Conference PaperPDF Available

Economy Class Crypto: Exploring Weak Cipher Usage in Avionic Communications via ACARS


Abstract and Figures

Recent research has shown that a number of existing wireless avionic systems lack encryption and are thus vulnerable to eavesdropping and message injection attacks. The Aircraft Communications Addressing and Reporting System (ACARS) is no exception to this rule with 99% of the traffic being sent in plaintext. However, a small portion of the traffic coming mainly from privately-owned and government aircraft is encrypted, indicating a stronger requirement for security and privacy by those users. In this paper, we take a closer look at this protected communication and analyze the cryptographic solution being used. Our results show that the cipher used for this encryption is a mono-alphabetic substitution cipher, broken with little effort. We assess the impact on privacy and security to its unassuming users by characterizing months of real-world data, decrypted by breaking the cipher and recovering the keys. Our results show that the decrypted data leaks privacy sensitive information including existence, intent and status of aircraft owners.
Content may be subject to copyright.
Economy Class Crypto: Exploring Weak Cipher
Usage in Avionic Communications via ACARS
Matthew Smith1, Daniel Moser2, Martin Strohmeier1, Vincent Lenders3, and
Ivan Martinovic1
1Department of Computer Science, University of Oxford, United Kingdom
2Department of Computer Science, ETH Z¨urich, Switzerland
3armasuisse, Switzerland
Abstract. Recent research has shown that a number of existing wireless
avionic systems lack encryption and are thus vulnerable to eavesdropping
and message injection attacks. The Aircraft Communications Addressing
and Reporting System (ACARS) is no exception to this rule with 99%
of the trac being sent in plaintext. However, a small portion of the
trac coming mainly from privately-owned and government aircraft is
encrypted, indicating a stronger requirement for security and privacy
by those users. In this paper, we take a closer look at this protected
communication and analyze the cryptographic solution being used. Our
results show that the cipher used for this encryption is a mono-alphabetic
substitution cipher, broken with little eort. We assess the impact on
privacy and security to its unassuming users by characterizing months
of real-world data, decrypted by breaking the cipher and recovering the
keys. Our results show that the decrypted data leaks privacy sensitive
information including existence, intent and status of aircraft owners.
1 Introduction
Aviation is undergoing a period of modernization which is expected to last until
at least 2030, with the International Civil Aviation Organization (ICAO) aiming
to reduce emissions, increase safety and improve eciency of air transport [11].
This program seeks to replace ageing avionic systems with newer solutions, a
significant section of which revolves around avionic data links.
The main data communications system in current use is the Aircraft Com-
munications Addressing and Reporting System (ACARS). A general purpose
system, it has become the standard to transfer a wide range of information; for
example, it is often used by crews to request permission from air trac control
(ATC) to fly a particular part of their route. Although ACARS will be replaced
at some point in the future, this migration is unlikely to be completed within
the next 20 years [11]. In the meantime, the vast ma jority of commercial aircraft
and business jets must use ACARS for their data link needs.
Like many current wireless air trac communication technologies, ACARS
was designed several decades ago when security was not considered a main ob jec-
tive. Consequently, it did not include any form of encryption during its original
standardization. Due to the technological advantage that aviation held over most
potential threat agents, this fact did not raise significant attention over two
decades. In recent years, however, cheap software defined radios (SDRs) have
changed the threat landscape [21]. Using low-cost hardware and software down-
loadable from the internet, the capability to eavesdrop on ACARS has become
The impact of this changing threat on security and privacy of the data link are
manifold: among other possibilities, adversaries can track sensitive flight move-
ments of private, business or government aircraft; confidential information such
as financial or health information can be read and compromised; and potentially
safety-related data such as engine and maintenance reports can be modified.
As users of ACARS became aware of its practical insecurity and demanded
improvements to the confidentiality of their data, several cryptographic solutions
were developed to provide a short-term fix but then these became long-term
solutions. Only one of these solutions, a proprietary approach, is extensively
used. Unfortunately, it has many serious design flaws — the most serious being
that it is a mono-alphabetic substitution cipher — which negate any potential
security and privacy gain. Indeed, as we argue in this work, this type of solution
provides a false sense of security for ACARS users and consequently does more
harm for their reasonable expectations of privacy than no solution at all.
In this paper, we present our findings on a specific security vulnerability of the
aviation data link ACARS. Our contributions are as follows:
We show that the current most commonly used security solution for ACARS
is highly insecure and can be broken on the fly. We analyze the shortcomings
of the cipher used in this solution and its implementation.
We quantify the impact on dierent aviation stakeholders and users. We
analyze the extent of the privacy and security breach to its unassuming users,
in particular owners of private and business jets, and government aircraft.
From this case study, we provide lessons for the development of security
solutions for existing legacy technologies, particular in slow-moving, safety-
focused critical infrastructure sectors.
The remainder of the paper is structured as follows: We consider privacy
aspects in aviation in Section 2 and our threat model in Section 3. Section 4
describes the workings of ACARS before we illustrate steps taken to break the
cipher in question in Section 5. The impact of the weakness of the cipher is
explained in Section 6. In Section 7, we discuss the lessons learned from this
case and make recommendations for the future. Section 8 covers the related work,
Section 9 covers legal and ethical considerations, before Section 10 concludes.
2 Privacy in Aviation
This section discusses a widely used mechanism with which an aircraft owner
can protect their privacy, and the privacy expectations of private aircraft.
2.1 Blocked and Hidden Aircraft
Whilst no provision exists to restrict the sharing of flight information relating
to commercial aircraft, it does for smaller, private aircraft. Schemes such as the
Federal Aviation Administration’s (FAA) Aircraft Situation Display to Industry
(ASDI) register allow aircraft owners to restrict the tracking of their aircraft [9].
Some years ago, the scheme changed requiring that for a block to be imple-
mented, a “valid security concern” must be demonstrated [6]. This included a
“verifiable threat” against an individual, company or area, illustrating the se-
vere privacy requirements of such entities. Since then, the scheme has been once
more relaxed to allow any non-commercial aircraft owner to register a block [8];
even so, we claim that any aircraft owner is making a clear eort to protect their
privacy in requesting a block.
ASDI is a data feed produced by the FAA and oered to registrants such as
flight tracking websites. The FAA oers two levels of block for this feed — either
at the FAA dissemination level, or at the industry level [7]. With the former,
information about the aircraft is not included in the ASDI feed at all, whereas
for the latter, the requirement to not share the data lies on the registrant. The
requesting aircraft owner can choose which level of block to use, however if none
is stated, the FAA defaults to the FAA-level block.
In practice, an ASDI-blocked aircraft will display either no information at
all, or only rudimentary information such as the registration, on flight tracking
websites. If an aircraft uses the FAA-level ASDI block then information about
it can usually only be sourced from third-party databases such as
(see Section 4.5 for more details). If an aircraft does not appear even in such
third-party sources, we consider them ‘unknown’.
