For some odd reason, flight tracking has been in the news. Perfect time for the first post here, with an infosec/flight tracking crossover that couldn't be more topical.

Usual caveat: None of this should be construed as some sort of value statement, it's just me providing the facts from a security researcher's point of view.

First there's a new article published at the 10th OpenSky Symposium (and online today at https://www.mdpi.com/2673-4591/28/1/7). It discusses how some owners of private jets have been trying to subvert public and crowdsourced data.

Great example provided below, an anonymous user trying to pass off Bernard Arnault's jet (of @laviondebernard fame) with transponder ID 395580 as a non-existing generic Air France aircraft. There were many more cases of astroturfing that we found. Full talk available now here: https://www.youtube.com/watch?v=KIz6M1YAI_g&list=PLNft4qtPGeqN0MtUc_k-R-H3wvxUN0WVq&index=4

But with everyone nowadays apparently an expert on flight tracking and blocking (taking over from epidemiology and military strategy it seems), it's some more science communication time: I want to submit two more articles for your reading pleasure.

1. Tracking aircraft is a fact of life in an era of cheap software defined radios. The ability to do so was a design decision for compatibility and safety done 30 years ago. It affects all stakeholders, unless you're the military and can switch all your comms off. Long analysis here in our 2018 paper: https://www.cs.ox.ac.uk/files/9919/eurosnp.pdf

It will also explain why all existing methods to prevent tracking are, sometimes hilariously, inept from a computer security perspective. This includes, but is not limited to web tracker blocking programmes (BARR, ASDI, LADD or whatever the flavour du jour is) and also the Privacy ICAO address (PIA) programme. They all are security through obscurity *at best*.

2. When the PIA was announced in 2019 it was clear it wouldn't do a single thing to make anybody more private. Sadly, it seems that FAA and NBAA never asked anyone familiar with computer security when designing this (we offered, no dice). So we started collecting data right when it went online in 2020 (before covid) to show it's useless.

You can read our analysis here, and it's been proven correct plenty of times in practice by now: https://cs.ox.ac.uk/files/13229/flying-in-private-mode.pdf
In short: It's like being the only one on a university campus on the TOR mixnet and using it to make a bomb threat in order to stop an exam. You'll stick out like a sore thumb and the police will have no trouble identifying you. [1]

Bernard Arnault realized correctly that the only privacy solution is to charter/fractional ownership. https://edition.cnn.com/2022/10/19/business/bernard-arnault-sells-private-jet-over-twitter-tracking/index.html

Again, this is not a value statement, it's just how the world is right now and it won't change anytime soon. Not with 100k cheap crowdsourced trackers globally and more by the day.

Tl;dr: Been droning on about aircraft privacy for over half a decade (NB: I was certainly not the only one!). Nobody cared. In 2022, shit hit the fan.

[1] https://www.forbes.com/sites/runasandvik/2013/12/18/harvard-student-receives-f-for-tor-failure-while-sending-anonymous-bomb-threat/