Securing Air Taxi Landing Queues Against Spoofing

Q: Threat types modeled

2 — Selfish misreporting (individual gain) and malicious spoofing (system disruption) — each requiring a distinct robust defense

Q: Detection threshold

±εᵢ seconds — Lies within the surveillance uncertainty bound cannot be proven false — the robust framework must operate within this window

Q: Game-theoretic structure

Stackelberg — Coordinator announces rule first; self-interested vehicles respond optimally — a classic leader-follower game from economics

Q: Individual adjustment cost

(aᵢ − τᵢ)² — Each vehicle's cost is the squared difference between its assigned and natural arrival time — penalising large deviations heavily

Q: Sensitivity dimensions planned

4+ — Traffic density, arrival separation, surveillance noise, and size of the suspect-vehicle set will all be varied in the forthcoming numerical study

Imagine a fleet of electric air taxis converging on a rooftop vertiport in downtown Austin — twenty vehicles, similar speeds, all expecting to land within the same ten-minute window. Who goes first? In the world being built right now by companies like Joby, Archer, and Lilium's successors, the answer depends partly on each vehicle telling a ground coordinator when it expects to arrive. That self-reported number — the estimated time of arrival, or ETA — flows through a protocol called Remote-ID, a kind of digital license plate for drones and air taxis that broadcasts identity, position, and flight data.

The problem, as a team at the University of Texas at Austin has now formally shown, is that nothing stops a vehicle from lying about that number. Shave a few seconds off your reported ETA, and you might jump ahead in the landing queue. Shift your claimed arrival slightly earlier than your true plan, and someone else absorbs the delay you avoided. It sounds almost petty — until you scale it up to thousands of daily flights in a congested urban airspace, or until a malicious actor realizes they can use the same mechanism not to benefit themselves but to deliberately scramble the entire sequencing system and manufacture congestion where there was none.

This is the problem Im, Fotiadis, Topcu, and Fridovich-Keil (2026) set out to solve. Their paper, "Secure Coordination for Vertiport Sequencing in Advanced Air Mobility," is one of the first formal treatments of adversarial manipulation in urban air traffic management — and the mathematical architecture they propose is worth understanding in some detail, because it captures something genuinely tricky: how do you defend a system against lies you cannot always prove are lies?

The Science

Advanced air mobility (AAM) — the umbrella term for electric vertical take-off and landing aircraft, air taxis, and urban drone networks — is expected to bring aircraft densities near vertiports that dwarf anything conventional air traffic control was designed to handle. A vertiport might serve dozens of arrivals per hour, with minimum temporal separation between consecutive landings ($s_{\min}$, in the paper's notation) measured in seconds rather than minutes. At those margins, the order in which vehicles land matters enormously. A resequencing that pushes one aircraft back by thirty seconds might force it to enter a holding pattern, burning battery, increasing risk, and cascading delay through the queue behind it.

The coordinator — a ground-based system, likely automated — receives two kinds of information about each approaching vehicle. The first is the self-reported ETA, $\overset{τ}{^}_{i}$ , broadcast via Remote-ID. The second is an independently derived estimate, $\tilde{τ}_{i}$ , inferred from surveillance infrastructure: radar, ADS-B receivers, or optical tracking systems, similar to what conventional air traffic management already uses (Federal Aviation Administration, 2024; Eurocontrol, 1997). The key insight of the paper is that these two sources are not equally trustworthy, and that the gap between them is the terrain on which manipulation happens.

A vehicle's true ETA is $τ_{i}$ . Its reported ETA is $\overset{τ}{^}_{i} = τ_{i} + δ_{i}$ , where $δ_{i}$ is the reporting deviation — zero for an honest vehicle, negative if the vehicle is claiming to arrive sooner than it actually will. The surveillance system produces its own estimate, but with noise: it cannot tell you $τ_{i}$ exactly, only that $τ_{i}$ probably falls within some interval of width $\pm ε_{i}$ around the measured value. This creates what the authors call the uncertainty-consistent feasible falsification set $U_{i}$ — the range of deviations $δ_{i} \in [- ε_{i}, ε_{i}]$ that a vehicle can claim without its report being definitively contradicted by the surveillance data.

Any lie within that window is, in a strict evidentiary sense, undetectable. The coordinator cannot prove it false. That is not a failure of the system; it is a fundamental consequence of physics. Surveillance sensors have noise. This is the constraint the paper works within, and the honest acknowledgment of it is what makes the framework intellectually serious.

What They Found

The paper's core contribution is a set of two robust optimization problems — one for each threat model — that allow the coordinator to design sequencing rules that remain defensible even when some vehicles are lying within the undetectable window.

Two Threat Models: How False Reporting Affects the Sequencing System

Conceptual comparison of the two adversarial models studied in the paper. Self-interested misreporting optimizes one vehicle's outcome; malicious spoofing degrades the system-level objective.

