable Airborne Collision Avoidance System (ACAS), called Mode S Short Squitter (56-bit), but this frame only contains the 24-bit aircraft identifier (ID), not the location information. On the other hand, 1090 ES uses Extended Squitter (112-bit), which contains a 56-bit data field for the ADS-B data (i.e., location data) which provides the location accuracy of about 5.1 meters. This frame is continuously broadcast approximately twice per second (every 0.4 to 0.6 seconds) from all aircraft. The format of 112-bit ADS-B Position Squitter frame is shown in Figure 2. The 56-bit location data within the ADS-B packet is not the raw GPS data. To reduce the size of the raw GPS data, ADS-B uses a transformation method called Compact Position Reporting (CPR) where the data is broken into two pieces and put in two packets (odd and even). To decode the location, the receiver must receive both ADS-B packets. This requirement introduces a further delay in decoding and results in an increased discrepancy between the true location and the decoded location.

ADS-B is considered the central component of the NextGen and ADS-B transmitters must be installed in all aircraft by January 1, 2020 [3]. It will replace radar as the primary surveillance method used by ATC. Although prices are dropping [4], ADS-B devices are still quite expensive. The typical cost for ADS-B Out devices ranges from $2,000 to $5,000, and ADS-B In devices from $300 to $1,000 [4], [5]. The percentage of aircraft equipped with ADS-B receivers is nevertheless steadily increasing, as they are to become mandatory for most aircraft around the world by 2020. Roughly 70% of all commercial passenger aircraft (80% in Europe, 60% in the U.S.) are equipped with an ADS-B transponder [6].

ADS-B SECURITY CONCERNS
ADS-B VULNERABILITY
ADS-B has been developed without security considerations and is therefore subject to various types of attacks [7]. Since ADS-B does not have any encryption or authentication measures, an attacker can eavesdrop on the communication easily [1], [8], alter legitimate messages, or inject nonlegitimate messages into the communication system. Injecting multiple bogus messages can cause ghost aircraft flooding on the controller's surveillance system, which can lead to a Denial-of-Service (DoS) condition [7]. It can also show numerous ghost aircraft on a cockpit display, forcing pilots to change their course and/or velocity. Attackers can also delete messages by transmitting jamming signals, which causes aircraft disappearance, or modify messages by transmitting conflicting ADS-B messages against legitimate ADS-B messages. ADS-B requires two message frames to decode the location (even and odd frames) and by transmitting a fake message for each legitimate message, the decoding process can be easily fooled. By combining these attacks, attackers can cripple the ATC operation and bring a great danger to air transportation.

WHY IS THE ADS-B SECURITY IMPORTANT?
Accurate location data through ADS-B enables a more efficient use of the airspace for aircraft separation and directional guidance, and allows ATC to accommodate more traffic. If the location data is untrustworthy, the ATC capability will be significantly reduced. Unfortunately, the aforementioned attacks significantly degrade the effectiveness of the NextGen ATC system. Currently, the aircraft locations are tracked by primary and secondary surveillance radar. But once NextGen is fully deployed, the system will rely on the ADS-B, so the trustworthiness of the ADS-B data is critical to air traffic safety.

Moreover, there is a trend to integrate the ACAS and ADS-B data. ACAS allows airplanes to avoid collision by probing each other and measure the probe-response time delay [9], [10], but it has some limitations, i.e., short distance, low accuracy, slow update rate, and high cost. ADS-B, on the other hand, offers higher accuracy, finer grain aircraft separation, longer range, lower cost, and ubiquity from 2020, which will lead to higher dependence on the ADS-B.

Figure 1. ADS-B operation.

Figure 2. Current ADS-B message format.

Even without attacks, ADS-B lacks a secondary mechanism that can confirm the location in case of a transmitter malfunction. There have been a number of device malfunctions reported in ACAS and/or other avionics systems that have led to dangerous situations [11], [12]. Such unverified ADS-B data can cause a significant hazard in air transportation or inefficiency in ATC. Now, with the proliferation of the unmanned aircraft system (UAS) and their integration to the National Airspace System, the role of ADS-B is becoming increasingly important as a growing number of UAS will employ ADS-B [13], [14]. The ADS-B devices in UAS pose a special challenge as they may use lower quality electronics, suffer from less rigorous maintenance, and malfunctions can be overlooked. This could cause wrong ADS-B data to be transmitted inadvertently. Without a mechanism to correct these problems, the unverified ADS-B data could cause a significant hazard to air transportation. It is important to correct these shortcomings as the number of ADS-B units will grow continuously due to Federal Aviation Administration (FAA) installation requirements for ADS-B.

CHALLENGES FOR DEVELOPING ADS-B SECURITY METHODS
First, the ADS-B frequency space is already crowded with not only ADS-B but also with Mode-S radars and transponders. Due to the limited bandwidth capacity, increasing the ADS-B packet size with any kind of security data is very difficult. Second, a protocol standard change in ADS-B will require retrofitting the existing devices, including onboard ADS-B devices, ACAS with embedded ADS-B, ADS-B ground stations, and the radar systems. This will require significant investment of money and time, making it impractical. Third, the solutions that do not require a protocol standard change tend to be bulky and expensive, making it less suitable for on-board use.

SOLUTIONS FOR ADS-B SECURITY
A number of security methods on ADS-B have been studied, but it has been challenging to apply them to a practical use due to various shortcomings. In achieving ADS-B security, there are two groups of approaches, i.e., secure broadcast authentication and secure location verification [15]. Secure broadcast authentication can protect the communication and prevent the attacks in a broadcast network. It includes noncryptographic schemes on the physical layer and cryptographic methods. Secure location verification authenticates the claimed location using the data from the senders and other ADS-B participants.

SECURE BROADCAST AUTHENTICATION WITH CRYPTOGRAPHY
Cryptography is one of the common methods to secure communications in wireless networks, which requires distribution of encryption keys to the participants of ADS-B systems. One of the proposed methods is the use of public key cryptography with a challenge/response format [16]. Retroactive key publication is a variation of public key cryptography, which sends a partial public key with every message [17]. The receivers can buffer all the messages and decrypt them using the collected public key. A recent study suggests the use of Staged Identity-Based Encryption, which uses receiving parties' identities as public keys for encryption [15]. However, cryptographic methods generally require a large space within the ADS-B message frame to store the encrypted data or hash values, making them rather impractical.

SECURE BROADCAST AUTHENTICATION WITH NONCRYPTOGRAPHY
Noncryptographic schemes are used to identify suspicious activities. Fingerprinting identifies what they are based on the unique characteristics of devices such as the operating system, drivers, clocks, and radio circuit [18]. There are three possible techniques that may be employed in ADS-B, namely software-based fingerprinting, hardware-based fingerprinting, and channel/location-based fingerprinting [19]. Software-based fingerprinting uses distinctly different patterns or behavior of software operating on equipment. Hardware-based fingerprinting is to identify devices based on unique hardware differences such as differences in turn-on/off transient, modulation of a radio signal, and clock skew. Channel/location-based fingerprinting is based on received signal strength, channel impulse response, or the carrier phase. However,
these methods require sophisticated devices and higher manufacturing cost, and have a nonzero false positive ratio due to their statistical approach.

SECURE LOCATION VERIFICATION
These techniques include multilateration, group verification, distance bounding, Kalman filtering, data fusion, traffic modeling, using received signal strength or angle of arrival of signal. Multilateration technique can geometrically calculate an unknown location from a precise distance between four or more known locations [20]. The time difference of arrival can be obtained from several antennas in different locations that receive the same signal at different times. Another way of utilizing multilateration is group verification. It verifies the location claimed by a nongroup aircraft using multilateration by a group of aircraft [7]. Distance bounding finds the upper bound of locations by sending a challenge to the receiver and getting a response [7]. The upper bound is calculated based on the speed of radio wave. The actual location can be calculated using the differences in distance among the measurements from the various ground stations. Other methods use received signal strengths and calculate the source location or use directional antenna to triangulate [7]. However, most of these methods require real-time communication and additional bandwidth. The communication link itself can be attacked, and more importantly, they cannot function as a standalone unit. Increased manufacturing cost and lack of backward compatibility make them less practical. Another method based on Doppler frequency shift compares the predicted Doppler shift amount with the actually observed one, and identifies spoofed ADS-B frames from the discrepancy [21], [22]. This method can work alone without a third party assistance, but will require a hardware modification.

Kalman filtering is already used to filter and smoothen GPS position data in messages in ADS-B [23]. It is an important tool for filtering out noisy signals and smoothing over missing data for multilateration approach. Data fusion verifies the data obtained within the system by comparing it with the data coming from other independent sources, e.g., the fusion of ADS-B and radar. Traffic modeling can be created from historical data and machine learning methods to detect deviations from normal ADS-B behavior [7]. The technique can also be applied to establish red flags for intrusion detection system so that the technically and physically impossible data are reasonably dropped to reduce the strain on the ADS-B system and prevent spoofing or DoS attacks. While these algorithms offer cost-effective screening method, they cannot be used by themselves to verify ADS-B signal completely.

CURRENT PRACTICE AND LIMITATIONS
FAA APPROACHES FOR ADS-B SECURITY
FAA currently uses the ground infrastructure to evaluate the integrity of the received ADS-B messages using three methods: 1) Comparison with the radar tracking data, 2) Multilateration with Time Difference Of Arrival (TDOA) at multiple ground stations, and 3) Ranging to a ground station based on the UAT signal characteristics. While they offer ADS-B data filtering capability to some degree, it is not complete for a number of reasons.

1. Radar system data: The location accuracy of radar is much coarser (5 to 300 meters) than ADS-B (up to 5.1 meters) and it is infrequently updated (6 to 12 seconds) due to its mechanical rotation. This introduces a significant delay and inaccuracy. Therefore, not all ADS-B data can be verified effectively using radar surveillance data. Furthermore, it is envisioned that the ADS-B system can eliminate the use of radar in the future. Continued use of radar systems can diminish the benefit of ADS-B.

2. There are about 650 ADS-B ground stations in the U.S., and they are equipped with TDOA measurement features [24]. They are very accurate down to a few nanoseconds (roughly equivalent to a few feet in distance), so in theory, the multilateration should be able to filter out all invalid packets. However, as explained before, ADS-B requires an even and odd packet pair to decode the CPR data. During this time, the aircraft could have moved significantly. In a crowded airspace with a lot of ADS-B transmission, packet losses due to collisions among ADS-B packets are quite common. If one of the pair is lost, the receiver must get another from the next 10 packets. This process can introduce a lot of error, possibly hundreds of meters of error. If there are bogus ADS-B messages within the error range, it is difficult to verify their accuracy.

3. UAT signals offer some verification capability with timing of the signal, but it still has some limitations: 1) it only allows for a roughly 1 Hz range update rate; 2) it only allows transmission timing variations of up to 500 nanoseconds (ns) off Coordinated Universal Time; and 3) it may have significant multipath errors [25]. Besides, it can cover only the systems using UAT, but not the more common ones based on Mode S ES 1090 MHz.

Finally, the verified signal may be safely used by the ATC, but not by the aircraft in the air. To make the filtered ADS-B data available to them, it should be rebroadcast over Automatic Dependent Surveillance-Rebroadcast (ADS-R) or Traffic Information System-Broadcast (TIS-B), which consumes significant bandwidth and also causes a delay. As these protocols do not have any security measure either, they could also be attacked, which leaves the victim aircraft to sustain an attack continuously. So, a reliable onboard ADS-B security system is still needed.

NEW CHALLENGES FOR UTM
The proliferation of UAS introduces a new problem for ADS-B signal verification. Although Beyond Visual Line of Sight (BVLOS) flights are not approved yet, it will bring a lot of benefit to UAS community once approved. In the UAS Traffic Management (UTM) for BVLOS operation, ADS-B will be essential for tracking purposes.

However, the current methods are not effective in UTM environment. Small UASs generally fly at lower altitudes than large manned aircraft and their transmission power is very limited (e.g., less than 1 watt), so it is difficult for ground stations to receive their ADS-B
messages. (There are only 650 ADS-B ground stations in the U.S. and the distance from the UAS to the ground stations may be dozens of miles.) Conventional radar systems cannot track them effectively either. UASs also fly shorter distances and more densely populated in the airspace than their manned counterparts, potentially as close as hundreds of feet. Therefore, a more fine-grain control and more frequent location update are necessary for their traffic control. However, ADS-B ground stations are intended only for high-flying commercial aircraft and are too sparsely located for UAS. Their purpose is to separate aircraft by 5 to 10 nautical miles, not hundreds of feet as required in UTM. Thus, it is difficult to use multiple ground stations for UASs with low-power ADS-B transmitters. Furthermore, the rebroadcast scheme also introduces a further delay, which is not desirable for UASs flying in close proximity.

To cope with the special requirements in UTM, we need an onboard ADS-B verification method that can immediately filter out attack messages without being dependent on expensive and/or bulky hardware. For BVLOS operation of UAS, we cannot allow a high false positive or false negative ratio due to a high collision risk, which requires a very reliable method.

OUR PROPOSED METHOD: ADS-BT
THE BASIC CONCEPT
A radio wave travels at a constant speed, i.e., at the speed of light. Therefore, for a given distance, the time-of-flight can be precisely determined. Since all ADS-B frames contain the sender's GPS coordinates, we can calculate the corresponding time-of-flight between the sender and receiver. In a naïve approach, we can compare the following two and check if there is any discrepancy.

1. Observed time-of-flight: Time at sender ($t_s$) → Time at receiver ($t_r$)

2. Calculated time-of-flight from GPS coordinates: Location at sender ($l_s$) → Location at receiver ($l_r$)

If they don't match, the ADS-B frame may have been spoofed. However, because of the internal processing time and various errors, the time-of-flight values may not match. As each ADS-B device has different operating characteristics, the internal processing time is different for each device. So, the time-of-flight comparison alone cannot be used for identifying a spoofed ADS-B message and we will need a more elaborate approach. Our method is based on the premise that an attacker can spoof the GPS coordinates in the ADS-B messages but not the time-of-flight correctly in multiple frames. Out of the four input data above, the time at sender ($t_s$) is currently not available in ADS-B, so Automatic Dependent Surveillance-Broadcast with Timestamp (ADS-BT) introduces a new timestamp field to record the time of transmission.

DETECTING ATTACK
There are a few assumptions about the attacks. First, the attacker needs to send multiple ADS-B frames with the same aircraft ID because if just one ADS-B frame is received without any subsequent frames, it will be ignored. Second, the locations in those frames must follow a reasonable path. If the locations are random, the frames can be easily rejected.

In a legitimate ADS-B transmission, an ADS-B device receives the GPS signal, calculates the current location, encodes the ADS-B data, creates the message frame, and transmits it over the air. Let $T_{sender}$ be the time for this internal processing, i.e., from the time of GPS signal reception to the time of departure for the ADS-B message. The time to reach the destination is denoted by $T_{propagation}$ (see Figure 3). In other words, the total transmission delay ($T_{transmission}$) is defined as,

$$T_{transmission} = T_{sender} + T_{propagation}$$

Figure 3. ADS-B frame transmission.

Figure 4 shows a situation with two legitimate aircraft. Let $L_{s1}$ be the sender's current location, and $L_{r1}$ be the receiver's location. The propagation delay in seconds for the distance ($L_{s1}$, $L_{r1}$) in meters is determined as,

$$T_{propagation}(L_{s1}, L_{r1}) = \mathrm{dist}(L_{s1}, L_{r1}) / 299{,}792{,}458$$

Let $t_{s1}$ be the GPS data reception time at location $L_{s1}$, and $t_{r1}$ be the ADS-B reception time at $L_{r1}$. Then,

$$t_{r1} - t_{s1} = T_{sender}(L_{s1}) + T_{propagation}(L_{s1}, L_{r1})$$

Therefore, the unknown value, $T_{sender}(L_{s1})$, can be calculated trivially. For subsequent pairs of locations, ($L_{s2}$, $L_{r2}$), ($L_{s3}$, $L_{r3}$), etc., we observe a similar relationship as,

$$t_{r2} - t_{s2} = T_{sender}(L_{s2}) + T_{propagation}(L_{s2}, L_{r2})$$

$$t_{r3} - t_{s3} = T_{sender}(L_{s3}) + T_{propagation}(L_{s3}, L_{r3})$$

For all ADS-B frames from a specific ADS-B Out device (i.e., having the same aircraft ID), the $T_{sender}$ value should be relatively stable, so we get,

$$T_{sender}(L_{s1}) \approx T_{sender}(L_{s2}) \approx T_{sender}(L_{s3}) \approx \dots$$

Figure 4. Time-of-flight for ADS-B signal.

If $T_{sender}$ values fluctuate beyond a tolerance range, we can infer that the data in the ADS-B message is wrong. Why does it fluctuate under attack? Figure 5 shows a situation with one legitimate aircraft and one spoofed aircraft.

Figure 5. Spoofed flight path.

In Figure 5, an attacker creates a fake path and broadcasts its fake locations, $s_1$, $s_2$, $s_3$, etc. A legitimate aircraft is receiving the fake messages at locations, $r_1$, $r_2$, $r_3$, etc. Let $a_1$ be the attacker's true but unknown location, and we assume that the attacker inserts the timestamp values observed at his true location. When a legitimate aircraft receives these bogus messages, it tries to confirm the propagation delays as usual.

$$t_{r1} - t_{s1} = T_{sender}(L_{s1}) + T_{propagation}(L_{s1}, L_{r1})$$

$$t_{r2} - t_{s2} = T_{sender}(L_{s2}) + T_{propagation}(L_{s2}, L_{r2})$$

But since the attacker's true location is $a_1$, the observed relationships are,

$$t_{r1} - t_{s1} = T_{sender}(L_{a1}) + T_{propagation}(L_{a1}, L_{r1})$$

$$t_{r2} - t_{s2} = T_{sender}(L_{a1}) + T_{propagation}(L_{a1}, L_{r2})$$

Since the locations $L_{s1}$ and $L_{a1}$ are different, we get

$$t_{r1} - t_{s1} \neq T_{sender}(L_{s1}) + T_{propagation}(L_{s1}, L_{r1})$$

$$t_{r2} - t_{s2} \neq T_{sender}(L_{s2}) + T_{propagation}(L_{s2}, L_{r2})$$

There are special situations where the attacker can be at a location with the same distance as the spoofed aircraft, but we will ignore them for now. This discrepancy leads us to two cases.

Case 1) $t_{r1} - t_{s1} < T_{sender}(L_{s1}) + T_{propagation}(L_{s1}, L_{r1})$

In this case, either the calculated $T_{sender}$ value is negative and/or the actual time-of-flight ($= t_{r1} - t_{s1}$) is shorter than the calculated time-of-flight based on the locations ($L_{s1}$, $L_{r1}$). As both are impossible physically, we can immediately reject them.

Case 2) $t_{r1} - t_{s1} > T_{sender}(L_{s1}) + T_{propagation}(L_{s1}, L_{r1})$

Let us define the rates of change for the distances in two ADS-B frames, one for true distances ($CR_s$) and the other for fake distances ($CR_a$). Except for some special cases, they are different.

$$CR_s = \frac{T_{propagation}(L_{s2}, L_{r2})}{T_{propagation}(L_{s1}, L_{r1})} \neq \frac{T_{propagation}(L_{a2}, L_{r2})}{T_{propagation}(L_{a1}, L_{r1})} = CR_a$$

Since $CR_a$ is what is actually observed, the following relationship holds for the second ADS-B frame.

$$\begin{aligned} t_{r2} - t_{s2} &= T_{sender}(L_{a1}) + T_{propagation}(L_{a2}, L_{r2}) \\ &= T_{sender}(L_{a1}) + T_{propagation}(L_{a1}, L_{r1}) \times CR_a \end{aligned}$$

However, the receiving airplane believes that the message is coming from $L_{s2}$, and observes the following discrepancy in the second frame.

$$\begin{aligned} t_{r2} - t_{s2} &= T_{sender}(L_{s2}) + T_{propagation}(L_{s2}, L_{r2}) \\ &= T_{sender}(L_{s1}) + T_{propagation}(L_{s1}, L_{r1}) \times CR_s \\ &\neq T_{sender}(L_{s1}) + T_{propagation}(L_{s1}, L_{r1}) \times CR_a \end{aligned}$$

In reality, the victim airplane does not know $CR_a$ or the location of the attacker. All it can observe are $t_{r2}$, $t_{s2}$, $T_{propagation}(L_{s1}, L_{r1})$, and $T_{propagation}(L_{s2}, L_{r2})$. The only unknown values are $T_{sender}$, and the discrepancy is manifested as an abnormal change in $T_{sender}$ values. So, in the case of an attack, we observe

$$T_{sender}(L_{s1}) \neq T_{sender}(L_{s2}) \neq T_{sender}(L_{s3}) \neq \dots$$

A clever attacker may try to spoof the timestamp values to make the $T_{sender}$ values appear constant on the receiver side. He can get the victim's flight path from the victim's ADS-B messages and calculate the time-of-flight between the fake location and the victim's new
location. However, spoofing works only for one victim airplane, as it is physically impossible to fake the values for any other airplanes. The attacker may also try to send out multiple bogus messages with different timestamp values in a hope that some of them match, but such a massive transmission can be detected and rejected easily due to the discrepancy among the frames. No matter how many ghost airplanes are injected, all of them can be identified simultaneously.

EVALUATION
To test the feasibility of the concept, we have developed a simulation program and tested a variety of cases.

Figure 6 shows a screenshot that shows the airplane locations and configuration parameters. In this simulation, all airplanes transmit their location in every 0.5 seconds, and we ignore the frame collisions. All airplanes are moving in random directions at constant speed. We introduced a small amount of random error in their broadcast locations. An attacker creates ghost airplanes either from a fixed location or while moving. Figure 7 shows the trend of $T_{sender}$ values over multiple ADS-B frames. In the case of a legitimate airplane's ADS-B, it fluctuates within a small range (several meters in distance) due to the random errors. But in the case of ghost airplanes, it either converges or diverges. If the difference of the values between two frames is beyond a certain threshold value, it can be considered a spoof. In this case, the $T_{sender}$ values in subsequent frames changed at the rate of about 60 meters (= 200 ns) per 0.5-second tick. This is a very large value and we can claim it a spoof.

Figure 6. Simulation screenshot.

An attacker will probably create thousands of ghost airplanes in order to make the ADS-B system useless. We simulated 100 ghost airplanes by the attacker. Additionally, to test the false positive ratio, we included 100 legitimate airplanes. In each scenario, we ran the simulation 10 times and Figure 8 shows the results. Since our method monitors the changes in $T_{sender}$ values, it requires multiple frames. We monitor three or more frames to see if the change amount goes over a threshold value. Within 5 ticks (= 2.5 seconds), 99% of the fake airplanes are detected and eventually all are detected within 25 seconds in case of a static attacker in Figure 8a. In the case of a mobile attacker in Figure 8b, all fake airplanes were detected within 20 seconds. In all cases, none of the legitimate airplanes were affected, i.e., false positive ratio was 0%.

DISCUSSIONS
NEED FOR CLOCK HARDWARE SUPPORT
ADS-B doesn't need to maintain a synchronous clock among the ADS-B devices. But to measure the time of arrival for the received packets, it should maintain a local oscillator of above 100 MHz at 10 to 20 ppb accuracy (10 to 20 ns error per second). Fortunately
a low-cost GPS-disciplined oscillator can easily provide such a high accuracy. This will increase the material cost slightly over the current ADS-B devices, potentially by $10 to $20.

ADVANTAGES OF ADS-BT
ADS-BT does not rely on cryptographic processing, so the additional data is very small and no cryptographic operation is needed. It works without any third-party stations and can detect bogus messages with nearly 100% accuracy based on the geometric property of mobile objects instead of probability. All ADS-BT functions are implemented in the digital domain (no signal strength measurement, directional finder, or frequency shift measurement), so it can be implemented practically and cost-effectively. Once the timing information is gathered, the detection can be done slowly in the background as it can detect the fake aircraft within a reasonable period, e.g., a few seconds. So, there is no need for real-time processing and the detection algorithm can be implemented in software on a slow computing platform, which makes it cost-effective.

Figure 7. Trend of $T_{sender}$ values.

Figure 8. Performances for spoofed message detection. (a) Static attacker. (b) Mobile attacker.
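
The receiver-side check described under DETECTING ATTACK and EVALUATION can be sketched as follows. This is an added example, not the authors' simulation program: it computes the sender processing time for each frame of one aircraft ID, rejects physically impossible values (Case 1), and rejects a track whose value drifts between frames (Case 2). The names, the local x/y/z coordinates in metres, the full-resolution synchronized timestamps, the 50 ns tolerance, the 50 µs processing time and all sample tracks are assumptions constructed for illustration.

```python
"""T_sender consistency check in the style of ADS-BT (added example, constructed data)."""
from dataclasses import dataclass
from math import dist

C = 299_792_458.0      # propagation speed in m/s, the constant used in the article
TICK = 0.5             # seconds between frames, as in the article's simulation
MIN_FRAMES = 3         # the article monitors "three or more frames"
TOLERANCE_S = 50e-9    # assumed limit on frame-to-frame change of T_sender
T_PROC = 50e-6         # assumed internal processing time of a transmitter


@dataclass
class Frame:
    claimed_pos: tuple  # sender location stated in the frame (metres, local x/y/z)
    ts: float           # timestamp carried in the frame (seconds)
    rx_pos: tuple       # receiver's own location at reception
    tr: float           # receiver's time of arrival (seconds)


def t_sender(f: Frame) -> float:
    """T_sender = (tr - ts) - T_propagation(claimed location, receiver location)."""
    return (f.tr - f.ts) - dist(f.claimed_pos, f.rx_pos) / C


def classify(frames, tolerance=TOLERANCE_S):
    """Verdict over all frames received so far for one aircraft ID."""
    values = [t_sender(f) for f in frames]
    # Case 1: the frame arrived sooner than the claimed distance allows.
    if any(v < 0 for v in values):
        return "REJECT_IMPOSSIBLE"
    if len(values) < MIN_FRAMES:
        return "PENDING"
    # Case 2: T_sender should stay near-constant for one device; drift means the
    # claimed positions do not match where the signal really came from.
    if any(abs(b - a) > tolerance for a, b in zip(values, values[1:])):
        return "REJECT_DRIFT"
    return "ACCEPT"


def path(start, velocity, n):
    """n positions, one per tick, for straight-line constant-speed motion."""
    return [tuple(s + v * TICK * k for s, v in zip(start, velocity)) for k in range(n)]


def receive(true_tx, claimed, rx, jitter):
    """Frames as logged by the receiver: the signal physically travels from
    true_tx[k] to rx[k], while the frame content states claimed[k]."""
    frames = []
    for k, (tx, cl, r) in enumerate(zip(true_tx, claimed, rx)):
        ts = k * TICK
        tr = ts + T_PROC + dist(tx, r) / C + jitter[k % len(jitter)]
        frames.append(Frame(cl, ts, r, tr))
    return frames


def scenarios(n=6):
    """Constructed tracks: one legitimate aircraft and two ghost tracks that
    state the same flight path but are transmitted from fixed ground positions."""
    jitter = [0.0, 5e-9, -5e-9, 3e-9, -2e-9, 4e-9]        # constructed timing noise
    rx = path((0, 0, 10_000), (200, 0, 0), n)             # receiving aircraft
    flight = path((30_000, 10_000, 10_000), (-150, 50, 0), n)
    far_tx = [(-20_000, -5_000, 0)] * n                   # farther than it claims at first
    near_tx = [(-2_000, 0, 0)] * n                        # much closer than it claims
    return {
        "legit": receive(flight, flight, rx, jitter),
        "ghost_far": receive(far_tx, flight, rx, jitter),
        "ghost_near": receive(near_tx, flight, rx, jitter),
    }


if __name__ == "__main__":
    for name, frames in scenarios().items():
        series = ", ".join(f"{t_sender(f) * 1e6:8.3f}" for f in frames)
        print(f"{name:11s} {classify(frames):18s} T_sender (us): {series}")
```

The near transmitter is rejected on its first frame because the computed value is negative, while the far one needs three frames before the drift is judged.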


Figure 9.
ADS-B vs. ADS-BT packet format. (a) Current ADS-B format. (b) Proposed ADS-BT format.

TRANSITION TO ADS-BT

We find that 8 bits is enough for the timestamp size. This value can be integrated into the current ADS-B structure without increasing the packet size. The current ADS-B uses the 112-bit Mode S extended squitter message format (Figure 9a). The last 24 bits are used for the Cyclic Redundancy Check (CRC) checksum, which can be reduced to 16 bits without any noticeable degradation of the error detection performance. It is known that the error checking performances of CRC-16 and CRC-24 are virtually identical for data smaller than 256 bits [26].

Thus the 8-bit timestamp value in ADS-BT can be safely embedded in the first 8 bits of the CRC checksum field (Figure 9b), which keeps the ADS-BT data size the same as ADS-B. The first 5 bits of the frame are for the downlink format (DF), and the value of 17 is assigned to ADS-B. As some of the DF values are not used currently, a new value (e.g., 15) can be assigned to ADS-BT. This allows coexistence of ADS-B and ADS-BT without any disruption. The devices that do not understand the new downlink code can simply ignore the packet. A device with a firmware upgrade can decode the ADS-BT message using the new 16-bit CRC.

CONCLUSIONS

ADS-B is the foundation of NextGen ATC and a trustworthy ADS-B system will make the NextGen system more reliable. In this research we have developed the ADS-BT method that measures the time of flight for the message between the aircraft and compares that with the time of flight derived from the distance between the aircraft. To enable time measurements, the ADS-B messages will include a timestamp value. In spoofed ADS-B messages, there is a discrepancy between the times of flight, which grows or shrinks over time continuously. By observing the change, we can detect all spoofed ADS-B frames with very high accuracy. Although ADS-BT requires some change in the ADS-B packet format, it can coexist with the existing ADS-B. ADS-BT can especially offer a practical location verification capability for UAS traffic management. Although some upgrade effort is necessary, the assurance attained by the adoption of ADS-BT may outweigh the cost.

REFERENCES

[1] Fiorino, F. ADS-B ins and outs. FAA Safety Briefing, (Jul./Aug. 2014), 30–35.
[2] Francis, R., Vincent, R., Noe, J.-M., Tremblay, P., Desjardins, D., Cushley, A., et al. The flying laboratory for the observation of ADS-B signals. International Journal of Navigation and Observation, (Aug. 2011), 1–5.
[3] Smith, D. Getting compliant with the looming ADS-B mandate. Flying Magazine, Mar. 17, 2016. [Online] http://www.flyingmag.com/getting-compliant-with-looming-ads-b-mandate.
[4] Anderson, C. Google producing low-cost ADS-B transponders for drones. DIY Drones, Mar. 25, 2015. [Online] http://diydrones.com/profiles/blogs/google-producing-low-cost-adsb-transponders-for-drones.
[5] NexAir Avionics. ADS-B. [Online] http://www.nexairavionics.com/hot-topics/ads-b.
[6] Flightradar24. How it works. [Online] https://www.flightradar24.com/how-it-works.
[7] Strohmeier, M., Lenders, V., and Martinovic, I. On the security of the automatic dependent surveillance-broadcast protocol. 2015 IEEE Communications Surveys & Tutorials, Vol. 17, 2 (second quarter 2015), 1066–1087.
[8] Flightradar24. Live air traffic. Available: http://www.flightradar24.com.
[9] Federal Aviation Administration. Introduction to TCAS II, version 7.1. Feb. 28, 2011.
[10] TCAS Traffic Display—Airline Pilots Forum and Resource. [Online] http://www.theairlinepilots.com/forumarchive/flightsafety/tcastrafficdisplay.php.
[11] Australian Government. Loss of separation between Airbus A330 VH-EBO and Airbus A330 VH EBS. ATSB Transport Safety Report, Aviation Occurrence Investigation, Mar. 5, 2015. [Online] https://www.atsb.gov.au/media/5214362/AO-2013-161%20final.pdf.
[12] Hansen, A. Book review for Tracon by Paul McElroy. American Aviation Historical Society, Celebrating over 60 Years of Service. [Online] http://www.aahs-online.org/bk_review.php?ibook=45.
[13] Moore, J. ADS-B for drones: Tiny transceiver developed. Aircraft Owners and Pilots Association, May 4, 2016. [Online] https://www.aopa.org/news-and-media/all-news/2016/may/04/nextgen-for-drones.
[14] Snow, C. New research: ADS-B and its use for small drone traffic management. sUAS NEWS, Nov. 2, 2015. [Online] http://www.suasnews.com/2015/11/new-research-ads-b-and-its-use-for-small-drone-traffic-management.
[15] Hableel, E., Baek, J., Byon, Y., and Wong, D. S. How to protect ADS-B: Confidentiality framework for future air traffic communication. In Proceedings of the 2015 IEEE Conference on Computer Communications Workshops, Apr. 26, 2015–May 1, 2015, 155–160.
[16] Viggiano, M., Valovage, E., Samuelson, K., and Hall, D. Secure ADS-B authentication system and method, U.S. Patent 7730307 B2, Jun. 1, 2010.
[17] Kwon, T., and Hong, J. Secure and efficient broadcast authentication in wireless sensor networks. IEEE Transactions on Computers, Vol. 59, 8 (Aug. 2010), 1120–1133.
[18] Danev, B., Zenetti, D., and Capkun, S. On physical-layer identification of wireless devices. ACM Computing Surveys, Vol. 45, 1 (Nov. 2012), 1–29.


[19] Zeng, K., Govindan, K., and Mohapatra, P. Non-cryptographic authentication and identification in wireless networks. IEEE Wireless Communications, Vol. 17, 5 (Oct. 2010), 56–62.
[20] Nijsure, Y., Kaddoum, G., Gagnon, G., Gagnon, F., Yuen, C., and Mahapatra, R. Adaptive air-to-ground secure communication system based on ADS-B and wide area multilateration. IEEE Transactions on Vehicular Technology, Vol. 65, 5 (2016), 3150–3165.
[21] Ghose, N., and Lazos, L. Verifying ADS-B navigation information through doppler shift measurements. In Proceedings of the IEEE/AIAA 34th Digital Avionics Systems Conference (DASC), Sept. 2015.
[22] Park, P., Khadilkar, H., Balakrishnan, H., and Tomlin, C. High confidence networked control for next generation air transportation systems. IEEE Transactions on Automatic Control, Vol. 59, 12 (Aug. 2014), 3357–3372.
[23] da Silva, J. L. R., Brancalion, J. F. B., and Fernandes, D. Data fusion techniques applied to scenarios including ADS-B and radar sensors for air traffic control. In Proceedings of the 12th International Conference on Information Fusion, 2009 (FUSION '09), July 6–9, 2009, 1481–1488.
[24] Esler, D. Global advance of ADS-B. Aviation Week, Dec. 11, 2015. [Online] http://aviationweek.com/connected-aerospace/global-advance-ads-b.
[25] Lo, S., Chen, Y. H., Enge, P., Narins, M. Techniques to provide resilient alternative positioning, navigation, and timing (APNT) using automatic dependent surveillance—Broadcast (ADS-B) ground stations. In Proceedings of the 2015 International Technical Meeting of The Institute of Navigation, Jan. 26–28, 2015.
[26] Maxino, T. C. and Koopman, P. J. The Effectiveness of Checksums for Embedded Control Networks, IEEE Transactions on Dependable and Secure Computing, Vol. 6, 1 (Jan. - Mar. 2009), 59–72.
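
The frame layout described under TRANSITION TO ADS-BT, worked through as an added Python example that is not code from the paper: it builds a DF 17 ADS-B frame and a DF 15 ADS-BT frame from the same 88-bit body and shows an upgraded receiver decoding both while a legacy receiver ignores the new downlink format. Assumptions not stated in the paper: the CRC-16 polynomial (0x1021, CCITT), the CRC-16 covering the 96 bits before it with the timestamp included, the function names, and the constructed sample frame.

```python
# Added illustration, not the paper's code. Sample frame bytes are constructed.
DF_ADSB, DF_ADSBT = 17, 15   # 15 is the paper's example value for ADS-BT
CRC24_POLY = 0xFFF409        # Mode S parity generator (low 24 bits of 0x1FFF409)
CRC16_POLY = 0x1021          # ASSUMPTION: CRC-16/CCITT; the paper names no polynomial


def crc(data: bytes, width: int, poly: int) -> int:
    """MSB-first CRC, zero initial value, no final XOR."""
    top, mask, reg = 1 << (width - 1), (1 << width) - 1, 0
    for byte in data:
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly if reg & top else reg << 1) & mask
    return reg


def build_adsb(body: bytes) -> bytes:
    """body: 88 bits = DF/CA byte, 24-bit aircraft ID, 56-bit data field."""
    if len(body) != 11 or body[0] >> 3 != DF_ADSB:
        raise ValueError("expected an 11-byte DF 17 body")
    return body + crc(body, 24, CRC24_POLY).to_bytes(3, "big")


def build_adsbt(body: bytes, timestamp: int) -> bytes:
    """Same body with DF set to 15, then 8-bit timestamp and CRC-16.
    ASSUMPTION: the CRC-16 covers all 96 preceding bits, timestamp included."""
    if len(body) != 11 or not 0 <= timestamp <= 0xFF:
        raise ValueError("expected an 11-byte body and an 8-bit timestamp")
    head = bytes([(DF_ADSBT << 3) | (body[0] & 0x07)]) + body[1:] + bytes([timestamp])
    return head + crc(head, 16, CRC16_POLY).to_bytes(2, "big")


def parse(frame: bytes, upgraded: bool = True):
    """Return (kind, aircraft_id_hex, timestamp) or None if ignored or corrupt."""
    if len(frame) != 14:
        return None
    df, icao = frame[0] >> 3, frame[1:4].hex()
    if df == DF_ADSB and crc(frame, 24, CRC24_POLY) == 0:
        return ("ADS-B", icao, None)
    if df == DF_ADSBT and upgraded and crc(frame, 16, CRC16_POLY) == 0:
        return ("ADS-BT", icao, frame[11])
    return None  # DF unknown to a legacy receiver, or checksum mismatch


SAMPLE_BODY = bytes.fromhex("8dabcdef00112233445566")  # constructed: DF 17, CA 5

if __name__ == "__main__":
    print(parse(build_adsb(SAMPLE_BODY)))
    print(parse(build_adsbt(SAMPLE_BODY, 0xA7)))
    print(parse(build_adsbt(SAMPLE_BODY, 0xA7), upgraded=False))
```

Both frame types stay at 112 bits, so the only field a receiver has to branch on is the 5-bit DF value.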
