ADS-B and Anonymity

BKK117

I'm sure some of you have the same concerns that I have about the FAA having a complete and permanent record of every movement your airplane makes. It's been said that they "have no plans to use ADS-B for enforcement" but color me skeptical. If you transmit your N number continuously then the FAA and anyone else can track every movement you make or ever made for that matter.

Since my livelihood is airline flying it occurs to me that I will be risking a lot if I unwittingly run afoul of one of the thousands of regulations while I'm flying my RV-8. With ADS-B transmitting exactly who I am and what I'm doing, well, they've never had that amount of resolution and data before.

Navworx advertises a "stealth" mode on the ADS600-EXP when you squawk 1200 but I just installed a Garmin G3X system with a GDL-39R and have no idea how they would interface.
I've been back and forth with Garmin about this and they are saying their GTX 327 and a GDL 84 combination would support an anonymous mode. Not an inexpensive solution to say the least.

So, any of you smart folks out there with G3X systems have a solution?

Thanks in advance...
BK

RV-8
 
Brought to you by the same folks ....

....who promised to never use social security numbers for identification

....and that your contributions to SS would be set aside for your future use.
 
....who promised to never use social security numbers for identification

....and that your contributions to SS would be set aside for your future use.

...and, "If you like your current medical insurance plan, you can keep it!"
 
With a mode-S transponder, you would have to remove your hex code (or turn it off) for true anonymity as well as disabling ADSB-out.

Dynon Skyview makes it pretty easy to do both of those, not sure about other equipment.
 
Greg,
Just so there isn't future confusion: if you remove the ICAO (hex) code from the transponder it will not turn on (even as a Mode-C or Mode-A) and there is no way to turn off ADS-B out.
 
If this actually comes to fruition as we know it now, I'm sure it wouldn't take much to disable ADS-B out with a flick of a switch, per se. Most GA flights aren't in mandatory ADS-B zones anyway. So flick it on when needed and flick it off when you don't want to be tracked. -Disable or code change- I'm sure this will become a common practice.
 
Greg,
Just so there isn't future confusion: if you remove the ICAO (hex) code from the transponder it will not turn on (even as a Mode-C or Mode-A) and there is no way to turn off ADS-B out.

Sure there is - I have a breaker for that! :D
 
If anonymity is important to you, you must run a Mode-C transponder and a UAT.

A Mode-S transponder transmits your ICAO code with every radar reply even if it is not an ADS-B OUT transponder, and there is no allowed anonymous code or lack of transmitting this. Per the FAR, you cannot disable the transponder in flight except in "non controlled airspace" (class G) if there is one in the plane. So, if you have a Mode-S transponder, from any manufacturer, you will be transmitting an ICAO code.

If you have a UAT, you can put it in anonymous mode while your Mode-C continues to operate. That feature was designed in from day one of ADS-B and is available in many UAT units. The challenge is that for most new aircraft, and even in some retrofits, this method of compliance costs more than just a Mode-S transponder.

FAR 91.215:
(c) Transponder-on operation. While in the airspace as specified in paragraph (b) of this section or in all controlled airspace, each person operating an aircraft equipped with an operable ATC transponder maintained in accordance with §91.413 of this part shall operate the transponder, including Mode C equipment if installed, and shall reply on the appropriate code or as assigned by ATC.
 
I too have concerns about others collecting info about you and your whereabouts without your knowledge. I'd heard that even without ADS-B, there are small and cheap Mode S receivers that can gather the same info. One company named PASSUR has set up Mode S receivers nearly collocated with ATC radar to obtain info on all planes using Mode S transponders, including those trying to block their N-numbers through the BARR program, and selling the information to FBOs and others. By knowing your departure point, destination point and aircraft type, PASSUR can predict how much fuel you're likely to need upon landing, especially for turboprops and jets. They try to sell that to FBOs for marketing purposes. How's that for big brother, and that's not even the government?

Turning your transponder to standby gives you the anonymity but defeats the purpose of ADS-B. My ADS-B in only GDL-39 on my G3X gave me a heads up on overflying traffic that I was climbing into, while VFR enroute without flight following, last weekend, causing me to level off until the other plane passed and therefore avoid a close encounter of the 1st kind.
 
Correct me if I'm wrong but that looks like a GTX320 Mode A/C transponder in your panel in which case you aren't broadcasting anything other than squawk code and altitude :confused:
 
With a mode A/C transponder and GDL88 with the "anonymous mode" armed the identifying code is randomized so when squawking 1200 they don't know who you are.
 
I think there's a bit of a collision here - on one hand, the desire is to see other traffic, but if participating (ADSB out), to be anonymous.

Based on how this program has been rolled out, I must say that I have zero confidence in anything the FAA promises at this point as far as features and how the system will be used (read, that UAT on 1200 will be a truly random and anonymous code in the system; instead, I suspect that while it may be scrambled or encrypted, the FAA, if pressed, would retain the ability to decrypt it). Between now and 2020, I really do think the idea of an anonymous squawk will be ditched.

Dan
 
Is this true?

Dynonsupport, can you verify or de-bunk these rumors?

Rumor No. 1: I had heard that the anonymous mode for UATs is only going to be allowed until 2020, then you can't use it anymore.

Rumor No. 2: If you fly IFR, you can't use anonymous mode, which makes sense.
 
The UAT spec says the anonymous mode can only work when squawking 1200. Any other squawk and it has to transmit the real ID.
 
Operable transponder

Right, and as the pilot in command, I will determine whether my transponder is "operable". If it somehow doesn't look operable, then it ain't. I don't drink Koolaid.
Don
 
Rumor No. 1: I had heard that the anonymous mode for UATs is only going to be allowed until 2020, then you can't use it anymore.

Rumor No. 2: If you fly IFR, you can't use anonymous mode, which makes sense.

Anonymous is allowed "forever". There is no FAR that sunsets the use of it.

As mentioned, anonymous is only allowed when you are otherwise allowed to squawk 1200. You were never anonymous in IFR anyway.
 
Right, and as the pilot in command, I will determine whether my transponder is "operable". If it somehow doesn't look operable, then it ain't. I don't drink Koolaid.
Don

For ADS-B it says equipped, not operable.

If you're willing to flout the FARs, just spin in a random ICAO code.
 
I think there's a bit of a collision here - on one hand, the desire is to see other traffic, but if participating (ADSB out), to be anonymous.

Based on how this program has been rolled out, I must say that I have zero confidence in anything the FAA promises at this point as far as features and how the system will be used (read, that UAT on 1200 will be a truly random and anonymous code in the system; instead, I suspect that while it may be scrambled or encrypted, the FAA, if pressed, would retain the ability to decrypt it).

Before we go too far down the tin foil hat route, have you read the RTCA doc that describes how the random number is generated? It's a combo of your location and the time at which you engaged the anonymous mode. The random generation of this is done inside the UAT. There's no way to reverse this back to your aircraft ICAO code. For there to be a backdoor to this, the FAA would need to be convincing every manufacturer of a UAT to implement a backdoor that is contrary to the public TSO. It's also trivial for someone to test the code generated against the public TSO and verify that the published algorithm is the one being used.

There's no conflict with transmitting an anonymous but statistically unique ID while also getting traffic in. The ground stations still see you, and they have a number for you to send you specific data, but that number changes every time you fly so it can't be worked backwards to identify you. Other planes don't care who you are, just that you are there at that moment.

--Ian Jordan
 
For those interested in how the anonymous code is generated- From DO-282B:

2.2.4.5.1.3.2 Self-Assigned Temporary Address of Transmitting Aircraft

An "ADDRESS QUALIFIER" value of ONE (binary 001) shall indicate that the message is an ADS-B Message from an aircraft that is not receiving ATC services, and that the "ADDRESS" field holds the transmitting aircraft's self-assigned ownship temporary address. The self-assigned temporary address shall be generated as follows:

Let:

ADDRP = the ICAO 24-bit address that has been assigned to the aircraft;
ADDRT = the temporary address that is to be generated;
M(1) = the 12 least significant bits (LSBs) of the ownship "LATITUDE" field (per §2.2.4.5.2.1) the first time the temporary address option is selected;
M(2) = the 12 least significant bits (LSBs) of the ownship "LONGITUDE" field (per §2.2.4.5.2.1) the first time the temporary address option is selected;
M(3) = 4096 × M(1) + M(2); and
TIME = the number of seconds that have elapsed since UTC midnight the first time the temporary address option is selected, represented as a 24-bit number.

Also, let "⊕" denote the modulo 2 bit-by-bit addition (or "exclusive OR") operation.

a. If the transmitting aircraft's ICAO 24-bit address ADDRP is available, then the temporary address ADDRT shall be the modulo 2, bit-by-bit summation of the permanent address and M(3), that is:
ADDRT = ADDRP ⊕ M(3).

b. If the aircraft's 24-bit ICAO address ADDRP is not available, then time of day shall be used as an additional randomizer. In that case, the temporary address ADDRT shall be the modulo 2, bit-by-bit summation of TIME and M(3), that is,
ADDRT = TIME ⊕ M(3).

Note: Analysis indicates that the probability of two aircraft in the same operational area having identical ICAO 24-bit Aircraft Address of TIS-B or ADS-R Target Aircraft values should be well below the observed probability of having duplicate ICAO 24-bit addresses owing to installation errors.
 
So... begs the question, why didn't they allow mode S to generate a random ICAO code for 1200 squawking VFR aircraft below 18K' MSL like with a 978 MHz UAT?
 
If you're willing to flout the FARs, just spin in a random ICAO code.

If you are flying VFR, wouldn't this be legal? Later you mention random codes being generated by the UAT when squawking 1200. Why would it be any different if one manually put in a random ICAO versus having the UAT generate one?

-Dj
 
If you are flying VFR, wouldn't this be legal? Later you mention random codes being generated by the UAT when squawking 1200. Why would it be any different if one manually put in a random ICAO versus having the UAT generate one?

-Dj

I don't believe a truly random ICAO would be legal - but if you conform to the protocol outlined above (most particularly, to using the initial binary 1 digit that indicates to the system that it's pseudo-random and self-assigned) then while it may or may not be legal, there would not be any way the system could tell the difference. You would have to know which first character combinations were available to include the self-assigned bit 1 (do the Boolean logic and binary/hex math) and then the other digits could truly be random.

EDIT - reading through it again, it appears that the self-identifier bit 1 is in a different field called the ADDRESS QUALIFIER. If you can locate that field and set it to 1, then the rest of the ADDRT could indeed be randomized. The trick is knowing how the ADDRT and ADDRESS QUALIFIER are combined into the final number that becomes the hex code. Or perhaps it does NOT become part of the hex code, but is just a separate transmitted field?

My breaker on the panel is starting to look better and better.
 
For those interested in how the anonymous code is generated- From DO-282B:

As a guy who designs/writes code and deals with a little crypto (probably more than the average programmer, but not a full-time cryptographer) I would point out that scenario (a) listed above is in fact not anonymous but is only obfuscated. Since the permanent address is used to calculate the temporary code and is simply xor'd with a number derived from lat lon, it's not too hard to figure out the original perm addr, especially since the permanent codes are a finite set of data (downloadable from FAA aircraft registry database).

Scenario (b) is in fact much more difficult to trace back to the original aircraft because it simply doesn't use the original perm address.

I'm not certain which scenario is being discussed in this thread.
 
Jamie,
I'm not a cryptographer either, but can you explain how you can reverse the data without knowing the lat/long used? While the data set is known, it's also large, and there is no reason the aircraft needs to be a USA aircraft, so the full 24 bits are effectively in play.

For example:
A05B1F and A05B1E are both valid USA ICAO codes.

If my M(3) ends with a 1, then the random code for the first one will end with a 0, and the second will end with a 1. However, change the M(3) to a 0, and the two codes swap. How do you know which is right without knowing M(3)?

You can't know the ICAO without knowing M(3), so M(3) is your private key, and that key is based on lat/long at the time of engagement which is known only to you and changes every flight (or even within a flight).

The only attack I see is knowing the LAT/LONG at the time of engagement. I guess there are some times where you might switch from non-anon to anon in flight and an external observer may be able to deduce this. However, if they are off by even one bit, the result will be wrong and there will not be a way to know that result is wrong because the output will be a valid ICAO code.

--Ian
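
The DO-282B rule quoted above and the disagreement about whether it can be reversed, worked through as an added example (not part of any post, and not any vendor's code). It assumes the inputs are the already-encoded integer LATITUDE/LONGITUDE field values, since the §2.2.4.5.2.1 encoding is not quoted in the thread; the field values, the time and three of the five registry entries are constructed.

```python
"""Added example: DO-282B 2.2.4.5.1.3.2 temporary address and what it hides."""

MASK12, MASK24 = 0xFFF, 0xFFFFFF


def m3(lat_field: int, lon_field: int) -> int:
    """M(3) = 4096 * M(1) + M(2), with M(1)/M(2) the 12 LSBs of each field."""
    return ((lat_field & MASK12) << 12) | (lon_field & MASK12)


def temporary_address(lat_field, lon_field, addr_p=None, time_s=None):
    """ADDR_T per case (a) when the ICAO address is available, else case (b)."""
    key = m3(lat_field, lon_field)
    if addr_p is not None:
        return (addr_p & MASK24) ^ key          # (a) ADDR_T = ADDR_P xor M(3)
    if time_s is None:
        raise ValueError("case (b) needs seconds since UTC midnight")
    return (time_s & MASK24) ^ key              # (b) ADDR_T = TIME xor M(3)


def implied_key(addr_t: int, candidate_addr_p: int) -> int:
    """The M(3) that must have been used if `candidate_addr_p` sent `addr_t`."""
    return (addr_t ^ candidate_addr_p) & MASK24


def anonymity_set(addr_t, registry, m3_known_bits=0, m3_known_mask=0):
    """Registry addresses still consistent with an observed ADDR_T.

    m3_known_mask marks which bits of M(3) an observer is assumed to know
    (0 = none, 0xFFFFFF = all); m3_known_bits holds their values.
    """
    want = m3_known_bits & m3_known_mask
    return sorted(a for a in registry
                  if (implied_key(addr_t, a) & m3_known_mask) == want)


# A05B1F and A05B1E are the two codes used in the post above; the other
# three entries are constructed for illustration.
REGISTRY = [0xA05B1F, 0xA05B1E, 0xA12345, 0xA7C9D2, 0xABCDEF]

# Constructed encoded field values at the moment anonymous mode is selected.
LAT_FIELD, LON_FIELD = 0x2A5B31, 0x91C4E0

if __name__ == "__main__":
    key = m3(LAT_FIELD, LON_FIELD)
    addr_t = temporary_address(LAT_FIELD, LON_FIELD, addr_p=0xA05B1F)
    print(f"M(3)={key:06X}  ADDR_T={addr_t:06X}")

    # M(3) unknown: every candidate implies some 24-bit key, none is excluded.
    for cand in anonymity_set(addr_t, REGISTRY):
        print(f"  {cand:06X} would need M(3)={implied_key(addr_t, cand):06X}")

    # Only M(1) (the latitude LSBs) known: the set shrinks but is not unique.
    partial = anonymity_set(addr_t, REGISTRY, key & 0xFFF000, 0xFFF000)
    print("M(1) known :", [f"{a:06X}" for a in partial])

    # Full M(3) known: the XOR inverts and exactly one address remains.
    full = anonymity_set(addr_t, REGISTRY, key, MASK24)
    print("M(3) known :", [f"{a:06X}" for a in full])
```

With nothing known about M(3) the anonymity set is the whole registry, and it collapses to a single address only when all 24 bits of M(3) are known, so the privacy of case (a) rests entirely on how hard the position at engagement is to learn.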
 
It is a simple xor cipher which is easily broken, especially if the plain-text is known. And in this case, all of the potential plain-texts are known (one of the total set of ADDRP's for scenario 'a'; for scenario 'b', the time).

https://en.wikipedia.org/wiki/XOR_cipher

Google is letting me down with finding §2.2.4.5.2.1, do you have that available?
 
This just de-volved into who is the smartest guy in the room.
To the original airline employed poster, you are probably over thinking the risk.
You are likely not flouting the regs while not at work. The FAA is not staffed with the number of people to track you and randomly violate you. A really flagrant violation like drinking, flying... then crashing... and running away, as happened recently, will give them probable cause to come after you.
Then they have the legal right to see every prescription you ever got at a nearby neighborhood pharmacy. Barring that, and you are certainly not that kind of pilot.... you might relax and enjoy the safety of ADS-B traffic reports and nexrad imaging of precip ahead of you.
 
It is a simple xor cipher which is easily broken, especially if the plain-text is known. And in this case, all of the potential plain-texts are known (one of the total set of ADDRP's for scenario 'a'; for scenario 'b', the time).

https://en.wikipedia.org/wiki/XOR_cipher

Google is letting me down with finding §2.2.4.5.2.1, do you have that available?

Admittedly drifting off track here, but I also don't see how this would be 'trivial' to break. The potential plain-texts are known, but that does an attacker no good.

This is not a case of a key being used to encode multiple messages, in which case it would be subject to more types of attacks. This is a case of a key being used on a 'message' of the same size as the key. As long as the key is secure, this is essentially an unbreakable one-time pad.

From wikipedia:

"If the key is random and is at least as long as the message, the XOR cipher is much more secure than when there is key repetition within a message.[3] When the keystream is generated by a pseudo-random number generator, the result is a stream cipher. With a key that is truly random, the result is a one-time pad, which is unbreakable even in theory.

In any of these ciphers, the XOR operator is vulnerable to a known-plaintext attack, since plaintext ⊕ ciphertext = key."

In this case, the key is both random, and as long as the message. The known-plaintext attack is not an option in this case, as it would require a physical back-door into your ADS-B system in order to inject the plaintext and recover the ciphertext; and if you had that, why even bother, just go straight for the target data.

I may be missing something, but I don't see the vulnerability.


Chris
 
It is a simple xor cipher which is easily broken, especially if the plain-text is known. And in this case, all of the potential plain-texts are known (one of the total set of ADDRP's for scenario 'a'; for scenario 'b', the time).

https://en.wikipedia.org/wiki/XOR_cipher

Google is letting me down with finding §2.2.4.5.2.1, do you have that available?

As far as I know xor ciphers are totally secure as long as one part of the xor is truly random. Actually your google reference says that too: " With a key that is truly random, the result is a one-time pad, which is unbreakable even in theory." They are just not very practical due to the key length and randomness required and therefore only used in practice if you can distribute very long truly random key out of band (e.g. both parties have the same copy of a DVD with a 2GB key on it which is a type of cypher used by many militaries).

So the attack on this requires you to know at least part of the key which means part of the location and part of the time. So the question comes down to how difficult is it to predict at least some of the least 12 bits of lat and long and 24 bits of time which wraps every 192 days (you don't need all as even with a partial ICAO code you can correlate with e.g. airplanes registered in the region. That won't identify every transient airplane but most airplanes most of the time.)

Not quite sure what the lowest 12 bits represent as I am not that familiar with the Dynon encodings. E.g. is it the last 12 bits of an ASCII encoding of the GPS position (e.g. NMEA GGA sentence) which really only has 49 instead of 4096 as entropy and would be easy to attack or is it the last 12 bits in binary? What's the distance those 12 bits cover? E.g. can I look at airport lat/longs in the region and guess parts of those 12 bits assuming that you started that mode at an airport? How would I get an estimate at least for the day you started it. Maybe start with weekends?

Having a mode-s transponder I am quite worried about this. You can go to plane finder, type in my N number, select historic flights and you will see EVERY flight I made since I finished my RV-8. That does not only prevent me from exaggerating a little bit when talking about my flying over a beer :D but I really don't want everybody to know how I spend my spare time. To be honest I am less worried about the FAA than other uses but don't see an easy way of fixing it.

Oliver
 
glad you guys are picking up this issue!

and i wouldn't worry too much about FAA (or even NSA-type agencies, even though this is also an interesting - although for this site maybe too political - subject *LOL*)...

the problem is the easy sniffing/recording and storing of the data combined with the ground/internet based networking, which basically enables an all-access tracking system without controls or restrictions.

the true risks IMHO which apply to the average decent-citizen rv-owner/builder come from NIMBY's that fight your local airports, divorce lawyers, envious neighbours or competitors, bankers, credit rating agencies, co-runners for public office all the way to targeted advertising firms and so forth...
or think back to the all-of-a-sudden public/media shaming of bizjets after the financial crisis as another example where a system like this is less than desired for the cause of aviation.

this privacy issue comes on top of the actual security issues (spoofing of targets, free targeting info etc...)
just goes to show that the ads-b stuff was engineered with the mindset from 20 years ago, totally not state of the art and in line with modern times.

even with facebook etc... you have somewhat decent control about how and when you are announcing your position. google and ad networks may be a bit the exception here, but there are relatively easy defenses against them as well.

should be interesting how things develop...
 
the true risks IMHO which apply to the average decent-citizen rv-owner/builder come from NIMBY's that fight your local airports, divorce lawyers, envious neighbours or competitors, bankers, credit rating agencies, co-runners for public office all the way to targeted advertising firms and so forth...

All of which would be a non-issue if the FAA acted like every state in the union does with automobile license plates, and keep the owner's name, address, etc., private instead of allowing anyone and everyone access to it.

Guess that genie is out of the bottle, though. Thanks, FAA.
 
All of which would be a non-issue if the FAA acted like every state in the union does with automobile license plates, and keep the owner's name, address, etc., private instead of allowing anyone and everyone access to it.

Guess that genie is out of the bottle, though. Thanks, FAA.

I once asked the FAA aircraft registration branch why their records are publicly searchable and viewable. This was the response (egregious misspelling repeated for posterity):

FAA said:
Are records are made public for safety. sf

I don't understand how making pilot/aircraft owner records public contributes to "safety".

Perhaps the way to get it fixed is to talk to our congresscritters?
 
Perhaps the way to get it fixed is to talk to our congresscritters?

Only way it will change is the same way license plate information got changed to be private: something horrible like a murder where the victim is tracked down by tail number.

Congress? AHAHAHAHAHAHA! That's funny, man... :)
 
Only way it will change is the same way license plate information got changed to be private: something horrible like a murder where the victim is tracked down by tail number.

Congress? AHAHAHAHAHAHA! That's funny, man... :)

More likely when a Senator gets tracked to his girlfriend using ADS-B data, as the security blackout lists maintained by the FAA don't apply to privately run ADS-B collection networks and his flights are not blocked out any more....
 
strategy

Seems that I'll be installing a power switch on my navworx that I can use when outside of Mode-C space. Also a good reason to keep my ADSB in for weather, and my Zaon for collision avoidance.
 
Seems that I'll be installing a power switch on my navworx that I can use when outside of Mode-C space. Also a good reason to keep my ADSB in for weather, and my Zaon for collision avoidance.

As previously discussed, it is illegal not to run an installed ADSB-out in any controlled airspace.
 
Sure they do

The FAA is not staffed with the number of people to track you and randomly violate you.

Sure they do. Give a candy bar and a Monster to a room full of 16 year old programmers and you have a pretty cheap line of code that will automate your violations...we already have that in effect across America as I type this.
 