Serious vulnerabilities discovered in the anti-collision system of airliners

07 Aprile, 2025

A group of Italian researchers from the University of Genoa and the CASD – University School for Advanced Defense Studies in Rome, in collaboration with the Cyber-Defence Campus in Thun (Switzerland), as part of the PNRR SERICS (Security and Rights in the Cyberspace) research partnership, have identified two dangerous vulnerabilities in the Traffic Collision Avoidance System (TCAS) used on civil aircraft.

By exploiting these vulnerabilities in certified equipment currently in commercial airliners, the team managed to trigger false collision alerts in the cockpit and disable a critical function of the TCAS system.

In response to this discovery, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued its first security bulletin in January 2025.

The TCAS Collision-Avoidance System

Civil aviation is managed by a complex network of information systems that ensure its operational effectiveness and safety. One of these systems is the Traffic Alert and Collision Avoidance System (TCAS), which is mandatory on all commercial aircraft. TCAS constantly monitors the airspace surrounding the aircraft through radio communications. It is designed to detect nearby aircraft and coordinate with them, issuing mandatory commands to execute evasive maneuvers when a collision risk is detected, sometimes automatically. This system represents the last line of defense to prevent mid-air collisions and has helped avoid numerous potentially fatal incidents over the years.

The Tests and Vulnerabilities

The first vulnerability, identified during testing, allows false targets to be created on the displays showing nearby traffic, creating the illusion of non-existent aircraft on a collision course and prompting unnecessary evasive maneuvers. The second vulnerability can altogether disable the collision-prevention mechanism of the TCAS system, effectively removing this crucial layer of protection. While the second vulnerability can be managed through revised pilot procedures, no countermeasures are currently available for the first vulnerability.

Potential Correlations

On December 11, 2024 ^[1], a Boeing 737-800 on approach to JFK Airport in New York performed an evasive maneuver in response to a TCAS alert, even though no other aircraft were nearby. On March 1, 2025 ^[2], several TCAS alerts were reported on different aircraft approaching runway 19 at Washington National Airport. Thanks to excellent visibility, pilots could assess the situation and complete their landings safely, without harming people or property. The circumstances surrounding these events remain unclear but show striking similarities to the scenario posed by the first discovered vulnerability.

Countermeasures

Following these discoveries, on January 21, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a security bulletin ^[3], guiding how to detect and manage potential attacks based on these two vulnerabilities. However, the researchers emphasize the need for further investigation and development of additional countermeasures through technical working groups and future research initiatives with key stakeholders from industry, academia, and the aviation sector.

Dissemination of Results

The research results ^[4] were presented at the prestigious DEF CON 2024 ^[5] event in Las Vegas and the international scientific conference USENIX Security ^[6] in Philadelphia in August 2024. On these occasions, and only after informing all major aircraft manufacturers and relevant aviation authorities, a complete scientific paper was also released, ensuring responsible disclosure of the discovered vulnerabilities.

The Role of the ARTIC Project in the Vulnerability Tests

The discovery was made possible thanks to developments from the ARTIC project (Affordable, Reusable and Truly Interoperable Cyber ranges), part of Spoke 4 of the extended partnership “SERICS - Security and Rights in Cyber Space” ^[7], funded by the European Union under the PNRR. Innovative methodologies for virtually replicating complex cyber-physical systems enabled the accurate reproduction of the TCAS II system.

This allowed Giacomo Longo and Enrico Russo (ARTIC coordinator), researchers at the Department of Computer Science, Bioengineering, Robotics, and Systems Engineering – DIBRIS of the University of Genoa, together with Alessio Merlo, former professor at the University of Genoa and now director of the University School for Advanced Defense Studies (CASD) in Rome, in collaboration with the Cyber Defence Campus in Thun (Switzerland), to identify the vulnerabilities.

The Importance of Cybersecurity Research

“The impact of this research extends well beyond academia, representing a significant contribution to improving safety in the civil aviation sector,” said Alessandro Armando, Professor of Information Processing Systems at UniGe, scientific coordinator of Spoke 4 and Chair of the SERICS Scientific Committee. “This discovery confirms the excellence of research conducted in our country and the value that international scientific collaboration can bring in identifying and mitigating vulnerabilities in critical systems, ultimately enhancing the safety of aeronautical infrastructures and, consequently, that of millions of passengers around the world.”