Hacking into the Potomac Disaster: Could Cyber Vulnerabilities Have Caused the Mid-Air Collision Over Our Nation’s Capital?
A recent CISA advisory could hold clues to the Potomac crash and explain the Black Hawk's bizarre behavior in the moments before it struck an American Airlines jet.
Vulnerable, Outdated Systems: Chaos on the Horizon
With the Potomac mid-air collision just a few days behind us, I, like others, have been researching possible contributing factors. Several hypotheses have emerged, ranging from the military's DEI issues to failures by air traffic controllers, but the hacker in me watches the raw footage and cannot help but wonder: was there a more malicious cause? Alex Jones has already jumped ahead, discussing the possibility that one or both aircraft were not under the control of their pilots. Sound far-fetched? It sounds rather James Bond, until you dig a little deeper.
What if I told you that air traffic control (ATC) systems are, by their very nature, exposed to cyberattack? They rely on complex software and on radio links that were designed for safety, not for hostile input, to guide aircraft through congested airspace. Those links carry no authentication, so the integrity of the traffic and collision-avoidance picture can be compromised, even for military aircraft. An attacker who can inject into them can disrupt operations, misdirect aircraft, or manufacture other dangerous situations. Exploring how specific, documented weaknesses could have played a role in the Potomac River crash is not an exercise in esoteric hypothesizing and badinage. In fact, a very recent CISA advisory offers some interesting possibilities for the horrific crash in Washington, D.C.
The Simplest Route Is Often a Straight Line: CWE-15 - External Control of System or Configuration Setting
Enter ICSA-25-021-01, a CISA ICS (Industrial Control Systems) advisory with the boring title "Traffic Alert and Collision Avoidance System (TCAS) II." Issued on January 21, 2025, it was just one of a dozen or so alerts CISA published that week across various industries; advisories for Siemens and Hitachi products went out the same week, just another blip on a very big radar. Now the alert looks far more relevant.
The first CWE (Common Weakness Enumeration) entry cited, a bureaucratic way of classifying the kind of flaw behind a vulnerability, is CWE-15, External Control of System or Configuration Setting. The weakness is that an outside party can change a setting the system trusts. TCAS II installations whose transponders were built to MOPS (Minimum Operational Performance Standards) older than RTCA DO-181F, published in 2020, are exposed to an attack in which a threat actor impersonates a Mode S ground station and issues Comm-A Identity Requests, producing a denial-of-service condition: the Sensitivity Level Control (SLC) is reset to its lowest setting, and resolution advisories (RAs), the TCAS instructions that tell a crew to climb or descend, are suppressed. The crew would see no RA precisely when one matters most, on approach or departure.
Applied to the Potomac disaster, the documented effect is a collision-avoidance system that stays silent at the worst moment. Going beyond what the advisory itself documents, an attacker with that kind of foothold could also try to feed false data into the wider system: a bogus flight plan, manipulated guidance, or, most dangerously, a wrong altitude for nearby traffic. (An aircraft's own altimeter is a separate instrument and is not what this advisory covers; the falsified value would be the altitude TCAS and ATC report for the other aircraft.) Even the most capable pilot, flying at night over that terrain, could be fooled by a false altitude readout.
Mitigation relies on refusing to act on untrusted input, through a multi-layered approach: strict validation of every message at the system boundary, rejection of setting changes from unauthenticated sources, checks for anomalies or unexpected entries, and regular testing to identify weak points. The straightforward fix implied by the advisory is a transponder built to RTCA DO-181F or later.
The Broken Lock: CWE-807 - Reliance on Untrusted Inputs in a Security Decision
CWE-807 is even worse. Here the safety decision itself, whether to issue an RA, is driven by input that nobody verifies. Using a software-defined radio and a custom low-latency processing pipeline, an attacker can transmit spoofed RF replies that look like transponder signals from aircraft that do not exist, putting fake targets on the display and triggering resolution advisories that confuse the crew. Nothing in Mode S or ADS-B authenticates who sent a reply. The advisory's finding concerns spoofed traffic, that is, other aircraft; an aircraft's own altitude comes from its own altimeter, so telling two crews they were at 200 feet, give or take a foot, when they were really at 375 is a further step the advisory does not describe. But a false RA, or a suppressed real one, is enough. Add night-vision goggles and the hyper-focus of military pilots training for real-world calamity, and there you have it: a mid-air collision.
In this terrifying scenario, an attacker who can also reach the ATC side, by exploiting weak access controls on its networks, could clear an aircraft into the path of oncoming traffic. In airspace as busy as the Potomac corridor, the result should be obvious: confused pilots, malicious data, the perfect recipe for an air disaster.
Mitigation is not as simple as many 'experts' would like to make it seem. Yes, multi-factor authentication (MFA) and least-privilege access control will help on the ground side. But the radio side has no credentials to strengthen, and running software and hardware that are decades out of date makes patching the problem just that: patching. You are effectively trying to drive cross-country in Grandpa's old Rambler. Over the last twenty years, the U.S. has bungled its way through misadventure after misadventure while ignoring crumbling roads, bridges, public buildings, and other infrastructure, including air traffic control and collision-avoidance systems like TCAS.
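Both findings above reduce to the same defensive question: is an incoming message plausible before anyone acts on it? As an added example, not code from the original post or from the CISA advisory, the following Python script runs two such checks over a constructed stream of events: a kinematic plausibility test that catches a spoofed "ghost" aircraft moving impossibly fast (the CWE-807 case), and a rule that flags a ground-commanded sensitivity-level downgrade while airborne (the CWE-15 case). The event layouts, field names, thresholds and sample data are all assumptions made for illustration.

```python
# Added example (not code from the original post or the CISA advisory).
# Event formats, thresholds and sample data are assumptions for illustration.
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065        # mean Earth radius in nautical miles
MAX_GROUND_SPEED_KT = 700.0       # assumed ceiling for any track near DCA
MAX_VERTICAL_RATE_FPM = 10_000.0  # assumed ceiling for climb/descent rate
RA_CAPABLE_MIN_LEVEL = 3          # TCAS II SL 1 (standby) and SL 2 (TA only)
                                  # issue no resolution advisories


@dataclass(frozen=True)
class PositionReport:
    icao: str      # 24-bit Mode S address, hex string
    t: float       # seconds since start of the capture
    lat: float
    lon: float
    alt_ft: float


@dataclass(frozen=True)
class SensitivityEvent:
    t: float
    source: str    # "uplink" (Comm-A from a ground station) or "crew"
    level: int     # new sensitivity level, 1..7
    airborne: bool


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def implausible_tracks(reports):
    """Flag addresses whose consecutive reports imply impossible motion.

    A spoofed target injected by an SDR is not bound by physics, so a cheap
    kinematic check filters it before it reaches a display or an RA decision.
    Returns a list of (icao, t, reason) tuples.
    """
    by_icao = {}
    for r in sorted(reports, key=lambda r: (r.icao, r.t)):
        by_icao.setdefault(r.icao, []).append(r)
    findings = []
    for icao, track in by_icao.items():
        for prev, cur in zip(track, track[1:]):
            dt = cur.t - prev.t
            if dt <= 0:
                findings.append((icao, cur.t, "non-monotonic timestamp"))
                continue
            gs_kt = haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon) / (dt / 3600.0)
            vs_fpm = abs(cur.alt_ft - prev.alt_ft) / (dt / 60.0)
            if gs_kt > MAX_GROUND_SPEED_KT:
                findings.append((icao, cur.t, f"ground speed {gs_kt:.0f} kt"))
            if vs_fpm > MAX_VERTICAL_RATE_FPM:
                findings.append((icao, cur.t, f"vertical rate {vs_fpm:.0f} fpm"))
    return findings


def suspicious_downgrades(events):
    """Flag uplinked sensitivity-level changes that would silence RAs in flight.

    A ground-commanded drop below the RA-capable range on an airborne aircraft
    is the event described by the advisory's CWE-15 finding.
    Returns a list of (t, source, level) tuples.
    """
    return [
        (e.t, e.source, e.level)
        for e in events
        if e.airborne and e.source == "uplink" and e.level < RA_CAPABLE_MIN_LEVEL
    ]


# Constructed sample data (not real traffic): one genuine track, one ghost that
# jumps six nautical miles and 2,800 ft in a single second, and a mix of
# sensitivity-level events.
SAMPLE_REPORTS = [
    PositionReport("A1B2C3", 0.0, 38.8500, -77.0400, 300.0),
    PositionReport("A1B2C3", 1.0, 38.8507, -77.0400, 310.0),   # ~150 kt, gentle climb
    PositionReport("A1B2C3", 2.0, 38.8514, -77.0400, 320.0),
    PositionReport("DEAD01", 0.0, 38.8500, -77.0400, 200.0),
    PositionReport("DEAD01", 1.0, 38.9500, -77.0400, 3000.0),  # physically impossible
]

SAMPLE_SL_EVENTS = [
    SensitivityEvent(0.0, "crew", 5, True),     # normal en-route level
    SensitivityEvent(5.0, "uplink", 4, True),   # ground-commanded, still RA-capable
    SensitivityEvent(6.0, "uplink", 1, True),   # forced to lowest level in flight
    SensitivityEvent(9.0, "crew", 1, False),    # standby on the ground: expected
]


def run_demo():
    return implausible_tracks(SAMPLE_REPORTS), suspicious_downgrades(SAMPLE_SL_EVENTS)


if __name__ == "__main__":
    tracks, downgrades = run_demo()
    for f in tracks:
        print("implausible track:", f)
    for d in downgrades:
        print("suspicious SL downgrade:", d)
```

Run it directly and it reports two findings against the ghost address and one suspicious downgrade. Both rules are deliberately simple; in a real installation the kinematic thresholds would come from the aircraft's performance envelope and the SL rule from the site's expected uplink behaviour, but the shape is the same: unauthenticated radio input gets a sanity check before it is allowed to drive a safety decision.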
This is not state-of-the-art equipment. This is equipment designed when Joe Biden still had a comb-over and Donald Trump was just a New York real estate expert advising the NYC mayor on renovating Madison Square Garden. Most of our ATC systems are older than disco. Disco! YMCA! DISCO! Hacking is not that difficult for the right hackers. State-backed groups like Lazarus or Salt Typhoon could do this all day long. And do not think for a second they are unaware of these weaknesses. They keep a better watch on CISA advisories than most CIOs of Fortune 500 companies.
A Double Whammy: A Complex but Executable Plan
Consider an air traffic environment that relies on outdated equipment, as the CISA advisory warns, and is exposed to an attacker with a radio. That attacker could abuse the externally controllable setting (CWE-15) to silence collision warnings, and spoofed transponder replies (CWE-807) to manipulate the data reaching both pilots and controllers.
In this chilling scenario, one aircraft might be told that nearby traffic is at the wrong altitude, or be misinformed about its position relative to another aircraft, while the second aircraft receives data indicating a clear path. Weak access controls on the ground side could let the attacker manipulate flight data unnoticed. As a result, the two aircraft could be on a collision course, unaware of each other's proximity until it is too late. Sound familiar?
This scenario highlights how a combination of outdated equipment, unvalidated radio input, and inadequate access control could create a perfect storm of cyber vulnerabilities, leading to a disaster that could have been prevented with more rigorous cybersecurity practices.
An Ounce of Prevention...
The Potomac River mid-air collision is a tragic reminder of how outdated, exposed, and interconnected modern air transportation is, and how unaware most laypersons are of the dangers that poses. Cyber vulnerabilities in air traffic control and collision-avoidance systems are among the greatest threats to aviation safety, arguably exceeding that of explosive devices or missile systems. By addressing unpatched software, unvalidated input, and poor access control, and by reiterating to pilots that their foremost priority is to fly the aircraft, we can significantly reduce the risk of similar accidents in the future.
Mitigation strategies such as regular software updates, rigorous input validation, strong access control, and real-time monitoring for implausible traffic and unexpected configuration changes are all critical to improving the security of air traffic management systems. Implemented effectively, they reduce the chance of another devastating collision. Most importantly, pilots need to be acutely aware that these threats exist and need to know how to recognize when they might be in the crosshairs of a bad actor: an RA that contradicts what they see out the window, or a TCAS that has gone quiet in busy airspace.
The Who: Looking at Suspects
A final note on the hypothetical threat actors capable of this level of attack. This would not be the work of a script kiddie in mom's basement, using his computer to steal credit card numbers or deface the local school board website. A lone black hat could not pull it off; it would require a small team. Moreover, they would not be sitting cozy in Pyongyang, Beijing, Moscow, or Tehran: the 1030/1090 MHz transponder signals involved are line-of-sight, so they would need to be close to the target, likely within sixty miles. They would need fairly sophisticated civilian RF equipment and the knowledge to use it, GROL or General-class amateur radio level skills, combined with mid-level security engineering expertise.
In short, law enforcement would need to seek out suspects with those skills. In the U.S., that could be hundreds of thousands of our own citizens. And with open border issues, any nation-state APT could manage to get a small team in place. I shiver at the thought.
Have a good ‘en.
Jack
https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-01