Not only can malicious people make airliners climb and dive without pilot input – they can also control where and when they do so, research from Pen Test Partners (PTP) has found.
TCAS spoofing, the practice of fooling collision detection systems aboard airliners, can be controlled to precisely determine whether an airliner fitted with TCAS climbs or descends – and even to produce climb rates of up to 3,000ft/min.
Building on earlier research into the bare-bones concept [PDF], PTP said it had figured out how to shape and control airliners' automatic TCAS responses so they moved up or down at precisely known points.
In a blog post the firm said: “We rationalised this to the point where we only needed three fake aircraft to provide [a Resolution Advisory] that caused a climb of over 3,000 ft/min.”
TCAS works by warning pilots that another aircraft (also fitted with TCAS) is going to collide with them unless they change course, climb or descend. It does this in two stages: the first is an aural Traffic Alert (TA) which shouts "traffic, traffic" or similar over the cockpit loudspeakers; the second is a Resolution Advisory (RA), where it gives instructions to pilots ("descend now" and so on).
The system shows pilots a target climb or descent rate, co-ordinated with the other aircraft's TCAS system, to ensure they both miss each other, so one might climb and the other descend. Advanced versions allow the autopilot to fly RA manoeuvres without pilot input, which is where Pen Test Partners' research comes in.
By spoofing fake TCAS contacts using previously described techniques, PTP found it could control exactly where and when airliners climbed and descended.
The prospect of a rollercoaster ride is less scary (or realistic) than it might seem; a recent Oxford University study showed that when airliner pilots are presented with too many spoof warnings, they simply disable the system responsible – and look out of the window so they keep flying safely. ®