CISA Alerts About Vulnerabilities in Aircraft Collision Avoidance Systems


Hackers Unlikely to Exploit Vulnerabilities in Practice


In a recent advisory, the U.S. federal government disclosed a significant, unpatchable vulnerability in the Traffic Alert and Collision Avoidance System II (TCAS II), the system that prevents mid-air collisions of commercial aircraft. Security researchers recognize the flaw but deem its real-world exploitation “unlikely” given the conditions such an attack would require.

According to the Cybersecurity and Infrastructure Security Agency (CISA), this flaw is one of two vulnerabilities affecting TCAS II versions 7.1 and earlier. The first vulnerability, identified as CVE-2024-9310, is a result of the system’s reliance on untrusted inputs for making security-related decisions. Attackers equipped with software-defined radios can potentially transmit spoofed radio frequency signals, tricking aircraft systems into displaying false targets on their cockpit screens.

CISA elaborates that the transmission of these misleading signals is achievable through a customized low-latency processing pipeline. Despite the vulnerability’s CVSS score of 6.0, its exploitation requires highly specific conditions. Notably, there is currently no mitigation available for this vulnerability.

The second vulnerability, tracked as CVE-2024-11166, concerns the external manipulation of TCAS II system configurations, stemming from the use of obsolete transponder standards. This flaw permits attackers to impersonate ground stations, effectively disabling critical collision avoidance advisories. By lowering the sensitivity settings to their minimum, they could induce a denial-of-service condition. The vulnerability has a CVSS score of 7.1.

While there have been no reported instances of these vulnerabilities being publicly exploited, CISA underscores the urgency for organizations to address CVE-2024-11166. The agency recommends upgrading to the next-generation collision avoidance system, known as ACAS X, or transitioning to transponders compliant with RTCA DO-181F, which outlines operational performance standards for TCAS II.

This advisory serves as a critical reminder of the vulnerabilities within operational technology systems that govern aviation safety, highlighting the relevance of the MITRE ATT&CK framework for such technologies. Understanding adversary tactics such as initial access and exploitation is vital for organizations seeking to bolster their cyber defenses in an increasingly threatening landscape.
