Meet the new aviation insecurity, same as the old aviation insecurity: Next-gen ACAS X just as vulnerable to spoofing as its predecessor
Faking an emergency collision alarm - just what you don't need over Heathrow
Aviation boffins have found that next-gen collision aircraft avoidance systems appear to be just as vulnerable to signal spoofing attacks as older kit.
In a paper distributed via ArXiv, computer scientists at the UK's University of Oxford and Switzerland's Federal Office for Defence Procurement analyzed the Airborne Collision Avoidance System X (ACAS X), due to be deployed on commercial aircraft in the next few years, and found that it can be manipulated by a miscreant to produce fake collision alerts that prompt pilots to take evasive action.
Boffins Matthew Smith, Martin Strohmeier, Vincent Lenders, and Ivan Martinovic conducted their tests using laboratory simulations, so the work is theoretical. However, they argue that their findings suggest more work needs to be done to improve aviation system security before the identified flaws can be translated into a real-world threat.
... an attacker can successfully trigger a collision avoidance alert which on average results in a 590 ft altitude deviation
"We find that in 44 per cent of cases, an attacker can successfully trigger a collision avoidance alert which on average results in a 590 ft altitude deviation; when the aircraft is at lower altitudes, this success rate rises considerably to 79 per cent," the paper claimed.
Today's collision avoidance system for aviation is known as TCAS (Traffic Alert and Collision Avoidance System), or Airborne Collision Avoidance System (ACAS) outside the US. It's an automated, transponder-based warning system designed to prevent near mid-air collisions. And it operates independently from the guidance provided by ground-based Air Traffic Control.
TCAS responders in planes interrogate each other for position and identification data, in order to prevent aircraft from getting too close and possibly colliding.
The system may issue traffic advisories (TA), audible warnings directing pilots to check for nearby planes, and resolution advisories (RA), orders to take specific action like ascending or descending that pilots are supposed to follow.
Earlier this year, eggheads from Virginia Tech and Purdue University in America formulated a theoretical attack that could create phantom airplanes and force a TCAS warning.
And now, we learn, ACAS X suffers from similar issues.
You wait ages for a mid-air collision spoofing attack and along come two at once: More boffins take a crack at hoodwinking TCASREAD MORE
ACAS X, which relies on a probabilistic model (specifically, Markov decision processes) for its collision avoidance logic instead of the hardcoded rules of TCAS, is supposed to roughly halve the risk of collision [source PDF] compared to previous generations of kit, and reduce the number of advisories hectoring pilots.
While its calculations may be more sophisticated, ACAS X is just as susceptible to malicious abuse of the radio spectrum: "all current and next generation CAS rely on unauthenticated wireless links," the paper explained.
Using a commodity software-defined radio such as Hack RF, together with an amplifier and antenna capable of transmitting at 500W on the on 1030/1090 MHz band, it's feasible to create a custom gadget capable of moving an antenna to track aircraft, and of communicating with CAS transponders in a way that creates inaccurate data.
For their test, the boffins took flight trajectory data from the OpenSky Network over the course of 31 days, between November 15, 2019 and December 15, 2019. And they used ADS-B data from flights within an 80 km box around six airports: London Heathrow, Amsterdam Schiphol, Frankfurt Am Main, New York John F. Kennedy, and Washington Dulles.
Running 6,000 flight trajectories through their simulation, written with the Julia programming language, the UK-Swiss team found that London Heathrow was the most vulnerable, with 63 per cent of its runs having the opportunity – in terms of airplane distance, altitude, speed, and course – to inject a malicious RA. The least vulnerable was Washington Dulles, where only 18.7 per cent of runs led to an RA injection opportunity.
"The consequences of such an attack are significant," the paper concludes. "While causing mid-air collisions is unlikely, this attack causes direct disruption with the potential effects rippling out and affecting many aircraft nearby. We propose that to manage the risk of this attack, air traffic managers could use our simulation approach to map out high-risk areas and deploy monitoring systems there."
Not that we're saying planes are about to fall out of the sky, or give you a bumpy ride unexpectedly, due to ACAS shenanigans, though it's interesting research none the less. ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust