Not only can attackers make airliners climb and dive without pilot intervention, they can also control where and when they do so, according to research from Pen Test Partners (PTP).
TCAS spoofing, the practice of deceiving the collision avoidance systems on airliners, can be controlled to accurately determine whether a TCAS-equipped airliner goes up or down – and can even produce climb rates of up to 3000 feet / min.
Building on its earlier bare-bones proof-of-concept research [PDF], PTP said it had worked out how to shape and control the automatic TCAS responses of airliners so that they climb or descend at precisely known points.
In a blog post the firm said: “We streamlined this to the point where we only needed three fake planes to supply [a Resolution Advisory] which caused a climb of more than 3,000 ft / min.”
TCAS works by warning pilots that another aircraft (also equipped with TCAS) will collide with them unless they change course, climb or descend. It does this in two stages: the first is an audible Traffic Advisory (TA), which announces “traffic, traffic” or the like over the cockpit speakers; the second is a Resolution Advisory (RA), which gives the pilots instructions (“descend now” and so on).
The system shows pilots a target rate of climb or descent, coordinated with the other aircraft's TCAS so that the two aircraft miss each other: one climbs while the other descends. Newer versions allow the autopilot to fly the RA manoeuvre without pilot intervention, and this is where Pen Test Partners' research comes in.
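To make the two-stage TA/RA behaviour and the coordinated climb/descend choice concrete, here is an added Python model of that logic. It is an illustration written for this article, not code from Pen Test Partners or from any avionics vendor: the time-to-closest-approach thresholds, the 1,200 ft vertical window and the 1,500 ft/min target rate are assumed, simplified values (real TCAS II uses altitude-dependent sensitivity levels), and the "higher aircraft climbs" rule stands in for the Mode S coordination exchange that real equipment uses to agree on opposite senses.

```python
from typing import Optional

# Assumed, simplified thresholds (constructed for illustration; real TCAS II
# sensitivity levels vary with altitude and the exact figures differ).
TA_TAU_SECONDS = 40.0           # traffic advisory when closest approach is this near in time
RA_TAU_SECONDS = 25.0           # resolution advisory when it is this near
ALTITUDE_WINDOW_FT = 1200.0     # only aircraft within this vertical band are threats
RA_TARGET_RATE_FPM = 1500.0     # assumed vertical rate shown to the crew on an RA


def time_to_closest_approach(range_nm: float, closure_rate_kt: float) -> Optional[float]:
    """Return 'tau' (seconds until the aircraft would meet), or None if diverging."""
    if closure_rate_kt <= 0:
        return None
    return range_nm / closure_rate_kt * 3600.0


def classify(own_alt_ft: float, intruder_alt_ft: float,
             range_nm: float, closure_rate_kt: float) -> str:
    """Stage of the encounter: 'CLEAR', 'TA' (traffic advisory) or 'RA' (resolution advisory)."""
    tau = time_to_closest_approach(range_nm, closure_rate_kt)
    if tau is None or abs(own_alt_ft - intruder_alt_ft) > ALTITUDE_WINDOW_FT:
        return "CLEAR"            # diverging, or far enough apart vertically
    if tau <= RA_TAU_SECONDS:
        return "RA"               # second stage: instruct the crew
    if tau <= TA_TAU_SECONDS:
        return "TA"               # first stage: audible "traffic, traffic"
    return "CLEAR"


def coordinated_sense(own_alt_ft: float, intruder_alt_ft: float):
    """Choose complementary vertical senses so the two aircraft miss each other.

    Simplification (assumed rule): the higher aircraft climbs and the lower one
    descends. Real TCAS units negotiate this over Mode S so both sides agree.
    """
    if own_alt_ft >= intruder_alt_ft:
        return "CLIMB", "DESCEND"
    return "DESCEND", "CLIMB"


def advisory(own_alt_ft: float, intruder_alt_ft: float,
             range_nm: float, closure_rate_kt: float) -> dict:
    """What this aircraft's TCAS would present for the given encounter."""
    stage = classify(own_alt_ft, intruder_alt_ft, range_nm, closure_rate_kt)
    if stage == "RA":
        own_sense, other_sense = coordinated_sense(own_alt_ft, intruder_alt_ft)
        return {"stage": "RA", "own": own_sense, "intruder": other_sense,
                "target_rate_fpm": RA_TARGET_RATE_FPM}
    if stage == "TA":
        return {"stage": "TA", "annunciation": "traffic, traffic"}
    return {"stage": "CLEAR"}


if __name__ == "__main__":
    # Constructed encounter: two aircraft 500 ft apart, converging at 400 kt.
    for rng in (10.0, 4.0, 2.0):
        print(rng, "nm ->", advisory(35000.0, 34500.0, rng, 400.0))
    # The same encounter seen from the other aircraft yields the opposite sense.
    print("other side ->", advisory(34500.0, 35000.0, 2.0, 400.0))
```

Running the block walks one encounter from clear, through the TA, to an RA, and then shows that evaluating the same geometry from the other aircraft produces the complementary instruction, which is the coordination property the article describes.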
By injecting fake TCAS contacts using the techniques described above, PTP found it could control exactly where and when airliners climbed and descended.
The prospect of a roller-coaster ride is less frightening (or realistic) than it sounds: a recent study from the University of Oxford showed that when airline pilots receive too many spoofed warnings, they simply switch off the responsible system – and look out the window to keep flying safely. ®