RF Fingerprinting ADS-B Signals for Security
At this year's ICNP 2020 IEEE conference, a paper titled "Real-World ADS-B signal recognition based on Radio Frequency Fingerprinting" (pdf file) was presented by researchers from Harbin Engineering University in China. The idea presented in the paper is to use RF "fingerprinting" techniques to uniquely identify and confirm that the ADS-B signal originates from the correct aircraft source.
RF fingerprinting works on the premise that every transmitter has small manufacturing variances that result in slightly different signals being transmitted, giving each transmitter a unique "fingerprint" that can be traced back to it. The idea here is to use these fingerprints to ensure that a known aircraft is indeed transmitting an ADS-B signal and that the signal is not being transmitted from a fake spoofer. ADS-B is completely unencrypted and not authenticated, so spoofing of ADS-B signals may be a real security threat.
In the team's research they use an RTL-SDR to collect ADS-B signals from five different aircraft. They then use that data to create "Contour Stellar Images" and train a deep learning neural network which, after training, accurately identifies which aircraft a signal comes from.
In previous posts we've seen the idea of fingerprinting used by Disney research and others to identify electronic devices, to authenticate RF IoT devices and to identify handheld transmitters via CTCSS fingerprints.
MLAT and triangulation are useful but I think what this group is trying to do is useful for more than just uncovering a fixed spoof station. With a fingerprint, one could determine not only the integrity of the position report but also ensure that the aircraft at a particular position is in fact who he says he is and not a different aircraft.
For integrity you would need a (large) database with the waveforms representing the footprints of all ADSB transmitters.
If changes in operation temperature (variation -54 to 71° C), pressure (between ground and >50 000ft), and of course shock and vibration, and the resulting aging of a transmitter will require more than one footprint remains to be seen.
While many ADSB transmitters may remain in an aircraft during the operational lifetime, others may be pulled and exchanged, e.g. between aircraft, or for repair when defective. If a transmitter is repaired the footprint may change again. Only the 24 Bit remains with an aircraft, as long as the registration remains, but not the ADSB transmitter.
If one looks at minute variances in individual system setups (RF, logic, etc) how are environmental changes accounted for? I mean, if you are looking at tiny variations, won’t those change with temperature and altitude/atmospheric pressure, things that I am told change a lot in aircraft …
I get what they are trying to do and understand the necessity but this data is going to be hella noisy as the kids say.
Another aspect of ensuring the integrity of ADSB packets is to time when each packet arrives at various ADSB receivers and work out whether the differences in time are consistent with the transmitter being in the location advertised by the packet(s), or that all receivers are receiving packets from the same location.
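The arrival-time consistency check described in the comment above, sketched as an added example (it is not from the post, the paper or any commenter). It assumes the receivers share a synchronised clock and that positions are given in local Cartesian metres; the receiver layout, positions, function names and the 1 microsecond tolerance are all constructed for illustration.

```python
import math
from itertools import combinations

C = 299_792_458.0  # speed of light in m/s

def simulate_arrivals(tx_pos, receivers, t0=0.0):
    """Arrival time at each receiver for a packet sent from tx_pos at t0."""
    return {name: t0 + math.dist(tx_pos, pos) / C for name, pos in receivers.items()}

def tdoa_residuals(claimed_pos, receivers, arrivals):
    """Observed minus expected arrival-time difference for each receiver pair.

    Only differences are used, so the unknown transmit time cancels out.
    """
    heard = sorted(name for name in arrivals if name in receivers)
    if len(heard) < 2:
        raise ValueError("need at least two receivers that heard the packet")
    residuals = {}
    for a, b in combinations(heard, 2):
        expected = (math.dist(claimed_pos, receivers[a])
                    - math.dist(claimed_pos, receivers[b])) / C
        residuals[(a, b)] = (arrivals[a] - arrivals[b]) - expected
    return residuals

def position_is_consistent(claimed_pos, receivers, arrivals, tolerance_s=1e-6):
    """True if every pair agrees with the claimed position within tolerance.

    tolerance_s is an assumed timing budget; 1 microsecond is about 300 m.
    """
    residuals = tdoa_residuals(claimed_pos, receivers, arrivals)
    return all(abs(r) <= tolerance_s for r in residuals.values())

# Constructed sample data: local east/north/up coordinates in metres.
RECEIVERS = {"A": (0.0, 0.0, 0.0), "B": (40_000.0, 0.0, 0.0), "C": (0.0, 40_000.0, 0.0)}
CLAIMED = (10_000.0, 20_000.0, 10_000.0)  # position advertised in the packet
SPOOFER = (35_000.0, 5_000.0, 0.0)        # transmitter located somewhere else

if __name__ == "__main__":
    genuine = simulate_arrivals(CLAIMED, RECEIVERS, t0=12.5)
    spoofed = simulate_arrivals(SPOOFER, RECEIVERS, t0=12.5)
    print("genuine consistent:", position_is_consistent(CLAIMED, RECEIVERS, genuine))
    print("spoofed consistent:", position_is_consistent(CLAIMED, RECEIVERS, spoofed))
    for pair, r in tdoa_residuals(CLAIMED, RECEIVERS, spoofed).items():
        print(pair, f"{r * 1e6:.1f} us")
```

With only two receivers, a transmitter anywhere on the same hyperbola as the claimed position also passes, so each extra receiver tightens the check.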