CVE-2024-9310 and CVE-2024-11166: Critical Vulnerabilities in TCAS II Systems


The vulnerabilities CVE-2024-9310 and CVE-2024-11166, disclosed by the Cybersecurity and Infrastructure Security Agency (CISA), pertain to significant security flaws in the Traffic Alert and Collision Avoidance System (TCAS) II. These vulnerabilities could potentially jeopardize aviation safety by allowing attackers to manipulate aircraft collision avoidance systems.

CVE-2024-9310: Spoofing of RF Signals 

Description: 
CVE-2024-9310 stems from TCAS II relying on untrusted inputs when making a security decision. Using software-defined radios combined with a custom low-latency processing pipeline, an attacker can transmit Radio Frequency (RF) signals containing spoofed location data to aircraft targets. As a result, fake aircraft can appear on radar displays and may trigger undesired Resolution Advisories (RAs) for pilots, leading to potential confusion and dangerous flight maneuvers.
Technical Details:
  • CVSS v4 Score: 6.0 (Medium)
  • Attack Vector: Local
  • Attack Complexity: High
  • Impact on Confidentiality: None
  • Impact on Integrity: High
  • Impact on Availability: None
Sample Scenario:
Imagine a scenario where an aircraft is approaching a busy airport. An attacker, using a software-defined radio, sends RF signals that mimic the location of another aircraft. The TCAS II system aboard the approaching aircraft detects this false signal and issues a Resolution Advisory, prompting the pilot to take evasive action. This could lead to unnecessary maneuvers, increasing the risk of mid-air collisions or other hazardous situations.

CVE-2024-11166: Impersonation of Ground Stations 

Description: 
CVE-2024-11166 affects TCAS II systems that use transponders compliant with Minimum Operational Performance Standards (MOPS) earlier than RTCA DO-181F. In this case, an attacker can impersonate a ground station and issue a Comm-A Identity Request. This request can set the Sensitivity Level Control (SLC) to its lowest setting, effectively disabling the system's ability to provide Resolution Advisories. The result is a denial-of-service condition in which critical safety alerts are not communicated to pilots.
Technical Details:
  • CVSS v4 Score: 7.1 (High)
  • Attack Vector: Local
  • Attack Complexity: Low
  • Impact on Confidentiality: None
  • Impact on Integrity: Low
  • Impact on Availability: High
Sample Scenario:
Consider an aircraft equipped with TCAS II preparing for landing at an airport. An attacker successfully impersonates a ground station and sends a Comm-A Identity Request that lowers the SLC. As a result, if another aircraft approaches too closely, the TCAS II system may fail to issue necessary advisories, leaving pilots unaware of potential collision risks and increasing the likelihood of an accident.

Mitigation Strategies

Following consultations with aviation authorities and researchers, CISA recommends specific actions:
  1. For CVE-2024-11166: Upgrade to ACAS X or ensure that transponders comply with RTCA DO-181F standards.
  2. For CVE-2024-9310: Currently, there are no available mitigations; however, organizations are advised to monitor for suspicious activities and report them to CISA.
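
To act on these two recommendations across a fleet, an operator first needs to know which aircraft still fall under the CVE-2024-11166 condition. The following is an added example, not code from CISA or from the original page: it triages a constructed inventory by collision avoidance system and transponder MOPS revision. The record fields (tail, cas, transponder_mops), the status labels and the sample records are assumptions made for illustration.

```python
import re

# Matches an RTCA DO-181 reference and its optional revision letter.
_MOPS = re.compile(r"DO-?\s?181\s?([A-Z])?\b", re.IGNORECASE)

def mops_rank(text):
    """0 for base DO-181, 1 for A ... 6 for F; None if no DO-181 reference is found."""
    m = _MOPS.search(text or "")
    if m is None:
        return None
    return 0 if m.group(1) is None else ord(m.group(1).upper()) - ord("A") + 1

F_RANK = mops_rank("DO-181F")

def assess(rec):
    """Classify one inventory record against the two CVEs as the page describes them."""
    cas = " ".join(rec.get("cas", "").upper().split())
    if cas == "ACAS X":
        # The page lists ACAS X as the upgrade path for CVE-2024-11166 and does not
        # discuss CVE-2024-9310 outside TCAS II, so that one is left unassessed.
        return {"CVE-2024-11166": "mitigated", "CVE-2024-9310": "not assessed"}
    if cas != "TCAS II":
        return {"CVE-2024-11166": "unknown", "CVE-2024-9310": "unknown"}
    rank = mops_rank(rec.get("transponder_mops"))
    if rank is None:
        slc = "unknown"      # missing or unparseable MOPS entry: needs follow-up
    elif rank < F_RANK:
        slc = "exposed"      # transponder MOPS earlier than DO-181F
    else:
        slc = "mitigated"
    # The page states no mitigation exists for CVE-2024-9310: monitor and report.
    return {"CVE-2024-11166": slc, "CVE-2024-9310": "monitor"}

def audit(fleet):
    """Return (tail, assessment) pairs, exposed and unknown aircraft first."""
    order = {"exposed": 0, "unknown": 1, "mitigated": 2}
    rows = [(r["tail"], assess(r)) for r in fleet]
    return sorted(rows, key=lambda row: order[row[1]["CVE-2024-11166"]])

# Constructed inventory; tail numbers and field names are made up for this example.
FLEET = [
    {"tail": "EX-001", "cas": "TCAS II", "transponder_mops": "RTCA DO-181F"},
    {"tail": "EX-002", "cas": "TCAS II", "transponder_mops": "do181e"},
    {"tail": "EX-003", "cas": "ACAS X", "transponder_mops": "DO-181F"},
    {"tail": "EX-004", "cas": "tcas  ii", "transponder_mops": ""},
    {"tail": "EX-005", "cas": "TCAS II", "transponder_mops": "DO-181 (original)"},
]

if __name__ == "__main__":
    for tail, result in audit(FLEET):
        print(tail, result)
```

Records with a missing or unparseable MOPS entry are reported as unknown rather than mitigated, so gaps in the inventory surface for follow-up instead of being silently passed.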

Conclusion

The vulnerabilities CVE-2024-9310 and CVE-2024-11166 highlight critical security concerns within aviation systems that could have severe implications for flight safety. Continuous monitoring, adherence to updated standards, and prompt upgrades are essential in mitigating these risks effectively.

