Radio Frequency fingerprinting of aircraft ADS-B transmitters? Boffins reckon they've cracked it

A group of academics reckon they've found a way to uniquely fingerprint aeroplanes’ Automatic Dependent Surveillance-Broadcast (ADS-B) tracking transmitters – though an aviation infosec boffin says more research is needed to verify the new technique. In a paper titled “Real-World ADS-B signal recognition based on Radio …

  1. Barrie Shepherd

    uniquely fingerprint aeroplanes

    If you need to mask/spoof the ADS-B just have multiple ADS-B units on the plane and swop them around in flight.

    Or go ADS-B silent.

    Or have I lost the plot?

    1. teknopaul

      Re: uniquely fingerprint aeroplanes

      Silent doesn't help unless you are off the radar.

      Borrowing a unit from a registered/known commercial aircraft might work.

      1. Anonymous Coward Silver badge
        Mushroom

        Re: uniquely fingerprint aeroplanes

        You wouldn't want to swap them though. Can you imagine a civilian/commercial aircraft being recognised as a military one with a spoofed callsign?

      2. Anonymous Coward

        Re: uniquely fingerprint aeroplanes

        Modern air traffic control radar rarely uses "skin paints", relying almost solely on the aircraft broadcasting its identity through its transponder, and military aircraft have a variety of ways of degrading these radars to the point of uselessness.

        Military radars are a different matter entirely, of course.

    2. Anonymous Coward

      Re: uniquely fingerprint aeroplanes

      You could have multiple transponders on an aircraft, but if the fingerprinting can identify one it can identify all.

      So potentially you would need to manufacture a new transponder to fit to each airframe every time you wanted to avoid tracking by this method.

      Certainly not beyond the means of the military if they want to spaff the cash.

      You could go ADS-B (maybe Mode A/C too) silent, but primary radar will pick you up so spoofing secondary radar might have some value in giving you a free pass.

      1. Paul Hovnanian Silver badge

        Re: uniquely fingerprint aeroplanes

        "So potentially you would need to manufacture a new transponder to fit to each airframe every time you wanted to avoid tracking by this method."

        So all you general aviation pilots: Beware of slightly used transponders popping up on the used equipment market.

    3. lglethal Silver badge
      Windows

      Re: uniquely fingerprint aeroplanes

      Or have I lost the plot?

      I read that as "Or have I lost the pilot?" and my first thought was you might have a few more worrying problems than the ADS-B if you've lost the pilot....

      I blame lack of coffee...

  2. TXITMAN

    So ADS-B transmitters that send a callsign and ICAO code can be fingerprinted. Yes it is true. Also many aircraft carry two transponders so there is that. This smells like a research project in search of cash. More research is needed, hahah, AKA send more money.

  3. Anonymous Coward Silver badge
    Facepalm

    Maybe new to ADS-B, but a long-established technique in other fields.

    I know of ham radios from 15 years ago which could fingerprint incoming signals to identify (and block) "IQ-zero" operators. It involved looking at signal rise rate, deviation variations, frequency difference (ie PLL offset), ... Just didn't involve "AI" back then, so obviously this new research is completely different.

  4. KittenHuffer Silver badge

    My guess ....

    .... would be that this technique relies on the fact that the components within the transponder sub-system for each aircraft are unique in that the components will always have tiny variances to other 'identical' components, and that the technique is identifying the tiny variations that these components generate.

    My first thought would be that any change of any component in the transponder sub-system would cause the 'signature' to change.

    The next thought would be that the variance in components in your 'detector' might be enough that the signatures learnt on one system might not transfer to other 'duplicate' systems. So it might just be necessary to teach each detector separately.

  5. Lee D Silver badge

    "collecting signals from a total of 5 aircraft,"

    Are you bloody kidding me?

    My FlightAware account run from a basic RTL-SDR on a Raspberry Pi gets that amount of different aircraft on the screen AT ALL TIMES, let alone for the research of a paper. 1000's a day - light aircraft, airline traffic, commercial, private, etc. coming in and out of range, doing everything from circling learners to high-altitude straight routes that just plough through my range within a few seconds.

    You're going to need to do a mite more testing than 5 aircraft to make that work, and if all you need are RTL-SDR traces, ask anyone on FlightAware who seems to be picking up far more aircraft than you are every minute.

    1. hittitezombie

      Exactly! Fine tuning your detection based on cherry-picked data doesn't mean you can do the same when you have hundreds of thousands of data points.

      My eyebrows went into orbit when I saw the number of aircraft they were working with. This is a very unreliable paper.

  6. Anonymous Coward

    Are they saying the transmitter can be fingerprinted?

    If it's the transmitter itself then if something has been observed ID'ing itself as a military aircraft, then later is transmitting that it's a red cross flight carrying widows and orphans to a hospital.... I guess that's the thing you are looking for, it's spoofed.

    And the fingerprint is unique to a single transmitter - somehow. Components in the radio set itself? Combination with aerial tuning?

    You'd still need a history database of squawks vs fingerprints though and the squawks aren't terribly high powered AFAIK (I'm no expert on this), meaning you could only observe them from short ranges over your own territory.

    I suppose the military just need a "clean" set that has never been seen before - bit more complex than just doing a software setting, but still doable if your mission is really super critical on surprise.

    Interesting concept though.

    1. Cuddles

      Re: Are they saying the transmitter can be fingerprinted?

      "And the fingerprint is unique to a single transmitter - somehow. Components in the radio set itself? Combination with aerial tuning?"

      All of the above, presumably. The idea doesn't sound particularly surprising really. Nothing is perfect, so every transmitter is going to have slightly different characteristics in terms of noise and so on. The only question is how practical it is to distinguish them in a real world with weak signals and all kinds of other noise around.

      "You'd still need a history database of squawks vs fingerprints"

      This seems to be the main problem with the idea. Assuming you can get a good enough signal for the fingerprinting to work, it doesn't actually tell you what is transmitting, it only allows you to identify unique transmitters. So unless you've previously identified what the transmitter is attached to and suddenly it starts claiming to be something else, you don't gain anything much of use.

      It also ties in to the above point. Since the fingerprint is characteristic of the whole transmitting system, it would be trivial to change it. You don't need to do things like swapping transponders between different planes as others have suggested, simply changing the length of a single wire would likely be enough to produce a completely new fingerprint. Swap a card, alter a voltage slightly, knock the antenna with a hammer... almost anything is going to change how noise and other factors vary.

      So it's kind of a neat idea, and relatively impressive if it can actually be made to work at all in the real world. But it seems to be of fairly little use in practical terms, and likely trivial to work around if it actually did start being used.
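
Added example, not part of the thread or the paper: a minimal "history database of squawks vs fingerprints" check of the kind the comments above describe, using one feature mentioned in the thread (carrier frequency offset) as the fingerprint. The sample rate, the matching tolerance, the steady-tone test signal, the `FingerprintLedger` helper and both ICAO addresses are constructed assumptions.

```python
import cmath, math, random

FS = 2_000_000  # sample rate in Hz (assumed)

def synth_burst(cfo_hz, n=240, noise=0.02, seed=0):
    """Constructed input: a tone at the transmitter's residual carrier
    offset plus Gaussian noise, standing in for the 'on' samples of a burst."""
    rng = random.Random(seed)
    return [cmath.exp(2j * math.pi * cfo_hz * k / FS)
            + complex(rng.gauss(0, noise), rng.gauss(0, noise))
            for k in range(n)]

def estimate_cfo(iq):
    """Carrier offset in Hz from the mean sample-to-sample phase step."""
    acc = sum(b * a.conjugate() for a, b in zip(iq, iq[1:]))
    return cmath.phase(acc) * FS / (2 * math.pi)

class FingerprintLedger:
    """History of claimed address -> first fingerprint seen (hypothetical helper)."""
    def __init__(self, tol_hz=500.0):  # matching tolerance is an assumption
        self.tol_hz = tol_hz
        self.seen = {}

    def observe(self, icao, iq):
        cfo = estimate_cfo(iq)
        # A fingerprint already enrolled under a different claimed address
        for other, ref in self.seen.items():
            if other != icao and abs(ref - cfo) <= self.tol_hz:
                return "fingerprint-reuse:" + other
        ref = self.seen.get(icao)
        if ref is None:
            self.seen[icao] = cfo
            return "enrolled"
        # Could be spoofing, or just a repaired or replaced unit
        if abs(ref - cfo) > self.tol_hz:
            return "fingerprint-changed"
        return "consistent"

def demo():
    ledger = FingerprintLedger()
    return [
        ledger.observe("4CA1B2", synth_burst(12_000, seed=1)),   # first sighting
        ledger.observe("4CA1B2", synth_burst(12_000, seed=2)),   # same unit again
        ledger.observe("A0F00D", synth_burst(12_000, seed=3)),   # same unit, new claim
        ledger.observe("4CA1B2", synth_burst(-8_000, seed=4)),   # same claim, new unit
    ]

if __name__ == "__main__":
    print(demo())
```

A single scalar feature separates two constructed transmitters here; telling apart the thousands of aircraft a day mentioned elsewhere in the thread would need several features and a per-receiver baseline.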

  7. elwe

    If the world's more advanced militaries haven't already done so, you can bet they are now investing in developing ADS-B transmitters that don't just generate a simple signal, but can spoof the underlying characteristics of another transmitter. So those late to the party will see the ADS-B signal saying the Air Astana flight from Sharm El Sheikh to Almaty is approaching Tehran, will fingerprint the signal as being an Air Astana air frame and by the time they work out where the bombs landing on Tehran came from the flight will have left Iranian airspace...

    1. Anonymous Coward

      It can go the other way too...

      Ukraine International Airlines Flight 752 in 2020 or Iran Air Flight 655 in 1988.... both were shot down because despite transmitting correctly, both were suspected of being a fake ID...

  8. Danny 2

    Not So Secret Squirrel

    There were illegal rendition (kidnap&torture) flights and illegal munitions flights passing through Prestwick, and we protested them. The police were always asking us how we knew about them, and we never told them but it can't hurt now. We were told by ATCers and plane spotters.

    In real time being able to spoof an ID may be crucial, but if you are doing it regularly then your arse is parsley. People talk, they just do.

  9. Anonymous Coward

    radio hams

    been using this technique for decades to ID troublemakers on the repeaters

  10. Henry Wertz 1 Gold badge

    cell phone anti-cloning

    Title sounds unrelated but it's not!

    With AMPS (analog) cell phones, the call was analog but if you made an outgoing call it would send (digitally but unencrypted) the phone's ESN, and what # to call; one could get the ESN (electronic serial number) off an existing phone, clone it into another, at which point it was making calls on the original phone owner's dime. Apparently cloning was a real pain especially in Detroit and Miami; some of these markets actually incorporated some kind of RF fingerprinting technology, clone the phone and the cloned phone would just get a recording saying to call some 800# for the phone co's anti-fraud department.

    I would think the tolerances were much tighter now (especially given it's airplane safety equipment) than like a Motorola Startac, but... *shrug*. I imagine it must have been picking up (using late 1980s technology) small differences in caps, resistors, and oscillators on the individual phone that make it sound just a tiny bit different when it keys up, sends call info (and possibly characteristics of the sound during the call, if it took a call or two to block a phone?) I assume the ADS-B transmissions would have some variations to pick up on, from the plane having small variations in voltage, ripple current, miscellaneous RF noise possibly affecting the ADS-B transmitter a small amount, plus whatever variations the actual radios might have.

    I'm not sure if you would have to pick up the transmission from multiple angles etc. for this to be reliable; presumably with the cell phone RF fingerprinting, it was not requiring seeing the phone signal from a bunch of angles etc.

    1. Anonymous Coward Silver badge

      Re: cell phone anti-cloning

      Are you certain that the network wasn't just saying "hmm, two simultaneous calls, in different places, on one phone. Something fishy here"?

      Not saying that they didn't have more advanced detection methods, but sometimes the simplest things work best.

  11. herman

    Five transponders

    They analyzed a grand total of five transponders. While the technique has merit, no matter how you slice it, 5 is not a sufficient data set. Pre-covid, there were about 100 aircraft within RTL-SDR ADS-B range of my house at any time.

    1. Alan Brown Silver badge

      Re: Five transponders

      5 is not sufficient for robust analysis, but it's a starting point for doing that
