AUDIE CORNISH, HOST:
From NPR News, this is ALL THINGS CONSIDERED. I'm Audie Cornish.
MELISSA BLOCK, HOST:
And I'm Melissa Block.
The Federal Aviation Administration is in the midst of a multibillion-dollar upgrade of the air traffic control system. The new system will be highly automated, relying on GPS instead of radar to locate planes, and it's designed to allow air traffic controllers and pilots to pack more planes, helicopters and eventually drones into the skies.
But as NPR's Steve Henn reports, some computer security experts are concerned that the new system is vulnerable to hackers.
STEVE HENN, BYLINE: So I'm standing here on the tarmac of the San Carlos Airport, and I see one, two, three, four planes all in the air.
(SOUNDBITE OF A PLANE)
HENN: This airport is in the heart of Silicon Valley. It's just south of Oracle's headquarters. Oracle's founder, billionaire Larry Ellison, keeps a fleet of jets here. And the skies over the field are packed. We are just south of San Francisco's international airport. There are six airports within 30 miles.
UNIDENTIFIED MAN: Clear.
MIKE EYNON: We'll take off out here. We'll fly up over San Francisco toward Petaluma.
HENN: Mike Eynon is a private pilot and a computer security expert.
EYNON: We'll be with air traffic control the entire way so that we'll be on their scopes, registered with a unique transponder code.
HENN: The current air traffic control system relies on radar. When we're up, air traffic control pings Mike's plane and a transponder built into his plane answers back, telling controllers where he is and who he is. This call and response system has been in place for decades, but it's slow. It's not as accurate as GPS. Radar ground stations take up a lot of space and are expensive to maintain, and pilots can turn their transponders off.
The old system's getting overwhelmed. In fact, when Mike and I go flying, the skies over San Francisco are so crowded we aren't allowed into the air space. So instead, we head west over the Santa Cruz Mountains.
EYNON: Great view from up here. We can see the Pacific to San Francisco.
HENN: Because of problems like congestion, the FAA is replacing radar with a new system called NextGen which will be phased in over the next eight years. The corner stone of that system is something called ADS-B. That stands for Automatic Dependent Surveillance-Broadcast.
Basically, planes will be equipped with GPS and will constantly send out little radio broadcasts announcing who they are and where they are to the world. And recently, ADS-B has caught the attention of hackers.
BRAD HAINES: All this research was to try to prove to myself that air travel is still safe. I basically failed at that.
HENN: Brad Haines is a slightly built Canadian computer consultant with multicolored hair. Online, everyone knows him as RenderMan. He's basically a hacker. And it turns out ADS-B signals look a lot like little bits of computer code. But unlike traffic on the internet, these signals are unencrypted and unauthenticated. And for computer security geeks like RenderMan, these are huge red flags. He realized he could spoof these signals and create fake ghost planes in the sky.
HAINES: The threats can be things, like, if I can inject 50 extra flights onto an air traffic controller's screen, they're not going to know what's going on.
HENN: Now, this hack won't make planes fall out of the air but...
HAINES: If you could introduce enough chaos into the system for even an hour, you know, that hour will ripple through the entire world's air traffic control.
HENN: Now, RenderMan didn't actually do this, but he demonstrated publically that he could. And last month, at a hacker conference in Vegas, he gave a talk spelling out exactly how to do it. More than 4,500 miles away in France, Andrei Costin, a Romanian grad student, realized the same thing. Working independently, he built a little radio hooked to a computer that created fake ADS-B signals in a lab.
ANDREI COSTIN: This technology by now cost U.S. 1.1 billion U.S. dollars.
HENN: Costin says he spent less than $2,000 to break open a billion-dollar system. And it's not just Romanian grad students and Canadian hackers who've expressed concern about the security of the next generation of air traffic control. Last year, Air Force major Donald McCallie, studying cyber warfare at the Air Force Institute of Technology, wrote about these same kinds of attacks and concluded the system was, quote, "on a collision course with history," end quote.
But until now, the FAA has been reluctant to respond. They haven't released data from their own security testing, and the agency's initial response, both to the Air Force paper and the more recent hacks, has been muted.
EYNON: The FAA seems to almost be taking the stance of security through obscurity, which only works for a short period of time.
Pilot Mike Eynon knows something about security. He's co-founder of Silver Tail Systems, a computer security firm that's been backed by the CIA.
I always am a firm believer in making the system transparent and having others actually help you make the system more secure by understanding it.
HENN: But in the past week, the FAA has become a bit more forthcoming. Officials there say as NextGen's been phased in, it's never recorded a spoofed or ghost plane in the sky over the U.S. And they say even if a hacker did create a ghost plane, there are systems in place that would automatically catch it and weed out the fake signal before it could confuse air traffic controllers or pilots.
Still, researchers, from RenderMan to Air Force major Donald McCallie, would like the agency to be more transparent about how its testing this multibillion-dollar system the public will soon rely on to keep it safe. Steve Henn, NPR News, Silicon Valley.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.