Undermining Privacy in the Aircraft Communications Addressing and Reporting System (ACARS)
Authors: Matthew Smith (Department of Computer Science, University of Oxford:), Daniel Moser (Department of Computer Science, ETH Zurich:), Martin Strohmeier (Department of Computer Science, University of Oxford:), Vincent Lenders (armasuisse:), Ivan Martinovic (Department of Computer Science, University of Oxford:)
Volume: 2018
Issue: 3
Pages: 105–122
DOI: https://doi.org/10.1515/popets-2018-0023
Abstract: Despite the Aircraft Communications, Addressing and Reporting System (ACARS) being widely deployed for over twenty years, little scrutiny has been applied to it outside of the aviation community. Whilst originally utilized by commercial airlines to track their flights and provide automated timekeeping on crew, today it serves as a multi-purpose air-ground data link for many aviation stakeholders including private jet owners, state actors and military. Such a change has caused ACARS to be used far beyond its original mandate; to date no work has been undertaken to assess the extent of this especially with regard to privacy and the various stakeholder groups which use it. In this paper, we present an analysis of ACARS usage by privacy sensitive actors—military, government and business. We conduct this using data from the VHF (both traditional ACARS, and VDL mode 2) and satellite communications subnetworks. Based on more than two million ACARS messages collected over the course of 16 months, we demonstrate that current ACARS usage systematically breaches location privacy for all examined aviation stakeholder groups, explaining the types of messages used to cause this problem. We illustrate the challenges with three case studies—one for each stakeholder group—to show how much privacy sensitive information can be constructed with a handful of ACARS messages. We contextualize our findings with opinions on the issue of privacy in ACARS from 40 aviation industry professionals. From this, we explore recommendations for how to address these issues, including use of encryption and policy measures.
Keywords: aviation privacy, ACARS, avionic systems
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.