Lesson 19 — ADS-B Spoofing and the Man-in-the-Middle Attack#
ADS-B broadcasts every aircraft’s position in the clear, with no encryption or authentication, which means anyone in the data path can hide real planes, invent fake ones, and the controller’s screen has no way to tell.
Learning Outcomes
By the end of this lesson, you should be able to:
Explain how ADS-B works, including the frequency, data content, and broadcast model used.
Identify the specific properties of ADS-B that make it vulnerable to spoofing and suppression.
Describe a man-in-the-middle (MITM) attack and map its three roles (ground truth, attacker, and receiver) to the live demo.
Use the demo to suppress real aircraft and inject synthetic tracks, observing that the controller’s screen shows no indication of tampering.
Analyze the ADS-B vulnerability using the CIA Triad, identifying which property is violated by each attack type.
Describe at least two technical defenses against ADS-B spoofing and explain their trade-offs.
What Is ADS-B?#
Automatic Dependent Surveillance-Broadcast (ADS-B) is the primary technology used worldwide to track aircraft in flight. Every commercial airliner, most general aviation aircraft, and many military platforms equipped with a Mode S transponder broadcast their own position continuously, without radar interrogation.
Where the Data Comes From#
ADS-B is called dependent surveillance because the aircraft does not get detected from the outside; it reports itself. On board, a GPS receiver computes the aircraft’s position, speed, and heading. That data is then formatted into a Mode S message and broadcast via radio:
Fig. 1. ADS-B broadcast flow: one transmitter, any number of receivers — including adversaries.
The broadcast contains:
ICAO 24-bit hex address (unique aircraft identifier)
Latitude and longitude
Altitude (barometric and/or GPS)
Ground speed and track angle (heading)
Vertical rate (climbing/descending)
Callsign / flight number
The Frequency and Range#
ADS-B Out transmits on 1090 MHz, a frequency in the L-band chosen for relatively long range with modest antenna size. A typical airborne ADS-B transmitter reaches ground stations and other aircraft at ranges up to 250 nautical miles at cruise altitude. At low altitude, terrain masking reduces range significantly.
ADS-B Key Facts
Property |
Value |
|---|---|
Frequency |
1090 MHz (L-band) |
Modulation |
Pulse Position Modulation (PPM) |
Message length |
112 bits (long squitter) |
Update rate |
≈ 2 messages/second (position), ≈ 1/sec (velocity) |
Encryption |
None |
Authentication |
None |
Range (airborne) |
Up to ~250 nm |
Why ADS-B Replaced Radar (Mostly)#
Traditional secondary surveillance radar (SSR) interrogates aircraft: it sends a signal, the transponder replies, and the radar measures round-trip time to find range. ADS-B flips this model: the aircraft broadcasts continuously, and passive ground receivers simply listen. This eliminates the rotating antenna and the associated cost, complexity, and angular resolution limitations.
The trade-off: when the aircraft is responsible for reporting its own position, the system trusts what the aircraft says. SSR at least required the signal to physically bounce from a real aircraft. ADS-B requires only that a 1090 MHz message be formatted correctly.
The Security Problem#
Broadcast in the Clear#
ADS-B was designed in the 1990s with one overriding goal: improve situational awareness in congested airspace. Security was not a primary design requirement. The protocol is:
Unauthenticated: Any transmitter can claim any ICAO address and any position.
Unencrypted: Every receiver in range receives every message without restriction.
Passive: The receiving infrastructure never validates that the transmitting aircraft exists.
This means that the controller’s screen displays exactly what the 1090 MHz environment contains, which is not necessarily what the real sky contains. The two can diverge without generating any alert.
The Threat Model#
There are two broad attack categories:
Suppression (hiding real aircraft) An adversary intercepts the legitimate ADS-B feed before it reaches the display system and removes selected messages. To the controller, those aircraft simply disappear, as if they descended below radar coverage or turned off their transponders.
Injection (inserting fake aircraft) An adversary transmits well-formed Mode S messages with fabricated ICAO addresses and positions. The display system processes them identically to real aircraft. A swarm of fake tracks is indistinguishable from a real formation.
Both attacks exploit the same root cause: the protocol trusts data without verifying its origin.
The Man-in-the-Middle Attack#
Three-Party Model#
A man-in-the-middle (MITM) attack is one in which an attacker positions themselves between a legitimate data source and a legitimate receiver, intercepting and optionally modifying data in transit.
Fig. 2. The MITM model: the attacker intercepts the 1090 MHz feed, alters it, and passes the result to the controller’s screen. No warning is generated.
The controller’s screen receives data from the feed. If the attacker controls the feed, the controller sees whatever the attacker allows, with no indication that any modification has occurred.
