A group of academics reckon they’ve found a way to uniquely fingerprint aeroplanes’ Automatic Dependent Surveillance-Broadcast (ADS-B) tracking transmitters – though an aviation infosec boffin says more research is needed to verify the new technique.
In a paper titled “Real-World ADS-B signal recognition based on Radio Frequency Fingerprinting,” three Chinese researchers describe what they say is a method of identifying unique transmitters fitted to aircraft – regardless of what identity code the equipment is broadcasting.
“We propose and design a novel RFF recognition scheme based on Contour Stellar Images and deep learning. We designed an ADS-B original signal capture and labelling method and verified this method by using a 1090MHz baseband signal collected by RTL-SDR, collecting signals from a total of 5 aircraft,” wrote the researchers in their paper [PDF].
This could pose a problem for nation states hoping to disguise military and government aircraft as benign civilian traffic. Some countries, however, take a more robust approach to preventing open-source surveillance of their operations.
ADS-B is the tech that powers many popular airline flight tracking websites such as Flightradar24 and FlightAware, among others. ADS-B transmitters work by broadcasting the aircraft’s GPS location along with a unique identifier, issued by the registering country’s authorities. Crucially, it is not authenticated; anyone can broadcast an ADS-B signal posing as anyone else.
By broadcasting a different unique identifier one can spoof that aircraft’s identity and pose as another aeroplane, something used by various countries as part of military operations.
Through applying a convolutional neural network (CNN) to ADS-B data gathered from five aircraft, researchers Haoran Zha, Qiao Tian and Yun Lin, all from China’s Harbin Engineering University, reckoned they were able to successfully differentiate and classify each aircraft’s ADS-B RF emissions. Raw signals were transformed into contour stellar images for training the CNN and eventually live classification of each aircraft’s unique fingerprint.
An RTL-SDR open source radio captured the signals used by the researchers, with the AlexNet and GoogLeNet CNNs used to crunch the data.
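To make the unauthenticated identifier concrete, here is an added example (ours, not code from the paper or the researchers): it decodes the claimed identity from a 112-bit ADS-B frame, checks the CRC, and flags an address that turns up under more than one transmitter fingerprint. The fingerprint labels (`tx-A` and so on) are hypothetical stand-ins for a classifier's output, and the sample frame is a publicly documented test message.

```python
from collections import defaultdict

GENERATOR = 0x1FFF409  # Mode S CRC-24 generator polynomial (25 bits)
CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"

def crc_remainder(frame: bytes) -> int:
    """Polynomial remainder over the whole frame; 0 for an intact DF17 frame."""
    value = int.from_bytes(frame, "big")
    for shift in range(len(frame) * 8 - 1, 23, -1):
        if (value >> shift) & 1:
            value ^= GENERATOR << (shift - 24)
    return value & 0xFFFFFF

def decode(hex_frame: str):
    """Return the claimed identity of a DF17 frame, or None if unusable."""
    frame = bytes.fromhex(hex_frame)
    if len(frame) != 14 or frame[0] >> 3 != 17 or crc_remainder(frame) != 0:
        return None
    # The 24-bit address is just a field: the CRC is a public checksum, not a MAC.
    claim = {"icao": frame[1:4].hex().upper(), "callsign": None}
    if 1 <= frame[4] >> 3 <= 4:  # type codes 1-4: aircraft identification
        bits = int.from_bytes(frame[5:11], "big")
        claim["callsign"] = "".join(
            CHARSET[(bits >> s) & 0x3F] for s in range(42, -1, -6))
    return claim

def conflicting_claims(observations):
    """Map each claimed ICAO address to its fingerprint labels when more than one was seen."""
    seen = defaultdict(set)
    for hex_frame, fingerprint in observations:
        claim = decode(hex_frame)
        if claim:  # frames failing the length, DF or CRC check are ignored
            seen[claim["icao"]].add(fingerprint)
    return {icao: sorted(fps) for icao, fps in seen.items() if len(fps) > 1}

# Constructed sample: one documented DF17 test frame paired with hypothetical
# fingerprint labels standing in for an RF-fingerprint classifier's output.
FRAME = "8D406B902015A678D4D220AA4BDA"
OBSERVATIONS = [
    (FRAME, "tx-A"),
    (FRAME, "tx-A"),
    (FRAME, "tx-B"),             # same claimed address, different transmitter
    (FRAME[:-1] + "B", "tx-C"),  # one flipped bit: rejected by the CRC
]

if __name__ == "__main__":
    print(decode(FRAME))
    print(conflicting_claims(OBSERVATIONS))
```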
Pinch of salt needed here, though
British researcher Matt Smith of Oxford University’s aviation cybersecurity department wasn’t blown away by the findings, telling The Register: “It’s certainly an interesting approach and one we haven’t seen before. However, there are some important questions which would need to be answered before we can properly assess the method.”
Apart from the small number of aircraft in the sample, said Smith, there was no indication that the 500 signals harvested from all five aircraft had been captured while the aeroplane was in flight, or from different locations and ranges.
“How stable is the fingerprint in different reception environments? Mode S is a notoriously congested channel,” he added, referring to the RF name for the technology ADS-B uses in its signals.
Smith concluded: “The approach is certainly… something new, but we need to see more analysis on larger datasets to understand how effective it can be. It would also be important to explore the performance of such a system when faced with realistic Mode S packet rates.”
It may be abortive for now, but if the technique is expanded and verified to be capable of working in near-real time, it could pose an extra headache for nation states and others looking to camouflage their aircraft among others. ®