The U.S. Air Force intelligence aircraft have been using fake Mode-S codes, but this doesn’t give any real operational advantage. It just fuels some crazy conspiracy theory.
On Sept. 7, 2020, a USAF RC-135W Rivet Joint, registration 62-4134/OF, from Kadena, Japan, as “RAINY 51” carried out an intelligence gathering mission over the South China Sea. During the mission the aircraft flew off Hainan island and came as close as 55 miles from mainland China. While the sortie was pretty routine (the Rivet Joints just like many other ISR – Intelligence Surveillance Reconnaissance – aircraft conduct daily missions near hotspots all around the world), the one earlier this month made the news because, at a certain point during the flight, the American spyplane changed its hex code.
The hex code is a unique ICAO 24-bit address (part of the aircraft’s Certificate of Registration) used to identify the aircraft and broadcast by its Mode-S transponder. Normally, the hex code is never changed, but the onboard transponders can be re-programmed.
On Sept. 7, the RC-135 changed its hex code from the usual AE01CE to 750548, a code in the range assigned to Malaysia. Indeed, each nation has its own range of assigned hex codes: Malaysia has the range 750000 to 750FFF; the U.S. has the range A00000 to AFFFFF.
⚠️ CONFIRMED ⚠️
(Using independent #ADSBexchange flight data.)
🇺🇸 United States Air Force Boeing RC-135W Rivet Joint 62-4134/OF|#AE01CE|#RAINY51 took off from #KadenaAB #RODN @ 2020-09-07 23:28Zhttps://t.co/UP2W7ZkAkx https://t.co/DUqGUTcJ5Z pic.twitter.com/ArS0bZCsaf
— Steffan Watkins 😷🇨🇦 (@steffanwatkins) September 9, 2020
The use of a bogus hex code does not mean the aircraft disappeared from radars or was automatically considered a Malaysian airliner by the Chinese Air Defense: the aircraft remained very well visible on all the radars in that area while transmitting a false identifier. By electronically impersonating a Malaysian aircraft, the RC-135 could hardly fool China (or any other radar operator in any part of the world). In fact, air defense radars simply do not rely on the information autonomously transmitted by the aircraft for identification. A more complex correlation that includes checking on the FPL (Flight Plan), Diplomatic Clearance (DCN) and “history” of the track is required to correctly declare a track either “friendly” or “hostile”. When some of the details are missing hence identification can’t be done or there are doubts information provided might be inaccurate or false, a visual identification by fighter jets in QRA (Quick Reaction Alert) can be required, especially if the “zombie” (as the unknown/hostile traffic is called in the fighter lingo) is approaching or operating next to the sovereign airspace. No aircraft is identified or worse, fired upon, because of what its Mode-S transponder transmits.
For this reason, any report stating that the aircraft was trying to “hide from” or “fool” Chinese Air Defense does not make sense. Rivet Joint as well as any other ISR platform can legally operate with their transponder turned off outside of controlled airspaces without spoofing their transponders hex codes. As we have often explained here at The Aviationist, spyplanes (and drones) usually operate in “due regard” with transponder switched off, with no radio comms with the ATC control, using the concept of “see and avoid” where the pilot flying is responsible for avoiding all traffic conflicts, much like a VFR flight plan without flight following.
In other words: they could continue operating as they have done for decades without using fake hex codes that would not help them hide from enemy radars.
At this point is also worth spending some time explaining that when the aircraft turns its transponder off it does not become stealth: it only passively bounces radio waves sent by the radar becoming a “non-cooperating” target in a primary surveillance radar (PSR) scenario. The pulse of radio energy sent out by the radar is reflected by the surface of the target plane back to the receiver providing the bearing of the aircraft from the ground station and its distance (calculated as the time taken by the pulse to reach the target surface and return). Since only a fraction of the interrogation pulse is reflected back to the ground radar, the reply signal has a reduced range and is subject to signal attenuation. Hence, it can be difficult to detect. But for sure, it’s not “invisible”.
Back to the RC-135 episode, it’s also worth highlighting that the episode, that has made the news after the South Sea Probing Initiative, a Chinese think tank whose advisory board includes serving officers of the People’s Liberation Army and Chinese Navy, first announced the “impersonation”, was not the first time a Rivet Joint changed its hex code during a mission.
The first recorded case we are aware of dates back to February 2019:
Really funny, on Friday, USAF was using a fake Russian HEX CODE to hide Rivet Joint registration patrolling off the coast of #Venezuelahttps://t.co/uKpWQpkmui
— Manu Gómez (@GDarkconrad) February 26, 2019
In that case the Rivet Joint was conducting a spy mission off Venezuela. Same behaviour and same effect, with the main difference that the event did not fuel any crazy conspiracy theory.
Many other similar occurrences have been recorded since then.
