Blog: Aviation Cyber Security
DEF CON 28: Introduction to ACARS
This post is a companion to the DEF CON 28 video available here https://www.youtube.com/watch?v=NFS6qNAi0B8
What is ACARS?
ACARS (Aircraft Communications Addressing and Reporting System, pronounced ‘ay-cars’) is an avionics system used for sending text messages between ground and airborne stations.
This is a light touch on the topic, but I’ll cover its history, how it’s transmitted, what it’s used for in current airline operations, how to decode and decipher it, and where the potential security issues with it are.
Really, what ACARS is now is a data link, and this has become very important in keeping up the efficiency and safety of aircraft.
ACARS printout. Source: Wikipedia / Russavia
History of ACARS
At the start of the jet age of commercial passenger airline flying in the 1960s, communication was pretty basic. It was voice only between aircraft and the ground.
Airlines did, and still do, pay their flight crews by “block time”, which is from the moment the doors close and the aircraft taxis out to the moment the doors open again at the arrival gate. I think it’s probably derived from when the ground crew pull the chocks or blocks out from the wheels to allow the aircraft to move.
In the 60s and 70s, crews would radio their off-block times to a human on the ground, who would transcribe that into a Teletype machine and send that on to the airline’s base. Remember that airlines routinely fly into airports where there’s no direct representation of that airline on the ground so some form of remote communication is needed back to HQ.
Looking for “efficiency” (a euphemism for not paying crews any more than they need to), ACARS was developed as a kind of automatic time clock system, sending the details of the out, off, on, and in times by radio.
Because radio is line of sight only, ARINC (who developed the standard) built out a network of ground-based transmitters to send, receive, and relay these messages around, and this whole concept hasn’t changed too much to this day.
Source: Wikipedia / Kierant
ACARS transmission methods
Plain old ACARS (POA) is broadly what it was back in 1978. It uses VHF radio and a network of ground transmitters to send these messages around.
A later evolution is ACARS over Aviation VHF Link Control (AOA), which is a terrible mash of acronyms – IT, meet aerospace! This still uses VHF line of sight radios, but on a different frequency, to give slightly higher bandwidth.
For areas outside of direct ground contact, like over the Atlantic, High Frequency Data Link (HFDL) can also be used, but it’s very slow.
Nowadays we have SATCOM which is increasingly the transmission mode of choice for many airlines and aircraft.
There is some experimentation with using the cellular GSM networks as an ACARS platform too, but it’s only in use with one European carrier to my knowledge.
There are several classes of “node” in the ACARS network – the aircraft themselves, ground stations like the airlines, and air traffic control, as we’ll see later. In order to route a message from an aircraft flying over, for example, Spain back to the airline HQ in the U.K., a datalink service provider (DSP) is paid to pick up, route and deliver these messages.
You have two to choose from: SITA and Rockwell. Rockwell bought ARINC Inc (including the ACARS network) back in 2013 so you might see ARINC/Rockwell used interchangeably.
As we’ve said, plain old ACARS and ACARS over AVLC use VHF radios, so they need direct line of sight (and this includes the Earth being round) to a ground station. Aircraft are often flying pretty high up (35,000 feet or more) so the range of a single transmitter is still quite large, but you can see from SITA’s coverage map that there are lots of gaps over oceans, Africa, and places aircraft tend not to fly much, like the north of Canada.
Running all these transmitters and maintaining the communications links between them is still pretty expensive though.
Satellite coverage is also dependent on where you are in the world, although to a lesser degree. Inmarsat has coverage between plus and minus 80 degrees latitude, although Iridium has more, lower-orbiting satellites so can offer polar coverage too.
There are only 15 HF transmitter stations in the world, but they have long reach and are located for polar and oceanic coverage.
Costs are a bit opaque, but one Asian carrier was paying the equivalent of $1000 per megabyte on their HFDL service. AOA and POA are still not at home broadband prices either!
There is an old adage that for airplanes, you add another zero onto the end of what seems a sensible price :)
Plain old ACARS – POA
Original ACARS uses a signal with each bit encoded as a half-bit sine wave on top of the carrier, which you can see in the waterfall image that most software defined radio tools will generate for you. Minimum shift keying gives you a total of 2.4kbps throughput.
The modem will briefly listen for 50ms to avoid transmitting at the same time as others, then send a starting tone and then the serial data. You can hear this as a fairly distinctive old-school modem noise.
As it’s VHF and line of sight, each geographic region uses a different frequency, and this is per datalink service provider, so ARINC (Rockwell) in Europe uses a different frequency (131.725MHz) to SITA in Europe. The aircraft’s modem will usually switch between them automatically based on its known position.
VHF Data Link mode 2, i.e. AOA, is an enhancement that uses phase shift keying modulation to give a higher throughput of 31.5kbps.
The X.25 routing protocol is used to send packets between data terminals, which sort of matches up to the lowest three layers of the OSI model (although it predates TCP/IP by some considerable time).
Because of the use of X.25, there is a single global frequency of 136.975MHz, although as with POA it’s VHF so still line of sight.
ACARS over SATCOM
Several satellite communications service providers offer ACARS services including Inmarsat and Iridium.
Both have wide coverage, but as Inmarsat uses geostationary satellites there is no reception beyond plus and minus 80 degrees latitude, as we can see in the coverage map.
Iridium uses a larger constellation of lower flying birds to give complete coverage even over polar regions.
There are different bandwidth and frequency options, and services, from each provider, but certain frequencies like L-band are better at penetrating water. Aircraft tend to fly above clouds and weather so this is not usually a problem, but in the tropics humid air can block signals.
It is possible to intercept “ground to air” communications – that is, ground to satellite to aircraft – using a suitable antenna and software, as the signal is transmitted over a wide area. But you will not be able to see aircraft to ground as you’re not in a middle position (unless you’re in space). The data is relayed from the ground stations back into the DSP networks and then on to its destination.
“Classic” aero services are quite bandwidth limited (10kbps), but we’ve probably all been on aircraft with inflight Wi-Fi now, so SATCOM broadband can be quite decent, and it’s this latter capability that is being used in modern e-enabled aircraft to collect huge amounts of live data for analysis and predictive maintenance.
There are also options to transmit ACARS over long-range high frequency (HFDL) transmitters, and this is reserved for oceanic and polar regions. There are only 15 transmitter sites and speeds are very slow, which probably also explains the costs.
There is an early test of using cellular networks to provide ACARS services in Europe, and this re-uses a piece of equipment found on many aircraft already: a wireless quick access recorder or wireless digital flight data acquisition unit. These devices capture lots of data in flight and then relay it back to the airline over a 3G network once the aircraft is on the ground.
Aircraft will often maintain multiple communications links, and on a transatlantic flight an aircraft may actually have and use all three options at various stages of the flight.
A communications management unit (CMU) is used to route ACARS traffic between the various avionics systems and these physical links. An airline can also set cost preferences depending on how much they pay for the various services.
This CMU has access to lots of important avionics, including the display unit that pilots interact with, the flight management computer (both for reporting location and for setting height or heading, as we’ll see later), and lots of maintenance data. Believe it or not, there are also genuine printers in the flight deck too!
Quick look at SELCAL
Aircraft are assigned a four-letter code, which is converted into audio tones, and it alerts the crew to listen to the radio.
During trans-Atlantic or polar flights where radio communication is infrequent, and to avoid crews having to monitor radios for an extended time, SELCAL was introduced so that the air traffic controller can trigger an alert light or sound in the cockpit, and the crew then jump on the radio to listen for the actual message.
Each aircraft is assigned a four-letter code; the first pair of letters is sent as tones, then the second, which is a bit like DTMF dialling tones. As you can see there aren’t that many possible combinations, so there is reuse, and it’s important that crews verify the transmission was really meant for them.
Now, when there is an ACARS message, the crew will hear a chime and see “datalink message” on their displays, which they can then read.
Future Air Nav System (FANS)
ACARS is, at its core, simply a text message service between two parties. This concept is now being used in air traffic control: rather than a controller using voice radio to instruct pilots on what to do, the instruction is sent via ACARS message.
This has the benefits of efficiency, which means more aircraft can be accommodated in a given space, but also safety, in that there is no confusion in hearing what altitude to fly to, or what heading, etc.
Both Boeing and Airbus developed their own standards, but these were merged to give rise to FANS 1/A as we have today. A FANS installation on an aircraft requires certification and has minimum latency requirements – messages will be rejected after 30 seconds.
FANS is composed of two important services which are both sent over ACARS (and this could be VHF or SATCOM) – controller pilot data link communication (CPDLC) and automatic dependent surveillance – contract (ADS-C).
Controller Pilot Data Link Communications (CPDLC)
Air traffic control can send pilots instructions to climb to a particular altitude or steer a heading.
Before this can happen, pilots log on to a specific controller, which then shows that the data link is ready.
Every instruction sent by ATC requires a POSITIVE confirmation by the pilot – you cannot simply send a message and remote control the plane!
Different regions still have different levels of CPDLC adoption: Europe has en-route services, whereas parts of the USA only have pre-departure clearances. If you’ve ever had to note down and read back a complicated departure clearance you’ll realise how useful this is, not only in time saving but in making sure it’s correct.
You might be familiar with ADS-B, which is the position notification signal sent out on 1090 MHz containing GPS position and altitude, and is picked up by services like Flightradar24 and ADSBExchange. These are periodically sent out by the aircraft when it’s illuminated by primary radar.
[2020-06-22 07:47:12 EDT] [136.975] [-0.7/-22.9 dBFS] [22.2 dB] [-2.7 ppm]
4076E3 (Aircraft, Airborne) -> 230457 (Ground station): Command
ATN checksum: 3b ec a4 7e
ADS-C v2 Report:
Event Report:
Reported event: epp-flight-plan-change
Report data:
Position:
Lat: 51 02' 27.4" north
Lon: 000 45' 10.4" west
Alt: 10880 ft
Timestamp: 2020-06-22 11:47:10
But for FANS we need a bit more granularity and information, so ADS-C is used.
ATC can request that an aircraft report its position or time when passing a certain altitude or a given waypoint. ADS-C will also show what waypoints the aircraft is currently programmed to fly to, so controllers can sequence traffic for arrivals into busy airports more efficiently.
ACARS message format
OK, so we know what ACARS is used for in broad terms, let’s take a closer look at how the messages are formatted.
In plain old ACARS all messages are broadcast to all devices (that are in range of the same transmitter, at least), so there is a header that lists the destination aircraft registration. The receiver on an aircraft will discard any messages that are not addressed to it.
In the header there is a two-character label field, which indicates the type of data the whole message contains. There’s no specific standard, but there are some common ones, like C1 which is a message for an onboard printer, and indeed some airlines will use different labels to indicate the same data.
The bulk of the transmission is taken up by the message text itself, up to a maximum of 220 characters.
The character set is basic ASCII alphanumerics and some special characters only.
These could just be standard free text type messages, or they could be engineering and maintenance data.
Sequential messages are sent with an incrementing message number in the header, C01, C02 for example.
ACARS mode: 2 Aircraft reg: .G- Message label: MA Block id: 9 Msg. no: U10A Flight id: VS
ACARS mode: 2 Aircraft reg: .G- Message label: MA Block id: 0 Msg. no: U10B Flight id: VS
ACARS mode: 2 Aircraft reg: .G- Message label: MA Block id: 1 Msg. no: U10C Flight id: VS
Because of the 220 character limit, larger messages (like maintenance data) are split across multiple ACARS transmissions, but with a letter suffix to denote their position in the multi-part message, for example U10A, U10B, U10C etc.
The next separate message from this aircraft would then be U11A and so on.
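Putting the header fields and the A/B/C part suffixes together, here is an added Python example (mine, not code from the post or from any decoder) that parses records in the one-line shape quoted above, enforces the 220-character text limit, and reassembles multi-part messages while reporting a part that was never heard. The registration, flight id and message texts in SAMPLE are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One-line record shape as it appears in the decoder printouts quoted in this post.
RECORD = re.compile(
    r"ACARS mode: (?P<mode>\S+) Aircraft reg: (?P<reg>\S+) Message label: (?P<label>\S+) "
    r"Block id: (?P<block_id>\S+) Msg\. no: (?P<msgno>[A-Z]\d{2}[A-Z]) Flight id: (?P<flight>\S+)"
    r"(?: Message content:- (?P<text>.*))?$"
)
MAX_TEXT = 220  # per-transmission text limit given in the post

@dataclass
class Block:
    mode: str
    reg: str
    label: str
    block_id: str
    msgno: str  # e.g. "U10A": message number U10 (msgno[:3]), part A (msgno[3])
    flight: str
    text: str

def parse_record(line: str) -> Block:
    """Parse one record; reject anything that does not fit the shape or the text limit."""
    m = RECORD.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised ACARS record: {line!r}")
    f = m.groupdict()
    text = f["text"] or ""
    if len(text) > MAX_TEXT:
        raise ValueError(f"{f['msgno']}: text is {len(text)} chars, limit is {MAX_TEXT}")
    return Block(f["mode"], f["reg"], f["label"], f["block_id"], f["msgno"], f["flight"], text)

def reassemble(blocks: List[Block]) -> Dict[str, dict]:
    """Group parts by registration and message number and join A, B, C... in order.
    A gap (a part never received) is reported rather than silently joined around."""
    groups: Dict[str, Dict[str, Block]] = {}
    for b in blocks:
        groups.setdefault(f"{b.reg}/{b.msgno[:3]}", {})[b.msgno[3]] = b
    result = {}
    for key, parts in groups.items():
        expected = [chr(c) for c in range(ord("A"), ord(max(parts)) + 1)]
        missing = [p for p in expected if p not in parts]
        result[key] = {
            "label": next(iter(parts.values())).label,
            "missing": missing,
            "complete": not missing,
            "text": None if missing else "".join(parts[p].text for p in expected),
        }
    return result

# Constructed sample records modelled on the U10A/U10B/U10C sequence shown above.
SAMPLE = [
    "ACARS mode: 2 Aircraft reg: .G-TEST Message label: MA Block id: 9 Msg. no: U10A Flight id: VS0001 Message content:- ENGINE REPORT PART ONE/",
    "ACARS mode: 2 Aircraft reg: .G-TEST Message label: MA Block id: 0 Msg. no: U10B Flight id: VS0001 Message content:- PART TWO/",
    "ACARS mode: 2 Aircraft reg: .G-TEST Message label: MA Block id: 1 Msg. no: U10C Flight id: VS0001 Message content:- PART THREE",
    "ACARS mode: 2 Aircraft reg: .G-TEST Message label: 10 Block id: 2 Msg. no: U11A Flight id: VS0001 Message content:- FTX01 FREE TEXT",
    "ACARS mode: 2 Aircraft reg: .G-TEST Message label: MA Block id: 3 Msg. no: U12A Flight id: VS0001 Message content:- FIRST OF THREE/",
    "ACARS mode: 2 Aircraft reg: .G-TEST Message label: MA Block id: 5 Msg. no: U12C Flight id: VS0001 Message content:- THIRD, PART B NOT HEARD",
]

if __name__ == "__main__":
    for key, msg in reassemble([parse_record(line) for line in SAMPLE]).items():
        print(key, msg["label"], "complete" if msg["complete"] else f"missing {msg['missing']}", msg["text"])
```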
The last part of the message is a simple checksum; this is either ATN-32, which is a modified form of Fletcher’s checksum, or a CRC.
XXXXX (Aircraft, Airborne) -> YYYYY (Ground station): Command
AVLC type: I sseq: 0 rseq: 1 poll: 0
X.25 Data: grp: 11 chan: 255 sseq: 1 rseq: 3 more: 0
Reasm status: skipped
X.233 CLNP Data (compressed header):
LRef: 0x0 Prio: 11 Lifetime: 100 Flags: 0xc0
PDU Id: 30
X.224 COTP Data:
sseq: 0 req_of_ack: 0 EoT: 1
Checksum: 64 8f
CPDLC Downlink Message:
Msg ID: 0
Timestamp: 2020-06-19 12:31:20
Logical ACK: required
CURRENT DATA AUTHORITY
The CDU on an aircraft will discard any message without a valid checksum and ask for a re-transmit if possible.
The checksum is designed to protect against distortion of the message in transit only (we are talking about radio data links here, often over long distances).
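To make the “distortion only” point concrete, here is an added Python example (not from the post) that contrasts a CRC block check with a keyed HMAC tag over the same text: the CRC catches a flipped bit but cannot tell an edited, re-summed message from a genuine one, while the HMAC rejects both without the key. The CRC-16/CCITT parameters, sample text and key are assumptions for illustration rather than the exact ACARS checksum.

```python
import hmac
import hashlib

CRC_POLY = 0x1021  # CRC-16/CCITT polynomial, assumed here for illustration

def crc16(data: bytes) -> int:
    """Bitwise CRC-16/CCITT-FALSE (init 0xFFFF, no reflection). It catches random bit
    errors on the link, but it carries no secret, so it says nothing about who sent the frame."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def frame_with_crc(text: bytes) -> bytes:
    return text + crc16(text).to_bytes(2, "big")

def crc_ok(frame: bytes) -> bool:
    return crc16(frame[:-2]) == int.from_bytes(frame[-2:], "big")

def frame_with_mac(text: bytes, key: bytes) -> bytes:
    """Same text, but with a keyed tag: only holders of the key can produce a valid one."""
    return text + hmac.new(key, text, hashlib.sha256).digest()

def mac_ok(frame: bytes, key: bytes) -> bool:
    expected = hmac.new(key, frame[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[-32:])

def flip_bit(frame: bytes, bit: int) -> bytes:
    """Simulate link noise: flip one bit of the frame."""
    buf = bytearray(frame)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)

def demo() -> dict:
    text = b"FTX01.FIC CONSTRUCTED SAMPLE TEXT"  # constructed, not a real message
    key = b"constructed-demo-key"               # constructed, for the HMAC variant only
    noisy = flip_bit(frame_with_crc(text), 5)
    return {
        "crc_accepts_clean": crc_ok(frame_with_crc(text)),
        "crc_rejects_noise": not crc_ok(noisy),
        # a different text with its own checksum looks exactly as valid as the original
        "crc_accepts_resummed_edit": crc_ok(frame_with_crc(b"FTX01.FIC ALTERED TEXT")),
        "mac_accepts_clean": mac_ok(frame_with_mac(text, key), key),
        "mac_rejects_noise": not mac_ok(flip_bit(frame_with_mac(text, key), 5), key),
        "mac_rejects_unkeyed_edit": not mac_ok(frame_with_mac(b"FTX01.FIC ALTERED TEXT", b"wrong"), key),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```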
You’ll probably have noticed by now that all the examples of messages I’ve shown are actually human readable, and that’s because there’s no encryption of the data in standard ACARS at all.
Some aircraft do send encrypted messages, and these are marked by label type 44. There is a fantastic paper called Economy Class Crypto from the Oxford aviation security group that was able to decipher these messages through a combination of brute force and other inputs, such as knowing where an aircraft is.
ACARS mode: X Aircraft reg: ..DAxxx Message label: 44 Block id: 7 Msg. no: M20A Flight id: GSxxxx Message content:- 09GHj46c+B4BBBo444h86chhhcGe-Wc-W|Pc4,8sc8,Nhc8s8sc44B5N
What they were able to show is that there is a static cipher key in use across all these terminals, so it’s break once, decode everywhere. Fortunately it seems that this data is mostly engineering-type data rather than anything sensitive, but operators of this equipment should be aware that their messages are not private.
As ACARS offers arbitrary text messaging, and is often made available through cabin crew terminals, it’s common to see company-type data like our second message here. Fortunately this particular operator seems to be aware of the limits of ACARS’ privacy and hasn’t used names here, just seat numbers, but not everyone is this careful.
ACARS mode: X Aircraft reg: .G-EUxx Message label: 10 Block id: 2 Msg. no: M56A Flight id: xxxx Message content:- FTX01.FIC HI FROM DLYD xxx PAX IN 8D/F HAVE BEEN REBOOKED ON xxx/T. THEY WOULD RATHER/REQUIR ANY FLIGHT TO SCOTLAND TODAY BEST xxx
Software design levels
Software and hardware are written to design assurance levels. This is, I suppose, the code quality and testing that goes into a particular component depending on the risks it poses to the aircraft. These hazard levels are documented in DO-178C.
Although we’ve seen that ACARS is important for efficiency, both in air traffic and maintenance, it doesn’t directly impact keeping an aircraft safe and airborne. This means that generally ACARS components are written to levels C or D of assurance.
ACARS in operation – pre-flight
Let’s step through where ACARS is used in different phases of flight.
Airlines will provide routes to the pilots to help them in choosing a fuel-efficient routing, or in avoiding forecast weather, turbulence and icing. The airline itself, back at HQ, will often calculate the aircraft takeoff performance – the speeds like V1 and VR – based on the number of passengers, bags and cargo loaded, and then send this directly to the aircraft for review and acceptance. Pilots will usually do their own numbers too as a cross reference.
As we mentioned briefly, air traffic control can provide departure clearances via ACARS, which will be added to the flight management computer once checked by the pilots. The aircraft then flies a particular set of waypoints, heights and speeds after takeoff to minimise noise and improve the efficiency of airspace.
The aircraft itself has a large number of sensors attached to things like doors, cargo hatches, door wells, and weight-on-wheels switches so it can work out what state it’s in. This is then used to send our out, off, on, and in data back to the airline.
ACARS in operation – cruise
The aircraft will continually be sending quite a lot of data back to the airline’s maintenance teams (and often the aircraft or engine manufacturer too) so that they can try to predict any maintenance needed.
The aircraft will also immediately report things like a tail strike or hard landing so the aircraft can be properly inspected at the next landing.
During cruise, air traffic control will be using ACARS and CPDLC to ask the pilots to change course, routing or headings as they need to keep everything safe and efficient.
CPDLC uses AOA, so uses X.25 routing. The source and destination addresses are 24-bit ICAO Mode-S identifiers, which are unique per aircraft and are the same as the ones you can see in ADS-B transmissions, like on Flightradar24.
Ground stations also have an identifier, and in this message, although I’ve redacted the aircraft, 29D1D7 maps to London Stansted airport.
4CAxxx (Aircraft, Airborne) -> 29D1D7 (Ground station): Command
AVLC type: I sseq: 5 rseq: 6 poll: 0
X.25 Data: grp: 11 chan: 254 sseq: 3 rseq: 4 more: 0
Reasm status: skipped
X.233 CLNP Data (compressed header):
LRef: 0x0 Prio: 11 Lifetime: 100 Flags: 0xc0
PDU Id: 661
X.224 COTP Data:
dst_ref: 0xce93 sseq: 2 req_of_ack: 0 EoT: 1
Checksum: 93 87
CPDLC Downlink Message:
Header:
Msg ID: 2
Msg Ref: 4
Timestamp: 2020-06-24 11:40:31
Logical ACK: required
Message data:
WILCO
In this case this is an acknowledgement from the aircraft to Stansted saying “WILCO”, which is short for “will comply” or “I will do this” (this is different to a simple acknowledgement, where there is no expectation that they need to do anything).
ACARS in operation – landing
Just prior to landing the aircraft will obtain the ATIS data – automatic terminal information service – which gives details on the runway in use, temperature, surface wind and so on. Traditionally this has been an audio broadcast but by using ACARS this data can be obtained earlier and help the crew prepare.
CPDLC is not used when immediate responses might be needed (remember it has a maximum of 30 seconds latency), so it will be ended with the arrivals and airport controllers taking over via VHF voice.
The airline will also use position info to help prepare the gate and ground crew to turn the aircraft round as quickly as possible, obtain any maintenance reports so that they can change parts out, and then be informed once the aircraft is on stand, for payroll.
For plain old ACARS, although we have a larger number of frequencies and two service providers, the frequencies are quite close together, so we can use a software defined radio like the HackRF, RTL-SDR, or even a digital TV tuner to receive them all in one go.
For aerials, it is VHF so you will need line of sight to a ground station, but you will see lots of aircraft if they fly over you. A telescopic one will do just fine and works OK just placed in my office window.
For AOA you’ll need dumpvdl2 by Tomasz Lemiech. This doesn’t have direct HackRF support but you can use it through SoapySDR.
You’ll need two SDR devices to receive and decode POA and AOA at the same time of course.
There is always a human in the loop; you cannot just send messages and control aircraft, and there are many other mitigations too, like TCAS and ATC, to ensure safe separation between aircraft.
It’s important to note that these are not vulnerabilities on the part of Rockwell, ARINC or SITA per se; it’s just that these protocols were designed a long time ago to pay pilots but have come to be used for something quite different! There is a working group looking to replace ACARS with IP, but it does seem like we’re quite a way off that just yet.