ACARS Vulnerabilities: How Aircraft Communications Systems Are Being Exploited

ACARS — the Aircraft Communications Addressing and Reporting System — has been the backbone of air-to-ground messaging for commercial aviation since the 1970s. It carries engine data, ATIS weather information, ATC clearances, and operational messages between aircraft and ground stations. The problem: ACARS was designed for reliability and interoperability, not security. Security researchers, including Hugo Teso, whose 2013 DEF CON presentation demonstrated theoretical attack scenarios, have highlighted that ACARS communications are transmitted in plaintext and are unauthenticated, and that anyone with appropriate radio equipment can inject forged messages. The aviation industry has been aware of these vulnerabilities for over a decade — the question is what is being done about it.

ACARS communications are transmitted in cleartext without authentication — a known vulnerability that security researchers have demonstrated attack scenarios against since 2013.

What ACARS Is and Why It Matters for Security

ACARS (Aircraft Communications Addressing and Reporting System) is a digital datalink system providing text-based messaging between aircraft and ground stations via VHF radio, HF radio, or satellite. It carries:

  • Engine health monitoring data (ACARS/ACMF): Real-time engine parameter data sent to maintenance monitoring systems
  • ATIS/D-ATIS: Automated Terminal Information Service — weather and airport information to the flight deck
  • Pre-departure clearances (PDC): ATC route and clearance information delivered via ACARS to reduce frequency congestion
  • Operational Control (OPS): Messaging between flight crew and airline operations centres — fuel, delays, maintenance
  • ADS-C: Automatic Dependent Surveillance - Contract, providing position reports in oceanic airspace
  • CPDLC: Controller-Pilot Data Link Communications — replacing voice ATC in certain airspace

ACARS Security Weaknesses and Demonstrated Attack Scenarios

The fundamental security weakness of ACARS is the absence of authentication and encryption in legacy implementations. VHF ACARS transmissions can be received by anyone with appropriate radio equipment and software-defined radio (SDR) hardware costing less than £50. Research has demonstrated that it is technically possible to inject forged ACARS messages that would appear to come from ground stations or ATC. While modern aircraft have multiple redundant systems and crews are trained to cross-check information, the potential for confusion from forged weather, clearance, or operational messages presents a genuine risk — particularly in high-workload scenarios. The aviation industry acknowledges these vulnerabilities but has been slow to retrofit authentication given the global coordination required.

CPDLC and the Evolution of Datalink Security

Controller-Pilot Data Link Communications (CPDLC) — which is replacing voice ATC in oceanic airspace and some terminal environments — runs over more modern infrastructure including ACARS VHF datalink (VDL Mode 2) and SATCOM. While newer implementations include some additional security measures, the broader ACARS/CPDLC ecosystem still lacks end-to-end authentication and encryption comparable to modern internet communications standards. ICAO and Eurocontrol are aware of these limitations and are working on longer-term security standards for aviation datalinks, but near-term improvements are constrained by the need for global interoperability.

What Aviation Security Teams Should Do

While aircraft and airspace system vendors work on longer-term ACARS security improvements, aviation security teams should:

  • Ensure crew training covers ACARS-related threat scenarios — recognising potentially anomalous messages and cross-checking against other information sources
  • Review ground-side ACARS system security: servers processing ACARS data should be hardened, access-controlled, and monitored
  • Include ACARS infrastructure in OT/ICS security assessments — ACARS ground stations and routers are OT assets
  • Monitor threat intelligence for ACARS-related attack developments — the security research community continues to publish new findings
  • Consider ACARS message logging and anomaly detection for ground-side infrastructure
  • Engage with airline and airport information sharing communities on ACARS threat intelligence
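
A sketch of the ground-side logging and anomaly detection suggested above, as an added example that is not part of the original article or any vendor's product. It assumes a hypothetical message gateway that writes one JSON record per message; the field names, source identifiers, registrations, labels and thresholds are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample log (JSON lines). Schema, sources, tails and labels are
# hypothetical and do not reflect any real gateway or label assignment.
SAMPLE_LOG = """\
{"ts": 1000, "dir": "uplink", "src": "ops-gw-1", "tail": "G-TEST1", "label": "X1", "text": "FUEL UPDATE"}
{"ts": 1010, "dir": "downlink", "src": "rgs-7", "tail": "G-TEST1", "label": "X2", "text": "ENG REPORT"}
{"ts": 1020, "dir": "uplink", "src": "unknown-host", "tail": "G-TEST1", "label": "X3", "text": "REVISED CLEARANCE"}
{"ts": 1030, "dir": "uplink", "src": "ops-gw-1", "tail": "G-NOPE9", "label": "X1", "text": "DELAY NOTICE"}
{"ts": 1040, "dir": "uplink", "src": "ops-gw-1", "tail": "G-TEST2", "label": "X3", "text": "CLEARANCE A"}
{"ts": 1045, "dir": "uplink", "src": "ops-gw-1", "tail": "G-TEST2", "label": "X3", "text": "CLEARANCE B"}
{"ts": 1050, "dir": "uplink", "src": "ops-gw-1", "tail": "G-TEST2", "label": "X3", "text": "CLEARANCE C"}
not-json garbage line
"""

ALLOWED_UPLINK_SOURCES = {"ops-gw-1"}      # systems permitted to submit uplinks
FLEET = {"G-TEST1", "G-TEST2"}             # registrations the operator flies
BURST_WINDOW_S, BURST_LIMIT = 60, 2        # max same-label uplinks per tail per window

def detect(log_text):
    """Return a list of (line_no, rule, detail) findings for a JSON-lines log."""
    findings, recent = [], defaultdict(list)
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            m = json.loads(line)
            ts, direction, src, tail, label = m["ts"], m["dir"], m["src"], m["tail"], m["label"]
        except (ValueError, KeyError, TypeError):
            findings.append((n, "unparseable", line[:40]))  # log gaps hide activity
            continue
        if tail not in FLEET:
            findings.append((n, "unknown-tail", tail))
        if direction != "uplink":
            continue
        if src not in ALLOWED_UPLINK_SOURCES:
            findings.append((n, "unexpected-uplink-source", src))
        # Sliding window: keep only timestamps inside the window for this tail+label
        window = [t for t in recent[(tail, label)] if ts - t < BURST_WINDOW_S] + [ts]
        recent[(tail, label)] = window
        if len(window) > BURST_LIMIT:
            findings.append((n, "uplink-burst", f"{tail} {label} x{len(window)}"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Because the datalink itself carries no authentication, checks like these only cover messages that pass through the operator's own ground systems; they complement, rather than replace, crew cross-checking.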

Frequently Asked Questions

Can an attacker actually take control of an aircraft via ACARS?

No credible evidence exists of an attacker successfully controlling a commercial aircraft via ACARS. The scenarios demonstrated by researchers like Hugo Teso exploited ACARS as a delivery mechanism to inject data into avionics — a proof of concept, not an operational attack. Modern aircraft have multiple redundant systems, and pilots are trained to cross-check and reject suspicious information. However, the potential for ACARS to be used to deliver confusing or misleading information to flight crews — particularly forged weather or ATC messages — remains a genuine concern in specific scenarios.

Is ACARS security being addressed by the aviation industry?

ICAO, Eurocontrol, and aviation industry bodies including AEEC (Avionics Engineering and Engineering Committee) are working on longer-term security standards for aviation datalinks. The Aeronautical Telecommunications Network (ATN) standards that underpin CPDLC include provisions for authentication in newer implementations. However, retrofitting authentication to the global ACARS ecosystem — involving thousands of aircraft, hundreds of ground stations, and multiple service providers — is a substantial challenge requiring international coordination and significant investment.