USAF Rivet Joint fake Hex Code 05886F DKPCH4D call sign tracking near #Venezuela pic.twitter.com/T3GkLYhWqQ
— Manu Gómez (@GDarkconrad) March 29, 2019
The one on Sept. 7, was neither the first not the last such episodes. Other U.S. aircraft have started using spoofed hex codes:
Miscode US Navy P8 Poseidon ICAO Hex Code BA686F orbiting South of #Cyprus pic.twitter.com/zB4JbwUD0m
— Manu Gómez (@GDarkconrad) September 29, 2020
As we write this, an RC-135 is using a bogus hex code during an operational mission from Souda Bay, Crete:
HEX code switched to D2921E pic.twitter.com/TMyNYq1n2v
— Manu Gómez (@GDarkconrad) September 29, 2020
We have asked former RC-135 aircraft commander and national security historian Robert Hopkins to give us his point of view on the use of fake Mode-S codes by the Rivet Joints. Robert has operational experience with the S, U, V, W, and X models of the RC-135 so there is probably no better qualified expert to comment on this.
“USAF RC-135s have indeed been squawking bogus Mode S codes, but they are RANDOM, not intentional. That’s important to note,” told us Hopkins in a message. “There was an instance where ONE Mode S code apparently fell within the range assigned to Malaysia, but not specifically assigned to an airliner —just any Malaysian aircraft. At the same time, USAF RC-135s in the Black Sea have used random Mode S codes. These clearly do not attempt to mimic Malaysian airliners.”
“There is ZERO operational advantage, repeat ZERO advantage in doing this. It affords no better proximity nor protection for the RC-135. PERIOD”, the experienced pilot says.
Therefore, considered that it does not obfuscate operations to the adversary, why do they use bogus hex codes?
“My assessment is that someone has determined that using these random Mode S codes will confuse amateur OSINT trackers/Flight Radar followers from tracking RC-135s on their legal missions in international airspace. Instead, serious trackers note this discrepancy and report it, spawning no end of stupid conspiracy theories and drawing needless attention to missions that have been going on without incident for decades. This is a terrible decision by some clever person that only serves to undermine a legitimate and safe operation in international airspace.”
We have also asked Steffan Watkins, a Canadian open source research consultant specializing in ship and plane movements, a comment about the hex codes spoofing story.
“I think someone wrote a standard operating procedure (SOP) at some point, and figured obfuscating things was safer than not obfuscating things; but they’re not at war, and it doesn’t protect their operations, it only continues to feed conspiracy theories about planes’ transponders being a vector of obfuscation or cyber-attack; especially Malaysian-aircraft conspiracy theories about MH370 or MH17,” Watkins told us.
“American C-17 flights into Libya, which seem to not be reported in the American press, use their real ICAO, so I can’t explain why they would fake it for reconnaissance immediately off the coast of China, Syria, or Crimea for that matter. We have evidence from all three using spoofed identifiers, for over a year.”
Big fail in coping with OPSEC failures?
We have been writing about the possible OPSEC implications of improper use of ADS-B/Mode-S since 2011. Back then, there were just a few flight tracking websites and just a handful of military aircraft could be tracked online as most turned off their Mode-S transponders when approaching the operational areas. But not always. During the opening stages of the Libya Air War in 2011 some of the combat aircraft involved in the air campaign forgot/failed to switch off their mode-S or ADS-B transponder, and were clearly trackable on FR.24 or PF.net. And despite pilots all around the world already knew the above mentioned flight tracking websites very well, transponders remained turned on during real operations, making their aircraft clearly visible to anyone with a browser and an Internet connection.
As a consequence, we have highlighted the the risk of Internet-based flight tracking of aircraft flying war missions for years.
In 2014 we discovered that a U.S. plane possibly supporting ground troops in Afghanistan acting as an advanced communication relay can be regularly tracked as it circled over the Ghazni Province. Back then we explained that the presence of the aircraft over a sensitive target alone could expose an imminent air strike, jeopardizing an entire operation. But, as more aircraft became visible online thanks to websites and apps that did not hide combat aircraft (such as the now famous ADSBExchange.com), the use of Mode-S transponders has clearly become a way to “show the flag”: since “standard” air defense radars would have been able to see them regardless to whether they had the transponder on or off, RC-135s and other strategic ISR platforms, including the Global Hawks, began to operate over highly sensitive regions, such as Ukraine or the Korean Peninsula, with the ADS-B and Mode-S turned on, so that even commercial off the shelf receivers (or public tracking websites) could monitor them.
This has been the case at least until 2019, when the first cases of bogus hex codes have been recorded. The purpose was probably to keep a low profile on certain operations and disappear from the public eye (not from the enemy radars). But the effect, in the end, was quite the contrary.