Blocking aircraft in this way is particularly relevant as air trac manage-
ment is modernized. Most continents are in the process of mandating that new
surveillance technologies be fitted to aircraft flying in classified airspace. These
will automatically report flight data, thus meaning that schemes such as ASDI
blocks will become a key factor in private aircraft user privacy.
2.2 Privacy Expectations
We consider these aircraft which make an eort to hide their activities to be
privacy sensitive. More specifically, we consider them sensitive with respect to
existence, intention, and status. These three categories are defined as follows:
Existence: Observing an aircraft in the collection range. Simply receiving
a message from an aircraft is enough to reveal its existence.
– Intention: ACARS messages that reveal what the aircraft will do in the
future of its flight; for example, when and where it will land.
– Status: Information which describes the current activities of the aircraft.
This includes current location, its flight origin, or the flight altitude.
By restricting appearance on flight tracking websites, users of these aircraft
make a concerted eort to hide information belonging to each of these categories.
Thus, ACARS messages revealing such information can be considered a breach
of these privacy expectations.
3 Threat Model
As the basis of our model, we consider an honest-but-curious attacker who is
passive with respect to the medium but actively decrypts messages: they collect
ACARS messages and aim to break the cipher and decrypt messages that use it.
An attacker of this capability could achieve their aims for a relatively low
financial outlay. A low-cost computer such as a Raspberry Pi is sucient to
run the collection, connected to a 10 RTL-SDR stick. Using freely available,
open source software and a standard VHF airband antenna available for under
150, an attacker will be able to collect ACARS messages from aircraft. The
ease-of-use and availability of SDRs has in turn created an active community
which produces a range of free and open-source tools. Avionic communications
are no exception, with several tools available to decode ACARS messages, for
example. This has brought previously hard-to-access avionic communications
into the domain of relatively low-skilled users.
We consider a typical attacker to operate from a single location with the
aforementioned equipment, collecting and attempting to decipher messages over
a number of months. A more capable attacker would be able to deploy multiple
collection units across a larger geographic area in order to increase the message
collection rate and the number of unique aircraft observed. As demonstrated
below, this will increase the rate at which the analyzed cipher can be broken.
Intention also aects the magnitude of threat — an honest-but-curious at-
tacker is likely to be small scale, while threat agents with specific motives could
aord a larger-scale collection. Indeed, tracking aircraft movements as part of
insider trading has been used in the past (e.g., [10]), which will require a wider
collection network to increase the chance of sightings.
4 Aircraft Communications Addressing and Reporting
In this section, we describe ACARS, its message structure and methods of trans-
mission, the use cases in aviation, and finally, the existing security mechanisms.
Table 1: Comparison of ACARS delivery sub-networks
Mode Coverage Frequency Link Speed
HF Worldwide 2-30 MHz4Up to 5.4 kbps5
‘Plain Old’
over land 131 MHz 2.4 kbps
VHF Data
Link mode 2
over land, limit-
ed deployment
136 MHz 30 kbps
SATCOM Worldwide, except
polar regions
L-Band (1-2 GHz) uplink
C-Band (6-8 GHz) downlink
Either 10kbps or
up to 400kpbs6
4.1 ACARS at the Physical Level
ACARS is widely utilized around the world as an avionic communications sys-
tem. Deployed in 1978, it provides support for airlines and ATC to communicate
with the vast majority of commercial aircraft [13]. For example, airlines transfer
flight plans via ACARS, while ATC issues clearances for particular routes.
ACARS has three delivery methods — High Frequency (HF), satellite (SAT-
COM) and Very High Frequency (VHF) [14]. VHF is further subdivided into
‘Plain Old’ ACARS (POA) and VHF Data Link Mode 2 (VDLm2) ACARS, the
latter using a general purpose aviation data link. SATCOM ACARS is oered
via the Iridium and Inmarsat satellite constellations, each with slightly dierent
options and service levels. The key properties are summarized in Table 1.
A high-level diagram of VHF ACARS is shown in Fig. 1a, with SATCOM
ACARS depicted in Figure 1b. Messages are transmitted between an aircraft
and ground stations managed by service providers. Generally, service providers
handle the infrastructure apart from the aircraft and endpoints. For ACARS,
endpoints can either be ATC in order to manage air trac, or airline adminis-
tration who use ACARS for fleet operational purposes.
4.2 ACARS Messages
All versions of ACARS have the same message structure built around a free text
element which forms the largest part of the message (see Fig. 2). Although the
system character set is ASCII, Aeronautical Radio Inc. (ARINC) standard 618
notes that most parts of the network are only compatible with a reduced ASCII
set [2]. However, to guarantee all parts of the network can handle the message
content, the even further reduced Baudot character set would need to be used,
eectively limiting the set to A-Z,0-9,,-./, and some control characters.
Of particular interest is the ‘label’ field which allows the Communications
Management Unit (CMU) to route ACARS messages to the correct endpoint in
the aircraft network [14]. Most labels are standardized in ARINC 620, though
4Depending on atmospheric conditions, HF frequencies are reassigned regularly.
5This depends on the baud rate and keying used.
6Exact speeds vary depending on service, here 10 kbps is provided by the Inmarsat
ClassicAero service, with the higher rate provided by their SwiftBroadband service.
(a) VHF ACARS infrastructure (b) SATCOM ACARS infrastructure
Fig. 1: High-level diagrams of ACARS modes used in our data collection.
(a) Uplink message format (b) Downlink message format
Fig. 2: ACARS message structures for uplink (air-to-ground) and downlink
(ground-to-air) based on ARINC 618 [2]. Field sizes in ASCII characters/bytes.
parts of the label space are user defined, including the labels used by the en-
crypted messages discussed in this paper [3]. The ICAO registration and flight
ID fields are useful for identifying the origin of messages. ICAO registrations are
unique to an aircraft, allowing identification across flights. In contrast, flight IDs
are tied to a single flight and often only used properly by commercial aircraft.
4.3 Uses of ACARS
As mentioned above, ACARS has gradually developed from being used for a
narrow set of tasks to being the most general-purpose data link available in
aviation. These tasks can broadly be split into two groups — air trac control
and airline operational/administrative messages.
Air trac control messages are used to ensure that the aircraft can fly on its
route safely. This usually takes the form of clearances and informational data.
Clearance is needed for an aircraft to fly a particular route, and is organized by
ATC. This usually takes place using voice communications, but in congested or
remote regions voice channels are dicult to use. ACARS can be used instead,
even when voice cannot. Informational data takes the form of reports on relevant
flight data such as weather and aerodromes.
Airline operational and administrative messages form a significant part of
ACARS trac. These messages use the free-text nature of ACARS, with mes-
sages ranging from automated, structured reporting to text messaging between
crew and ground operators. Lists of passengers transferring to other flights, main-
tenance issues and requests for aid of disabled passengers are common sights,
though exact usage varies between airlines. It is also common for flight plans to
be served over ACARS, which a pilot will then input into the flight computer.
