Blog: Aviation Cyber Security
Jeopardising aircraft through TCAS spoofing
The Traffic Alert & Collision Avoidance System or TCAS was first developed in the early 1980s using transponders on aircraft to interrogate other aircraft within a set range about their distance, altitude, and heading. If a collision course is detected and the aircraft is suitably equipped, a TCAS alert will be sounded.
There are several levels of alert and advice:
Initially the Traffic Alert (TA) audibly alerts the pilot to the conflicting traffic. If no action is taken, further alerts will sound. TCAS II can provide a Resolution Advisory (RA) also:
The RA gives the pilot specific instructions to avoid the conflicting traffic. These are likely to be to advise one pilot to climb and the pilot of the other aircraft to descend, or vice versa. RAs under TCAS II are always vertical, never to initiate a turn.
e.g. <Traffic> and <Descend>
The climb/descend rate required will be displayed by the pilot’s Flight Director in the Primary Flight Display with green “fly to” zones displayed on the vertical speed tape , so it’s a matter of ‘chasing the needles’ to avoid a crash.
In certain autopilot modes (mostly on Airbus), the aircraft will automatically follow the TCAS RA and climb or descend with no input from the pilot.
There’s plenty more on the finer detail of TCAS and the many mid-air collisions that have been caused as a result of pilots not following a TCAS RA here.
However, others have shown that it’s possible to create fake TCAS traffic.
We’ve taken this further and investigated how airplanes equipped with autopilots capable of flying a resolution advisory themselves would respond in certain scenarios.
Technically, we first need to know a little about the RF communications that form the basis of transponder data.
TCAS uses responses from secondary surveillance radar transponders – there are two types used to compute the position of other aircraft. Mode S transmits a unique 24bit aircraft address along with altitude and GPS-derived position data, Mode C transmits a 4 digit transponder code and altitude information only so the TCAS unit itself calculates range and bearing based on these transmissions. The full FAA introduction to TCAS is available here for reference.
The Mode S data is known as “extended squitter” (really!) and data packets are sent over 1090MHz using Manchester encoded PPM at 1Mbps. The data structure is actually easy to decode and a cheap, $10, DVB USB dongle can pick them up for you to plot aircraft data yourself [https://www.rtl-sdr.com/adsb-aircraft-radar-with-rtl-sdr/]
TCAS is not stupid – it can analyse multiple inputs from conflicting aircraft concurrently. However, it will prioritise dealing with the most pressing conflict first, dealing with that and then moving on to the next most pressing conflict. A very logical process.
Creating real alerts is perfectly possible, but very dangerous and very illegal. We were therefore restricted to working on flight simulators. There are clearly limitations of the simulator model, but these are developed for approved training and should deal with TCAS alerting in a very similar manner to real airplanes.
We experimented with multiple configurations of fake aircraft, iterating through different ‘stacks’ of fake airplanes to determine how to make TCAS respond in a way to cause the victim plane to move in a direction of our choice.
First, we presented it with a simple ‘wall’ with more aircraft above than below.
TCAS responded with a steep descent, unsurprisingly.
Then we presented it with more aircraft in a wall, extending beyond the limits of its climb and descent performance.
Finally, we presented it with a ‘wedge’ of fake aircraft, to see if the TCAS would provide an RA in the direction we intended.
We rationalised this to the point where we only needed three fake aircraft to provide an RA that caused a climb of over 3,000 ft/min.
By careful placement of ghost aircraft, we could cause TCAS RA reversals too:
The most likely consequence of fake TCAS alerts is that the pilot will turn off TCAS resolution advisories, possibly even traffic advisories. The fake aircraft do not show up on radar, the pilot will realise they are fake and seek to suppress the fake alerts. This has been demonstrated in a paper from Oxford University.
The resolution advisory is only made if the switch is as displayed:
If not, no RA will be given. If set to ‘STBY’ then no traffic alerts are given either:
As a result, pilots will not be alerted to conflicting traffic by TCAS. Ground stations however will continue to monitor for conflicts and will advise the pilot appropriately
If a traffic alert is sounded, the traffic will appear on the PFD. However, the pilot has other methods to identify traffic, including radar. If the TCAS data does not match that shown on radar, then its legitimacy is brought in to question.
Further, ground controllers also have systems to identify conflicting traffic. Indeed, a ground controller will probably identify potential traffic well before TCAS would alert.
It’s also worth noting that mis-configured transponders in light aircraft can cause TCAS false alarms, so they aren’t that unusual. Mode C and Mode S transponders in light airplanes can transmit height data. If the altitude encoder is mis-calibrated or faulty, rogue TCAS alerts can be created on aircraft operating at much higher altitudes.
Excellent research by the University of Oxford looked at the human performance of pilots in similar situations. They demonstrated that in many cases, experienced pilots would turn off the TCAS Resolution Advisory in response to false alerts.
This leads one on to a worrying conclusion that pilots could first be irritated in to disabling the TCAS RA, then would be less able to deal with a legitimate TCAS alert. A version of the ‘Crying Wolf’ attack.
All of the above undermine the effectiveness of TCAS, in that the pilots trust in the system is reduced.
We have shown that careful placing of fake aircraft through rogue transponder broadcasts can cause an aircraft under autopilot control to climb or descend towards legitimate traffic.
Human pilots could also be directed to follow the same rogue resolution advisories, or confused in to inadvertently disabling safety systems.
The next generation of TCAS, known as ACAS-X, takes an input from ADS-B which includes GPS data. This should make TCAS spoofing much harder….
…except that ADS-B is also relatively straightforward to spoof. This clearly adds a layer of complexity to creating fake aircraft, but is well within the capability of any hobbyist with RF expertise.