You wait ages for a mid-air collision spoofing attack and along come two at once: More boffins take a crack at hoodwinking TCAS

Traffic Collision Avoidance Systems (TCAS) are used in aircraft to avoid hitting other aircraft in flight. And like many electronic systems, they weren't designed for security. Five researchers in the US – Paul M. Berges, Timothy Graziano, and Ryan Gerdes from Virginia Tech, with Basavesh Ammanaghatta Shivakumar and Z. Berkay …

  1. Anonymous Coward

    Longer term, avionic communications systems need secure design

    Do they?

    What is the risk of a collision because a valid TCAS warning is ignored because of an expired certificate?

    How are you going to keep the keys secure when they have to be handed out to every aircraft operator from North Korea to Narnia?

    What is the risk of an attacker using this to cause an accident?

    Many people are killed every year in the USA because of false 911 calls. The solution is to persuade Police to think before shooting - not to limit 911 calls to mil-spec secure communication channels.

    1. David Pearce

      Public and private keys

      Boeing/Airbus etc sign their TCAS message with their private keys and the other aircraft has a list of the various public keys. This is an authentication problem, not encryption.

  2. beep54


    Uhm, shouldn't this be job one in practically anything?

    1. andy 103

      Re: Security

      It's more concerning how people who come up with these proofs of concept get the information required to simulate them in the first place.

      From the way this article is written it suggests all they did was a bit of Googling, then bought a mid-to-high spec computer from their local PC World. Frightening that that's "all" it takes. The information needed to do something like this shouldn't be in the public domain, simple as.

      It isn't security through obscurity because they clearly knew enough about how it worked to simulate an attack. Absolutely crazy.

      1. MiguelC Silver badge

        Re: Security

        You say it's not security by obscurity and seem to advocate using that? It doesn't really work, you know... Systems should be public knowledge so that any failings can be quickly found and corrected.

        I would say they're likening it to security by obscurity just because the system is pretty complex, enough to make it hard to replicate (not impossible, obviously).

        1. andy 103

          Re: Security

          I would never advocate security through obscurity. But I also don't feel that on a system of this nature the details of how it works should be in the public domain. Personally I'd prefer it if these things were kept within closed circles rather than "hey everyone here's how this works, please can you try and break it?". Not for this application anyway. Opening everything up to the world for scrutiny doesn't automatically make it "secure".

          1. SkippyBing

            Re: Security

            That would work until exactly one person tells someone outside the circle of trust the details. Given the basics of its operation are taught to all commercial pilots I'm not sure how you think anyone could keep a lid on it.

            Mind you I'm not sure they've actually proven an ability to usefully spoof it either. At best they're going to have an aircraft say it's further away from another one than it really is, but the windows will still work so they won't have achieved more than just turning the transponder off.

    2. SkippyBing

      Re: Security

      It was designed in the late 70s/early 80s to use existing systems to ensure compatibility with aircraft that didn't have TCAS fitted. For the time it was completely secure and un-spoofable.

  3. Phones Sheridan Silver badge

    So all a miscreant needs is a hacked DJI Phantom with a max flying height of 19000 feet, an FCPGA powered transponder on board or possibly one powered by a PI running a C++ app, and if they get it close enough to a jet they could con it into taking a dive to avoid a crash. Wonderful.

    I wonder how eager the aeroplane manufacturers were to let these guys at the system, or if the security testers had to gain access via other means.

    1. W.S.Gosset

      Worse and increasingly easy and cheap:

      A flock of them, all with bicycle chains attached and dangling, with the aircraft directed to perform an emergency deviation through the flock.

      Bang. Crash. Carnage.

      Cheap. Easy. Fantastic news drama globally. Next on the list for any tryhard would-be backyard terrorist.

      1. Tom Paine

        Sounds rather like what Bruce Schneier used to call "movie plot threats".

      2. crayon

        "A flock of them, all with bicycle chains attached and dangling"

        If someone could manage to get consumer drones up near the flight path of a passenger plane, wouldn't it be less hassle to just fly them things into the engines?

    2. phuzz Silver badge

      Or, with the same drone, but without the transponder, you could just crash the drone into the aircraft.

      Why make it more complicated?

  4. Neil Barnes Silver badge

    Why simulate the TCAS?

    Can one not purchase a commercial TCAS unit and lie to it about where it is and how it's moving? (Ignoring the cost of such devices, of course).

    It would seem that if one has the heavy lifting done by the unit, needing only to control its inputs should be a much simpler proposition.

    Hmm. Worst case, I suppose, is a unit on an actual in-flight aircraft, either piloted or not, that sends signals that translate as 'crash on me' instead of 'run away, run away'.

    1. SkippyBing

      Re: Why simulate the TCAS?

      TCAS unit doesn't know or care about where it is or how it's moving. It's just measuring the time taken to receive a reply, and the rate of change of that time to estimate closure rate, and the phase difference of the received signal on two antennas to get a bearing*. The reply it's listening for is literally the serial number of the transponder unit in the other aircraft.

      There is nothing in the signals being transmitted or received that gives position information (altitude information is encoded in the reply). This allows non-TCAS equipped aircraft to be detected and avoided by TCAS equipped aircraft as pretty much all aircraft have a transponder fitted so they appear with useful information on ATC radar.

      Consequently the only way to do spoofing would appear to be altering the time the response signal is transmitted. I suppose you might be able to transmit two signals slightly out of phase to confuse the bearing calculation as well?

      *It's not that accurate in bearing but it's not really an issue.
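
Added example, not part of any comment in this thread or of the researchers' code: the range and closure-rate measurement described in the "Why simulate the TCAS?" reply above, with a plausibility check a receiver could run over one transponder's track. The 128 µs turnaround, the 650 m/s closure bound, the flag names and the sample timings are assumptions constructed for illustration.

```python
C = 299_792_458.0        # speed of light, m/s
TURNAROUND_S = 128e-6    # ASSUMED fixed transponder reply delay, seconds
MAX_CLOSURE_MS = 650.0   # ASSUMED plausibility bound on closure rate, m/s

def slant_range_m(t_tx, t_rx, turnaround=TURNAROUND_S):
    """Range from one interrogation/reply pair: half the round-trip distance."""
    return C * (t_rx - t_tx - turnaround) / 2.0

def track(pairs):
    """pairs: [(t_tx, t_rx), ...] for one transponder address, in time order.

    Returns [(t_tx, range_m, closure_ms, flags)]. closure_ms is positive when
    the range is shrinking and None for the first sample.
    """
    out, prev = [], None
    for t_tx, t_rx in pairs:
        rng = slant_range_m(t_tx, t_rx)
        flags = []
        if rng < 0:
            # A reply cannot arrive sooner than the turnaround delay allows.
            flags.append("reply-before-turnaround")
        closure = None
        if prev is not None:
            # Rate of change of the measured range between two interrogations.
            closure = (prev[1] - rng) / (t_tx - prev[0])
            if abs(closure) > MAX_CLOSURE_MS:
                flags.append("implausible-closure")
        out.append((t_tx, rng, closure, flags))
        prev = (t_tx, rng)
    return out

def make_pair(t_tx, true_range_m):
    """Constructed sample: timing an honest transponder at that range produces."""
    return (t_tx, t_tx + TURNAROUND_S + 2.0 * true_range_m / C)

# Constructed track: steady 200 m/s closure, then a 3600 m jump in one second.
SAMPLE = [make_pair(0.0, 10000.0), make_pair(1.0, 9800.0),
          make_pair(2.0, 9600.0), make_pair(3.0, 6000.0),
          make_pair(4.0, 5800.0)]

if __name__ == "__main__":
    for t, rng, closure, flags in track(SAMPLE):
        print(f"t={t:.0f}s range={rng:8.1f} m closure={closure} flags={flags}")
```
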

  5. Displacement Activity

    Don't get it...

    They've built an SDR TCAS, which is not really interesting. To get it to do anything, they have to get it *close* to an approaching aircraft - it's physically impossible to pretend to be close, without the next-gen faster-than-light SDR2. And, if they have managed to get their kit near an approaching aircraft, then the target aircraft should get out of the way anyway. There may be some limited mileage in putting it on the ground, spoofing their altitude, and hoping that they can persuade passing aircraft to gently ascend or descend.

    Note that 'security' doesn't mean authentication here. ACAS uses 64-bit messages. The Wikipedia article makes the point that it can't be extended to even 128 bits because it would then be too slow to handle high-traffic scenarios.

    The only interesting thing here seems to be the comparison of Python and C++.

    1. Anonymous Coward

      Re: Don't get it...

      Or they load their kit up on to a drone, and fly it up to where two aircraft are about to safely pass each other. Switch on the system and fool one of the aircraft into diving and the second into climbing.

      This could potentially be a lot more problematic in the future when the bags of mostly water are removed from the cockpit.

      1. SkippyBing

        Re: Don't get it...

        I think the getting a drone where 'two aircraft are about to safely pass each other' might be the challenging part. Unless you're relying on luck you're going to need a chunky drone to get up to the heights needed for a usable length of time.

        You'd also need to find two aircraft heading exactly towards each other only separated by height, in most cases airliners now fly offset to one side of an airway to avoid people going the wrong way down it. The Flight Management Computers even have pre-sets to do this. i.e. you're trying to get two objects in 3D space to collide by controlling their movement in 1 dimension only. Not impossible, but not easy even if their kit actually worked as intended. Not saying you wouldn't get a near miss mind.

        Oh and you'd have to spoof a serial number that made the two aircraft manoeuvre the way you wanted, the rule is something like lowest serial always climbs. So depending on the numbers of the two aircraft you want to interfere with the geometry may not work out.

  6. Kevin McMurtrie Silver badge

    light speed

    You know you need to trick a speed-of-light measuring mechanism and you chose Python running on a desktop computer? Aren't there plenty of no-OS hobby boards out there?

  7. c1ue

    The researchers probably tried to do things the hard way.

    The easy way would be to pre-calculate a spoof plane at a specific distance and just hard code that delta onto the signal.

    As for encryption: we all know how to make signals more secure. However, the TCAS hardware simply isn't capable of it.

    And retrofitting would require all of the planes: commercial, private, new, old to be refitted.
