Analyzing the Security of Satellite-Based Air Traffic Control
This talk demonstrates the lack of authentication and encryption in satellite-based air traffic control (ATC) protocols, specifically ADS-B and ADS-C. The speaker shows how a low-cost software-defined radio (SDR) setup can be used to eavesdrop on global aircraft telemetry and perform active signal injection to disrupt ATC communications. The research highlights that these critical aviation systems are inherently insecure and vulnerable to denial-of-service and position spoofing attacks. The presentation includes a practical demonstration of building an ADS-C transmitter to inject arbitrary flight data.
Satellite-Based Air Traffic Control Is Wide Open to Injection and Spoofing
TLDR: Recent research presented at DEF CON 2024 exposes the lack of authentication and encryption in satellite-based air traffic control protocols like ADS-C. By using low-cost software-defined radios, attackers can eavesdrop on global flight telemetry and inject arbitrary, malicious flight data into ground station systems. This research proves that critical aviation infrastructure is vulnerable to trivial denial-of-service and position spoofing attacks that bypass existing security assumptions.
Aviation security has long relied on the assumption that the physical complexity of satellite communications provides a natural barrier to entry. That assumption is dead. Martin Strohmeier’s recent research at DEF CON 2024 demonstrates that the protocols governing satellite-based air traffic control, specifically Automatic Dependent Surveillance-Contract (ADS-C), are fundamentally broken from a security perspective. These systems lack basic cryptographic primitives, meaning they have no mechanism to verify the identity of the sender or the integrity of the data being transmitted.
The Mechanics of the Vulnerability
The core issue is that ADS-C, much like its terrestrial counterpart ADS-B, operates on the principle of trust. Aircraft transmit telemetry data—including position, altitude, speed, and navigational intent—to ground stations via satellite links. Because these protocols were designed for reliability and availability rather than security, they do not implement authentication.
An attacker does not need to compromise a satellite to exploit this. They only need to be within the footprint of the satellite beam to receive the downlink or have enough transmission power to reach the satellite for an uplink. The research shows that a standard RTL-SDR setup is sufficient to eavesdrop on thousands of aircraft simultaneously. Once the attacker understands the protocol structure, they can move from passive observation to active signal injection.
Building the Transmitter
The barrier to entry for an active attack is surprisingly low. By utilizing JAERO, a popular tool for demodulating and decoding ACARS and ADS-C signals, researchers were able to capture and analyze the message structure. The attack flow involves crafting a valid ADS-C message that mimics the format expected by the Air Traffic Service Unit (ATSU).
Because the protocol lacks a handshake that verifies the physical location of the transmitter, the ground station accepts the injected data as legitimate. The following conceptual flow illustrates how an attacker can disrupt the connection:
# Conceptual packet injection flow for ADS-C
# 1. Capture legitimate downlink to identify active aircraft/ATSU session
# 2. Craft malicious ADS-C report with spoofed position
# 3. Modulate using A-BPSK to match the satellite link frequency
# 4. Transmit via high-gain antenna towards the target satellite
The demo shown during the talk confirmed that an attacker can inject arbitrary flight data, such as false emergency status flags or spoofed coordinates, which are then processed by the ground station’s flight management systems. This effectively negates the safety benefits of the system by introducing false information into the air traffic controller's view.
Real-World Implications for Researchers
For those of us performing penetration tests or security research, this highlights a massive blind spot in critical infrastructure. If you are assessing an environment that integrates with aviation telemetry, you cannot assume the data source is authenticated. The impact of an exploit here is not just data leakage; it is the potential for large-scale denial-of-service or the manipulation of situational awareness for air traffic controllers.
During an engagement, you should look for dependencies on these unauthenticated protocols. If an application or dashboard relies on ADS-C data to make operational decisions, it is vulnerable to the same injection techniques demonstrated here. The cost to replicate this attack is minimal, often requiring less than a few thousand dollars in hardware, including a high-gain dish and a software-defined radio.
The Defensive Reality
Defending against this is difficult because the protocols themselves are the problem. There is no "patch" for a protocol that lacks authentication at the architectural level. While ground stations can implement anomaly detection to flag impossible flight paths or sudden, illogical changes in telemetry, this is a reactive measure. True security requires a transition to encrypted and authenticated communication channels, which is a massive undertaking for global aviation infrastructure.
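The plausibility check described above, as an added example (not code from the talk or from any ground-station product): each report is compared with the last accepted report for the same flight, and reports implying an impossible ground speed, an impossible vertical rate, or a non-advancing timestamp are flagged. The `Report` fields, the thresholds and the sample track are constructed assumptions, not the ADS-C message format.

```python
import math
from dataclasses import dataclass

MAX_GROUND_SPEED_KT = 700.0     # assumed limits for illustration;
MAX_VERTICAL_RATE_FPM = 6000.0  # tune per airspace and aircraft type
EARTH_RADIUS_NM = 3440.065

@dataclass
class Report:  # hypothetical decoded report, not the ADS-C wire format
    flight_id: str
    t: float       # seconds
    lat: float     # degrees
    lon: float     # degrees
    alt_ft: float

def great_circle_nm(a, b):
    """Haversine distance between two reports in nautical miles."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def flag_implausible(reports):
    """Return [(index, reasons)] for reports (arrival order) that contradict the last accepted one."""
    last, flagged = {}, []
    for i, r in enumerate(reports):
        prev, reasons = last.get(r.flight_id), []
        if prev is not None:
            dt = r.t - prev.t
            if dt <= 0:
                reasons.append("timestamp")  # stale or repeated report
            else:
                if great_circle_nm(prev, r) / (dt / 3600) > MAX_GROUND_SPEED_KT:
                    reasons.append("speed")
                if abs(r.alt_ft - prev.alt_ft) / (dt / 60) > MAX_VERTICAL_RATE_FPM:
                    reasons.append("vertical-rate")
        if reasons:
            flagged.append((i, reasons))  # baseline stays at the last accepted report
        else:
            last[r.flight_id] = r
    return flagged

SAMPLE = [  # constructed track; flight id and values are made up
    Report("TEST123", 0, 50.0, -32.0, 36000),
    Report("TEST123", 600, 40.0, -32.0, 36000),    # 600 nm jump in 10 min
    Report("TEST123", 1200, 50.0, -36.0, 36000),
    Report("TEST123", 1260, 50.0, -36.2, 20000),   # 16000 ft drop in 1 min
    Report("TEST123", 1200, 50.0, -36.0, 36000),   # timestamp does not advance
]
```

Flagged reports never replace the baseline, so a single injected outlier cannot drag the track with it. The check stays reactive: it cannot tell which of two individually plausible tracks is the genuine one.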
Until that transition happens, the reality is that the sky is not as secure as the industry claims. The research serves as a stark reminder that when we prioritize efficiency and global coverage over security, we create vulnerabilities that are trivial to exploit. If you are interested in the technical specifics of how these signals are manipulated, the full paper from the SpaceSec workshop provides the necessary depth on the signal processing side. Stop assuming that the complexity of the medium is a substitute for actual security controls. Start testing the data integrity of the systems you rely on, because someone else already has.