Radio Frequency fingerprinting of aircraft ADS-B transmitters? Boffins reckon they've cracked it

A group of academics reckon they've found a way to uniquely fingerprint aeroplanes’ Automatic Dependent Surveillance-Broadcast (ADS-B) tracking transmitters – though an aviation infosec boffin says more research is needed to verify the new technique. In a paper titled “Real-World ADS-B signal recognition based on Radio …

  1. Barrie Shepherd

    uniquely fingerprint aeroplanes

    If you need to mask/spoof the ADS-B just have multiple ADS-B units on the plane and swop them around in flight.

    Or go ADS-B silent.

    Or have I lost the plot?

    1. teknopaul Silver badge

      Re: uniquely fingerprint aeroplanes

      silent doesn't help unless you are off the radar.

      borrowing a unit from a registered/known commercial aircraft might work.

      1. Anonymous Coward Silver badge

        Re: uniquely fingerprint aeroplanes

        You wouldn't want to swap them though. Can you imagine a civilian/commercial aircraft being recognised as a military one with a spoofed callsign?

      2. Anonymous Coward

        Re: uniquely fingerprint aeroplanes

        Modern air traffic control radar rarely uses "skin paints", relying almost solely on the aircraft broadcasting its identity through its transponder, and military aircraft have a variety of ways of degrading these radars to the point of uselessness.

        Military radars are a different matter entirely, of course.

    2. Foxglove

      Re: uniquely fingerprint aeroplanes

      You could have multiple transponders on an aircraft, but if the fingerprinting can identify one it can identify all.

      So potentially you would need to manufacture a new transponder to fit to each airframe every time you wanted to avoid tracking by this method.

      Certainly not beyond the means of the military if they want to spaff the cash.

      You could go ADS-B (maybe Mode A/C too) silent, but primary radar will pick you up so spoofing secondary radar might have some value in giving you a free pass.

      1. Paul Hovnanian Silver badge

        Re: uniquely fingerprint aeroplanes

        "So potentially you would need to manufacture a new transponder to fit to each airframe every time you wanted to avoid tracking by this method."

        So all you general aviation pilots: Beware of slightly used transponders popping up on the used equipment market.

    3. lglethal Silver badge

      Re: uniquely fingerprint aeroplanes

      Or have I lost the plot?

      I read that as "Or have I lost the pilot?" and my first thought was you might have a few more worrying problems than the ADS-B if you've lost the pilot....

      I blame lack of coffee...

  2. TXITMAN

    So ADS-B transmitters that send a callsign and ICAO code can be fingerprinted. Yes it is true. Also many aircraft carry two transponders so there is that. This smells like a research project in search of cash. More research is needed, hahah, AKA send more money.

  3. Anonymous Coward Silver badge

    Maybe new to ADS-B, but a long-established technique in other fields.

    I know of ham radios from 15 years ago which could fingerprint incoming signals to identify (and block) "IQ-zero" operators. It involved looking at signal rise rate, deviation variations, frequency difference (ie PLL offset), ... Just didn't involve "AI" back then, so obviously this new research is completely different.

  4. KittenHuffer Silver badge

    My guess ....

    .... would be that this technique relies on the fact that the components within the transponder sub-system for each aircraft are unique in that the components will always have tiny variances to other 'identical' components, and that the technique is identifying the tiny variations that these components generate.

    My first thought would be that any change of any component in the transponder sub-system would cause the 'signature' to change.

    The next thought would be that the variance in components in your 'detector' might be enough that the signatures learnt on one system might not transfer to other 'duplicate' systems. So it might just be necessary to teach each detector separately.

  5. Lee D

    "collecting signals from a total of 5 aircraft,"

    Are you bloody kidding me?

    My FlightAware account run from a basic RTL-SDR on a Raspberry Pi gets that amount of different aircraft on the screen AT ALL TIMES, let alone for the research of a paper. 1000's a day - light aircraft, airline traffic, commercial, private, etc. coming in and out of range, doing everything from circling learners to high-altitude straight routes that just plough through my range within a few seconds.

    You're going to need to do a mite more testing than 5 aircraft to make that work, and if all you need are RTL-SDR traces, ask anyone on FlightAware who seems to be picking up far more aircraft than you are every minute.

    1. hittitezombie

      Exactly! Fine tuning your detection based on cherry-picked data doesn't mean you can do the same when you have hundreds of thousands of data points.

      My eyebrows went into orbit when I saw the number of aircraft they were working with. This is a very unreliable paper.

  6. Anonymous Coward

    Are they saying the transmitter can be fingerprinted?

    If it's the transmitter itself then if something has been observed ID'ing itself as a military aircraft, then later is transmitting that it's a red cross flight carrying widows and orphans to a hospital.... I guess that's the thing you are looking for, it's spoofed.

    And the fingerprint is unique to a single transmitter - somehow. Components in the radio set itself? Combination with aerial tuning?

    You'd still need a history database of squawks vs fingerprints though and the squawks aren't terribly high powered AFAIK (I'm no expert on this), meaning you could only observe them from short ranges over your own territory.

    I suppose the military just need a "clean" set that has never been seen before - bit more complex than just doing a software setting, but still doable if your mission is really super critical on surprise.

    Interesting concept though.

    1. Cuddles Silver badge

      Re: Are they saying the transmitter can be fingerprinted?

      "And the fingerprint is unique to a single transmitter - somehow. Components in the radio set itself? Combination with aerial tuning?"

      All of the above, presumably. The idea doesn't sound particularly surprising really. Nothing is perfect, so every transmitter is going to have slightly different characteristics in terms of noise and so on. The only question is how practical it is to distinguish them in a real world with weak signals and all kinds of other noise around.

      "You'd still need a history database of squawks vs fingerprints"

      This seems to be the main problem with the idea. Assuming you can get a good enough signal for the fingerprinting to work, it doesn't actually tell you what is transmitting, it only allows you to identify unique transmitters. So unless you've previously identified what the transmitter is attached to and suddenly it starts claiming to be something else, you don't gain anything much of use.

      It also ties in to the above point. Since the fingerprint is characteristic of the whole transmitting system, it would be trivial to change it. You don't need to do things like swapping transponders between different planes as others have suggested, simply changing the length of a single wire would likely be enough to produce a completely new fingerprint. Swap a card, alter a voltage slightly, knock the antenna with a hammer... almost anything is going to change how noise and other factors vary.

      So it's kind of a neat idea, and relatively impressive if it can actually be made to work at all in the real world. But it seems to be of fairly little use in practical terms, and likely trivial to work around if it actually did start being used.
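An added example, not part of any comment in this thread: a minimal sketch of the "history database of squawks vs fingerprints" idea discussed above, showing which verdicts such a history can and cannot give. The class name, the two features (carrier frequency offset and pulse rise time, in the spirit of the features named earlier in the thread), the thresholds and the ICAO addresses are all constructed assumptions.

```python
import math

# Assumed per-feature spread used to normalise distances:
# carrier frequency offset (kHz) and pulse rise time (ns). Hypothetical values.
SCALE = (1.0, 2.0)
MATCH_RADIUS = 3.0  # assumed match threshold, in scaled units


def distance(a, b):
    """Scaled Euclidean distance between two feature vectors."""
    return math.sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, SCALE)))


class FingerprintHistory:
    """Binds each observed transmitter fingerprint to the ICAO address it first claimed."""

    def __init__(self):
        self.entries = []  # each entry: {"icao": str, "centroid": tuple, "n": int}

    def _nearest(self, features):
        best = min(self.entries,
                   key=lambda e: distance(e["centroid"], features),
                   default=None)
        if best is not None and distance(best["centroid"], features) <= MATCH_RADIUS:
            return best
        return None

    def observe(self, icao, features):
        match = self._nearest(features)
        if match is None:
            # Unknown transmitter: the history says nothing about what it is attached to.
            known_id = any(e["icao"] == icao for e in self.entries)
            self.entries.append({"icao": icao, "centroid": tuple(features), "n": 1})
            # A known ID on unseen hardware is ambiguous: second transponder,
            # repaired or replaced unit, or a spoofed identity.
            return "known-id-new-transmitter" if known_id else "new-transmitter"
        if match["icao"] != icao:
            # Same hardware, different claimed identity: the one strong signal.
            return "identity-changed"
        n = match["n"]
        match["centroid"] = tuple((c * n + f) / (n + 1)
                                  for c, f in zip(match["centroid"], features))
        match["n"] = n + 1
        return "consistent"


# Constructed sample observations: (claimed ICAO address, (offset_kHz, rise_ns)).
OBSERVATIONS = [
    ("4CA123", (12.4, 81.0)),
    ("4CA123", (12.6, 80.5)),
    ("A1B2C3", (-35.1, 95.2)),
    ("A1B2C3", (-34.8, 95.9)),
    ("4CA123", (-35.0, 95.5)),  # second transmitter now claims the first one's ID
    ("A1B2C3", (50.0, 70.0)),   # known ID arriving from never-seen hardware
    ("C0FFEE", (3.0, 60.1)),    # never-seen ID on never-seen hardware
]


def replay(observations):
    """Run observations through a fresh history and return the verdict for each."""
    history = FingerprintHistory()
    return [history.observe(icao, feats) for icao, feats in observations]


if __name__ == "__main__":
    for (icao, _), verdict in zip(OBSERVATIONS, replay(OBSERVATIONS)):
        print(icao, verdict)
```
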

  7. elwe

    If the world's more advanced militaries haven't already done so, you can bet they are now investing in developing ADS-B transmitters that don't just generate a simple signal, but can spoof the underlying characteristics of another transmitter. So those late to the party will see the ADS-B signal saying the Air Astana flight from Sharm El Sheikh to Almaty is approaching Tehran, will fingerprint the signal as being an Air Astana air frame and by the time they work out where the bombs landing on Tehran came from the flight will have left Iranian airspace...

    1. Anonymous Coward

      It can go the other way too...

      Ukraine International Airlines Flight 752 in 2020 or Iran Air Flight 655 in 1988.... both were shot down because despite transmitting correctly, both were suspected of being a fake ID...

  8. Danny 2 Silver badge

    Not So Secret Squirrel

    There were illegal rendition (kidnap&torture) flights and illegal munitions flights passing through Prestwick, and we protested them. The police were always asking us how we knew about them, and we never told them but it can't hurt now. We were told by ATCers and plane spotters.

    In real time being able to spoof an ID may be crucial, but if you are doing it regularly then your arse is parsley. People talk, they just do.

  9. Anonymous Coward

    radio hams

    been using this technique for decades to ID troublemakers on the repeaters

  10. Henry Wertz 1 Gold badge

    cell phone anti-cloning

    Title sounds unrelated but it's not!

    With AMPS (analog) cell phones, the call was analog but if you made an outgoing call it would send (digitally but unencrypted) the phone's ESN, and what # to call; one could get the ESN (electronic serial number) off an existing phone, clone it into another, at which point it was making calls on the original phone owner's dime. Apparently cloning was a real pain especially in Detroit and Miami; some of these markets actually incorporated some kind of RF fingerprinting technology, clone the phone and the cloned phone would just get a recording saying to call some 800# for the phone co's anti-fraud department.

    I would think the tolerances were much tighter now (especially given it's airplane safety equipment) than like a Motorola Startac, but... *shrug*. I imagine it must have been picking up (using late 1980s technology) small differences in caps, resistors, and oscillators on the individual phone that make it sound just a tiny bit different when it keys up, sends call info (and possibly characteristics of the sound during the call, if it took a call or two to block a phone?) I assume the ADS-B transmissions would have some variations to pick up on, from the plane having small variations in voltage, ripple current, miscellaneous RF noise possibly affecting the ADS-B transmitter a small amount, plus whatever variations the actual radios might have.

    I'm not sure if you would have to pick up the transmission from multiple angles etc. for this to be reliable; presumably with the cell phone RF fingerprinting, it was not requiring seeing the phone signal from a bunch of angles etc.

    1. Anonymous Coward Silver badge

      Re: cell phone anti-cloning

      Are you certain that the network wasn't just saying "hmm, two simultaneous calls, in different places, on one phone. Something fishy here"?

      Not saying that they didn't have more advanced detection methods, but sometimes the simplest things work best.

  11. herman Silver badge

    Five transponders

    They analyzed a grand total of five transponders. While the technique has merit, no matter how you slice it, 5 is not a sufficient data set. Pre-covid, there were about 100 aircraft within RTL-SDR ADS-B range of my house at any time.

    1. Alan Brown Silver badge

      Re: Five transponders

      5 is not sufficient for robust analysis, but it's a starting point for doing that