4.4 Security in ACARS
Although ACARS has no security system mandated or included in its original
standard, fully-featured ‘add-on’ systems are available. These adhere to the AR-
INC 823 standard, ACARS Message Security (AMS) [4], an example of which is
Secure ACARS, from Honeywell Inc. [16] — this oers security through a num-
ber of common cryptographic algorithms and tools. Outside of this, ARINC are
promoting a common implementation in Protected ACARS [19]. AMS provides
message authentication, integrity and confidentiality protection mechanisms, us-
ing modern cryptographic methods. However, implementations are proprietary
and subject to little scrutiny beyond internal testing.
Despite the existence of these security suites, deployment is limited. No of-
ficial statistics exist and since all implementations are proprietary, performing
security analysis on them is dicult. In the course of the analysis carried out in
this paper, we could not clearly identify any regular use of AMS-based solutions.
Furthermore, these systems typically cost extra on top of the standard ACARS
service charge which an aircraft operator will pay — this has slowed uptake and
created reluctance from the operators to use it. It has also prompted the use and
practical deployment of more temporary security solutions, as explored in this
paper. To the best of our knowledge, these schemes have no publicly available
documentation with regards to implementation.
4.5 Real World Analysis
We utilized three methods of obtaining real-world air trac data, in line with the
capabilities of an honest-but-curious attacker as defined in our threat model. All
data collection was done at sites in Continental Europe, with 1,634,106 messages
collected in total.
VHF Collection. VHF collection is possible with low investment using the
equipment described in Section 3, which can be fed into the ACARSDec de-
coder.7This allows the decoding of ‘Plain Old’ ACARS signals transmitted
around 131 MHz.
Satellite Collection. Collection of L-band SATCOM is similarly achievable
with minimal equipment and setup. For example, an L-band (1-2 GHz) horn
antenna pointed towards the INMARSAT 3F2 satellite can be fed into band-
pass filter and low-noise amplifier. Using an RTL-SDR stick and the open-source
JAERO decoder8the ACARS message data can be then be recovered. To collect
C-band uplink messages more costly antenna would be required.
Third Party Data Sources. In order to compare collected data to a publicly
available source, flight tracking websites such as Flightradar249allow verification
of many aircraft being in the air or the flights they have completed. However, it
is susceptible to government-mandated filtering as explained in in Section 2.1.
To get more comprehensive records on aircraft, one can use the
database [12]. This provides ICAO registration information and records on air-
craft not available on the flight tracker. To the best of our knowledge, this is the
most complete and up-to-date publicly available aircraft registration database.
Beyond this, ACARS data has been collected and disseminated on the in-
ternet for a number of years. A wide range of ACARS decoders existed in the
early 2000s, though most apart from acarsd10 appear to no longer be main-
tained. Indeed, the acarsd website lists a range of webservers using the software
to produce public ACARS feeds. Some services, such as AvDelphi11 go further,
oering ACARS feeds and tools to understand the messages for a fee.
5 Cryptanalysis of the ACARS Cipher
As our first contribution, we analyze the proprietary cipher used in ACARS
communications. Our curiosity was piqued when we noted that some aircraft
transmit scrambled ACARS messages, sent primarily with labels ‘41’, ‘42’ and
‘44’ and prefixed by two numbers.12 In order to decrypt these messages, we follow
several classic cryptanalytic steps. We first describe how character substitutions
can be recovered before moving to analyze the properties of the cipher.
5.1 Recovering Character Substitutions
Inspecting the available ciphertext, we note that all messages ciphered under
this label are prefixed by two digits, from 01 to 09. We refer to this as the key
identifier. When messages are grouped by these digits, repeating characters in
the same position across messages can be seen. From the similar set of characters
used between messages of the same key identifier, this implies the use of a sub-
stitution cipher as well as an underlying common structure between messages.
12 Labels ‘41’ and ‘42’ are primarily used in SATCOM and label ‘44’ is most common
in VHF — as such we focus our analysis in this way.
Next, frequency analysis can be used to compare the per-character distri-
bution for each key identifier against all messages in our dataset. Since the
encrypted messages are a small portion of our overall message set, we expected
the character distribution of the underlying plaintext to be similar to the overall
ACARS character distribution. Examples of these frequency distributions are
shown in Figure 3. We can see two clear peaks, which we match to peaks for fre-
quency analysis per key identifier. This provides a starting point for decryption.
Fig. 3: Character frequency distribution across all received ACARS messages
(top) and messages of one key identifier (bottom).
This knowledge can be combined with the fact that some messages sent on the
same labels are in plaintext and of similar length. Using the substitutions gained
from frequency analysis, we see that the majority of the messages are of a similar
structure — later identified as a status update. A labelled plaintext status report
message can be seen in Figure 4, in which we identified the fields based on meta-
information and structure. Using this, we recover other substituting characters
using domain knowledge as explained in the remainder of this section.
5.2 Character Recovery Heuristics
Since we have a limited set of ciphertexts but now possess knowledge about the
underlying structure of one message type and content of the fields, we can use
heuristics to recover the remaining characters.
Recovering Coordinates. As the second field in plaintext messages is a coor-
dinate field, we use this to retrieve a number of substitution characters exploiting
the position of the receiver. Since the reported coordinates are limited to ±2-4
degrees longitude and latitude from a receiver, the options for the first two digits
Fig. 4: Plaintext status report message sent under label ‘44’.
and direction letter (i.e. Nfor north) are restricted. This becomes less reliable if
the collection location lies on a point of 0longitude or latitude.
Message Prefixes. For some message types, the first field follows the structure
of a three-letter code followed by two digits which we refer to as a message
prefix; in the plaintext example of Fig. 4, this is POS02. Looking at all plaintext
messages received, one three-letter code is significantly more common. Combined
with already known letters, this reveals further substitution characters.
Airport Codes. As indicated in Figure 4, two of the fields are ICAO airport
codes. Based again on the collection location, we can determine that local airport
codes are more likely and use this as a heuristic for recovering substitutions;
for example, if the collection range solely covers a part of the United States,
one of the airport codes is likely to begin with K. We also exploit partially
decrypted messages containing airport codes — which are publicly available —
by comparing various possible airport codes with a common encrypted character,
revealing many further alphabetic characters.
SATCOM Meteorological Messages. Not all character substitutions can
be recovered from the reporting messages as used above. However, aircraft re-
ceive periodic meteorological data over the SATCOM uplink to inform the pilots
about the weather on their destination airport. Such messages take the form of
Pilot Weather Reports (PIREP), Notice to Airmen (NOTAM), Meteorological
Aerodrome Reports (METAR) and Terminal Aerodrome Forecasts (TAF). Each
has a consistent structure and contains regularly occurring phrases, which al-
lows for character recovery when compared with plaintext obtained from other
5.3 Key Recovery
Based on our observations, many of these messages use a limited set of ASCII
characters, namely digits 0-9, characters A-Zand symbols ,.*-:/? and whites-
pace which falls between the Baudot and limited ASCII sets defined in ARINC
620 [3]. With this in mind, using 2690 messages, from the Baudot set of 44
characters per key we recovered 377/396 (95.2%) of the substitutions across the
Table 2: Number of unique aircraft using the cipher by manufacturer and model.
