Abstract
ARINC 429 is the most common data bus in use today in civil avionics. Despite this, the protocol lacks any form of source authentication. A technician with physical access to the bus is able to replace a transmitter by a rogue device, and receivers will accept its malicious data as they have no method of verifying the authenticity of messages.
Updating the protocol would close off security loopholes in new aircrafts but would require thousands of airplanes to be modified. An interim solution is required. We propose a hardware fingerprinting method for the ARINC 429 data bus, and analyze its performance in a sender authentication setting. Our approach relies on the observation that changes in hardware, such as replacing a transmitter or a receiver with a rogue one, modify the electric signal of the transmission.
In this paper we explore the feasibility of designing an intrusion detection system based on hardware fingerprinting. Our analysis includes both a theoretical Markov-chain model and an extensive empirical evaluation. For this purpose, we collected a data corpus of ARINC 429 data traces, which may be of independent interest since, to the best of our knowledge, no public corpus is available.
In our experiments, we show that it is feasible for an intrusion detection system to achieve a near-zero false alarms per second, while detecting a rogue transmitter in under 50 ms, and detecting a rogue receiver in under 3 s. This would allow a rogue component installed by a malicious technician to be detected during the pre-flight checks, well before the aircraft takes off. This is made possible due to the fact that we rely on the analog properties, and not on the digital content of the transmissions. Thus we are able to detect a hardware switch as soon as it occurs, even if the data that is being transmitted is completely normal.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Aeronautical Radio INC.: Mark 33 digital information transfer system (DITS), May 2004. http://www.bosch-semiconductors.de/media/ubk. ARINC specification 429 part 1–17
Astronautics C.A. LTD: Astronautics EDCU Brochure (2019). http://www.astronautics.co.il/sites/default/files/edcu.pdf
Astronautics C.A. LTD: home page (2019). http://www.astronautics.com
Breunig, M.M., Kriegel, H.P., Ng, R.T., Sander, J.: LOF: identifying density-based local outliers. In: ACM SIGMOD Record, vol. 29, pp. 93–104. ACM (2000)
Brik, V., Banerjee, S., Gruteser, M., Oh, S.: Wireless device identification with radiometric signatures. In: Proceedings of the 14th ACM International Conference on Mobile Computing and Networking, pp. 116–127. ACM (2008)
Cho, K.T., Shin, K.G.: Viden: attacker identification on in-vehicle networks. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1109–1123. ACM (2017)
Choi, W., Jo, H.J., Woo, S., Chun, J.Y., Park, J., Lee, D.H.: Identifying ECUs using inimitable characteristics of signals in controller area networks. IEEE Trans. Veh. Technol. 67(6), 4757–4770 (2018)
Choi, W., Joo, K., Jo, H.J., Park, M.C., Lee, D.H.: VoltageIDS: low-level communication characteristics for automotive intrusion detection system. IEEE Trans. Inf. Forensics Secur. 13(8), 2114–2129 (2018)
Costin, A., Francillon, A.: Ghost in the air (traffic): on insecurity of ADS-B protocol and practical attacks on ADS-B devices. Black Hat USA, pp. 1–12 (2012)
Das, A., Borisov, N., Caesar, M.: Tracking mobile web users through motion sensors: attacks and defenses. In: NDSS (2016)
Dey, S., Roy, N., Xu, W., Choudhury, R.R., Nelakuditi, S.: AccelPrint: imperfections of accelerometers make smartphones trackable. In: NDSS (2014)
Ellis, K., Serinken, N.: Characteristics of radio transmitter fingerprints. Radio Sci. 36(4), 585–597 (2001)
Excalibur Systems: M4K429RTx test and simulation module (2019). https://www.mil-1553.com/m4k429rtx
Fuchs, C.M., et al.: The evolution of avionics networks from ARINC 429 to AFDX. Innov. Internet Technol. Mob. Commun. (IITM) Aerosp. Netw. (AN) 65, 1551–3203 (2012)
Gerdes, R.M., Mina, M., Russell, S.F., Daniels, T.E.: Physical-layer identification of wired ethernet devices. IEEE Trans. Inf. Forensics Secur. 7(4), 1339–1353 (2012)
Gilboa-Markevich, N., Wool, A.: Hardware fingerprinting for the ARINC 429 avionic bus. Technical report arXiv:2003.12456 [cs.CR] (2020). http://arxiv.org/abs/2003.12456
Holt Integrated Circuits INC.: ADK-3200: HI-3200 avionics data management engine evaluation board (2011). http://www.holtic.com/product/p/pb/15-adk-3200-hi-3200-avionics-data-management-engine-evaluation-board.aspx
Kneib, M., Huth, C.: Scission: signal characteristic-based sender identification and intrusion detection in automotive networks. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 787–800. ACM (2018)
Kohno, T., Broido, A., Claffy, K.C.: Remote physical device fingerprinting. IEEE Trans. Dependable Secure Comput. 2(2), 93–108 (2005)
Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)
Lazarevic, A., Ertoz, L., Kumar, V., Ozgur, A., Srivastava, J.: A comparative study of anomaly detection schemes in network intrusion detection. In: Proceedings of the 2003 SIAM International Conference on Data Mining, pp. 25–36. SIAM (2003)
Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. Black Hat USA 2015, p. 91 (2015)
Moir, I., Seabridge, A., Jukes, M.: Data bus networks (chapter 3). In: Civil Avionics Systems, pp. 79–118. Wiley, Chichester (2013)
Murvay, P.S., Groza, B.: Source identification using signal characteristics in controller area networks. IEEE Signal Process. Lett. 21(4), 395–399 (2014)
Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)
Pimentel, M.A., Clifton, D.A., Clifton, L., Tarassenko, L.: A review of novelty detection. Sig. Process. 99, 215–249 (2014)
Robert Bosch GmbH: CAN specification, v2.0 (1991)
Smith, M., Strohmeier, M., Harman, J., Lenders, V., Martinovic, I.: A view from the Cockpit: exploring pilot reactions to attacks on avionic systems. In: Network and Distributed Systems Security (NDSS) Symposium. Internet Society, San Diego (2020)
Spitzer, C.R.: ARINC specification 429 mark 33 digital information transfer system (chapter 2). In: Avionics: Elements, Software and Functions. The Electrical Engineering Handbook Series. CRC Press, Boca Raton (2007)
Uluagac, A.S., Radhakrishnan, S.V., Corbett, C., Baca, A., Beyah, R.: A passive technique for fingerprinting wireless devices with wired-side observations. In: 2013 IEEE Conference on Communications and Network Security (CNS), pp. 305–313. IEEE (2013)
Xu, Q., Zheng, R., Saad, W., Han, Z.: Device fingerprinting in wireless networks: challenges and opportunities. IEEE Commun. Surv. Tutorials 18(1), 94–104 (2015)
Acknowledgments
This work was supported in part by a grant from the Interdisciplinary Cyber Research Center at Tel Aviv University. The authors would like to thank Astronautics C.A. LTD. for sharing their equipment and expert knowledge.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Gilboa-Markevich, N., Wool, A. (2020). Hardware Fingerprinting for the ARINC 429 Avionic Bus. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science(), vol 12309. Springer, Cham. https://doi.org/10.1007/978-3-030-59013-0_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-59013-0_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-59012-3
Online ISBN: 978-3-030-59013-0
eBook Packages: Computer ScienceComputer Science (R0)