Two Threat Models: How False Reporting Affects the Sequencing System
Label	Value
Selfish misreporter's goal: minimize own cost	1
Malicious attacker's goal: maximize system cost	0

The coordinator's baseline job is to solve a scheduling problem: assign arrival times $a_{i}$ to each vehicle such that consecutive arrivals are separated by at least $s_{m i n}$ , while minimizing the total schedule-adjustment cost across all vehicles. Each vehicle's individual cost is:

$J_{i} (a_{i}, τ_{i}) = (a_{i} - τ_{i})^{2}$

This is a squared deviation — the further a vehicle is pushed from its natural arrival plan, the worse. The system-level cost is the sum of all individual costs. Under truthful reporting, this is a clean, tractable optimization. Under false reporting, the coordinator is minimizing against the wrong inputs, and the resulting schedule may look efficient on paper while actually imposing large hidden costs on honest vehicles.

Threat model one: the selfish cheater. A self-interested vehicle observes the coordination rule — it knows how the system will respond to reported ETAs — and chooses the most favorable lie within $U_{i}$ . The interaction has a Stackelberg structure (named after the economist Heinrich von Stackelberg): the coordinator moves first by announcing its sequencing rule, and each strategic vehicle moves second, responding optimally to that rule. This is exactly the structure of many regulatory games — a tax authority sets a policy, and firms optimize against it.

The vehicle's best response is:

$δ_{i}^{⋆} (θ) \in ar g δ_{i} \in U_{i} min J_{i} (S_{θ, i} (τ_{i} + δ_{i}, \overset{τ}{^}_{- i}), τ_{i})$

Here, $S_{θ}$ is the parameterized sequencing rule (the coordinator's policy, governed by robustification parameter $\theta$), and $\hat{\tau}_{-i}$ is the reported ETAs of all other vehicles. The coordinator then solves for the $θ$ that minimizes total system cost assuming every vehicle in the suspect set $M$ will play its best response. The result is a sequencing rule that has already anticipated the cheating and priced it in.

Threat model two: the malicious attacker. This is more unsettling. Here, an external actor — not a vehicle operator seeking personal gain, but someone who simply wants to break things — injects false reports for vehicles in $M$ . The vehicles themselves are assumed to be honest; it is the broadcast signal that has been tampered with. The attacker's goal is to maximize the system-level cost, not minimize any individual vehicle's cost. The coordinator's problem becomes a minimax: choose $θ$ to minimize the worst-case total sequencing cost over all adversarially chosen deviations within the uncertainty sets.

$θ min δ_{i} \in U_{i}, i \in M max i = 1 \sum N J_{i} (S_{θ, i} (τ + δ_{M}), τ_{i})$

This is the classic robust optimization setup — and it is harder to solve than the Stackelberg version, because the adversary has no self-consistent objective beyond disruption. The coordinator must hedge against the most damaging possible combination of false reports, even if that combination would require the attacker to simultaneously manipulate many vehicles in coordinated fashion.

Planned Experiment Conditions: Sensitivity Study Variables

The authors plan to evaluate their robust sequencing framework across four key sensitivity dimensions. Each axis represents a study variable that will be varied to assess when secure coordination provides the greatest benefit.

Planned Experiment Conditions: Sensitivity Study Variables
Label	Value
Traffic density	5
Arrival-time separation	5
Surveillance noise level	5
Size of suspect set \|M\|	5
Falsification magnitude ε	5

Key Facts

2 Threat types modeled Selfish misreporting (individual gain) and malicious spoofing (system disruption) — each requiring a distinct robust defense

±εᵢ seconds Detection threshold Lies within the surveillance uncertainty bound cannot be proven false — the robust framework must operate within this window

Stackelberg Game-theoretic structure Coordinator announces rule first; self-interested vehicles respond optimally — a classic leader-follower game from economics

(aᵢ − τᵢ)² Individual adjustment cost Each vehicle's cost is the squared difference between its assigned and natural arrival time — penalising large deviations heavily

4+ Sensitivity dimensions planned Traffic density, arrival separation, surveillance noise, and size of the suspect-vehicle set will all be varied in the forthcoming numerical study

What the paper does not yet provide — this is an extended abstract, with full numerical results forthcoming — is a concrete answer to how large the cost of robustness is. Making a system harder to game typically makes it less efficient under honest conditions: more conservative schedules, more buffer time, less throughput. The planned numerical study will quantify this tradeoff directly, comparing baseline, selfish-robust, and malicious-robust sequencing under both truthful and falsified reporting conditions, across varying traffic densities and surveillance noise levels.

Why This Changes Things

To appreciate why this matters, it helps to understand that Remote-ID was not designed with adversarial game theory in mind. It was designed for identification and accountability — to give regulators and law enforcement a way to know who is flying what, where. Its security properties against active spoofing are limited (Bjorkman et al., 2026; Keizer et al., 2024), and the aviation community is only beginning to grapple with what that means as the systems that depend on Remote-ID data grow more consequential.