How the Demo Models This#
The live demo implements exactly this three-party model with real data:
Panel |
Role |
Data Source |
|---|---|---|
Ground Truth (blue, top-left) |
The real sky |
Live ADS-B from airplanes.live, refreshed every 5 seconds |
Attacker’s Tap (red, center) |
The intercepted feed |
Same live data, with your modifications applied |
Controller’s Screen (green, bottom-left) |
What ATC trusts |
The modified feed (attacker’s tap, minus the flagging) |
Real aircraft appear red on the Attacker’s Tap and green on the Controller’s Screen. Aircraft you suppress turn orange on the Attacker’s Tap (you can still see what you removed) and disappear entirely from the Controller’s Screen. Injected fakes appear orange on the Attacker’s Tap and green on the Controller’s Screen, indistinguishable from real traffic.
Under the Hood: Demo Architecture vs. Real Attack#
The diagram below compares what is actually happening inside the demo to how a real MITM attack on ADS-B would be physically wired. The key observation is that the demo compresses multiple real-world steps into a single JavaScript function call, and it adds two panels (Ground Truth, Attacker’s Tap) that have no counterpart in an actual attack.
Fig. 3. Demo architecture (left) versus the real MITM attack it models (right). Dashed connectors link equivalent components. The Ground Truth and Attacker’s Tap panels are teaching aids that exist only in the demo; a real attacker has no visibility window and a real controller sees no indication of tampering.
Two simplifications the demo makes relative to a real attack:
The demo fetches from
airplanes.live, which has already decoded the 1090 MHz RF. A real attack requires a software-defined radio receiver and ADS-B decoder sitting on the physical data path.The demo applies suppression and injection inside a single
render()call that executes in your browser. A real MITM proxy sits on the network between the ADS-B decoder and the display system, intercepting and rewriting the data stream before it reaches the controller.
Only the Controller’s Screen panel corresponds to something that exists in the real world: the ATC display system that the controller trusts.
Demo Walkthrough#
Open the ADS-B Spoofing Demo and work through the following steps in order. The goal is to build intuition for each attack type before considering defenses.
Step 1: Orient Yourself#
When the demo loads, the live feed polls airplanes.live for all aircraft within 90 nautical miles of the Colorado Springs / USAFA area. Allow 5–10 seconds for aircraft to appear.
Look at the status bar at the bottom: it shows Real aircraft, Shown to controller, Hidden by you, and Fakes injected. Initially, all counts should match; no tampering is active.
Observe that the Ground Truth map (top-left) and Controller’s Screen (bottom-left) show identical traffic. They are synchronized and will stay locked together as you pan and zoom.
Step 2: Suppress a Single Aircraft#
Click on any aircraft on the Attacker’s Tap map (center panel). A popup card appears showing ICAO hex address, callsign, altitude, speed, and heading.
Click “✖ Suppress this aircraft”.
Watch the status bar: Hidden by you increments; Shown to controller decrements.
Compare the Ground Truth map and the Controller’s Screen. The suppressed aircraft is amber on Ground Truth (reveal-mode flag) and gone from the Controller’s Screen.
To restore: click the aircraft on the Attacker’s Tap (it still appears in orange there) and click “↩ Restore this aircraft”.
Step 3: Blank a Sector#
The Blank Sectors panel suppresses every aircraft inside a circle you define, simulating a zone denial attack.
Click “📍 Click attacker map to set center”, then click a location on the center map.
Set a radius (12 km is the default).
Add a label and click “Add zone”.
Watch an entire area go dark on the Controller’s Screen while remaining visible on Ground Truth.
Note that the attacker still sees the real traffic (orange aircraft), but the controller sees nothing.
The protection sector tool (lower half of the Blank Sectors panel) does the same thing using a 10° wedge radiating from USAFA, modeling a geometry-based suppression keyed to a known ground site.
Step 4: Inject a Swarm#
The Inject Swarm panel creates synthetic tracks that exist only in the feed.
Select Orbit mode.
Click “📍 Click attacker map to set center” and place an orbit center over open airspace.
Set radius = 6 km, count = 8, speed = 300 kt, altitude = 20,000 ft.
Click “Inject swarm”.
Eight fake aircraft appear on both the Attacker’s Tap and the Controller’s Screen, orbiting the center point. The controller cannot distinguish them from real traffic.
Try Line mode to fly a fake formation from one point to another. Enable Loop to keep them cycling indefinitely.
Step 5: Deploy the Deception Package#
The Deception Package runs a coordinated two-part attack with one click:
It blanks all real traffic near USAFA with an 18 km suppression zone.
It simultaneously injects 8 fake aircraft flying inbound from the northwest at 600 kt / 45,000 ft.
On the Controller’s Screen: the real local traffic has vanished and a fast-moving 8-ship formation is inbound. The Ground Truth map shows the opposite. The real aircraft are still there; the fake formation does not exist.
This is the point of the demo. The controller has no ground truth to compare against. The screen looks authoritative.
Step 6: Reveal the Tampering#
Toggle “Reveal the tampering” (bottom bar). Hidden real aircraft turn amber on the Controller’s Screen, making the distortion visible. This toggle would not exist in a real attack; it is a teaching aid.
CIA Triad Analysis#
The CIA Triad (Confidentiality, Integrity, Availability) provides a structured framework for analyzing cyber attacks. All three properties are relevant to ADS-B.
