Abbreviations
- ACARS: Aircraft Communication Addressing and Reporting System
- ADS-B: Automatic dependent surveillance - broadcast
- CMU: Communication Management Unit
- CDU: Control Display Unit
- FMS: Flight Management System
- ATC: Air Traffic Control
- AOC: Aeronautical Operational Control
- AAC: Airline Administrative Control
- NOTAM: Notice to Airmen
- VHF: Very High Frequency
- VDL: VHF Data Link
- MAC: Message Authentication Code
- AES: Advanced Encryption Standard
- SHA: Secure Hash Algorithm
- CA: Certificate Authority
- ICAO: International Civil Aviation Organisation
- IPsec: Internet Protocol Security
In this report, the importance of using the ACARS system for communication between aircraft and ground units such as "Air traffic control (ATC), aeronautical operational control (AOC) and airline administrative Control (AAC)" (2) will be discussed. Also, the need to secure the communication channel against passive and active attackers will be identified and analysed.
The ACARS system is employed to transmit data both from aircraft to ground and from ground to aircraft. The data transmitted from the aircraft to the ATC communicate requests and receipts for clearances and instructions while the aircraft is on the ground, through the phases of take-off and landing, and during the time the aircraft is in the air.
The ACARS system is also used for communication between the aircraft and the AOC and AAC ground units. The data transmitted between these three entities concern various aspects of the aircraft, weather information and observations, NOTAMs, the flight plan and any diversion from it, technical performance, possible system failures and any special information about the flight and its passengers. For the ACARS system to transmit data to the ground receivers, the FMC hardware is used on newer aircraft or the CDU on older ones.
The communication is accomplished by using the FMS unit and a small printer in the aircraft and similar hardware on the ground. The FMS transmits the information to a satellite or a ground antenna, depending on the altitude of the aircraft. The satellite or the antenna then transmits the information through the communication network to the appropriate ground unit by using a private network.
Because these data are necessary and should not be altered, or in some cases even monitored, by unauthorised users, the security of the communication channel and of the information ought to be the priority of the airlines. To achieve that, the data transmitted should always maintain the three major aspects of information security, which are:
- Confidentiality
- Integrity
- Availability
During the first years of the aviation industry, communication channels were only needed between the ATC and the pilots. There were no ways to transmit data regarding the aircraft's avionic systems, engines and integrity, mainly because such advanced technology did not exist, either in the communication channels or on the aircraft. The sole communication channel available was the VHF channel, which nowadays is the least trusted protocol.
As aircraft developed, the boundaries were extended, which led to a rapid increase in air traffic. To cope with this, the aircraft manufacturers decided to enhance the quality and level of the systems aboard the aircraft in order to protect them from mid-air collisions and also to help the ATCs manage the traffic more easily. As soon as the aviation instruments on board the aircraft changed from analogue to digital, a breakthrough was achieved, leading many companies to develop software and hardware that improved the communication and data transmission between the aircraft and the ground. Along with these improvements, the aircraft's critical systems were able to continuously provide the data recorder with information regarding their condition. In this phase the CPDLC was created in order to reduce the "acoustic misunderstandings" (6); it provided accountability and made the communication "easier, more efficient and safer to transmit and receive long messages" (6). Although in my own opinion this technique would make the communication between the pilots and the ATC easier and safer, it wasn't widely used because of security threats like "message manipulation or injection" (6) which were not possible to detect. Also, a significant backdoor to the system, in my view, was that there was no authentication, leading to eavesdropping or "spoof clearances" (6).
To improve safety and to enhance accident investigations, the authorities decided that it would be helpful for these data to be transmitted to the ground, and, in order to enhance the communications between the aircraft and the ATCs, a new system was developed: ACARS. Along with it, new techniques of communication and data transmission were introduced that allowed the aircraft, ATCs and airlines' headquarters to communicate with each other by sending short texts.
ACARS was introduced during the 80s and as the years passed it became very popular among the airlines. It allowed direct communication between aircraft and ATCs for requesting and acquiring instructions and clearances. The ability to communicate between the aircraft and the AOC and AAC was introduced, which allowed the exchange of information about the weather, possible issues with the aircraft's systems, NOTAMs, passenger information, etc.
In the early years of aviation, computers were not very capable of intercepting or manipulating a message that was transmitted, and therefore there was little need for that system to be secure. As the years passed and computers became stronger, alongside people's understanding of them, possible unauthorised monitoring of message transmission, or even manipulation of the messages transmitted between the aircraft and the ground, became a threat to aviation. In order to solve these issues, security mechanisms were put in place to protect the communication channels and the information transmitted.
The security mechanisms in place are updated regularly in order to keep the information secure against new threats and attackers. The issue of maintaining a secure communication channel is now greater, because the hardware that allows monitoring of the information transmitted by aircraft is very cheap and easily accessible. This, together with people's increasing knowledge of how to use it the wrong way and with the intention to cause harm for various reasons, makes the task of the people trying to safeguard these systems very hard, and crucial for the safety of the lives of the passengers and aircraft crew.
The workload for the pilots in command increased greatly because of the increased traffic, the reduction of crew members in aircraft and the necessity to maximise profit without undermining safety. To protect the pilots from making mistakes or forgetting to complete the steps needed for the safe conduct of a flight, researchers were working on a new way of communication between the aircraft and the ground operations. That software was ACARS, and it was developed in the 1980s.
"ACARS is an electronic datalink system" (3) which allows the pilots, ATC and the airlines' headquarters to exchange short messages regardless of the position of the aircraft across the world. To make that happen, the aircraft is equipped with an avionics computer called the Communications Management Unit (CMU), a control display unit (CDU) and a printer. The CMU was "designed to be able to send and receive digital messages" (3) regarding aspects of the flight, instructions and clearances from the ATC, weather forecasts, NOTAMs, and information to and from the company's headquarters regarding the aircraft's performance and special needs of the passengers.
In order to achieve the degree of communication needed, the ACARS system uses different types of communication media. The two media used to communicate between the aircraft and the ground are satellites when the aircraft are at higher altitudes and radio antennas at lower altitudes. Before the first implementations of the ACARS system, the communication between the aircraft and the ground was performed over VHF voice channels. As the technology advanced, new ways of communication were developed. During the first periods of implementation of the ACARS system, the ARINC organisation developed a service that allowed the VHF communication service to be upgraded with the use of "digital telex formats" (3) on the VHF communication channel. During the 90s this led to the standardization of the VHF Digital Link. As the implementation of the ACARS software by airliners became widespread, new services were developed in order to make the communication channels better. The SITA company had, during this phase, developed a huge ground communication network that connected places across the world. To further enhance the capabilities of ACARS, SITA integrated their ground communication network so that it could cooperate with ACARS's already existing communication channels between aircraft and ground. In my judgment the ACARS system was designed very cleverly because it was able to cooperate with various kinds of aircraft communication equipment such as "VHF, Inmarsat, satcom, iridium satellite, VDL and high frequency data link" (6).
In more detail, SITA were able to merge both the VHF and VDL air-to-ground communication channels with the ground network it had already developed, and so to offer an end-to-end communication channel between aircraft and ground functions no matter the kind of flight. Both short haul and long haul routes were supported.
Figure 1. ACARS Setup (9)
ACARS security is very important for the safe conduct of flights. Two different kinds of security were implemented. The first one was called DSP-based architecture and is only capable of protecting ACARS messages during transmission from the aircraft to the ground, leaving the ground network unprotected and open to attacks from hackers.
For that reason, an end-to-end security architecture was proposed and developed. In order for the security of the ACARS system to be complete, it has to maintain confidentiality, integrity and availability of the information transmitted at all times, both in the communication channel between the aircraft and the ground and in the ground network.
In the end-to-end solution proposed in the article "The Approach of ACARS Data Encryption and Authentication" (5), the proposed security uses symmetric and asymmetric cryptography, a hybrid system that can solve the issues of using only one of the methods of cryptography, along with digital signatures to provide enough "privacy and integrity" (5) to the messages. The problem that came up with symmetric cryptography was that, in order to talk to each other, a key needed to be exchanged between the sender and the recipients of the message. This key had to be known only by the sender and the recipient of the message in order to safeguard it from unauthorized users. This proved to be very difficult to keep secure because of the large number of users that employ ACARS to communicate. Asymmetric cryptography could solve this problem, but it required the use of large keys, which led to a large amount of bandwidth being required just for the exchange of the keys that kept the communication secure. This was a problem due to the limited amount of bandwidth the ACARS system was designed to require.
The hybrid system that was proposed made use of a key derivation algorithm called Elliptic Curve Diffie-Hellman, which uses an elliptic curve and certain points in order to find the private key. Using the elliptic curve combined with the private key, it was able to generate the public key of both the aircraft and the ground station (sender and recipient). With this technique the communication channel was secure because it was very hard for the attacker to find the private key "even although exchange of public key is intercepted" (5). For the receiver to be able to decrypt and use the private key, a "key derivation function is needed", which in this case is the MAC.
In order to provide encryption for the data transmitted, the AES algorithm can be used in combination with the SHA 256 algorithm. The number 256 following the SHA acronym refers to the length of the "random binary sequence that is employed as the key for the AES" (5) algorithm.
Because of the limited bandwidth that ACARS was created to use, the message data transmitted and the additional data transmitted to provide security should be compressed as much as possible. To do so, every letter, number or symbol has to be encoded to a 6-bit stream during the encryption phase. In order for the recipient to be able to decode it and read the correct message, the MAC of the encrypted data should be read and decrypted into an ACARS readable character. Also, the right MAC value should be calculated in order for the message to be authenticated.
During the testing phase of the above end-to-end security mechanism, eavesdropping was possible but no actual data could be read, because of the AES that was used in the encryption of the message, so confidentiality was achieved. Privacy was also achieved because, if the message was manipulated, the MAC value would have changed and the recipient could have detected the change in value. Finally, for the digital signature to be correct, the assumption that the CA was trustworthy needed to be made.
Wireless Communication Security
Because the main communication channel between the aircraft and the ground stations will be wireless, some necessary aspects of security have to exist in order to be able to say that the channel is secure.
According to the authors of the article (7), for a security protocol to be acceptable, it must meet some requirements. The first one is the "mutual entity authentication", which can provide security by identifying the sender and the receiver. Also, asymmetric algorithms are, in my estimation, very critical for the key distribution that allows the sender and the receiver to authenticate one another's messages. Next, in order to prevent unauthorised people from accessing the communication channel, both parties must agree on the keys used and also have the ability to confirm them when needed, along with being able to control them, maintain the "key freshness" (7) so that no replay attacks can be performed, and protect the secrets of old communications in the event an unauthorised person gains access to a session key. All of the above aspects, in my view, are critical in order to keep privacy in the communication channel.
According to this article (7), which I agree with, some compromises should be made in order to have the security options tailored to the needs of the system. In our case the ACARS system was designed to have a small load when transmitting data, and therefore an "IPsec with fixed pre-shared keys" (7) would be very useful because it exchanges a limited amount of data in order to provide security. On the other hand, "protocols predicated on asymmetric cryptosystems" (7) have the ability to provide better security, but at the cost of an increased data load.
Wireless Communication Threat Model
In order to provide better solutions for the wireless communication channel, we should be able to identify the threats that may be faced during the transfer of data. To do so, we must have a threat model that is tailored to our needs.
In order to make a threat model, we should also know the adversaries' capabilities. In the case of wireless networks, which is the kind ACARS uses, according to the authors of the article (8) the adversary usually "has the capacity to receive and transmit data" (8) and should be able to monitor the network; in order to do these two things, he will need to have knowledge of how the network was set up. Commonly, if the attacker can eavesdrop on a wireless network, he will also have the ability to "inject traffic" (8) into the network. All of the above capabilities, in my opinion, depend on the data he has and also on the money he's willing to spend to be able to perform such tasks.
The main attacks he is capable of performing against a wireless network are "spoofing attacks" (8), "replay attacks" (8), which I believe are easily solved by the freshness aspect of security, "eavesdropping" (8), compromise or introduction of nodes, "wireless jamming" (8) and lastly a "denial of service" (8) attack by extremely increasing the load of the network.
ACARS Security per Honeywell
Per Honeywell, ACARS uses a message security system that is able to provide message authentication, confidentiality and data integrity, which are the basic aspects that need to be protected. Based on an ICAO document regarding the security plan, a public key infrastructure and other cryptographic algorithms are used in order to protect the data transmitted.
More specifically, according to the "ARINC specification 823" (4), the security of the messages is split into two different parts. The first part was published in 2007 and contains everything about the framework of the security, such as algorithms, protocols and message formats. The second part is about the key management of this security mechanism; it was published one year later and contains information regarding the key life cycle and how the certificate is managed.
Furthermore, two different security provisions were developed, and each of them had different characteristics regarding the mechanisms used to protect the data transmitted.
The first one is called ATN/OSI Security and it was described in ICAO document 9880. This security provision used digital signatures, which use the Elliptic Curve Diffie-Hellman cryptographic algorithm combined with SHA256 to create and verify the signatures. For message authentication, it uses a hashed MAC with a 32-bit MAC length. A key agreement is used in order to share the public key, which the recipient then uses to derive the secret key and decode the message sent.
The second one is called ACARS Security ARINC 823. This one also uses digital signatures to sign the message, and the specifications of the digital signatures are the same as in the first security provision, making use of the elliptic curve Diffie-Hellman algorithm coupled with SHA256 for signature generation and verification. Again, a hashed MAC is used for message authentication, but in this case the length of the MAC is not fixed. It may be 32 bit, 64 bit or even 128 bit, with the default being 32 bit. The primary difference between the two security provisions is that the former didn't require a confidentiality mechanism to be in place. The latter, on the other hand, uses an AES128 cipher algorithm for encryption, which is principally used to encrypt and decrypt the messages. Finally, the key establishment mechanism is comparable in both security provisions: both use an elliptic curve Diffie-Hellman with SHA256 algorithm to supply the communication channel with a secret key agreement, a shared public key and the derivation of the secret key.
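The 6-bit character packing described earlier and the truncated hashed MAC described here (32-bit default, 64 or 128 bits optional) can be sketched as follows. This is an added example, not code from the cited papers or from ARINC 823: the 64-character table (ASCII 0x20 to 0x5F), the one-byte length prefix, the frame layout and the session key are assumptions, and the AES encryption and ECDH key agreement steps are left out.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: the 64-symbol table is ASCII 0x20 (space) .. 0x5F (underscore).
FIRST, LAST = 0x20, 0x5F
MAC_BITS_ALLOWED = (32, 64, 128)  # lengths named in the text; 32 is the default

# Constructed stand-in for the session key the key agreement would produce.
SESSION_KEY = hashlib.sha256(b"constructed shared secret").digest()
SAMPLE = "REQ CLEARANCE FL350 VIA WPT1"  # constructed message, 28 characters


def pack6(text: str) -> bytes:
    """Pack characters into 6 bits each, prefixed by a 1-byte character count."""
    if len(text) > 255:
        raise ValueError("message too long for the 1-byte count")
    acc = 0
    for ch in text:
        code = ord(ch)
        if not FIRST <= code <= LAST:
            raise ValueError(f"character {ch!r} is outside the 6-bit table")
        acc = (acc << 6) | (code - FIRST)
    nbits = 6 * len(text)
    pad = (-nbits) % 8  # zero bits so the stream ends on a byte boundary
    return bytes([len(text)]) + (acc << pad).to_bytes((nbits + pad) // 8, "big")


def unpack6(blob: bytes) -> str:
    """Inverse of pack6; the count byte removes the padding ambiguity."""
    if not blob:
        raise ValueError("empty payload")
    count, body = blob[0], blob[1:]
    nbits = 6 * count
    if len(body) != (nbits + 7) // 8:
        raise ValueError("payload length does not match character count")
    acc = int.from_bytes(body, "big") >> (len(body) * 8 - nbits)
    return "".join(
        chr(((acc >> (6 * (count - 1 - i))) & 0x3F) + FIRST) for i in range(count)
    )


def mac_tag(key: bytes, data: bytes, mac_bits: int = 32) -> bytes:
    """HMAC-SHA256 truncated to mac_bits (leftmost bytes of the digest)."""
    if mac_bits not in MAC_BITS_ALLOWED:
        raise ValueError("unsupported MAC length")
    return hmac.new(key, data, hashlib.sha256).digest()[: mac_bits // 8]


def protect(key: bytes, text: str, mac_bits: int = 32) -> bytes:
    """Frame = packed text || truncated tag over the packed text."""
    body = pack6(text)
    return body + mac_tag(key, body, mac_bits)


def verify(key: bytes, frame: bytes, mac_bits: int = 32) -> Optional[str]:
    """Return the text if the tag checks out, otherwise None."""
    n = mac_bits // 8
    if mac_bits not in MAC_BITS_ALLOWED or len(frame) <= n:
        return None
    body, received = frame[:-n], frame[-n:]
    # Constant-time comparison; a shorter tag is cheaper on the link but
    # each forgery attempt succeeds with probability 2**-mac_bits.
    if not hmac.compare_digest(received, mac_tag(key, body, mac_bits)):
        return None
    try:
        return unpack6(body)
    except ValueError:
        return None


if __name__ == "__main__":
    frame = protect(SESSION_KEY, SAMPLE)
    print(len(SAMPLE), "chars ->", len(frame), "bytes including 32-bit tag")
    tampered = bytearray(frame)
    tampered[5] ^= 0x01  # flip one bit of the packed text
    print("intact:", verify(SESSION_KEY, frame))
    print("tampered:", verify(SESSION_KEY, bytes(tampered)))
```

The tag only shows that the frame was produced with the session key; a replayed frame still verifies, which is why the freshness requirement discussed above has to be met separately.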
Threats
As technology improves, computers become more powerful, leading to the implementation of better security mechanisms but also to an increasing amount of computing power in the hands of possible attackers. This, along with the ability given to the general public to track flights using ADS-B, can have possible backdoors that can threaten the safety of the flights. The main use of this surveillance technology is for the improvement of the safety and efficiency of the flights. This technology also led to the creation of a web application and a smartphone application that gave anyone the ability to track any aircraft on earth that had this technology active. A person with an inexpensive hardware setup could receive the information sent to the ground by the aircraft.
If an attacker is able to intercept these signals, he is able to perform passive attacks like eavesdropping on the communications or, furthermore, block the response from the ATC (jamming) and finally send his own response back (message injection), which could result in the attacker being able to perform an active attack and penetrate the aircraft's navigation system. According to the article (6), these attacks could result in "virtually modifying the trajectory associated with an aircraft" (6). After the attacker has gained access to the aircraft systems, he can receive information via the ACARS system. In case the ACARS system is not protected correctly, the attacker can exploit the systems and either insert false information into the avionics or attach a virus or malware and have constant access to the aircraft's avionics and information.
Furthermore, if the attacker could access the FMS, he would be able to interfere with navigation and flight planning, such as waypoints, altitudes, speeds, the destination airport of the flight, etc. This may lead to the attacker being in complete control of the aircraft, with the pilots not being able to do much in order to get back control of the aircraft.
Although the ACARS system was updated regularly and the ACARS AMS was created in order to provide end-to-end security, many airlines decided not to use it and instead "provide some security by obscurity" (6), which according to my view could lead to more risks and better security because no one has tested the security algorithms that are being used and therefore, if there is any vulnerability in the security algorithm, the company will never be aware of it, leaving the communication channel open to zero-day attacks.
The cost of the hardware needed to complete this attack is not high. Using online shopping web applications or other sellers, a possible attacker is able to buy the necessary hardware, such as FMS hardware, air-to-ground transmitters, ACARS manager hardware and other hardware, in order to perform such an attack. Through the use of one of the best-known flight simulator software packages, combined with the necessary hardware and finally by exploiting any vulnerabilities in the security of the ACARS and FMS systems, he may be able to gain control of the aircraft at low cost.
There are many ways the attacker could gain access or perform attacks against aircraft. These may include attacks via the internet by exploiting bugs in web applications, vulnerabilities in software, SQL injections into databases or other vulnerabilities that aren't fixed in mobile applications.
There are two different threat models according to the authors of the article "On perception and reality in the wireless air traffic communication security" (6). The two threat models are the "traditional aviation threat model" (6) and the "Modern threat model" (6). The primary differences between the two, according to the article, are that "software-defined radios" are accessible to the public, and with them to possible attackers, and the change from analogue instruments to digital instruments, with the latter giving users the ability to transmit more data in electronic form. These could lead to a rise in the ability of hackers "to eavesdrop, modify and inject data on the communications channel".
The traditional threat model has been used since the first forms of communication were implemented in aviation. As years passed, the communication channels were improved and the amount of data that was transmitted increased rapidly. The authors of the article "characterize this article as naïve" (6) because of "inferior technological capabilities and financial capabilities, requirement of inside knowledge and the utilization of analog communication." (6). I could trust their opinion because I believe the threat model is indeed very old and, due to the new technologies, combined with the low cost of a setup that may allow to hinder the communications of an aircraft, the risk will be higher.
The second threat model is the modern threat model. It has major changes from the first one because of the "increased digitalisation and automation" (6) of the aircraft's communication channels. Also, the "increased technological capabilities" (6), such as cheap hardware, may lead to possible attacks that could not be performed when the first threat model was developed. Finally, people could easily gain "aviation knowledge" (6) from the internet and flight simulator software, which could increase the seriousness of the attacks that could be performed. For the aforementioned reasons and from my own experience with aviation knowledge and flight simulator software, I'd concur that this model is more current and much more tailored to recognize the threats that today's aircraft face.
Concluding on the above-mentioned information, the aviation world, and more specifically the security of the aircraft, crews and passengers, is far from safe. This is because, even with the security measures that have already been researched, the airlines do not always implement them. Also, the technology required, and the price of acquiring such technology, makes it easier for attackers to execute either passive or active attacks against aircraft. These, when combined with the knowledge of an attacker, can lead to great threats against aircraft.
In order to keep the aviation world safe, "the necessity to reassess the chance of attacks under realistic system models and the development of appropriate countermeasures" (6) should be recognised and embraced, along with new end-to-end security implementations being proposed and, when approved, implemented by airlines. Such security mechanisms must be tested in order to be totally sure that all vulnerabilities are patched and that they do not have a backdoor which could allow an attacker to execute an attack.
In my judgment, in order to be able to make sure that a security mechanism that will be put in place is completely secure, we must first learn our adversaries and understand their capabilities, intentions, motive and, above all, knowledge and financial state. Next, we should understand what passive and active attacks an adversary is capable of performing. If we are able to understand the above aspects of our adversaries, then we should understand what needs to be done in order to prevent them from launching an attack on the aircraft-ground communication channel and the ground network.
Having the necessary data about the adversaries and the protection mechanisms that we can implement, we should then evaluate those already implemented and find ways to improve them.
References
- Smith, M., M. Strohmeier, V. Lenders, and I. Martinovic. "On the security and privacy of ACARS." 2016 Integrated Communications Navigation and Surveillance (ICNS): 1-27. Web. 15 Feb. 2017.
- "Aircraft Communications, Addressing and Reporting System." Aircraft Communications, Addressing and Reporting System - SKYbrary Aviation Safety. N.p., n.d. Web. 14 Feb. 2017.
- "Aircraft Communications Addressing and Reporting System (ACARS)." Aircraft Communications Addressing and Reporting System (ACARS). N.p., n.d. Web. 14 Feb. 2017.
- Olive, Michael. ACARS Message Security (AMS) as a Vehicle for Validation of ICAO Doc. 9880 Part IV-B Security Requirements. Proc. of ICAO ACP WG-M Meeting, Belgium, Brussels. N.p.: n.p., n.d. 1-12. Print.
- Yue, M., and X. Wu. "The Approach of ACARS Data Encryption and Authentication." 2010 International Conference on Computational Intelligence and Security (2010): 556-60. Web. 10 Feb. 2017.
- Strohmeier, Martin, Matthias Schafer, Rui Pinheiro, Vincent Lenders, and Ivan Martinovic. "On Perception and Reality in Wireless Air Traffic Communication Security." IEEE Transactions on Intelligent Transportation Systems (2016): 1-20. Web.
- Akram, Raja Naeem, Konstantinos Markantonakis, Keith Mayes, Pierre-Francois Bonnefoi, Damien Sauveron, and Serge Chaumette. "Security and performance comparison of different secure channel protocols for Avionics Wireless Networks." 2016 IEEE/AIAA 35th Digital Avionics Systems Conference (DASC) (2016): n. pag. Web.
- Akram, Raja Naeem, Konstantinos Markantonakis, Royal Holloway, Sharadha Kariyawasam, Shahid Ayub, Amar Seeam, and Robert Atkinson. "Challenges of security and trust in Avionics Wireless Networks." 2015 IEEE/AIAA 34th Digital Avionics Systems Conference (DASC) (2015): n. pag. Web.
- Network Graphic. Digital image. ATC Data Link News. N.p., n.d. Web. 17 Feb. 2017.