Traffic Collision Avoidance Systems (TCAS) are used in aircraft to avoid hitting other aircraft in flight. And like many electronic systems, they weren't designed for security.
Five researchers in the US – Paul M. Berges, Timothy Graziano, and Ryan Gerdes from Virginia Tech, with Basavesh Ammanaghatta Shivakumar and Z. Berkay Celik from Purdue University – recently put TCAS to the test and found it wanting.
In a paper [PDF] distributed through ArXiv, "On the Feasibility of Exploiting Traffic Collision Avoidance System Vulnerabilities," the cybersecurity boffins found TCAS is vulnerable to spoofing, at least in a laboratory setting. Specifically, they tried to spoof TCAS signals to make phantom planes appear on a collision course, forcing the software to recommend evasive action to pilots. They were able to show it can be done, in theory, though lacked the precision required to pull it off in reality.
This works follows similar spoofing research in Britain revealed last month.
"Heretofore the nature of TCAS, as a highly complex system, has allowed it to enjoy a sort of security through obscurity," the American paper explained. "We have, however, shown that a relatively low-resourced attacker can reproduce the essential signals of TCAS so as to mount an attack against it."
TCAS – known as Airborne Collision Avoidance System or ACAS internationally – is used to prevent near mid-air collisions (NMAC); it's a separate system from Air Traffic Control (ATC). It relies on an onboard transponder that transmits and receives messages between aircraft. The transponder interrogates nearby aircraft for position and identification data over the 1030 MHz frequency band and listens for replies on the 1090 MHz frequency band.
These replies can prompt a Traffic Advisory (TA), which helps the pilot locate the approaching plane, or a Resolution Advisory (RA), which directs the pilot to take specific action or maintain heading to avoid a possible collision. Creating a malicious RA has the potential to cause flight delays, injuries through sudden maneuvers, or, in the worst case scenario, a crash since pilots are obliged to follow them.
Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchersREAD MORE
A year after the July 2002 crash of a Bashkirian Airlines passenger jet and DHL cargo jet over southern Germany, the International Civil Aviation Organization (ICAO) amended its regulations to state that pilots should follow TCAS advisories even in the face of alternative guidance from ATC. And that's been adopted by America's FAA and other civil aviation agencies.
The reason for deferring to TCAS is that the automated system is assumed to have more up-to-date data and to be capable of responding faster than human air traffic controllers and ground-based systems. While human error has been blamed for about 60 to 80 per cent of accidents [PDF], automated systems can cause problems too, as was seen with Boeing's 737 Max.
In an email to The Register, Paul M. Berges, a Virginia Tech computer scientist and one of the paper's authors, said the team's proof-of-concept attack against TCAS requires ascertaining the range between the attacker and the target aircraft using the TCAS messaging protocol.
"TCAS does this by estimating the difference in time between when it sends an interrogation message and when it receives a reply from the interrogated aircraft," he said.
The attack relies on a GNU Radio-based application, software-defined radio (SDR) hardware from Ettus Research (Universal Software Radio Peripheral B210 and N2010), and a PC powered by an Intel Core i7-6800K with six 3.4 GHz cores and 16GB RAM to dupe TCAS into tracking a phantom aircraft.
These are radio signals traveling at light speed where the slightest variance in a series timestamps translates to thousands of meters of variance in apparent range
Making it work, Berges explained, requires that the system handling the TCAS interrogation minimize latency between detecting a reply signal and recording the time the reply is detected as precisely as possible "because these are radio signals traveling at light speed where the slightest variance in a series timestamps translates to thousands of meters of variance in apparent range."
Berges used Python to make the GNU Radio-based app and that was enough to validate the idea but fell short of a fully successful attack. That is to say, the researchers successfully spoofed TCAS messages but the precision of the calculations to place a phantom plane proved too variable because Python was too slow.
"Using this architecture, I found that, while I could detect TCAS messages and translate them from I/Q samples to packets of data, I couldn't create timestamps that were precise enough to produce reliable range estimates," said Berges. "However, the GNU Radio framework supports components written in languages better suited for real-time applications (e.g. C++), so I would look into writing such custom components in order to sufficiently meet the two criteria above."
Berges said that if a different language failed to provide the necessary performance increase, there are other options such as migrating from software to a hardware solution that uses an onboard FPGA.
A professional pilot who spoke with The Register and asked not to be identified for this story said that even if this particular attack isn't fully formed, it raises concerns that the aviation community should consider.
Security researchers outlined the possibility of attacks of TCAS and other avionics systems in an academic paper last year. And they came to a similar conclusion: "Longer term, avionic communications systems need secure design." ®