Sunday, July 21, 2019
Importance of Using the ACARS System
Abbreviations

ACARS: Aircraft Communication Addressing and Reporting System
ADS-B: Automatic Dependent Surveillance Broadcast
CMU: Communication Management Unit
CDU: Control Display Unit
FMS: Flight Management System
ATC: Air Traffic Control
AOC: Aeronautical Operational Control
AAC: Airline Administrative Control
NOTAM: Notice to Airmen
VHF: Very High Frequency
VDL: VHF Data Link
MAC: Message Authentication Code
AES: Advanced Encryption Standard
SHA: Secure Hash Algorithm
CA: Certificate Authority
ICAO: International Civil Aviation Organisation
IPsec: Internet Protocol Security

This report examines the importance of using the ACARS system in the communication between aircraft and ground units such as air traffic control (ATC), aeronautical operational control (AOC) and airline administrative control (AAC) (2). The need to secure the communication channel against passive and active attackers will also be identified and analysed.

The ACARS system is used to transmit data both from aircraft to ground and from ground to aircraft. The data transmitted from the aircraft to the ATC communicates requests and receipts for clearances and instructions while the aircraft is on the ground, during the phases of take-off and landing, and while the aircraft is in the air. The ACARS system is also used for communication between the aircraft and the AOC and AAC ground units. The data transmitted between these three entities covers various aspects of the aircraft, weather information and observations, NOTAMs, the flight plan and any diversion from it, technical performance, possible system failures and any special information regarding the flight and its passengers. To transmit data to the ground receivers, ACARS uses the FMC hardware on newer aircraft or the CDU on older ones.
The communication is accomplished by using the FMS unit and a small printer in the aircraft and similar hardware on the ground. The FMS transmits the data to either a satellite or a ground antenna, depending on the altitude of the aircraft. The satellite or the antenna then forwards the data over a private network to the appropriate ground unit.

Because these data are crucial and must not be altered, or in some cases even monitored, by unauthorised users, the security of the communication channel and the data should be the top priority of the airlines. To achieve that, the data transmitted should always maintain the three major aspects of information security, which are:

Confidentiality
Integrity
Availability

During the early years of the aviation industry, communication channels were only needed between the ATC and the pilots. There was no way to transmit data regarding the aircraft's avionic systems, engines and integrity, mainly because such advanced technology did not exist, either in the communication channels or on the aircraft. The only communication channel available was VHF, which today is the least trusted protocol. As aircraft developed, the boundaries were extended, which led to a rapid increase in air traffic. To cope with this, the aircraft manufacturers decided to improve the quality and quantity of the systems aboard the aircraft in order to protect them from mid-air collisions and to help the ATCs manage the traffic more easily. From the moment that the instruments on board the aircraft changed from analogue to digital, a breakthrough was achieved, leading many companies to develop software and hardware that improved the communication and data transmission between aircraft and the ground.
Along with these improvements, the aircraft's critical systems were able to continuously provide the data recorder with information regarding their condition. During this phase CPDLC was developed in order to minimize the acoustic misunderstandings (6); it provided accountability and made it easier, more efficient and safer to transmit and receive long messages (6). Although in my opinion this system would make the communication between the pilots and the ATC easier and safer, it wasn't widely used because of security threats like message manipulation or injection (6) that were not possible to be detected. Also, a major backdoor to the system in my opinion was that there was no authentication, leading to eavesdropping or spoof clearances (6).

To improve safety and accident investigations, the authorities decided that these data should be transmitted to the ground, and in order to improve the communications between aircraft and the ATCs a new system was developed, which is called ACARS. Along with it, new techniques of communication and data transmission were introduced that allowed the aircraft, ATCs and airline headquarters to communicate with each other by sending short texts. ACARS was introduced during the 80s and over the years became very popular among the airlines. It allowed direct communication between aircraft and ATCs for requesting and receiving instructions and clearances. Communication between the aircraft and the AOC and AAC was also introduced, allowing the exchange of information about the weather, possible issues with the aircraft's systems, NOTAMs, passenger information, etc. In the early years of aviation, computers were not very capable of intercepting or manipulating a transmitted message, and therefore there was little need for the system to be secure.
As the years passed and computers became more powerful, together with the knowledge of people, unauthorised monitoring of message transmission, or even manipulation of the messages transmitted between aircraft and the ground, became a threat to aviation. To solve these issues, security mechanisms were put in place to protect the communication channels and the data transmitted. These mechanisms are updated regularly in order to keep the information secure against new threats and attackers. Maintaining a secure communication channel is becoming more difficult because the hardware that allows monitoring of the information transmitted by aircraft is very cheap and easily accessible. This, together with the increasing knowledge of people on how to misuse it with the intention to cause harm for various reasons, makes the work of those trying to protect these systems very difficult and crucial for the safety of the passengers and the aircraft crew.

As the workload of the pilots in command increased greatly due to the increased traffic, the reduction of crew members in aircraft and the need to maximize profit without undermining safety, and in order to protect the pilots from making mistakes or forgetting to complete the steps necessary for the safe conduct of a flight, researchers worked on a new way of communication between the aircraft and ground operations. That software was ACARS, which was developed in the 1980s. ACARS is a digital datalink system (3) that allows the pilots, ATC and the airline headquarters to exchange short messages regardless of the location of the aircraft around the world. To achieve that, the aircraft is equipped with an avionics computer called the Communications Management Unit (CMU), a control display unit (CDU) and a printer.
The CMU was designed to be able to send and receive digital messages (3) regarding aspects of the flight, instructions and clearances from the ATC, weather forecasts, NOTAMs and information to and from the company's headquarters regarding the aircraft's performance and special needs of the passengers. To achieve the level of communication needed, the ACARS system uses different types of communication media. The two media used between the aircraft and the ground are satellites when the aircraft is at higher altitudes and radio antennas at lower altitudes.

Before the first implementations of the ACARS system, the communication between aircraft and the ground was performed over VHF voice channels. As technology advanced, new ways of communication were developed. During the first period of ACARS implementation, the ARINC organisation developed a service that upgraded VHF communication by allowing the use of digital telex formats (3) on the VHF communication channel. During the 90s this led to the standardization of a VHF Digital Link. As the adoption of ACARS by airlines became widespread, new services were developed in order to make the communication channels more efficient. During this phase the SITA company had developed a large ground communication network that connected places around the world. To further enhance the abilities of ACARS, SITA integrated its ground communication network with the already existing ACARS communication channels between aircraft and ground. In my opinion the ACARS system was designed very cleverly because it was able to cooperate with many types of aircraft communications equipment such as VHF, Inmarsat, satcom, Iridium satellite, VDL and high frequency data link (6).
In more detail, SITA managed to merge both the VHF and VDL air-to-ground communication channels with the ground network it had already developed, providing an end-to-end communication channel between aircraft and ground operations regardless of the type of flight. Both short-haul and long-haul routes were supported.

Figure 1. ACARS Setup (9)

ACARS security is very important for the safe conduct of flights. Two different types of security were implemented. The first one was called DSP-based architecture and is only capable of protecting ACARS messages during transmission from the aircraft to the ground, leaving the ground network unprotected and open to attacks from hackers. For that reason, an end-to-end security architecture was proposed and developed. For the security of the ACARS system to be complete, it has to maintain confidentiality, integrity and availability of the information transmitted at all times, both in the communication channel between the aircraft and the ground and in the ground network.

The end-to-end solution proposed in the article The Approach of ACARS Data Encryption and Authentication (5) uses symmetric and asymmetric cryptography, a hybrid system that could solve the problems of using just one of the two methods of cryptography, along with digital signatures to provide adequate privacy and integrity (5) to the messages. The issue with symmetric cryptography was that, in order to communicate with each other, a key had to be exchanged between the sender and the recipients of the message. This unique key was designed to be known only by the sender and the recipient of the message in order to protect it from unauthorized users. This proved very difficult to keep secure due to the large number of users that use ACARS to communicate.
On the other hand, asymmetric cryptography was able to solve this problem, but it required large keys, which meant that a rather large amount of bandwidth was needed just for the exchange of the keys that secured the communication. This was a problem because of the limited bandwidth the ACARS system was designed to use. The proposed hybrid system made use of a key derivation algorithm called Elliptic Curve Diffie-Hellman, which uses an elliptic curve and certain points in order to find the private key. By using the elliptic curve along with the private key, it was able to generate the public key of both the aircraft and the ground station (sender and recipient). With this technique the communication channel was secure, because it was very difficult for the attacker to find the private key even though the exchange of public key is intercepted (5). For the receiver to be able to decrypt and use the private key, a key derivation function is needed, which in this case is the MAC. To encrypt the data transmitted, the AES algorithm is used in combination with the SHA 256 algorithm. The number 256 after the SHA acronym means the length of the random binary sequence that is used as the key for the AES (5) algorithm.

Because of the limited bandwidth that ACARS is designed to use, the message data and the additional data transmitted to provide security should be compressed as much as possible. To do so, every letter, number or symbol has to be encoded to a 6-bit stream during the encryption phase. For the recipient to be able to decode it and read the correct message, the MAC of the encrypted data has to be read and decrypted to an ACARS-readable character. Also, the correct MAC value has to be calculated in order for the message to be authenticated.
During the testing phase of the above end-to-end security mechanism, eavesdropping was possible but no actual data could be read, due to the AES that was used to encrypt the message, so confidentiality was achieved. Privacy was also achieved because if the message was manipulated, the MAC value would have changed and the recipient would have detected the change in value. Finally, for the digital signature to be correct, the assumption that the CA was trustworthy had to be made.

Wireless Communication Security

Because the main communication channel between the aircraft and the ground stations will always be wireless, some necessary aspects of security will always have to exist in order to be able to say that the channel is secure. According to the authors of the article (7), for a security protocol to be acceptable it must meet some requirements. The first one is mutual entity authentication, which provides security by identifying the sender and the receiver. Also, the asymmetric algorithms are very critical according to my opinion, regarding the key distribution that will allow the sender and the receiver to authenticate each other's messages. Next, in order to prevent unauthorised people from accessing the communication channel, the two parties must agree on the keys used, be able to confirm and control them when needed, and maintain the key freshness (7) so that no replay attacks can be performed, and also protect the secrets of old communications in case an unauthorised person gains access to a session key. All the above aspects, in my opinion, are critical in order to maintain privacy in the communication channel. According to the article (7), which I agree with, some compromises should be made in order to have the security options tailored to the needs of your systems.
In our case the ACARS system was designed to carry a small data load, and therefore an IPsec with fixed pre-shared keys (7) would be very helpful because it exchanges limited data in order to provide security. On the other hand, protocols based on asymmetric cryptosystems (7) are able to provide better security but at a higher data load cost.

Wireless Communication Threat Model

To be able to provide better solutions for the wireless communication channel, we must be able to identify the threats that may be faced during the transfer of data. To do so we must have a threat model that is tailored to our needs, and to create a threat model we must also know the adversary's capabilities. In the case of wireless networks, which are the kind that ACARS uses, according to the authors of the article (8) the adversary usually has the ability to receive and transmit data (8), should be able to monitor the network and, in order to do the previous two, must have knowledge of how the network was set up. Commonly, if the attacker is able to eavesdrop on a wireless network, he will be able to inject traffic (8) into the network. All of the above capabilities in my opinion are dependent on the knowledge he has and on the money he is willing to spend in order to be able to perform such tasks. The main attacks he can perform against a wireless network are spoofing attacks (8), replay attacks (8) which I believe is easily solved by the freshness aspect of security, eavesdropping (8), compromise or introduction of nodes, wireless jamming (8) and finally a denial of service (8) attack by extremely increasing the load of the network.

ACARS Security per Honeywell

Per Honeywell, ACARS uses a message security system that is able to provide message authentication, confidentiality and data integrity, which are the basic aspects that need to be protected.
Based on an ICAO document regarding the security plan, a public key infrastructure and other cryptographic algorithms are used to protect the data transmitted. More specifically, according to the ARINC specification 823 (4), the security of the messages is split into two parts. The first part was published in 2007 and contains everything regarding the framework of the security, such as algorithms, protocols and message formats. The second part is about the key management of this security mechanism; it was published 1 year later and contains information regarding the key life cycle and how a certificate is managed.

Furthermore, two different security provisions were developed, each with different characteristics regarding the mechanisms used to protect the data transmitted. The first one is called ATN/OSI Security and is described in ICAO document 9880. This security provision uses digital signatures, which use the Elliptic Curve Diffie-Hellman cryptographic algorithm combined with SHA256 to generate and verify the signatures. For message authentication, it uses a hashed MAC with a 32-bit MAC length. A key agreement is used to share the public key, from which the recipient is then able to derive the secret key and decode the message sent.

The second one is called ACARS Security ARINC 823. This one also uses digital signatures to sign the message, and the specifications of the digital signatures are similar to those of the first provision, making use of the Elliptic Curve Diffie-Hellman algorithm combined with SHA256 for signature generation and verification. Again, a hashed MAC is used for message authentication, but in this case the length of the MAC is not fixed. It can be 32 bits, 64 bits or even 128 bits, with 32 bits as the default.
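
The message-authentication step described above (a hashed MAC truncated to 32, 64 or 128 bits, carried as ACARS-readable 6-bit characters, with key freshness to stop replays), as an added example that is not code from the original post or from ARINC 823. The 6-bit alphabet (ASCII 0x20 to 0x5F), the 4-byte counter, the frame layout and the fixed key are assumptions made for illustration; in the scheme described, the key would come from the ECDH key agreement.

```python
"""Added example: truncated HMAC tag with a freshness counter,
carried as 6-bit characters. Sample key and messages are constructed."""
import hashlib
import hmac

TAG_BITS_ALLOWED = (32, 64, 128)  # MAC lengths named in the text; 32 is the default
COUNTER_BYTES = 4                 # assumed width of the freshness counter


def armor(data: bytes) -> str:
    """Render binary data as characters, 6 bits per character.

    Assumed alphabet: ASCII 0x20..0x5F (64 symbols), chosen for illustration.
    """
    acc = bits = 0
    out = []
    for byte in data:
        acc = (acc << 8) | byte
        bits += 8
        while bits >= 6:
            bits -= 6
            out.append(chr(0x20 + ((acc >> bits) & 0x3F)))
        acc &= (1 << bits) - 1           # keep only the bits not yet emitted
    if bits:                             # left-align the final partial group
        out.append(chr(0x20 + ((acc << (6 - bits)) & 0x3F)))
    return "".join(out)


def make_tag(key: bytes, counter: int, text: str, tag_bits: int = 32) -> str:
    """HMAC-SHA256 over counter || text, truncated to tag_bits, as 6-bit chars."""
    if tag_bits not in TAG_BITS_ALLOWED:
        raise ValueError("tag length must be 32, 64 or 128 bits")
    msg = counter.to_bytes(COUNTER_BYTES, "big") + text.encode("ascii")
    full = hmac.new(key, msg, hashlib.sha256).digest()
    return armor(full[: tag_bits // 8])


def protect(key: bytes, counter: int, text: str, tag_bits: int = 32) -> dict:
    """Sender side: attach the counter and the truncated tag to the text."""
    return {"ctr": counter, "text": text,
            "tag": make_tag(key, counter, text, tag_bits)}


class Receiver:
    """Receiver side: checks the tag first, then that the counter is fresh."""

    def __init__(self, key: bytes, tag_bits: int = 32):
        self.key = key
        self.tag_bits = tag_bits
        self.last_ctr = -1               # highest counter accepted so far

    def accept(self, frame: dict) -> str:
        """Return 'ok', 'bad-tag' or 'replay'."""
        ctr = frame["ctr"]
        if not 0 <= ctr < 2 ** (8 * COUNTER_BYTES):
            return "bad-tag"             # counter cannot belong to a valid frame
        expected = make_tag(self.key, ctr, frame["text"], self.tag_bits)
        # Constant-time comparison so timing does not leak the expected tag.
        if not hmac.compare_digest(expected, frame["tag"]):
            return "bad-tag"
        if ctr <= self.last_ctr:
            return "replay"              # authentic but already seen: not fresh
        self.last_ctr = ctr
        return "ok"


def demo() -> list:
    key = bytes(range(32))               # constructed key, stands in for the ECDH-derived secret
    rx = Receiver(key)
    frame = protect(key, 1, "CLEARED FL350")       # constructed sample message
    tampered = dict(frame, text="CLEARED FL390")   # text altered, tag unchanged
    return [rx.accept(frame), rx.accept(tampered), rx.accept(frame)]


if __name__ == "__main__":
    print(demo())
```

With the default 32-bit length the tag costs six characters per message; the 64-bit and 128-bit options cost 11 and 22 characters, which is the bandwidth side of the trade-off the text describes.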
The main difference between the two security provisions is that the first didn't require a confidentiality mechanism to be in place. The second, on the other hand, uses an AES128 cipher algorithm to encrypt and decrypt the messages. Finally, the key establishment mechanism is similar in both security provisions: both use Elliptic Curve Diffie-Hellman with SHA256 to provide the communication channel with a secret key agreement, a shared public key and the derivation of the secret key.

Threats

As technology improves, computers become more powerful, leading to the implementation of better security mechanisms but also to an increasing amount of computing power in the hands of possible attackers. This, along with the ability given to the public to track flights using ADS-B, can open possible backdoors that threaten the safety of flights. The main use of this surveillance technology is the improvement of the safety and efficiency of flights. This technology also led to the creation of a web application and a smartphone application that allow anyone to track any aircraft in the world that has this technology active. Anyone with a cheap hardware setup could receive the information sent to the ground by aircraft. If an attacker is able to intercept these signals, he is able to perform passive attacks like eavesdropping on the communications; furthermore, blocking the response from the ATC (jamming) and then sending his own response back (message injection) could allow the attacker to perform an active attack and penetrate the aircraft's navigation system. According to the article (6), such attacks could result in virtually modifying the trajectory of an aircraft (6). After the attacker has gained access to the aircraft systems, he can receive information via the ACARS system.
If the ACARS system is not protected correctly, the attacker will be able to exploit the systems and either insert false information into the avionics or attach a virus or malware and have constant access to the aircraft's avionics and information. Furthermore, if the attacker gains access to the FMS he will be able to interfere with the navigation and flight planning, such as waypoints, altitudes and speeds, or alter the destination airport of the flight. This will result in the attacker being in complete control of the aircraft, with the pilots not being able to do much to regain control.

Although the ACARS system was updated regularly and the ACARS AMS was developed in order to provide end-to-end security, many airlines decided not to use it and instead provide some security by obscurity (6), which according to my opinion could lead to more risks and better security because no one has tested the security algorithms that are used and therefore if there is any vulnerability in the security algorithm, the company will never be aware of it, leaving the communication channel open to zero day attacks.

The cost of the hardware needed to complete such an attack is not high. Using online shopping web applications or other sellers, a possible attacker will be able to buy the necessary hardware, such as FMS hardware, air-to-ground transmitters, ACARS manager hardware and other hardware, in order to perform such an attack. By using one of the best-known flight simulator programs, combined with the necessary hardware and finally by exploiting any vulnerabilities in the security of ACARS and FMS systems, they can manage to gain control of the aircraft at low cost. There are many ways the attacker could gain access or perform attacks against aircraft.
These may include attacks via the internet that exploit bugs in web applications, vulnerabilities in software, SQL injections against databases or unfixed vulnerabilities in mobile applications.

There are two different threat models according to the authors of the article On Perception and Reality in Wireless Air Traffic Communication Security (6): the traditional aviation threat model (6) and the modern threat model (6). The main differences between the two, according to the article, are that software-defined radios are now widely available to the public, and with them to possible attackers, and the change from analogue to digital instruments, the latter giving users the ability to transmit more data in electronic form. These could increase the ability of hackers to eavesdrop, modify and inject data on the communication channels.

The traditional threat model has been used since the first forms of communication were implemented in aviation. As years passed, the communication channels were improved and the amount of data transmitted increased rapidly. The authors of the article characterize this model as naïve (6) for the reasons of inferior technological capabilities and financial capabilities, requirement of inside knowledge and the use of analog communication (6). I can agree with their opinion because I believe that indeed the threat model is very old and due to the new technologies, along with the low cost of a setup that could allow to interfere with the communications of an aircraft, the risk will be much higher.

The second threat model is the modern threat model. It differs substantially from the first one due to the increased digitalisation and automation (6) of the aircraft communication channels.
Also, the increased technological capabilities (6), such as cheap hardware, could enable attacks that could not be performed when the first threat model was developed. Finally, people can easily gain aviation knowledge (6) from the internet and flight simulator software, which could increase the seriousness of the attacks that could be performed. For the above reasons and from my own experience with aviation knowledge and flight simulator software, I would agree that this model is more up to date and more tailored to identify the threats that today's aircraft face.

In conclusion, the aviation world, and more specifically the security of aircraft, crews and passengers, is far from safe. This is because even where security measures have already been researched, the airlines do not always implement them. Also, the technology required and the cost of acquiring it make it easier for attackers to perform either passive or active attacks against aircraft. Combined with the knowledge of an attacker, this can lead to great threats against aircraft. To keep the aviation world safe, the need to reassess the risk of attacks under realistic system models and the development of appropriate countermeasures (6) should be identified and embraced, and new end-to-end security implementations should be proposed and, if approved, implemented by airlines. Such security mechanisms must be tested in order to be totally sure that all vulnerabilities are patched and that no backdoor remains that could allow an attacker to perform an attack. In my opinion, in order to be able to be sure that a security mechanism that will be placed is totally secure, we must first learn our adversaries, understand their capabilities, intentions, motive and above all knowledge and financial state. Next, we must understand what passive and active attacks an adversary can perform.
If we manage to understand the above aspects of our adversaries, then we must understand what has to be done in order to prevent them from launching an attack against the aircraft-ground communications channel and ground network. Having the necessary information about the adversaries and the protection mechanisms that we can implement, we must then evaluate those already implemented and find ways to enhance them.

References

(1) Smith, M., M. Strohmeier, V. Lenders, and I. Martinovic. On the security and privacy of ACARS. 2016 Integrated Communications Navigation and Surveillance (ICNS) (2016): 1-27. Web. 15 Feb. 2017.
(2) Aircraft Communications, Addressing and Reporting System. SKYbrary Aviation Safety. N.p., n.d. Web. 14 Feb. 2017.
(3) Aircraft Communications Addressing and Reporting System (ACARS). N.p., n.d. Web. 14 Feb. 2017.
(4) Olive, Michael. ACARS Message Security (AMS) as a Vehicle for Validation of ICAO Doc. 9880 Part IV-B Security Requirements. Proc. of ICAO ACP WG-M Meeting, Belgium, Brussels. N.p.: n.p., n.d. 1-12. Print.
(5) Yue, M., and X. Wu. The Approach of ACARS Data Encryption and Authentication. 2010 International Conference on Computational Intelligence and Security (2010): 556-60. Web. 10 Feb. 2017.
(6) Strohmeier, Martin, Matthias Schafer, Rui Pinheiro, Vincent Lenders, and Ivan Martinovic. On Perception and Reality in Wireless Air Traffic Communication Security. IEEE Transactions on Intelligent Transportation Systems (2016): 1-20. Web.
(7) Akram, Raja Naeem, Konstantinos Markantonakis, Keith Mayes, Pierre-Francois Bonnefoi, Damien Sauveron, and Serge Chaumette. Security and performance comparison of different secure channel protocols for Avionics Wireless Networks. 2016 IEEE/AIAA 35th Digital Avionics Systems Conference (DASC) (2016): n. pag. Web.
(8) Akram, Raja Naeem, Konstantinos Markantonakis, Royal Holloway, Sharadha Kariyawasam, Shahid Ayub, Amar Seeam, and Robert Atkinson. Challenges of security and trust in Avionics Wireless Networks. 2015 IEEE/AIAA 34th Digital Avionics Systems Conference (DASC) (2015): n. pag. Web.
(9) Network Graphic. Digital image. ATC Data Link News. N.p., n.d. Web. 17 Feb. 2017.