Confidentiality#
Only authorized parties may access information.
ADS-B has no confidentiality. Every message is broadcast in the clear to any receiver in range. An adversary with a $20 SDR dongle and a laptop can capture every aircraft position in the region.
In some contexts this is intentional, since wide-area situational awareness depends on open reception. But it means an attacker can perform passive reconnaissance of airspace patterns, route preferences, and aircraft schedules without ever transmitting a single bit.
Violated by: passive monitoring of ADS-B traffic; traffic analysis.
Integrity#
Data has not been modified without authorization.
This is the primary vulnerability demonstrated in this lesson. An attacker who controls the feed can modify or fabricate track data without detection. The controller’s display has no mechanism to distinguish:
A real aircraft at position X from a fake message claiming an aircraft is at position X.
A legitimate suppression (aircraft turned off transponder) from a malicious suppression (attacker removed the message).
Integrity Is the Core ADS-B Vulnerability
The CIA property most severely violated by ADS-B spoofing is Integrity. The display system processes injected data identically to authentic data, and there is no cryptographic mechanism to detect the difference.
Note from Lesson 36: an integrity attack is more dangerous than an availability attack because it is silent. A system that goes offline is obviously broken. A system reporting false data looks normal while causing decisions to be made against a fabricated reality.
Availability#
Data is accessible to the right person at the right time.
Suppression attacks also affect availability: the controller can no longer access accurate position data for the aircraft being hidden. However, the more dangerous aspect is that the system continues to appear available, making the attacker’s job easier.
Attack Type |
CIA Property Violated |
Operator Awareness |
|---|---|---|
Passive monitoring |
Confidentiality |
None |
Inject fake aircraft |
Integrity |
None (fakes look real) |
Suppress real aircraft |
Integrity + Availability |
None (looks like normal dropout) |
Blank a sector |
Integrity + Availability |
Possible (large area dropout is anomalous) |
Defenses and Mitigations#
1. ADS-B Authentication (Proposed)#
The most direct fix is to add a digital signature to each ADS-B message. The aircraft would sign messages with a private key; receivers would verify the signature using a public key. Unsigned or incorrectly signed messages would be rejected.
Trade-off: Mode S messages are already packed into 112 bits. Adding a cryptographic signature requires either a larger message format (requiring new hardware globally) or a separate authentication channel. Retrofit costs and standardization timelines are substantial.
2. Multi-Sensor Fusion#
If an ADS-B position is cross-correlated with independent sensor data (primary radar returns, MLAT, or ADS-B from multiple ground stations), injected tracks that have no corresponding return elsewhere can be flagged.
Trade-off: Primary radar coverage is not universal; MLAT requires dense receiver networks. Coverage gaps remain.
3. Behavioral Anomaly Detection#
Aircraft tracks obey physical laws. A message claiming a 100 kt aircraft instantly jumped 50 km violates kinematics. Anomaly detection algorithms flag:
Position jumps inconsistent with reported speed
Sudden appearance/disappearance patterns inconsistent with radar coverage geometry
Tracks that appear without plausible origin or departure point
Trade-off: Sophisticated attackers can inject gradually-moving fakes that respect kinematic constraints (as demonstrated by the orbit and line-formation modes in the demo).
Military and Operational Implications#
ADS-B is not exclusively civilian. Many military transport aircraft use ADS-B Out for airspace integration and traffic separation, particularly in congested civil airspace. The vulnerabilities demonstrated here have direct operational relevance:
Denial of air picture: Suppressing ADS-B tracks in a theater removes aircraft from the common operating picture, degrading coordination without destroying any hardware.
False picture: Injecting fake formations could provoke response actions against non-existent threats, drawing attention and resources away from real activity. This is exactly the logic of the Deception Package in the demo.
Link to IADS (see Lesson 36): ADS-B spoofing is an example of a data integrity attack at the sensor/feed layer of an air defense network. In the IADS kill chain, corrupting the track data entering the C2 node breaks the Correlate step (Step 4) invisibly; the system continues operating against a false air picture without any indication of compromise.
GPS dependency: ADS-B depends on GPS for position. GPS spoofing (a separate but related attack) can feed incorrect coordinates to aircraft transponders, making the aircraft itself report a false position in a legitimate-looking ADS-B message. This combines two vulnerabilities into a single attack vector.
Key Takeaways#
ADS-B broadcasts aircraft position at 1090 MHz with no encryption or authentication. Any receiver can listen; any transmitter can inject.
A MITM attack sits between the data source and the display, modifying data in transit. The controller’s screen is the victim and sees whatever the feed contains.
Suppression hides real aircraft; injection invents fake ones. Both are silent; the display shows no warning.
The core vulnerability is a CIA Integrity failure: the display cannot distinguish authentic data from fabricated data.
Defenses include cryptographic authentication (comprehensive but expensive), multi-sensor fusion, MLAT, and behavioral anomaly detection; each approach has coverage gaps.
The attack model generalizes beyond aviation: any system that trusts broadcast data without authentication is vulnerable to the same class of attack.