{"id":26810,"date":"2025-03-10T08:47:15","date_gmt":"2025-03-10T12:47:15","guid":{"rendered":"https:\/\/ops.group\/blog\/?p=26810"},"modified":"2025-03-12T11:28:35","modified_gmt":"2025-03-12T15:28:35","slug":"dc-false-alerts-could-tcas-be-vulnerable-to-cyber-attack","status":"publish","type":"post","link":"https:\/\/ops.group\/blog\/dc-false-alerts-could-tcas-be-vulnerable-to-cyber-attack\/","title":{"rendered":"DC False Alerts: Could TCAS Be Vulnerable to Cyber Attack?"},"content":{"rendered":"<p>On March 1, several aircraft <a href=\"https:\/\/www.independent.co.uk\/travel\/news-and-advice\/washington-dc-reagan-airport-collision-warnings-faa-b2709270.html\" target=\"_blank\" rel=\"noopener\">reported<\/a> erroneous TCAS TA and RA alerts while on approach to Runway 19 at <strong>KDCA\/Washington.<\/strong> All aircraft correctly followed avoidance procedures, and <strong>no loss of separation<\/strong> occurred. Six of the incidents occurred within eleven minutes of each other.<\/p>\n<p><iframe loading=\"lazy\" title=\"Numerous COLLISION WARNINGS Near Washington DCA Airport!\" width=\"1080\" height=\"608\" src=\"https:\/\/www.youtube.com\/embed\/pOXV3AjESVU?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>\u2b06\ufe0f <em>shared with permission, courtesy of <strong>VASAviation.<\/strong><\/em><\/p>\n<p>What has followed is speculation &#8211; who, or what, was responsible? It is an answer the FAA is actively seeking.<\/p>\n<p><strong>TCAS interference<\/strong> is rare but can occur. 
There are several plausible explanations, including ground clutter and reflections, software issues and unintentional radio interference.<\/p>\n<p>However, it would be hard to deny that these alerts came at a <strong>sensitive time<\/strong> both for operations at the airport following the mid-air collision over the Potomac River, and across a broader tapestry of concern for aviation safety across the US NAS given recent events.<\/p>\n<p>Which raises an important question &#8211; <strong>can TCAS actually be tampered with?<\/strong> Is it possible these events were an act of criminal mischief or other ill intent? While the possibility is remote, a little-known alert <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-25-021-01\" target=\"_blank\" rel=\"noopener\">issued<\/a> just weeks ago by <strong>CISA<\/strong> (the part of Homeland Security responsible for US cyber and infrastructure security) suggests it is <em>indeed<\/em> possible.<\/p>\n<p>In the alert, published on January 21, CISA discussed<strong> two flaws in TCAS design<\/strong> that leave the system vulnerable to <strong>malicious<\/strong> <strong>cyber-attacks<\/strong> \u2013 one of which it deems a high, almost critical, vulnerability.<\/p>\n<p>In the event that such an attack occurs, criminal interference could generate fake targets on an aircraft\u2019s TCAS display and even disable resolution advisories.<\/p>\n<p>The problem is that the bulletin is quite technical. So here is a breakdown of what it says in plain, simple language.<\/p>\n<h6><strong>The Bulletin<\/strong><\/h6>\n<p>There were essentially <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-25-021-01\" target=\"_blank\" rel=\"noopener\">two risks<\/a> identified for TCAS II Versions 7.1 or older.<\/p>\n<h4>1. 
Fake Position Signals<\/h4>\n<p>It is theoretically possible to broadcast a spoofed aircraft location to another target.<\/p>\n<p>This could be achieved using specialised radio equipment, with which potential attackers could send fake signals to aircraft, causing the appearance of <strong>non-existent targets<\/strong> on TCAS displays, along with the associated warnings.<\/p>\n<p>In other words, crews would effectively be chasing shadows.<\/p>\n<p>As TCAS II systems rely on transponders that may not be able to adequately validate the data received, they remain vulnerable to unauthorised signals. The bulletin describes this risk as a reliance on &#8216;<em>untrusted inputs<\/em>&#8217;.<\/p>\n<p>Read the report and you\u2019ll see something called a \u2018<strong>CVSS score<\/strong>.\u2019<\/p>\n<p>CVSS stands for <strong>Common Vulnerability Scoring System<\/strong>, and it is basically a danger rating for flaws in computer security. It is a measure of how serious a vulnerability is. Factors include the method of attack, the access required and the potential impact.<\/p>\n<p>It is represented on a scale of 0 (non-existent) to 10 (critical).<\/p>\n<p>The issue of fake position signals has been given a CVSS score of <span style=\"text-decoration: underline;\">6.1.<\/span><\/p>\n<p>Perhaps more concerning is that the report advises there is no way to actively mitigate this threat with existing TCAS technology. The equipment required is accessible to the public. Therefore, this threat is the most likely suspect in any erroneous TCAS interference occurring today.<\/p>\n<h4>2. No TCAS RA<\/h4>\n<p>This affects some older TCAS II systems using transponders built to outdated technical standards.<\/p>\n<p>It is theoretically possible for an attacker to impersonate a ground station and send a special request that lowers a system&#8217;s sensitivity settings. 
