US aviation regulator warns of mid-air collision risk if Garmin TCAS boxes are not updated
Software fixes available, says FAA
Updated American aviation regulators have ordered private jet operators to install software updates for Garmin collision avoidance units after multiple reports of false alarms – raising the risk of a mid-air crash.
The affected Garmin products, its GTS 8000 series, generated seven false Traffic Collision Avoidance System (TCAS) warnings, said the US Federal Aviation Administration (FAA) in a formal Airworthiness Directive (AD) published [PDF] earlier this month.
GTS 8000 processing units, said the FAA, are known to be installed in a range of posh private jets including Cessna Citations, Learjet 45s and Embraer Phenoms – as well as the decidedly unsexy Shorts 360 passenger/cargo hauler.
TCAS Resolution Advisory (RA) systems work by detecting nearby TCAS-fitted aeroplanes. Alex Lomas, aviation security lead at British infosec consultancy Pen Test Partners (PTP) told The Register: "TCAS works with dedicated transponders that interrogate both the 'ownship' and 'intruder' to calculate a closing rate and generate alerts accordingly. In this case it seems that this calculation has failed safe in one regard, which is that alerts are generated when an intruder is too far away, but the knock on effect is that instructions to the pilot could then increase the risk of collision with a third aircraft."
The FAA said the GTS 8000s were calculating "incorrect range rates" and triggering resolution advisories (RAs, instructions to climb or dive) for intruder aircraft which were "greater than 10 nautical miles (NM) away." The technology is only supposed to do that when an intruder is 40 seconds away from a collision, as explained on the Skybrary website. Typically TCAS is fitted to jet airliners and commercial aircraft.
- Meet the new aviation insecurity, same as the old aviation insecurity: Next-gen ACAS X just as vulnerable to spoofing as its predecessor
- You wait ages for a mid-air collision spoofing attack and along come two at once: More boffins take a crack at hoodwinking TCAS
- Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers
- Fancy that: Hacking airliner systems doesn't make them magically fall out of the sky
The agency explained that with unmodified Garmin GTS 8000s, a TCAS event "involving three or more airplanes can result in mid-air collision," saying that a three-way collision warning raised the risk "that the TCAS, in resolving the false RA with the initial airplane, will create an actual loss of separation with a third airplane."
"This condition, if not addressed, could result in an RA being generated when no risk of loss of separation or risk of collision exists between the airplanes involved, which can lead to a mid-air collision with a third airplane," it concluded.
This warning echoes earlier research from PTP, which found that three fake warnings could be precisely manipulated to cause an airliner to climb or descend on a predictable trajectory. It also has echoes of spoofing ACAS X, the next generation of TCAS technology.
Lomas said: "As with any software implementation of a complex algorithm there are occasionally mistakes made, which seems to be the case here. Current implementations of TCAS do not always handle multiple aircraft encounters particularly well and are limited to RAs to vertical changes in altitude only."
We have asked Garmin for comment and will update this article if the manufacturer responds. ®
Updated to add
Conor McDougall, Garmin's media relations specialist, got in touch to tell The Register: "Garmin is aware of this potential issue and has developed a software update to address it. We are working swiftly with our partners to ensure fielded aircraft are provided with this solution."