Names have been removed for anonymity.
Manufacturer A B C D E
Model A-1 A-2 A-3 B-1 B-2 B-3 C-1 D-1 E-1
Avg. Manuf Year 2008 2008 2014 2014 2010 2012 2010 2002 2011
No. per Model 118 56 12 11 3 2 111
No. per Manuf. 186 16 111
nine keys. For limited ASCII, with there being 97 substitutions for each key, we
recovered 661/873 (75.7%) substitution characters across the nine keys. How-
ever, we can decode and read most received messages, implying the Baudot set
is closer to the actual character set. By extending the collection range or period,
we will be able to recover the remaining characters.
Theoretically, the ACARS alphabet size of 127 oers a potential space of
127! keys. For reasons unknown to us, only 9 of these 3 10213 possibilities are
used — and they are clearly marked. Furthermore, these keys are shared across
all aircraft using this cipher. This significantly reduces the diculty of recovery
by quickly providing sucient known plaintext for each key.
6 Impact Analysis
Even without recovering every single substitution, the nature of the cipher en-
ables us to still read practically all message content. Indeed, recovering the full
keys is a matter-of-time process, simply requiring more messages. This process
could be sped up significantly by having many sensors distributed over a wide
geographic area, increasing the collection from unique aircraft. In this section,
we demonstrate why the weakness of the cipher is a significant problem: the data
it should protect is naturally considered private by many of its users.
6.1 Usage Analysis
Our observations indicate that it is exclusively ‘business jet’ type aircraft that
use this encryption. In Table 2 we provide a breakdown of these aircraft by
manufacturers alphabetically for anonymity purposes. Manufacturers A and B
make up the vast majority of the aircraft transmitting these kinds of messages.
In Table 2 we also give a breakdown of models by manufacturer, in which we
see that models A-1, A-2, A-3 and B-1 make up the majority of aircraft using
this weak cipher. These models are of varying ages, some of which were built
within the last two years. On top of this, aircraft appear to either send encrypted
messages or not, with no crossover.
In looking for a connection, we found that all models use Primus suite avionics
equipment from Honeywell, Inc., pointing towards the source of the cipher. As
such, we believe that any aircraft choosing this suite will be aected by the weak
cipher, should they opt to use it. Given the use of a small set of global keys, users
Table 3: Absolute and relative distributions of flight tracking website blocks on
aircraft transmitting encrypted messages.
Data Set Not Blocked Blocked Unknown Total
VHF 5 (10%) 41 (84%) 3 (6%) 49
SATCOM 10 (6%) 93 (60%) 53 (34%) 156
of many dierent aircraft models might have the illusion of privacy when in fact
this security solution is breakable. Furthermore, we have seen no attempts at
key distribution or rekeying over the course of several months; the substitution
characters recovered from the first collected data work on our most recent data,
6.2 Blocked Aircraft
Although the pool of aviation stakeholders aected is relatively small, the privacy
impact is significant simply due to the nature of aircraft using the cipher. This is
illustrated by the number of aircraft concealing their existence on flight tracking
websites as described in Section 6.2. In Table 3 we see the distribution of ASDI
blocks on flight tracking websites for aircraft using this encryption. For ‘not
blocked’ aircraft we can see location and flight history, whereas ‘blocked’ are
aircraft with some level of ASDI block, i.e. missing flight history or information.
We use flight tracking websites for this purpose since they utilize ASDI data;
whilst direct ASDI access would be preferable, steps to obtain the feed appear
to be outside of the public domain.
We can see that in the VHF set, 90% of the aircraft seen to be using this
encryption are making a concerted eort to hide their existence, whereas in the
SATCOM set a similar fraction of 94% do the same. This implies that those
aircraft are particularly privacy-conscious and using a weak cipher like the one
seen here undermines their desire to protect their sensitive information. For
example, we observed several ASDI-blocked military-owned jets (United States
and Netherlands) using this encryption.
6.3 Security and Privacy Implications of the Message Content
After establishing that the vast majority of encrypting aircraft have a great
interest in hiding existence, intent and status of the aircraft, we now consider
the content of the encrypted messages and analyze its sensitivity. We collected
a total of 2690 messages from encrypting aircraft.
Status Reports. From the 2690 encrypted messages collected, 29.5% are status
reports (as seen in Fig. 4). Although we have no ocial documentation on these
messages, from the message format we can deduce with certainty the fields for
coordinates, ICAO airport codes, date, current time and ETA. Decrypting these
messages reveals a significant amount of potentially private data. As indicated
above, many of the aircraft which we have observed transmitting status reports
are at least subject to ASDI blocks. We observed that 63.3% of aircraft sending
this type of message use an ASDI block, with an even higher percentage of
all status reporting messages (90.3%) coming from these aircraft. As such, the
blocked aircraft we observed made more use of encrypted position reports than
visible aircraft and are undermined greatly by their insecurity.
Airport Information. As part of status reporting messages, both the depar-
ture and arrival airports are provided. This reveals a great deal of information on
routing, particularly for blocked aircraft. Using this section of the message, not
only can we determine the existence of an aircraft but also its intention. Across
all status reporting messages, we identified 151 airport codes over 50 country
codes, using 1569 instances. From these, 12.6% of instances were from the coun-
tries in which data was collected. We claim that using this data, a threat actor
can learn a significant amount of information about the aircraft from a single
message. By using sensors deployed to cover as great an area as possible, this
could allow the tracking of target aircraft without having to cover their entire
Free Text Messages. As with airport information, free text messages — es-
pecially those relating to flight plans — have the potential to reveal a significant
amount of information about an aircraft from a single message. Through this,
we saw some examples of using the cipher to protect this type of message. We
received 555 free-text messages, 184 of which were related to flight plan ad-
ministration, with 150 of these revealing the departure/arrival airports. In two
instances, in searching for flight plans, previous flight plan information seemingly
used by that aircraft were also transmitted.
Meteorological Reporting. Meteorological reports (METAR) are encrypted
by a smaller section of the aircraft, primarily over satellite ACARS. We observed
1395 encrypted METAR messages from 125 aircraft, all of which came from
satellite collection. Of these, 21.6% of aircraft were ASDI blocked. Whilst the
scope for privacy sensitive information is limited, METAR, can also reveal arrival
7 Discussion
As protocols are in use for many decades and are surpassed by technical progress
and new user requirements, the temptation for quick fixes is great. In aviation,
data links evolved to serve applications for which they were not initially intended
(e.g., ACARS for ATC [13]) and requirements changed to include confidentiality
to enable privacy for its users. Unfortunately, the presently deployed attempt to
protect ACARS does not meet these requirements as we have shown.
It is thus critical to take away several lessons from this study. We strongly
believe similar cases can be found not only in the wider aviation scenario but in
many safety-focused critical infrastructures using legacy communication systems.
1. As the discussed solution has been greatly obscured, we could not obtain
the exact time when it was first deployed but the age of the aircraft using
it points to the mid-2000s. This in turn means this solution has been in use
for at least 10 years without proper independent analysis. Integrating the
security community early on could have avoided the deployment of inferior
2. The described attack serves to illustrate the dangers of attempting to pro-
duce cryptosystems without due peer-review or use of well-known secure
primitives — indeed in this case, without any reasonable primitives at all.
This is especially the case in this situation where the nature of ACARS limits
the cryptographic solution due to characterset, message size and bit rate. In-
deed, proposals such as Secure ACARS use AES, which is standardized and
widely tested [16]. To draw parallels outside of the aviation scenario, WEP
encryption suered a similar fate in that an attempt to devise a security solu-
tion was critically impaired simply by misusing cryptographic primitives [5].
However in the case of WEP, the primitives themselves were sound — in the
system discussed in this paper, even the primitives were not sound.
3. Developing — and deploying — solutions without such expertise can indeed
be harmful. A solution that provides no eective protection has two distinct
negative eects: First, it undermines the development and use of better so-
lutions. In the case of ACARS, a demonstrably secure solution based on
ACARS Message Security would be standardized and use reasonable prim-
itives, but users who want data link confidentiality have opted exclusively
for the discussed cipher be it for cost or marketing reasons. Secondly, it pro-
vides its users with a false sense of security. Believing in the hardness of the
encryption may lead operators to rely on the confidentiality they seek and
potentially even modify their behavior.
Based on these lessons, we recommend that this security solution should
not be used further. With little cryptographic knowledge or resources, message
content can be recovered in real time. At the very least, manufacturers should
discontinue the inclusion of it in future systems. Ideally, it would be patched
out or replaced with a more secure option on existing aircraft and avionics. For
users relying on this cipher and seeking better protection, we propose that they
demand an established solution such as Secure ACARS which is a more complete
security suite.
8 Related Work
Contrary to large parts of the aviation community, the military is aware of
security issues in ACARS, see, e.g., [17] where the clear-text nature of ACARS
is considered an important weakness. Furthermore, [15] demonstrates eorts to
manage the lack of security through encryption, highlighting the requirement for
privacy in the military context. In both, ACARS defaulting to clear-text drives
users to require some measure of security. As shown in our work, this led to a
weak cipher being used widely.
The role of ACARS security has occasionally been discussed outside of aca-
demic research. In [1], the authors note the challenges of deploying Secure
ACARS, as well as its development process with the US military. Elsewhere, [22]
claims to use ACARS to upload malware onto a flight management computer.
From this we can see that ACARS is used across aviation, and given the claims
of exploitation, the case for encryption is strong.
In [18] and [19] issues caused by the lack of security on standard ACARS
are discussed. Particularly in the latter, the authors highlight that crews rely
on information sent via ACARS, which could have safety implications. In [23], a
security solution is presented but it has not seen production or further analysis
of its security properties. As demonstrated these steps are crucial for eective,
lasting security.
User perceptions are also notable: [20] shows that out of hundreds of pilots,
users of general aviation, and air trac controllers, who were asked about the
integrity and authenticity of ACARS, most believed the protocol oered some
kind of protection.
9 Legal and Ethical Considerations
Due to the sensitive nature of this work, we have ensured that it has been
conducted in a manner which upholds good ethical and legal practice. At the
start of the work we obtained ethical approval process to sensitive messages and
we followed a responsible disclosure process with Honeywell, Inc. We adhered to
all relevant local laws and regulations.
We have further chosen not to name the aircraft manufacturers and models
aected, as this could unduly impact the users of the aected aircraft before
there is a chance to address the problem. Furthermore, we have outlined the
steps taken to break the cipher but decided to omit further details and example
messages in order to avoid making such an attack straightforward to replicate.
Overall, we believe it is crucial that all aviation users are aware of weak security
solutions protecting their communications so that they do not fall prey to a false
sense of security but instead can take the necessary steps to protect themselves.
10 Conclusion
In this paper we have demonstrated the shortcomings of a proprietary encryption
technique used to protect sensitive information relating to privacy-aware aircraft
operators. More specifically, we have shown that it cannot meet any security
objective. As such we recommend its users are made fully aware that it does not
provide actual protection; thus, users should either seek a more robust security
solution or avoid using ACARS for sensitive material.
We demonstrated the privacy issues arising due to this, since the cipher is pri-
marily used to transmit locations and destinations by aviation users attempting
to hide their existence and intentions. We show the cipher’s weakness consis-
tently undermines the users’ eorts to hide their positional reporting, or protect
message content which might be valuable to an attacker.
Consequently, we claim that when such solutions are deployed in practice
it does more harm than good for users who require confidentiality from their
data link. It is crucial that the aviation industry takes the lessons learned from
this case study and addresses these problems before they are widely exploited
in real-world attacks.
This work has been funded by armasuisse under the Cyberspace and Information
research program. Matthew Smith has been supported by the Engineering and
Physical Sciences Research Council UK (EPSRC UK), as part of the Centre for
Doctoral Training for Cyber Security at the University of Oxford. Daniel Moser
has been supported by the Zurich Information Security and Privacy Center. It
represents the views of the authors.
[1] C. Adams. Securing ACARS: Data Link in the Post 9/11 Environment.
Avionics Magazine:24–26, June 2006.
[2] Aeronautical Radio Inc. (ARINC). 618-7: Air/Ground Character-Oriented
Protocol Specification. Technical Standard. 2013.
[3] Aeronautical Radio Inc. (ARINC). 620-8: Datalink Ground System Stan-
dard and Interface Specification. Technical Standard. 2014.
[4] Aeronautical Radio Inc. (ARINC). 823-P1: DataLink Security, Part 1 -
ACARS Message Security. Technical Standard. 2007.
[5] N. Borisov, I. Goldberg, and D. Wagner. Intercepting Mobile Communi-
cations: The Insecurity of 802.11. In Proceedings of the 7th Annual Inter-
national Conference on Mobile Computing and Networking (MobiCom),
[6] Federal Aviation Administration. Access to Aircraft Situation Display
(ASDI) and National Airspace System Status Information (NASSI). 2011.
url:https: / / www . federalregister . gov / documents / 2011 /03 / 04 /
2011 - 4955 / access - to - aircraft - situation - display - asdi - and -
national - airspace- system - status - information- nassi (visited on
[7] Federal Aviation Administration. Access to Aircraft Situation Display
to Industry (ASDI) and National Airspace System Status Information
(NASSI) Data. 2012. url:
2012/05/09/2012- 11251/access-to- aircraft-situation- display-
to- industry- asdi- and- national- airspace-system- status (visited
on 11/11/2016).
