A ‘White Hat’ hacker has just disclosed the potential of the ‘Crying Wolf’ exploit of 1980s tech that could potentially cause collisions when planes are in autopilot, by social engineering of IOT.
The possibility of confusing pilots with fake alerts while deceiving a plane’s autopilot navigation system has been recently discovered by penetration tester Ken Munro of Pen Test Partners.
The ‘Crying Wolf’ attack seeks to exploit vulnerabilities in the Traffic Alert & Collision Avoidance System (TCAS) – first developed in the early 1980s.
Transponders
It uses transponders on aircraft to communicate with other local planes about distance, altitude, & heading.
Usually, a TCAS alert would sound immediately if 2 aircraft are on a direct collision course.
As described in a recent blog post, Munro explains that in some autopilot ‘modes’, especially on Airbus family aircraft, the plane automatically follows the TCAS & then climbs or descends with no help from the pilot whatever.
It is possible too to create “fake” traffic with the TCAS.
Pent Test Partners additionally looked into exactly how planes on autopilot would respond in such artificially created scenarios.
Dangerous
Munro also advised, “Creating real alerts is perfectly possible, but extremely dangerous & very illegal. We were therefore restricted to working on flight simulators.”
The ‘Simulator Model’ had its limitations, he confided, but observed that as they are used for approved training it should deal with TCAS alerts in much the same was as real planes.
The TCAS uses 2 kinds of secondary surveillance radar transponders in order to calculate the height and location of a plane, one with a 24 bit aircraft address along with altitude & GPS-derived position data called “Mode S”, the other with a 4 digit transponder code & altitude information called “Mode C”.
The Mode S is quite easy to decode & cheap, & a US$10, DVB USB dongle can be used to collect & chart aircraft data.
Stacks
‘Stacks’ of at least 3 fake or ‘ghost’ aircraft were required to compel a plane to climb more than 3,000 feet per minute, he explained.
An obvious response from a pilot would be to turn off TCAS resolution advisories, as ‘ghost’ planes do not show up on radar, Oxford University recent research indicated.
Even this disabling of the TCAS RA, would leave pilots less able to deal with a real TCAS alert, so a form of ‘Crying Wolf’ attack.
Munro concludes: “We have shown that careful placing of fake aircraft through rogue transponder broadcasts can cause an aircraft under autopilot control to climb or descend towards legitimate traffic.
“Human pilots could also be directed to follow the same rogue resolution advisories or confused in to inadvertently disabling safety systems.”
Rules
Sarb Sembhi, CTO, CISO, Virtually Informed, further cautioned “This blog post shows how traditional attack techniques can be used on systems based on rules, by abusing the rules to cause annoyance that leads to switching off a safety system. This attack is interesting from many perspectives as one of many recent exploits have targeted IP based IoT systems such as cars, ships, cruisers, etc. Here is an attack that that is more like a social engineering attack on a technical system.
Fail Safe
“Fail safe systems should be made to fail safely, not switched of for safety. That is a fundamental flaw in the logic of the practice by pilots that somehow has been accepted or ignored by the aviation authorities. The whole thing needs a rethink, as it is the sort of flaw you see exploited in the movies – not thinking for one minute that it is a real-life danger.”
Kill
Why anyone in ‘their right mind’ would wish, in the real world, to embark on actions calculated to attempt to kill hundreds of men, women & children is beyond the understand of normal human beings.
