ADS-B Security Vulnerabilities & Mitigations

What It Is

ADS-B (Automatic Dependent Surveillance-Broadcast) is the surveillance technology that forms the backbone of modern air traffic management. Every equipped aircraft continuously broadcasts its identity, GPS-derived position, altitude, velocity, and other flight parameters on 1090 MHz. Air traffic control receives these broadcasts to track aircraft. Other aircraft receive them for traffic awareness (ADS-B In). And ground-based receiver networks operated by Flightradar24, FlightAware, and similar services receive them — which is how real-time flight tracking became publicly available.

ADS-B was mandated by the FAA for US airspace from January 2020. EASA requires Mode S transponders with ADS-B Out capability in European airspace. Australia, India, China, and most other major aviation nations have similar mandates in various stages of implementation. ADS-B is now the primary surveillance mechanism for air traffic control in areas without radar coverage, and a major supplement to radar in areas that have it.

The security problem is built into the design. ADS-B broadcasts are unencrypted, unauthenticated, and transmitted in a standardized format that is publicly documented. Any radio receiver tuned to 1090 MHz can decode them. Any transmitter on that frequency can inject messages that are indistinguishable from legitimate aircraft broadcasts. This was a deliberate design choice made in the 1990s to maximize interoperability and minimize cost, at a time when the threat of deliberate exploitation was considered remote.

How It Works

ADS-B Out transmits a 112-bit message (Extended Squitter, ES) twice per second containing the aircraft's ICAO 24-bit address, call sign, position (latitude/longitude from onboard GPS), barometric and geometric altitude, ground speed, heading, and vertical rate. The signal propagates line-of-sight from the aircraft, receivable at distances of 200-400 km depending on altitude and terrain.

ADS-B In is the complementary receiving function. Aircraft with ADS-B In can display nearby traffic on cockpit displays, providing situational awareness similar to TCAS but with position and identification rather than just bearing and range. TIS-B (Traffic Information Service-Broadcast) supplements ADS-B by broadcasting positions of non-ADS-B aircraft (tracked by radar) to ADS-B In equipped aircraft, providing a more complete traffic picture.

Vulnerabilities

Ghost Aircraft Injection

An attacker with an SDR (Software Defined Radio) costing under $30 and open-source software can broadcast ADS-B messages that create phantom aircraft on ATC displays and on the cockpit traffic displays of ADS-B In equipped aircraft. These ghost aircraft appear identical to real traffic — complete with realistic ICAO addresses, call signs, positions, and trajectories. Research has demonstrated this attack repeatedly in laboratory settings, and the theoretical capability to inject ghost aircraft into live ATC systems is well-documented. The implications are severe: false collision avoidance alerts, ATC workload saturation, and potential manipulation of traffic separation.

Position Spoofing

An attacker can broadcast ADS-B messages using a real aircraft's ICAO address but with a false position. ATC systems receiving both the legitimate and spoofed messages may display the aircraft at the wrong location or show conflicting tracks. This can be combined with GPS spoofing to create a consistent false picture — the aircraft's own GPS shows a wrong position, and the ADS-B broadcast (derived from that GPS) confirms it to ATC.

Denial of Service

Flooding the 1090 MHz frequency with high-power transmissions degrades or blocks ADS-B reception for all aircraft and ground stations in the area. Unlike GPS jamming, which requires relatively modest power to overpower the weak satellite signals, ADS-B jamming must overcome the relatively strong signals from nearby aircraft transponders — but against ground stations receiving distant aircraft (200+ km), the power requirement drops significantly.

Eavesdropping and Tracking

Because ADS-B broadcasts are unencrypted and contain persistent aircraft identifiers (ICAO 24-bit address), any receiver can track specific aircraft in real time. This is the technology behind Flightradar24 and similar services — and also the technology that enables adversaries to track military aircraft (when transponders are active), VIP flights, and sensitive movements. Some operators (military, heads of state) selectively disable ADS-B to avoid tracking, which creates its own safety issues in mixed airspace.

Mitigations

Multilateration Cross-Check

Wide-Area Multilateration (WAM) uses networks of ground receivers to independently determine an aircraft's position by measuring the time difference of arrival (TDOA) of its transponder signals at multiple receivers. This position is computed from the physics of radio propagation — not from the ADS-B message content. By comparing the WAM-calculated position against the ADS-B reported position, ground systems can detect message injection (ghost aircraft have no physical signal to multilaterate) and position spoofing (the TDOA position does not match the broadcast position). WAM is deployed at many European airports and en-route sectors.

Machine Learning Anomaly Detection

Research institutions and ANSPs are developing ML-based systems that analyze ADS-B traffic patterns for anomalies. These systems learn normal traffic behavior — flight paths, speed profiles, altitude transitions — and flag messages that deviate from expected patterns. A ghost aircraft that appears instantaneously, moves at physically impossible speeds, or follows no known route triggers an alert. Eurocontrol and the FAA have both funded research programs in this area, with prototype systems in testing.

TIS-B and Radar Backup

Traditional primary and secondary radar systems provide independent surveillance that does not depend on ADS-B. In radar-covered areas, ATC can compare ADS-B tracks against radar returns to verify consistency. TIS-B (Traffic Information Service-Broadcast) rebroadcasts radar-derived traffic information to aircraft, providing a second data source for traffic awareness that is not dependent on ADS-B messages from other aircraft.

Future: ADS-B v3 Authentication

The long-term solution is message authentication — cryptographically signing ADS-B messages so that receivers can verify they originate from a legitimate transponder. ADS-B version 3 specifications include provisions for authentication, but no encryption standard has been finalized. The challenges are significant: backward compatibility with millions of installed transponders, key management across international boundaries, the computational constraints of adding cryptography to a system designed for minimal processing, and the 112-bit message length limit that leaves little room for authentication data. The timeline for ADS-B authentication deployment is measured in decades rather than years.

Relevance to Airspace Risk

ADS-B vulnerabilities intersect with GPS threats in dangerous ways. An aircraft that has been GPS-spoofed broadcasts its false position via ADS-B, propagating the error to ATC and to other aircraft. In the Middle East spoofing events, ADS-B data showed dozens of aircraft simultaneously positioned at incorrect locations — it was the ADS-B data itself (via Flightradar24) that first made the scale of the spoofing campaign visible to the public. ADS-B is simultaneously the most transparent surveillance system in aviation history and the most vulnerable to manipulation.

Current Status

ADS-B mandates are in effect across most of the world's major airspace. The security vulnerabilities are acknowledged by regulators, the aviation industry, and the research community. Mitigations are being deployed (WAM, anomaly detection, radar cross-check) but the fundamental weakness — unencrypted, unauthenticated broadcasts — will persist for the foreseeable future. The aviation community has effectively accepted this risk as manageable because radar backup exists in most high-traffic areas, and the operational benefits of ADS-B outweigh the security concerns given current threat levels.

Limitations

• —No encryption or authentication in current ADS-B (v0/v1/v2) — fundamental design gap
• —Ghost aircraft injection requires only commodity hardware ($30 SDR)
• —ADS-B v3 authentication is years to decades from deployment
• —Multilateration only works in areas with dense ground receiver networks
• —Position depends on GPS — GPS spoofing propagates through ADS-B to ATC
• —Eavesdropping cannot be prevented without encryption

Related