[8] Federal Aviation Administration. Access to Aircraft Situation Display
to Industry (ASDI) and National Airspace System Status Information
(NASSI) Data. 2013. url:
2013/08/21/2013- 20375/access-to- aircraft-situation- display-
to- industry- asdi- and- national- airspace-system- status (visited
on 11/11/2016).
[9] Federal Aviation Administration. Limiting Aircraft Data Displayed via
Aircraft Situation Display to Industry (ASDI) (Formerly the Block Air-
craft Registration Request (BARR) Program). 2016. url:https://www. (visited on 11/11/2016).
[10] D. Gloven and D. Voreacos. Dream Insider Informant Led FBI From
Galleon to SAC. 2012. url:
2012-12- 03/dream- insider- informant-led-fbi- from- galleon-to-
sac (visited on 11/11/2016).
[11] International Civil Aviation Organization. Global Air Navigation Plan
Fourth Edition. Tech. rep. Montreal: International Civil Aviation Orga-
nization, 2013, pp. 1–20. url: / publications /
[12] R. D. Kloth. 2016. url:http : / / www . airframes . org/
(visited on 11/11/2016).
[13] R. T. Oishi and A. Heinke. Air-Ground Communication. In C. R. Spitzer,
U. Ferrell, and T. Ferrell, editors, Digital Avionics Handbook, pp. 2.1 –2.3.
CRC Press, 3rd ed., 2015.
[14] R. T. Oishi and A. Heinke. Data Communications. In C. R. Spitzer, U.
Ferrell, and T. Ferrell, editors, Digital Avionics Handbook, pp. 2.7 –2.13.
CRC Press, 3rd ed., 2015.
[15] C. Risley, J. McMath, and B. Payne. Experimental Encryption of Aircraft
Communications Addressing and Reporting System (ACARS) Aeronauti-
cal Operational Control (AOC) Messages. In 20th Digital Avionic Systems
Conference. IEEE, Daytona Beach, 2001.
[16] A. Roy. Secure Aircraft Communications Addressing and Reporting Sys-
tem (ACARS). US Patent 6,677,888. Jan. 2004.
[17] A. Roy. Security Strategy for US Air Force to Use Commercial Data Link.
In 19th Digital Avionics Systems Conference. IEEE, Philadephia, 2000.
[18] M. Smith, M. Strohmeier, V. Lenders, and I. Martinovic. On the Security
and Privacy of ACARS. In Integrated Communications Navigation and
Surveillance Conference (ICNS). Herndon, 2016.
[19] P. E. Storck. Benefits of Commercial Data Link Security. In Integrated
Communications, Navigation and Surveillance Conference (ICNS).IEEE,
Herndon, 2013.
[20] M. Strohmeier, M. Sch¨afer, R. Pinheiro, V. Lenders, and I. Martinovic. On
Perception and Reality in Wireless Air Trac Communication Security.
IEEE Transactions on Intelligent Transportation Systems, 2016.
[21] M. Strohmeier, M. Smith, M. Sch¨afer, V. Lenders, and I. Martinovic. As-
sessing the Impact of Aviation Security on Cyber Power. In 8th Interna-
tional Conference on Cyber Conflict (CyCon). NATO CCD COE, Tallinn,
[22] H. Teso. Aircraft Hacking: Practical Aero Series. Presented at The Fourth
Annual Hack in the Box Security Conference in Europe (HITB). Amster-
dam, NL, Apr. 2013.
[23] M. Yue and X. Wu. The Approach of ACARS Data Encryption and Au-
thentication. In International Conference on Computational Intelligence
and Security (CIS). IEEE, 2010.
... • ACARS: ACARS has become a recent target to obtain tracking information about aircraft, caused by its increased popularity for transmission of relevant data such as flight plans and the ease of receiving ACARS data links via novel software-defined radio means. As shown in [96,97,99], ACARS presents a highvalue target, as location data sent via satellite can be received far out of the line-of-sight required for other technologies. Further, data that allow for the identification of aircraft movements and locations are regularly transmitted without effective encryption. ...
... On both data links, they showed that sensitive information ranging from credit card data and medical records to passenger lists was transmitted. In a related study [96], the authors show that there is a clear demand for privacy by ACARS users as some of them use mono-alphabetic substitution ciphers in an attempt to protect their communication. Naturally, this approach is highly insecure and leaks both tracking information and personal data. ...
... have shown examples where these schemes can be broken quickly and trivially [96]. While recent proposals for novel data link technology, such as L-DACS and Aero-MACS, do consider encryption as a standard measure (e.g., [66]), they do not entail readily available solution since the technology is still in its early development phase. ...
Air-ground communication in aviation uses many air traffic control technologies, data links, and wireless communication protocols. Security research has shown that attackers can exploit fundamental deficiencies that exist as of today in all of these categories. In this chapter, we analyze the current situation of the aviation airground link in a comprehensive manner. We collect reported security and privacy incidents and stratify them by major airground link technologies. We then discuss academic research that has proposed potentital countermeasures. To this end, we create a novel taxonomy and propose future directions for aviation security research.
... A subset has been shown to be exploitable under laboratory conditions using widely accessible software-defined radios (SDRs) and software tools (e.g. [10], [43], [46]). ...
... Unfortunately, security research into avionics, such as in [10], [43], [46] and [47], has shown that the threat is not addressed by safety-oriented design. Instead, this kind of design deals with random mechanical, electronic, or human failure, rather than deliberate and targeted attempts to subvert the system. ...
Conference Paper
Full-text available
Many wireless communications systems found in aircraft lack standard security mechanisms, leaving them vulnerable to attack. With affordable software-defined radios readily available, a novel threat has emerged which allows a wide range of attackers to easily interfere with wireless avionic systems. Whilst these vulnerabilities are known, predicting their ultimate effect is difficult. A major factor in this effect is how flight crew respond, especially whether their extensive training in fault handling helps them to manage attacks. To investigate this we conducted a user study, inviting 30 Airbus A320 type-rated pilots to fly simulator scenarios in which they were subjected to attacks on their avionics. We use wireless attacks on three safety-related systems, based on existing literature: Traffic Collision Avoidance System (TCAS), Ground Proximity Warning System (GPWS) and the Instrument Landing System (ILS). To analyze their response, we collected control input data coupled with closed and open interview responses. We found that all three attack scenarios created significant control impact and disruption through missed approaches, avoidance maneuvers and diversions. They further increased workload, distrust in the affected system, and for each attack, at least a third of our participants switched off the system entirely-even if they were important safety systems. All pilots felt the scenarios were useful, with 93.3% feeling that simulator training for wireless attacks could be valuable.
