Kuboid
Open Luck·Kuboid.in

Protecting the Skies: Detecting ADS-B Spoofing with Fly Catcher

DEFCONConference · 1,455 views · 20:01 · over 1 year ago

This talk demonstrates the development of 'Fly Catcher,' a low-cost, Raspberry Pi-based system designed to detect ADS-B spoofing attacks. The system monitors the 1090 MHz frequency and utilizes a convolutional neural network (CNN) to classify and identify malicious aircraft signals. The research highlights the inherent lack of authentication and encryption in the ADS-B protocol, which makes it vulnerable to jamming, replay, and message injection attacks. The presenter provides a practical guide for building the detection device and training the machine learning model using historical and custom-generated ADS-B data.

Why Your Next Drone or Aircraft Security Audit Needs an ADS-B Sniffer

TLDR: Automatic Dependent Surveillance-Broadcast (ADS-B) is a critical aviation protocol that lacks basic authentication and encryption, allowing attackers to inject fake aircraft data into the 1090 MHz frequency. This research demonstrates how to build a low-cost, Raspberry Pi-based detector that uses a convolutional neural network to distinguish between legitimate and spoofed signals. Pentesters and researchers should treat ADS-B as an untrusted data source and implement signal-level verification to prevent ghost aircraft from compromising situational awareness.

Aviation security is often treated as a black box, but the underlying protocols are surprisingly transparent. ADS-B is the primary technology used by pilots and air traffic control to monitor aircraft, yet it operates on the 1090 MHz frequency without any form of cryptographic verification. If you can transmit a signal on that frequency, you can effectively tell the world that a plane exists where it does not. This is not a theoretical vulnerability found in a lab; it is a fundamental design flaw in a system that relies on the assumption that all participants are honest.

The Mechanics of ADS-B Spoofing

The ADS-B protocol is built on the principle of trust. An aircraft receives its position from the Global Navigation Satellite System and broadcasts that data via a transponder. Because there is no handshake or authentication, any ground-based device capable of transmitting on 1090 MHz can inject packets that look identical to those sent by a legitimate aircraft.

Attackers can perform several types of operations here. Jamming is the most primitive, where the frequency is flooded with noise to deny service. However, the more interesting attack vector is spoofing. By crafting custom packets that mimic the Mode S protocol, an attacker can create a "ghost" aircraft. This ghost appears on the displays of other aircraft and ground stations, potentially triggering collision avoidance systems or causing confusion in air traffic management.

Building a Detection System

Detecting these anomalies requires a shift from simple packet parsing to signal analysis. The Fly Catcher project provides a blueprint for a portable, Raspberry Pi-based detection system. The hardware stack is straightforward: a FlightAware Pro Stick Plus SDR, a 1090 MHz antenna, and a Raspberry Pi.

The software side is where the real work happens. By using dump1090, you can decode the raw radio signals into JSON format. Once you have this stream, you can feed it into a machine learning model to classify the signals. The research presented at DEF CON 2024 utilizes a dense neural network built with TensorFlow to perform binary classification: is this signal legitimate, or is it a spoofed injection?

The model looks for inconsistencies in the telemetry. A legitimate aircraft follows predictable flight paths and altitude changes. A spoofed signal often exhibits abrupt jumps in coordinates or impossible altitude variations that deviate from the expected flight envelope.

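# Example of the model architecture used for classification
import tensorflow as tf

# Number of input features per sample. The source does not state it,
# so this value is a placeholder to make the snippet runnable.
feature_count = 8

model = tf.keras.Sequential([
    tf.keras.layers.Dense(64, activation='relu', input_shape=(feature_count,)),
    tf.keras.layers.Dense(64, activation='relu'),
    tf.keras.layers.Dense(1, activation='sigmoid')  # probability that the signal is spoofed
])
model.compile(optimizer='adam', loss='binary_crossentropy', metrics=['accuracy'])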
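
The telemetry inconsistencies described above (abrupt coordinate jumps, impossible altitude changes) can be expressed as numeric features before any model sees them. The following is an added example, not code from the Fly Catcher project: it derives implied ground speed and vertical rate from consecutive position reports and flags tracks outside a flight envelope. It assumes dump1090-fa style aircraft.json field names (now, hex, lat, lon, alt_baro), and both limits are illustrative assumptions.

```python
import json
import math

# Constructed sample: three aircraft.json-style snapshots taken 10 s apart.
SNAPSHOTS = [
    '{"now": 1000.0, "aircraft": ['
    '{"hex": "abc123", "lat": 40.0000, "lon": -75.0, "alt_baro": 30000},'
    '{"hex": "def456", "lat": 41.0000, "lon": -74.0, "alt_baro": 12000}]}',
    '{"now": 1010.0, "aircraft": ['
    '{"hex": "abc123", "lat": 40.0208, "lon": -75.0, "alt_baro": 30000},'
    '{"hex": "def456", "lat": 41.0000, "lon": -74.0, "alt_baro": 12000}]}',
    '{"now": 1020.0, "aircraft": ['
    '{"hex": "abc123", "lat": 40.0416, "lon": -75.0, "alt_baro": 30025},'
    '{"hex": "def456", "lat": 41.5000, "lon": -74.0, "alt_baro": 25000}]}',
]
MAX_KNOTS = 700.0   # assumed ground-speed ceiling, not a value from the talk
MAX_FPM = 10000.0   # assumed climb/descent ceiling, not a value from the talk

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 +
         math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 3440.065 * math.asin(math.sqrt(a))

def kinematic_features(snapshots):
    """Return (hex, implied_knots, implied_fpm) per consecutive position pair."""
    last, rows = {}, []
    for raw in snapshots:
        snap = json.loads(raw)
        for ac in snap["aircraft"]:
            alt = ac.get("alt_baro", ac.get("altitude"))
            if "lat" not in ac or "lon" not in ac or not isinstance(alt, (int, float)):
                continue  # no position yet, or altitude reported as "ground"
            prev = last.get(ac["hex"])
            last[ac["hex"]] = (snap["now"], ac["lat"], ac["lon"], alt)
            if prev and snap["now"] > prev[0]:
                dt = snap["now"] - prev[0]
                knots = haversine_nm(prev[1], prev[2], ac["lat"], ac["lon"]) / dt * 3600
                rows.append((ac["hex"], knots, (alt - prev[3]) / dt * 60))
    return rows

def implausible(rows):
    """ICAO addresses whose implied motion exceeds the assumed envelope."""
    return sorted({h for h, kt, fpm in rows if kt > MAX_KNOTS or abs(fpm) > MAX_FPM})

if __name__ == "__main__":
    for row in kinematic_features(SNAPSHOTS):
        print("%s %8.0f kt %8.0f ft/min" % row)
    print("flagged:", implausible(kinematic_features(SNAPSHOTS)))
```

The same per-pair values can be fed to a classifier as input features instead of being compared against fixed limits.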

Practical Implications for Pentesters

If you are conducting a security assessment on an aviation-related target or an IoT system that integrates with flight data, you must account for the lack of integrity in ADS-B. During an engagement, do not assume that the data appearing on your dashboard is accurate. If you are testing a system that consumes ADS-B feeds, your test plan should include injecting malformed or contradictory data to see how the system handles it.

The impact of a successful exploit is significant. Beyond the obvious safety risks, the ability to manipulate situational awareness can be used to bypass geofencing or to mask the movement of unauthorized assets. When you are looking at OWASP IoT Top 10 risks, consider how the lack of secure communication channels in protocols like ADS-B fits into the broader category of insecure ecosystem interfaces.

Defensive Strategies

Defending against this requires moving beyond the protocol itself. Since you cannot patch the ADS-B protocol to add authentication without replacing the entire global infrastructure, the solution lies in multi-modal verification. Ground stations should correlate ADS-B data with secondary surveillance radar or multilateration (MLAT) to verify that the reported position matches the physical signal origin.

For researchers and developers, the focus should be on signal-level fingerprinting. By analyzing the Received Signal Strength Indicator (RSSI) and other radio frequency characteristics, you can create a unique profile for each transmitter. If a signal suddenly appears with a different RSSI fingerprint than the one previously associated with that specific ICAO aircraft address, it is a strong indicator of a spoofing attempt.
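
One way to implement the per-address RSSI check described above, as an added example that is not part of the original article or the Fly Catcher code: each ICAO address keeps a rolling baseline, and a reading is flagged when it departs from the median by more than a robust threshold. The window size, minimum baseline, dB floor and cut-off are assumptions, and the readings are constructed; a flag marks a change of transmitter or geometry worth correlating with other sources, not proof of spoofing on its own.

```python
from collections import defaultdict, deque
from statistics import median

WINDOW = 8         # assumed: readings kept per aircraft
MIN_BASELINE = 5   # assumed: readings required before judging a new one
FLOOR_DB = 6.0     # assumed: smallest jump worth flagging, in dB
K = 4.0            # assumed: cut-off in robust standard deviations

# Constructed sample of (icao_hex, rssi_dbfs) pairs in arrival order.
READINGS = [
    ("abc123", -24.1), ("def456", -30.2), ("abc123", -23.8), ("def456", -30.0),
    ("abc123", -23.5), ("def456", -29.7), ("abc123", -23.9), ("def456", -29.9),
    ("abc123", -23.2), ("def456", -29.5), ("abc123", -22.8), ("def456", -29.3),
    ("abc123", -6.5), ("def456", -29.0), ("abc123", -22.5),
]

def rssi_anomalies(readings):
    """Return (index, icao, rssi, baseline) for readings far from the baseline."""
    history = defaultdict(lambda: deque(maxlen=WINDOW))
    flagged = []
    for i, (icao, rssi) in enumerate(readings):
        past = history[icao]
        if len(past) >= MIN_BASELINE:
            base = median(past)
            # Median absolute deviation, scaled to approximate a standard deviation.
            mad = median(abs(x - base) for x in past)
            limit = max(FLOOR_DB, K * 1.4826 * mad)
            if abs(rssi - base) > limit:
                flagged.append((i, icao, rssi, base))
                continue  # keep the outlier out of the baseline
        past.append(rssi)
    return flagged

if __name__ == "__main__":
    for idx, icao, rssi, base in rssi_anomalies(READINGS):
        print(f"reading {idx}: {icao} at {rssi} dBFS, baseline {base:.2f} dBFS")
```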

The aviation industry is moving toward more secure alternatives, but the legacy of unauthenticated broadcast protocols will persist for years. As a researcher, your role is to identify where these systems are being integrated into modern, connected environments and to highlight the risks of trusting data that has no origin verification. Start by setting up your own ground station, collecting data, and training your own models to understand the baseline behavior of the aircraft in your area. Once you see the noise, you will start to see the potential for manipulation everywhere.