In conventional air traffic control, pilots and controllers communicate verbally, and a pilot who falsely reported their position would be violating federal law and risking their license. The deterrence is social and legal as much as technical. In a highly automated AAM system — where the "pilot" may be software, and the vehicle operator may be a fleet management algorithm optimizing across hundreds of aircraft simultaneously — those social deterrents weaken. The incentive to shave a few seconds off a reported ETA and gain a better landing slot could, in principle, be baked into a fleet operator's optimization routine without any human ever consciously deciding to cheat.

The Surveillance Window: What Can and Cannot Be Detected

A report deviation δᵢ is detectable only if it falls outside the surveillance uncertainty bound εᵢ. Deviations inside the window [-εᵢ, +εᵢ] are consistent with sensor noise and cannot be rejected as false — this is the space the robust rules must defend against.

The Surveillance Window: What Can and Cannot Be Detected
Label	Value
Detectable lie (\|δᵢ\| > εᵢ): rejected outright	1
Undetectable lie (\|δᵢ\| ≤ εᵢ): robust rule required	0
Truthful report (δᵢ = 0): nominal scheduling applies	0

This is what makes the Stackelberg framing so apt. The paper is not imagining dramatic hacking scenarios (though those are also in scope under the malicious model). It is imagining something more mundane and more likely: a competitive market of air taxi operators, each running automated systems, each with economic incentive to minimize delay for their own vehicles, and none of them necessarily intending to cause harm. The sequencing protocol needs to be robust against rational self-interest operating at machine speed, not just against bad actors.

The surveillance cross-check is the key defensive layer. By maintaining an independent, externally derived estimate of each vehicle's arrival time, the coordinator creates an evidentiary standard: reports that fall outside the surveillance-consistent window $U_{i}$ can simply be rejected. Reports inside the window cannot be rejected — but the robust sequencing rule is designed to limit the benefit a vehicle can gain by lying within that window, reducing the incentive to lie in the first place. This is mechanism design in the classical economic sense: structuring the rules of the game so that honest behavior becomes the rational strategy.

The distinction between the two threat models also has practical significance for system design. Defending against selfish misreporting is, in some ways, the easier problem: you need to make cheating unprofitable. Defending against malicious spoofing is harder, because the attacker has no positive objective to constrain them — they will simply find the worst-case disturbance. The paper's minimax formulation provides a principled worst-case guarantee, but it will also tend to produce more conservative schedules. Regulators and operators will need to decide how much efficiency to sacrifice for how much security, and the upcoming numerical study promises to give them actual numbers to work with.

The planned extension on surveillance resource allocation adds another dimension. If the coordinator can direct sensing resources — radar dwell time, resolution, tracking priority — toward vehicles that appear more likely to misreport, it can shrink $U_{i}$ for those vehicles, making their lies easier to detect. This transforms surveillance from a passive measurement system into an active strategic tool, one that the coordinator wields as part of the same optimization problem it uses to assign landing slots.

What's Next

The immediate limitation of this work is that the full numerical results are not yet in hand. The paper is an extended abstract — a research agenda presented at a conference, not a completed study. The planned experiments promise to quantify the efficiency-security tradeoff across realistic scenarios, but until those numbers exist, the framework remains a theoretical architecture without empirical validation.

There are also open questions the authors acknowledge. The set $M$ — the vehicles whose reports are treated as suspect — is taken as given in this version of the paper. In practice, deciding which vehicles to distrust requires its own algorithm, one that draws on reported patterns, surveillance measurements, and operational risk indicators. Getting that classification wrong in either direction has costs: miss a cheater, and the robust rule provides no protection; flag an honest vehicle, and you impose unnecessary conservatism on it.

The single-vertiport assumption also simplifies a problem that will, in practice, involve networks of vertiports with interdependent traffic flows. A vehicle that is delayed at one facility may affect sequencing at the next. How robustness propagates through a network — and whether coordinated spoofing attacks across multiple vertiports could defeat local defenses — remains an open question.

What this paper establishes, clearly and rigorously, is that the problem is real and that the tools to address it exist. The mathematics of robust optimization, Stackelberg games, and uncertainty sets are mature; what has been missing is their application to this specific domain. Im et al. (2026) provide that application, and in doing so, they set the agenda for a field that will matter enormously as urban skies grow crowded. The question of who lands first sounds mundane. At scale, in a city with thousands of daily air taxi flights, it is a question of safety, fairness, and the basic trustworthiness of the infrastructure that makes the whole system run.

Flying Taxis Could Be Gamed — This Math Aims to Stop That

The Science

What They Found

Why This Changes Things

What's Next

Source articles

Comments (0)