Establishment of a Cyber-Physical Systems (CPS) Test Bed to Explore Traffic Collision Avoidance System (TCAS) Vulnerabilities to Cyber Attacks

Traffic Collision Avoidance Systems (TCAS) are safety-critical, unauthenticated, ranging systems required in commercial aircraft. Previous work has proposed TCAS vulnerabilities to attacks from malicious actors with low cost software defined radios (SDR) and inexpensive open-source software (GNU radio) where spoofing TCAS radio signals in now possible. This paper outlines a proposed threat model for several TCAS vulnerabilities from an adversarial perspective. Periodic and aperiodic attack models are explored as possible low latency solutions to spoof TCAS range estimation. A TCAS test bed is established with commercial avionics to demonstrate the efficacy of proposed vulnerabilities. SDRs and Vector Waveform Generators (VWGs) are used to achieve desired latency. Sensor inputs to the TCAS system are spoofed with micro-controllers. These include Radar Altimeter, Barometric Altimeter, and Air Data Computer (ADC) heading and attitude information transmitted by Aeronautical Radio INC (ARINC) 429 encoding protocol. TCAS spoofing is attempted against the test bed and analysis conducted on the timing results and test bed performance indicators. The threat model is analyzed qualitatively and quantitatively.