SPOTTING THE FAKE

How to detect ADS-B spoofing

ADS-B was built for openness, not security — its messages are unauthenticated, so a fabricated aircraft is technically possible. The good news: spoofed broadcasts almost always betray themselves by contradicting physics or their own metadata. Here are the signals that expose them, and how AeroScope applies every one.

See it live ↗Open benchmark dataset

Why it’s possible

ADS-B is unauthenticated by design

ADS-B messages carry no signature and no encryption, so any transmitter could, in principle, inject a fabricated position. Documented research has shown ghost aircraft, altitude tampering and velocity tampering are all feasible. That’s why a serious platform treats every broadcast as a claim to be verified, not a fact. See the basics on ADS-B technology.

The four signals

How a spoof gives itself away

🛡️

1 · Integrity-field mismatch

Real avionics report consistent NIC/NACp/NACv/SIL quality fields. A fabricated message often sets them wrong, or claims a precision its jittery track can’t support.

DO-260B

📈

2 · Physical implausibility

A Kalman filter predicts where the aircraft should be next. A spoof that "teleports", accelerates impossibly or violates its performance envelope fails the normalised-innovation (NIS) test.

KALMAN NIS

⚖️

3 · Self-inconsistency

Geometric-vs-barometric altitude, ground-speed-vs-Mach and track-vs-heading should agree on a real airframe. Contradictions between them betray a fabricated record.

RESIDUALS

🌐

4 · Single-source / timing

A real aircraft is heard by several independent receivers. A target seen by only one network, or whose multi-receiver timing doesn’t add up, deserves suspicion.

CROSS-CHECK

How AeroScope does it

Every broadcast, checked

AeroScope runs a DO-260B-style 7-check plus a Kalman normalised-innovation test and the three self-consistency residuals on every aircraft, every cycle, and fuses 60+ feeds so multi-receiver agreement is a free integrity signal. Suspect aircraft are surfaced with the contributing factors shown — see signal integrity and threat scoring. None of this uses a black-box neural network; it’s built on auditable, established methods.

Want to evaluate detectors yourself? The open AeroScope ADS-B Anomaly Benchmark (CC-BY 4.0) pairs real traffic with injected attacks across 38 documented columns, with an IsolationForest baseline at ROC-AUC ≈ 0.87 — a reproducible testbed for spoofing-detection research.

FAQ

Frequently asked questions

Can ADS-B be spoofed?

Yes. ADS-B messages are unauthenticated and unencrypted, so a transmitter can in principle inject fabricated positions — ghost aircraft, altitude tampering and velocity tampering have all been demonstrated in research. Detection relies on catching the inconsistencies a spoof leaves behind.

How do you detect a spoofed aircraft?

Four complementary checks: (1) compare the ADS-B integrity fields (NIC/NACp/NACv/SIL) against the track’s actual precision; (2) test physical plausibility with a Kalman normalised-innovation test; (3) check self-consistency between geometric/barometric altitude, ground-speed/Mach and track/heading; and (4) cross-validate against multiple independent receivers. AeroScope applies all four.

What is a ghost aircraft?

A ghost aircraft is a fabricated ADS-B target that doesn’t physically exist, created by transmitting fake messages. It typically fails plausibility and integrity checks — for example, appearing to only one receiver, or moving in ways no real airframe could.

Does spoofing detection need machine learning?

Not necessarily. The core checks are rule-based and physics-based (integrity fields, Kalman plausibility, self-consistency). AeroScope adds a torch-free consensus of established anomaly detectors as a second opinion, but every flag remains explainable from its contributing features — there is no reinforcement learning or opaque model.

Where can I get data to test a spoofing detector?

The open AeroScope ADS-B Anomaly Benchmark (CC-BY 4.0) pairs real airborne traffic with synthetically injected attacks following the standard taxonomy, across 38 documented columns with a bundled IsolationForest baseline. See the research page.