Details of Royal Air Force missions have been published online for years in a “staggering” security blunder, The Telegraph can disclose.
Messages that reveal air-to-air refuelling flight plans and the possible locations of British fighter jets have been broadcast by the the RAF over an insecure aviation messaging system that anyone can read.
The practice, which appears to have carried on for several years, includes details of recent missions in the skies over Cyprus, which has been attacked by Iranian drones.
When contacted for comment, the RAF claimed that nothing in the messages was “operationally sensitive”. But analysis by The Telegraph suggests that an adversary could use the data to work out potential locations and times at which fuel tankers intended to rendezvous with fighter jets.
Other messages appear to instruct pilots to remove secret documents being carried on a refuelling craft. In another case, a message apparently tells an aircraft where to park before landing in Cyprus on the same day as the Iranian drone strike.
The Telegraph is not reporting details of any live or upcoming missions. Messages only remain live on the internet for a few days before being wiped.
Philip Ingram, a former Intelligence Corps colonel who held personal responsibility for the security of military operations during his time in the Army, described the breach as a “staggering”.
He said: “Quite simply, this comes down to laziness and convenience.
“They find it easier to do that than to go through the secure means, especially when they’re chatting amongst their mates. They just haven’t considered the fact it’s being monitored by anyone and everyone.”
The RAF is sending the unencrypted messages over a communications network called Aircraft Communications, Addressing and Reporting System (ACARS).
ACARS is similar to mobile phone text messaging and was widely adopted by civilian aviation in the 1980s. Words are sent and received by pilots from screens in their cockpits.
Such text messages are used by civilian airlines for routine matters such as changes to flight plans or updated weather forecasts.
ACARS messages can be intercepted by anyone with a radio aerial and a computer equipped with the right software to read the messages.
RAF Voyagers are used to refuel military planes such as Typhoon interceptors and F-35 Lightning fighter jets – French MoD
However, the RAF is using ACARS for sharing operationally sensitive details about its fleet of tankers and cargo aircraft. The system is not used by fighter jets.
Text from the messages is being picked up on websites run by flight-tracking enthusiasts, who publish their content online.
Details seen by The Telegraph include the flight plan for a Voyager air-to-air refuelling jet departing from RAF Akrotiri in Cyprus after the start of the Iran war, on a mission to refuel fighters.
Messages detailed the precise amount of fuel aboard the tanker, its scheduled time of departure and the time of day it was expected to land back at Akrotiri.
Using this information, an adversary could calculate how long the tanker would spend airborne and how many fighter jets it could refuel, Col Ingram explained.
Another series of messages detail conversations about a Voyager numbered ZZ343, which flew to Akrotiri on Sunday (see map below) after the start of the Iran war, according to publicly available tracking data.
The messages show that before landing, ZZ343 was told to turn off a tracking system known as Identification Friend or Foe (IFF) upon landing at Cyprus, so that its location was secret. The message concludes with a request to acknowledge.
But a later publicly available message, which The Telegraph has partly redacted, shows the aircraft being told where to go upon landing at Akrotiri – potentially useful information for an adversary.
One of the messages also appeared to tell crew members to remove secret documents from another Voyager aircraft, ZZ334, following a mission out of Akrotiri.
It said: “UPON RETURN, PLEASE COLLECT ALL S DOCS FROM ZZ334 AND BRING BACK TO OFFICE.”
The Telegraph has also reviewed other messages from February, before the war began.
One exchange with a Voyager numbered ZZ336, which was operating over the North Sea, appears to refer to meeting a pair of F-35 Lightning fighter jets from RAF Marham operating under the callsigns Doom 11 and Doom 12, and refuelling them with two tonnes of fuel for a specified length of time.
The message – which included some details The Telegraph has redacted in the interest of national security – said: “DOOM 11-12 CANT MAKE 1200. ARE YOU HAPPY WITH STAYING IN 5 TILL 1600 AND MEETIN DOOM 11-12 FOR 1255-1305 WITH 2T AS PER DOT SHEET.”
Precise timing and quantities involved in air-to-air refuelling should not be broadcast publicly, Col Ingram said, as it could allow fighters to be targeted.
ZZ336 was named Vespina during Boris Johnson’s premiership following a £900,000 refit, and was to be used by VIPs as well as refuelling missions.
The plane was given new livery featuring the Union Flag on the tail and a secure satellite communications system was installed, the RAF said at the time.
Another ACARS message sent before the war contained details of Typhoon interceptors flown by 6 and 29 Squadrons, which were on a training exercise over the North Sea, stating that bad weather had caused delays and cancellations to a planned rendezvous.
One unencrypted message contained details of an RAF Typhoon, such as this one pictured at RAF Akrotiri in Cyprus – MoD
Other details included engineering and technical faults aboard military aeroplanes.
Flight plans for upcoming journeys have also been transmitted, along with details of diplomatic clearances received from each country en route.
Identical equipment to ACARS is used to power websites such as Flight Radar 24, which displays the locations of aeroplanes by reading automatic messages broadcasting their locations.
Changing the radio frequency used by such equipment allows it to pick up ACARS text messages instead of location messages.
Details of delays and timings given in the RAF messages were verified by looking at the public tracking website Flight Radar 24, which picks up Air Force aeroplanes that have their transponders switched on.
A Ministry of Defence spokesman insisted that security had not been compromised by any of the messages.
He said: “We take operational security extremely seriously and none of the information provided to us by The Telegraph is operationally sensitive. Information on the site includes non-classified information such as weather updates.
“It is common practice for Voyager military crews and all civilian airline crews to use ACARS to send non-sensitive operating information between the aircraft and ground operations.”