In a first-of-its-kind disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) has unveiled newly discovered vulnerabilities in the Traffic Alert and Collision Avoidance System (TCAS) II, versions 7.1 and earlier—a major safety-related system that prevents air-to-air collisions across nearly all aircraft flying today. The disclosing researchers give no indication that these exploits have been used, now or in the past, and operationalizing them requires very specific conditions and sophisticated means. However, this disclosure signals a significant evolution in how operators, manufacturers, regulators, and even consumers think about safety in the context of 21st-century cyber-related threats to critical infrastructure.

The scope of these Common Vulnerabilities and Exposures (CVEs)—CVSS v4 6.0 (Medium) and CVSS v4 7.1 (High)—impacts three key areas of operation:

Here’s What the CVEs Indicate:

The TCAS protocol is internationally ubiquitous, and these vulnerabilities stem from the protocol itself, making the exploit agnostic to manufacturer or airframe. The fact that researchers were able to take control of TCAS displays—the interface pilots rely on to determine if they are on a collision course with another aircraft—represents a major compromise of a flight safety system across every operating aircraft in the world. The impact is compounded by the ability to create false aircraft on the display, with no easy way to distinguish between real and false aircraft. This has the potential to force pilots to make unnecessary maneuvers that could put the aircraft at risk.

Because TCAS operates via radio frequency (RF) protocols, other receivers—whether on other aircraft or ground stations—would also struggle to validate whether detected aircraft are real. Depending on the false aircraft and tracks, there may be a very limited time window to deconflict, adding stress and possible confusion for a pilot, especially given the recent operational impacts of GPS jamming and spoofing on commercial pilots. Combined, these flaws could allow attackers to manipulate safety systems, leading to potential denial-of-service conditions and, under certain conditions, imperiling the safety of the platform.

“Military actors are likely to have access to toolsets able to attack TCAS, so we need to think about processes and procedures now to avoid being caught off guard when an attack happens.”

– CISA CVE Disclosure

This advisory and its associated CVEs mark a significant moment in aviation cybersecurity. It is evidence that both government agencies and industry increasingly consider transportation endpoint systems to be critical infrastructure susceptible to cyberattacks. It also demonstrates that once-difficult-to-research systems and protocols are becoming easier to study, making them significantly easier for adversaries to exploit. Congress and federal agencies are also becoming more aware of these threats, with a renewed focus on aviation cybersecurity vulnerabilities across the U.S. government. This includes a congressional mandate requiring the Government Accountability Office (GAO) to publicly “report on the vulnerability of the national airspace system to potential disruptive operations by U.S. adversaries who might leverage the electromagnetic spectrum and security vulnerabilities in the Aircraft Communications, Reporting, and Addressing System and Controller Pilot Data Link Communications.”

To respond, the industry must develop authorization and integrity enhancements or create a new protocol—both of which will likely take several years to develop, field, and adopt. While the environmental conditions necessary to conduct an attack described in this advisory and underlying research are complex, nuanced, and likely only exploitable by a sophisticated actor, these CVEs clearly indicate that the TCAS protocol itself lacks cybersecurity protections or defense mechanisms, making it easy for an adversary to exploit at any time.

We support the mitigations suggested by the researchers who discovered these vulnerabilities, including detection of erroneous and malicious TCAS communications and developing new protocols and tools to alert pilots, operators, and ground personnel to exploitation in real-time.

Shift5’s Role in Addressing These Threats:

Shift5 is at the forefront of addressing these critical issues. We continue to develop a library of detection algorithms that alert on TCAS anomalies by collecting and analyzing onboard aviation network and RF data. This is accomplished through Shift5’s Manifold, equipped with serial bus collection interfaces and a software-defined radio (SDR) that collects and analyzes onboard serial bus networks and RF signals.

Our observability platform and vulnerability research for onboard operational technology (OT) enable smarter, faster decisions through real-time data access, contextual insights, and actionable analytics at the edge. By capturing and analyzing real-time onboard data, Shift5 provides critical insights that empower aviation stakeholders to proactively detect and mitigate threats such as this new set of CVEs, ensuring comprehensive observability from the asset level to fleet scale.

We stand ready with field-ready capabilities to support operators, manufacturers, and regulators in protecting passenger safety and ensuring the resilience of our transit, transportation, and national defense infrastructure.