ADS-B data is useful, but you must know it’s limitations and vulnerabilities. The “MH Double Whammy” of MH370 and MH17 showed the limitations of ADS-B data. However I came across a tweet by fellow MH370 geek, Jeff Wise:

Which quoted the following tweet:

https://twitter.com/VerkanVall/status/722280456473939969

The tweet by VerkanVall raised my eyebrow, so I looked at the Reddit link. The article showed a Reddit user, CopperNickus posting about an aircraft in FlightRadar24 being in 2 places at the same time. I guess some have used this information to point out that MH370 was an insurance scam and that the aircraft never disappeared and was then used as the aircraft for MH17… yes, we’ve heard enough of those silly theories.

So I tweeted to both Jeff and VerkanVall, about the possibility of “1 aircraft being in 2 places at the same time” as a result of a ModeS Hex code duplicate. To which the reply I got was:

https://twitter.com/VerkanVall/status/722468505765806080

Well, perhaps I need to explain myself further. 140 character limit can be extremely limiting, hence this article.

Every aircraft with ADS-B is fitted with a Mode-S transponder with a unique Hex Code/address. This is what the ADS-B receiver gets, and compares it with a database to obtain the aircraft’s registration. This is usually permanently assigned, but sometimes transponders gets swapped out for maintenance, and the hex codes are re-programmable to ensure an aircraft transmits the correct hex code.

Unfortunately sometimes, in areas where mode-S isn’t mandatory, when transponders are swapped out the hex codes aren’t reprogrammed, and we can get some duplicate cases. One such duplicate case, is having 2 aircraft with the same hex codes flying.

Anyone wanting to analyze anything with publicly available ADS-B data must be aware of its limitations. This hex duplicate problem isn’t normally an issue, but it can lead the uninformed to be misled. Observing FlightRadar24 over time, I have seen hex duplicate errors, and I’ve seen aircraft registration errors. Aircraft registration errors is usually due to slow database update by regulators upon receiving hex code updates.

Coming back to 1 airplane being in 2 places at the same time, let me pull the following from the Reddit article:

I already posed the same question in the original post: “So is this explained by errors at FR24, programming errors at MAS, or fraudulent activities?”

I’ve seen no other evidence of data faults at FR24. That would imply that they are altering ADS-B data after it arrives. If that’s the case, you should probably toss out the MH370 ADS-B data. And faulty data theories are popular regarding the Inmarsat data as well.

No other evidence? “Back then”, such an error would not be indicated as such by the likes of FlightRadar24, but nowadays such errors are made known to the reader. Do I have evidence? Oh yes, sure! Why wouldn’t I… right? Let me show you the case of Hex Code 8A04FF:

PK-GAF-Dupe1
Both PK-GAF and PK-GNN us known to use Hex Code 8A044F

This case is actually well known among Indonesian ADS-B geeks. Now have a look at this instance:

PK-GAF-Dupe2
This clearly shows the same aircraft at 2 places at the same time

But then, the replay is only available for one of the 2 flights. Is there a case for both replays being available? Sure…

PK-GAF-Dupe3
Another case of the same duplicate in the air at once.

This time, both are available for replays. And ironically, just as I was writing this, FlightRadar just recorded 2 PK-GAFs flying.

PK-GAF-Dupe4
This happens daily here… in case you’re wondering.

This is nothing more than a Hex Code duplicate screw up. Nothing more. There’s no conspiracy and there is nothing malicious here. Conclusion: ADS-B/Mode-S HEX DUPLICATES HAPPENS EVERY DAY! 

Everyday? Surely it’s only an Indonesian (and Malaysian problem)? Afterall, Indonesia is an “unsafe country” right?  Well, in 2011, EASA saw this as a potential problem and issued an Airworthiness Directive on the issue. Also in 2011, the United States Air Force also realized this issue, and mentioned it in a document:

6.2.4 Impact of duplicate 24 bit ICAO addresses

To increase security, DoD and government aircraft transponders are not required to have fixed 24 bit ICAO addresses. This exception to policy has introduced human error into the ADS-B technology. It has been noted in European airspace, where ADS-B is already being used that U.S. military aircraft are routinely flying with duplicate 24 bit ICAO codes.

As the FAA brings ADS-B and NextGen upgrades online in the U.S. it is likely that we will see these same conflicts occur here. Research in this area should explore how FAA controllers and the NextGen system will handle duplicate codes and if this exception could be used by an attacker to further exploit the system.

The USAF is well aware of this and maintains that the ability to change the ICAO hex addresses be maintained in order to prevent ADS-B from being used as a static aircraft reconnaissance method to assemble an order of battle. The document even discusses the possibility of injecting ghost aircraft into the ADS-B system.

Ground Station Target Ghost Inject: A Ground Station Target Ghost Inject is an attack that injects an ADS-B signal into a ground station. This attack requires an adversary to craft and encode a 112 bit message that conforms to the ADS-B messaging protocol. As a result, the adversary can cause illegitimate (i.e., ghost) aircraft to appear on the ground controller’s console. A Targeted Ghost Inject attack is categorized as a Medium-High difficulty because it requires the ability to craft and transmit an ADS-B message that mirrors legitimate traffic. The impact of this type of attack can range from annoyance to high safety implications.

Ground Station Multiple Ghost Inject: A Ground Station Multiple Ghost Inject is an attack that injects ADS-B signals into a ground station. The attack is similar to the Ground Station Target Ghost Inject, with the exception that multiple targets are injected into the system. An adversary can use this type of attack to overwhelm the surveillance system and create mass confusion for the ground controller. The Ground Station Multiple Ghost Inject attack is categorized as a Medium-High difficulty because it requires the ability to automate the transmission of crafted messages, multiple transmitters and coordination of message transmissions.

Now feel free to accuse MH370 ADS-B readings as a ghost injected flight for all I care, but this article shows that duplicate ICAO hex code aircraft addresses happens, and are still happening, and that these are usually innocent errors bearing no conspiracy nor malicious intentions.

Leave a Reply