American Cyber Défense Agency (CISA) has warned about flaws in Aircraft Collision Avoidance Systems : TCAS II. The reported flaws are tracked as CVE-2024-9310 & CVE-2024-11166Â
What is Traffic Alert and Collision Avoidance System ?
A “Traffic Alert and Collision Avoidance System II” (TCAS II) is an airborne system on aircraft that uses radar to detect nearby aircraft and, when a potential collision is imminent, provides the pilot with specific instructions on how to avoid the conflict, known as a “Resolution Advisory” (RA), essentially acting as a last-resort collision avoidance mechanism that operates independently from air traffic control (ATC). Traffic Alert and Collision Avoidance System (TCAS) is also known as the Airborne Collision Avoidance System (ACAS).
There are 4 versions of the TCAS : TCAS I, II, III & IV.
TCAS I is a cheaper but less capable system than the modern TCAS II system introduced for general aviation use after the FAA mandate for TCAS II in air transport aircraft. TCAS I systems are able to monitor the traffic situation around a plane (to a range of about 40 miles) and offer information on the approximate bearing and altitude of other aircraft. It can also generate collision warnings in the form of a “Traffic Advisory” (TA). The TA warns the pilot that another aircraft is in near vicinity, announcing “Traffic, traffic”, but does not offer any suggested remedy; it is up to the pilot to decide what to do, usually with the assistance of Air Traffic Control. When a threat has passed, the system announces “Clear of conflict”.
TCAS II is the first system that was introduced in 1989 and is the current generation of instrument warning TCAS, used in the majority of commercial aviation aircraft. It offers all the benefits of TCAS I, but will also offer the pilot direct, vocalized instructions to avoid danger, known as a “Resolution Advisory” (RA). The suggestive action may be “corrective”, suggesting the pilot change vertical speed by announcing, “Descend, descend”, “Climb, climb” or “Level off, level off” (meaning reduce vertical speed).
TCAS III originally designated TCAS II Enhanced, TCAS III was envisioned as an expansion of the TCAS II concept to include horizontal resolution advisory capability. TCAS III was the “next generation” of collision avoidance technology which underwent development by aviation companies such as Honeywell. TCAS III incorporated technical upgrades to the TCAS II system, and had the capability to offer traffic advisories and resolve traffic conflicts using horizontal as well as vertical manoeuvring directives to pilots.
TCAS IV was a version of the Traffic Alert and Collision Avoidance System (TCAS) that used information from aircraft transponders to generate bearing information. It was developed to improve on the accuracy of TCAS III, which used a directional antenna to assign bearings to transponder replies. TCAS IV was eventually abandoned in favor of Automatic Dependent Surveillance – Broadcast (ADS-B)
Affected Product
The reported vulnerabilities affect TCAS II versions 7.1 and prior.
Vulnerabilities and its impact
The reported flaws are tracked as CVE-2024-9310 & CVE-2024-11166 whose CVSS Scores are 6.0 and 7.1 respectively.
CVE-2024-9310, stems from reliance on untrusted inputs in security decisions (CWE-807). CISA said, “By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets.” This CVE has a CVSS score of 6.0 and requires highly specific conditions for exploitation. There is no mitigation for it currently.
CVE-2024-11166, stems from external control of system or configuration settings (CWE-15). By lowering the sensitivity level control to the lowest possible level, an attacker can mimic ground stations and disable Resolution Advisories (RA), which are suggested vertical maneuverers for collision avoidance. This will result in a denial-of-service problem. This CVE has a CVSS score of 7.1, mitigation options include a patch.
Conclusion
Following discussions with the researchers (Giacomo Longo and Enrico Russo of Genova University, Martin Strohmeier and Vincent Lenders of federal agency of the Swiss Confederation (armasuisse) and Alessio Merlo of Centre for High Defense Studies) and the Federal Aviation Administration (FAA) about these vulnerabilities, it was determined that either upgrading to ACAS X or upgrading the related transponder to conform with RTCA DO-181F would completely mitigate CVE-2024-11166. While there is no mitigation available for CVE-2024-9310.