A TCAS sensitivity level command does exist; it was envisaged to reduce nuisance alerts at some airports.<\/p>\n<p>This could be used to maliciously adjust sensitivities to the lowest setting and even <strong>disable a resolution advisory<\/strong> completely.<\/p>\n<p>The threat has a concerning CVSS score of <span style=\"text-decoration: underline;\">8.1<\/span> \u2013 highly vulnerable to exploitation, but an attack would require a high level of expertise and technology to carry out.<\/p>\n<p>Fortunately, in this case there is a way to mitigate the problem \u2013 by switching to ACAS X, or upgrading your associated transponder to more recent technical standards.<\/p>\n<p>There is <strong>no indication<\/strong> that this vulnerability has ever been exploited.<\/p>\n<div id=\"attachment_26812\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-26812\" class=\"size-large wp-image-26812\" src=\"https:\/\/ops.group\/blog\/wp-content\/uploads\/2025\/01\/freepik__the-style-is-candid-image-photography-with-natural__6974-1024x701.jpeg\" alt=\"\" width=\"1024\" height=\"701\" srcset=\"https:\/\/ops.group\/blog\/wp-content\/uploads\/2025\/01\/freepik__the-style-is-candid-image-photography-with-natural__6974-1024x701.jpeg 1024w, https:\/\/ops.group\/blog\/wp-content\/uploads\/2025\/01\/freepik__the-style-is-candid-image-photography-with-natural__6974-300x205.jpeg 300w, https:\/\/ops.group\/blog\/wp-content\/uploads\/2025\/01\/freepik__the-style-is-candid-image-photography-with-natural__6974-768x525.jpeg 768w, https:\/\/ops.group\/blog\/wp-content\/uploads\/2025\/01\/freepik__the-style-is-candid-image-photography-with-natural__6974.jpeg 1216w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><p id=\"caption-attachment-26812\" class=\"wp-caption-text\">While unlikely, the CISA bulletin proves that TCAS could be vulnerable to malicious interference.<\/p><\/div>\n<h4><strong>So,<\/strong> 
could<strong> the aircraft at KDCA have been hacked?<\/strong><\/h4>\n<p>It&#8217;s unlikely, but CISA&#8217;s report indicates it&#8217;s possible. And a <a href=\"https:\/\/aireon.com\/dca-tcas-anomalies-explained\/\" target=\"_blank\" rel=\"noopener\">new expert analysis<\/a> of events at KDCA by <strong>Aireon<\/strong> seems to agree. In their published report they found that <em>&#8216;it is possible the intruder was airborne or related to a ground-based transmitter used for testing or spoofing.&#8217;<\/em><\/p>\n<h4><strong>Why does this matter?<\/strong><\/h4>\n<p>The industry must remain responsive to security threats that are becoming increasingly sophisticated and designed to exploit vulnerabilities in safety-critical systems.<\/p>\n<p>The recent industry-wide interest in <a href=\"https:\/\/ops.group\/blog\/gps-spoofing-final-report\/\" target=\"_blank\" rel=\"noopener\">GPS interference<\/a>, spanning from the inconvenient to major degradations including the loss of EGPWS protection, ADS-B tracking and navigational accuracy, is a startling testament to this fact. This is all possible because of <strong>existing system design.<\/strong><\/p>\n<p>Since the events of September 11, passenger screening and security protocols have undergone a revolution, and it&#8217;s now much harder for bad actors to carry out conventional attacks. 
But there are still risks associated with malicious attacks that could potentially be achieved <strong>remotely<\/strong> \u2013 and cyber-interference seems an obvious choice.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On March 1, several aircraft reported erroneous TCAS TA and RA alerts while on approach&#8230;<\/p>\n","protected":false},"author":49,"featured_media":27164,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1899,2289,1687],"class_list":{"0":"post-26810","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-briefings","8":"tag-cyber-attack","9":"tag-kdca","10":"tag-tcas"},"_links":{"self":[{"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/posts\/26810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/comments?post=26810"}],"version-history":[{"count":31,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/posts\/26810\/revisions"}],"predecessor-version":[{"id":27181,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/posts\/26810\/revisions\/27181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/media\/27164"}],"wp:attachment":[{"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/media?parent=26810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/categories?post=26810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ops.group\/blog\/wp-json\/wp\/v2\/tags?post=26810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}