... In this process, all wireless technologies have come under scrutiny, as they almost in their entirety lack fundamental security mechanisms [57]. A subset has been shown to be exploitable under laboratory conditions using widely accessible software-defined radios (SDRs) and software tools (e.g., [9], [50], [54]). ...
... Unfortunately, security research into avionics [9], [50], [54], [55] has already shown that the threat is not fundamentally addressed by safety-oriented design, which deals with random mechanical, electronic, or human failure, rather than deliberate and targeted attempts to subvert the system. Similar to conventional security threats by passengers or pilots, attackers can negatively influence the safety of an aircraft, if they are able to replicate failures of the wireless avionics systems. ...
Full-text available
Many wireless communications systems found in aircraft lack standard security mechanisms, leaving them fundamentally vulnerable to attack. With affordable software-defined radios available, a novel threat has emerged, allowing a wide range of attackers to easily interfere with wireless avionic systems. Whilst these vulnerabilities are known, concrete attacks that exploit them are still novel and not yet well understood. This is true in particular with regards to their kinetic impact on the handling of the attacked aircraft and consequently its safety. To investigate this, we invited 30 Airbus A320 type-rated pilots to fly simulator scenarios in which they were subjected to attacks on their avionics. We implement and analyse novel wireless attacks on three safety-related systems: Traffic Collision Avoidance System (TCAS), Ground Proximity Warning System (GPWS) and the Instrument Landing System (ILS). We found that all three analysed attack scenarios created significant control impact and cost of disruption through turnarounds, avoidance manoeuvres, and diversions. They further increased workload, distrust in the affected system, and in 38% of cases caused the attacked safety system to be switched off entirely. All pilots felt the scenarios were useful, with 93.3% feeling that simulator training for wireless attacks could be valuable.
... However, the authors in [11] recently analyzed the current state of the transponder equipment of a sample of military and state aircraft, which is a pre-requisite for the present work. Similarly, several works have examined the state of privacy in aviation communication and highlighted the fundamental lack of confidentiality within the ADS-B and ACARS protocols [2], [12]- [15]. This is not limited to aviation; ships of various size and purpose use Automatic Identification System (AIS) to report their position in a similar way to ADS-B. ...
... Unfortunately, many such solutions are insecure, quickly broken and provide no more security than clear-text messages against any interested adversary. One such example is discussed by Smith et al. [12], who show that it is in wide use even in government and military aircraft. In our dataset, we found that 1.78% of the observed military and 11.36% of the observed government aircraft used this obfuscation method, a serious lapse of operational security. ...
... Tying these three stakeholders together is the question of whether, by using aircraft as they currently are (i.e. with very little capability to offer privacy) a stakeholder is simply waiving their right to privacy. We do not consider this to be the case since the aviation communication technologies which cause privacy leakage generally do not offer systems to protect them; in the few cases where such systems exist, they lack proper deployment or verification [39]. As ex- plored later in the paper, all existing mitigation options do not effectively solve the problem at hand. ...
... Other technologies also can lead to privacy issues; in [39], the usage of ACARS by private aircraft is shown to reveal information such as aircraft intention and status, despite attempts to broadcast them confidentially. To the best of our knowledge, however, this is the first study on the realworld impact on aviation privacy caused by aircraft tracking. ...
Conference Paper
Full-text available
This paper exploits publicly available aircraft meta data in conjunction with unfiltered air traffic communication gathered from a global collaborative sensor network to study the privacy impact of large-scale aircraft tracking on governments and public corporations. First, we use movement data of 542 verified aircraft used by 113 different governments to identify events and relationships in the real world. We develop a spatio-temporal clustering method which returns 47 public and 18 non-public meetings attended by dedicated government aircraft over the course of 18 months. Additionally, we illustrate the ease of analyzing the long-term behavior and relationships of aviation users through the example of foreign governments visiting Europe. Secondly, we exploit the same types of data to predict potential merger and acquisition (M&A) activities by 36 corporations listed on the US and European stock markets. We identify seven M&A cases, in all of which the buyer has used corporate aircraft to visit the target prior to the official announcement, on average 61 days before. Finally, we analyze five existing technical and non-technical mitigation options available to the individual stakeholders. We quantify their popularity and effectiveness, finding that despite their current widespread use, they are ineffective against the presented exploits. Consequently, we argue that regulatory and technical changes are required to be able to protect the privacy of non-commercial aviation users in the future.
... Recent work has shown that such a strong attacker setting is increasingly realistic [24]. Finally, while there is almost a complete lack of cryptographic measures in currently deployed ATC protocols, other instances of weak avionics cryptography have surfaced in the literature [41]. ...
... Despite the existence of ACARS security protocols, deployment is not implemented on a large scale. Furthermore, these systems typically require extra expenditure for aircraft operators [46]. ...
Full-text available
In addition to the importance of safety in civil aviation, the significance of cybersecurity in the aviation sector cannot be ignored, and this fact has often been highlighted owing to frequent cyber-attacks that denigrate victim(s) and also lead to political and economic controversies. Cybersecurity has recently received a major boost, with the shift of air navigation facilities from analog ground-based systems to digital space-based systems to accommodate the tremendous growth in air traffic density. Furthermore, most air navigation facilities have open designs that tend to overlook security concerns. In this regard, identifying a systematic methodology for aviation cybersecurity risk assessment is a key element in the identification of potential threats, and assessment of their likelihood and risk levels, whereby risks can be reduced to tolerable levels through appropriate mitigation measures. Existing review articles have not addressed cybersecurity in all the various aviation systems, and have not considered a systematic methodology for aviation cybersecurity risk assessment. This paper therefore presents a systematic qualitative and quantitative cybersecurity risk assessment methodology for legacy and next-generation critical infrastructure in aviation systems, such as air-ground communication, radio navigation aids, aeronautical surveillance, and system-wide information management (SWIM). Our analysis shows that the communication, navigation, and surveillance systems with the highest risk levels are very-high frequency voice communication, satellite-based navigation, and automatic dependent surveillance-broadcast, respectively, while those with the lowest risk levels are controller-pilot data link communication, ground-based radio navigation aids, and secondary surveillance radar, respectively. Furthermore, the risk level of potential cyber-attacks in SWIM is medium.
... However, CPDLC has no security mechanisms of its own as part of its design, and so inherits the security of the data links it runs on [11,37]. Research has shown that typically these links are also not secured, or when they are, security is weak [44,45]. Despite this, we cannot simply presume that attacks on these links will directly affect CPDLC due to its complexity and human component, as has been demonstrated for some ATC technologies in previous research [46]. ...
... • ACARS 99% of ACARS traffic is transmitted unencrypted and the small portion that is encrypted uses a mono-alphabetic substitution cipher, broken with little effort [21]. Plain text links are subject to simple data-injection attacks, potentially on a massive scale. ...
Conference Paper
Full-text available
We analyse the impact of new wireless technology threat models on cyber power, using the aviation context as an example. The ongoing move from traditional air traffic control systems such as radar and voice towards enhanced surveillance and communications systems using modern data networks causes a marked shift in the security of the aviation environment. Implemented through the European SESAR and the US American NextGen programmes, several new air traffic control and communication protocols are currently being rolled out that have been in the works for decades. Unfortunately, during their development the shifting wireless technology threat models were not taken into account. As technology related to digital avionics is getting more widely accessible, traditional electronic warfare threat models are fast becoming obsolete. This paper defines a novel and realistic threat model based on the up-to-date capabilities of different types of threat agents and their impact on a digitalised aviation communication system. After analysing how the changing technological environment affects the security of aviation technologies, current and future, we discuss the reasons preventing the aviation industry from quickly improving the security of its wireless protocols. Among these reasons, we identify the existing tradition of the industry, the prevalence of legacy hard- and software, major cost pressures, slow development cycles, and a narrow focus on safety (as opposed to security). Finally, we analyse how this major technological shift informs the future of cyber power and conflict in the aviation environment by looking at tangible effects for state actors.
Conference Paper
Full-text available
The manner in which Aircraft Communications, Addressing and Reporting System (ACARS) is being used has significantly changed over time. Whilst originally used by commercial airliners to track their flights and provide automated timekeeping on crew, today it serves as a multi-purpose air-ground data link for many aviation stakeholders including private jet owners, state actors and military. Since ACARS messages are still mostly sent in the clear over a wireless channel, any sensitive information sent with ACARS can potentially lead to a privacy breach for users. Naturally, different stakeholders consider different types of data sensitive. In this paper we propose a privacy framework matching aviation stakeholders to a range of sensitive information types and assess the impact for each. Based on more than one million ACARS messages, collected over several months, we then demonstrate that current ACARS usage systematically breaches privacy for all stakeholder groups. We further support our findings with a number of cases of significant privacy issues for each group and analyze the impact of such leaks. While it is well-known that ACARS messages are susceptible to eavesdropping attacks, this work is the first to quantify the extent and impact of privacy leakage in the real world for the relevant aviation stakeholders.
Full-text available
More than a dozen wireless technologies are used by air traffic communication systems during different flight phases. From a conceptual perspective, all of them are insecure as security was never part of their design. Recent contributions from academic and hacking communities have exploited this inherent vulnerability to demonstrate attacks on some of these technologies. However, not all of these contributions have resonated widely within aviation circles. At the same time, the security community lacks certain aviation domain knowledge, preventing aviation authorities from giving credence to their findings. In this paper, we aim to reconcile the view of the security community and the perspective of aviation professionals concerning the safety of air traffic communication technologies. To achieve this, we first provide a systematization of the applications of wireless technologies upon which civil aviation relies. Based on these applications, we comprehensively analyze vulnerabilities, attacks, and countermeasures. We categorize the existing research on countermeasures into approaches that are applicable in the short term and research of secure new technologies deployable in the long term. Since not all of the required aviation knowledge is codified in academic publications, we additionally examine existing aviation standards and survey 242 international aviation experts. Besides their domain knowledge, we also analyze the awareness of members of the aviation community concerning the security of wireless systems and collect their expert opinions on the potential impact of concrete attack scenarios using these technologies.
Conference Paper
Full-text available
Beginning in the late 70's, the Aircraft Communications Addressing and Reporting System (ACARS) has evolved from a basic pilot time tracing system to a two-way communications system for Airline Operational Control (AOC), tracking aircraft movement, and providing critical performance information, such as engine health. In the 90's Air Traffic Services (ATS) and Air Traffic Control (ATC) two-way communications were added. Typical ATC Infrastructure has thoroughly addressed the security of the ground to ground data communications network. However, another area of Data Communications Information Assurance that should be investigated is the ground to cockpit link. This paper proposes a plan to investigate that link.
Conference Paper
With the increasing number of aircraft, the airlines and civil aviation organization are relying on ACARS (Aircraft Communications Addressing and Report System) for air traffic and control. Unfortunately, automated information exchange between aircraft and ground entity also increase the system vulnerability and may severely impacts the safety of a flight. This paper introduce a End-to-End architecture which employ message encryption and authentication to protect the security between aircraft and airlines and thus permit ACARS data link messages to be exchanged in a secure manner.
Conference Paper
With the increase in automation, airlines, military, and civil aviation organizations are relying on ACARS for air traffic and operational control. This paper proposes specific techniques to relieve ACARS frequency saturation using standard data compression algorithm. Additional solutions are provided to encrypt the ACARS protocol header without requiring any changes to the legacy ACARS equipment. The proposed Secure ACARS solutions will satisfy customer needs, improve the safety and reliability of the ACARS system and extend the usability of ACARS by conserving RF resources
Conference Paper
As civil controlled airspace moves toward requiring new communication capabilities, the military will need to equip their aircraft if worldwide, unrestricted airspace access is to be maintained. The USAF has built a Reconfigurable Cockpit and Avionics Testbed (RCAT) with VHF, HF and SATCOM data links and ground stations to demonstrate the utility of these data links. This facility has been used to evaluate techniques available to encrypt ACARS data link messages. This paper discusses the results of these demonstrations and documents the strengths and limitations of the "commercial-off-the-shelf" (COTS) equipment and infrastructure for security of military AOC messages. It also hopes to stimulate discussion among military users about requirements for their use of ACARS
Conference Paper
The ACARS data link security strategy presented in this paper is based on internationally accepted cryptographic standards. The proposed algorithms were approved by NSA for US government use. The use of standards and the PKI infrastructure will reduce the implementation cost due to the availability of COTS software and components. The proposed strategy will satisfy the authentication, cryptographic data integrity, and encryption needs of the USAF. It will permit the USAF to use a commercially available technology now for most of its command and control applications for air transport, thereby conserving scarce military communication resources for tactical applications
Conference Paper
The communication between the ground based air traffic controller and the air crew has been based on the use of VHF and HF for many years, and this is a mature technology. This communication has been based on the use of an analogue voice channel. The main purpose of this communication has been for air traffic control, with the aircraft moving from sector to sector,and having a handover from one controller to the next. This enables the air crew to report their position, call sign and status, and for the air traffic controller to give appropriate and timely instructions to the air crew. As the aircraft fly worldwide there has been a need to have standards, with the ICAO (International Civil Aviation Organisation) acting as the forum to aid the standardisation process. There have been a number of suggested changes to the communication with the aim of improving flight safety, and reducing the work load on the flight crew. This paper discusses the background to the VHF communication, some of the difficulties of the current systems and ways of providing interim solutions, and ways of changing the system to eliminate the problems
Securing ACARS: Data Link in the Post 9/11 Environment. Avionics Magazine
  • C Adams
C. Adams. Securing ACARS: Data Link in the Post 9/11 Environment. Avionics Magazine:24–26, June 2006.