Vulnerabilities in TCAS II collision warning system for civil aircraft identified by CYD Campus
Last week, American security authorities confirmed serious vulnerabilities in the collision warning system used in civil aviation. A research project conducted beforehand by the Cyber-Defence Campus (CYD) of armasuisse Science and Technology (S+T) in collaboration with Italian researchers contributed significantly to the discovery of these vulnerabilities.
Samuel Albrecht and Andrea Thäler, Cyber Security and Data Science, Competence Sector Science and Technology

In brief
The CYD Campus of the Federal Office for Defence Procurement has subjected the Traffic Alert and Collision Avoidance System (TCAS) II used in civil aviation to a comprehensive technical security analysis. The manufacturers and aviation authorities in Europe and the United States have been informed. The published vulnerabilities were classified as moderate and severe, respectively, by the US Cyber Defense Agency (CISA) and the Federal Aviation Authority (FAA) of the United States.
On 11 December 2024, a Boeing 737-800 is on approach to John F. Kennedy Airport in New York City. What initially appears to be a normal landing suddenly becomes unusual. A collision warning appears on the aircraft's TCAS display. The pilot is instructed by the TCAS system to immediately avoid the potential collision and climb to 3,700 feet, which he does as instructed. Subsequently, air traffic control and the pilot determine that there was no other aircraft in the vicinity and that there was never any risk of collision. Is this a technical problem or a new type of cyber attack?
Research at CYD Campus
Researchers at CYD Campus have been working on this topic for over five years. The Cyber Avionics Lab in Thun, which was set up for this purpose, allows them to investigate cyberattacks on certified aviation systems. CYD Campus researchers have been doing pioneering work in this field for years. Various systems such as ADS-B, MLAT, CPDLC and GPS have been scrutinised to show how these digital aviation systems would react to realistic cyberattacks.
Over the past two years, a team from CYD Campus has been working intensively with Italian researchers on the investigation of TCAS II. This system is mandatory in civil aviation for aircraft weighing 5,700 kg or more or carrying more than 19 passengers and serves as a last resort for avoiding collisions when all other procedures for maintaining distance between aircraft have failed. Pilots are obliged to respond immediately to TCAS collision warnings, for example by adjusting their altitude up or down. Following the Überlingen air collision in 2002, it became mandatory to follow TCAS instructions.
In autumn 2023, the team succeeded in triggering false warnings on a pilot cockpit in their laboratory using a certified TCAS processor from Garmin with its own radio setup. These results were then demonstrated at the DEF CON hacker conference in Las Vegas and at the USENIX Security conference in Philadelphia in summer 2024.
Since the initial report by CYD Campus in the summer of 2024, various security and aviation authorities around the world have addressed this issue. The US Department of Homeland Security's Cyber Safety and Security Agency (CISA), together with the FAA, was the first to issue a safety notice on 21 January 2025. They classify the two vulnerabilities found at CYD Campus as moderate and severe. This classification is crucial for other affected regions outside the US that require TCAS, including Europe.
Outlook and conclusion from the CYD Campus perspective
According to the FAA, there are currently no practical countermeasures. However, there are a number of limitations and complexities associated with successfully conducting such an attack in practice. Nevertheless, the risk should not be underestimated, and it is recommended that affected organisations have compensatory measures in place to detect such attacks and respond appropriately in the event of an attack.
