Who Attacked Flights Near the White House?

On January 29, at 8:47 p.m., an American Airlines flight landing at Ronald Reagan National Airport in Washington, D.C., collided with a U.S. Army Black Hawk helicopter a half-mile shy of the runway at an altitude of about 300 feet. Nineteen seconds prior to impact, the jet had received a warning about the helicopter’s presence when its Traffic Collision Avoidance System (TCAS) generated an audio alert — “TRAFFIC, TRAFFIC!” — and displayed a yellow dot on the cockpit navigation system’s screen. But further aural warnings were silenced by design once the plane descended below 900 feet, so as not to distract the pilots during landing. The dot on the navigation display remained, but the flight crew’s attention had turned to the runway coming up ahead of them. Everyone aboard both aircraft died.

The accident was the first fatal crash of a U.S. commercial airliner in 16 years and the deadliest since 2001. So nerves were especially tense a month later, on the morning of March 1, when more than a dozen planes inbound for Reagan experienced similar warnings. As they were drawing near the airport, following the course of the Potomac River, TCAS audio alarms unexpectedly went off: “Traffic, traffic!” or “Descend, descend!” The pilots responded as they were trained to do, quickly putting their aircraft into a dive. But just as quickly, the flight crews realized that nothing was there. Visibility was good, and there was nothing to be seen ahead of them in the sky. The tower also saw nothing, either visually or on radar. The oncoming planes weren’t real, but some kind of electronic ghost.

The mystery persisted for much of the morning. “Aliens,” quipped one inbound pilot. “Russia,” retorted another. Once it became clear that there was no real danger, most planes continued their descent to landing as normal, though three aborted their landings and went around to try again.

It’s not that unusual for TCAS systems to issue spurious warnings. A receiver might pick up its own outgoing radio signal reflected off a building or vehicle, for instance. But for so many planes to receive the same warning in the same place for hours on end was deeply weird. As Robert Sumwalt, the former chairman of the National Transportation Safety Board, told CBS News, “I’ve never heard of something like this.”

Whatever these phantom aircraft were, they weren’t dangerous in themselves, but they presented a distraction during landing, a critical phase of flight. A pilot busy with a false alarm could be distracted from real hazards, like a malfunction or bad weather, potentially resulting in disaster.

What’s more, the ghost signals came at a time when civil aviation around the world has experienced a growing number of similarly troubling incidents. Cyberattacks against planes in flight have been on the rise in recent years, spurring the growth of a whole area of academic study devoted to elucidating cyber risks in aviation. And yet we’re still not really prepared. Experts in the field say that airliners are vulnerable to a wide range of attacks and we’re not doing enough to mitigate the risks. “The warning bells are all over this issue,” says Mary Schiavo, a former inspector general of the Department of Transportation who has long been critical of the FAA’s approach to air safety.

Fortunately, with a bit of digging, I was able to find out who was responsible for the ghost planes.

After a spate of deadly midair collisions, the aviation industry devised a system in the 1980s to warn airplanes of other flying aircraft in the vicinity. TCAS piggybacked on an earlier piece of technology called a transponder that sends a signal to air-traffic controllers containing the plane’s identifier and altitude. TCAS works by allowing planes’ transponders to exchange these messages as well. Each aircraft constantly pings others in the vicinity, using a directional antenna to determine the relative bearing to the responding aircraft, known as the “intruder,” and calculates how far away it is based on how long it takes to receive the response.

If the system calculates that a collision could potentially occur in the next 20 to 48 seconds, it generates what is called a “traffic advisory,” or TA, to alert the flight crew of potential danger. If impact might occur in just 15 to 35 seconds, it produces a more urgent warning called a “resolution advisory,” or RA. This can include an instruction to climb, to descend, or to reduce the rate of climb or descent. In some Airbus planes, the aircraft will actually respond on its own, without human input. The system is primitive by modern standards, but it has been incredibly effective. Prior to the January crash at Reagan airport, not a single U.S. airliner had been involved in a midair collision since TCAS entered service in the early ’90s. But the system contains a potential vulnerability.

At the time they designed it, engineers didn’t give much thought to whether malicious actors might someday try to interfere with an automated system that has no other purpose than to prevent planes from running into each other, and they built TCAS without any form of security. They built other automated safety systems in the same way: to measure the exact distance to the ground on landing, to determine the precise location in the sky, to help a plane land when the airport is obscured by clouds. All use radio signals, and none are encrypted. Theoretically, any of them could be susceptible to an attacker who sent falsified signals to mislead a targeted plane.

The risk of attack seemed largely theoretical until around 2014, when a new form of warfare emerged in the form of off-the-shelf drones. Inexpensive to purchase and widely available, drones let underdog combatants easily surveil their enemies and drop explosives. Hard to spot and able to duck between trees and buildings, small drones were invulnerable to expensive fighter planes and anti-aircraft missile systems that the world’s biggest militaries had poured their resources into. The most effective way to defend against them is through electronic warfare: swamping the airwaves with powerful radio signals that either overwhelm sensors or confuse drones’ navigation systems by transmitting misinformation.

These transmissions affect not just drones but everything else in the airspace, including civil aviation. The phenomenon started around Syria, where various forces used electronic warfare in the country’s civil war, causing nearby airliners to lose their GPS or find that their navigational systems reported them to be hundreds of miles from where they actually were. The phenomenon spread after Russia’s full-scale invasion of Ukraine in 2022. The Ukrainians, outmanned and outgunned, turned to drones to even the odds, eventually producing 4 million a year. The Russians, who had long been producing some of the world’s most sophisticated electronic-warfare equipment, found themselves racing to neutralize the Ukrainians’ capabilities. The following year, airliners in the Baltic Sea region began to experience anomalies with their GPS-based navigation systems.

Some of the incidents were likely an unintended byproduct of anti-drone defenses. But others, which could cause planes to drift off course and even enter the wrong country’s airspace, were a form of “smart spoofing” that appears to have targeted specific aircraft for unknown reasons. Finland was hit especially hard, with tens of thousands of commercial flights reportedly affected. Some planes even had to turn around because they were unable to land at their destinations. The culprit, everyone assumed, was Russia.

As the possibility of electronic warfare against aircraft became an increasingly urgent concern, researchers around the world began turning their attention to the problem, poring over schematics and circuit diagrams for the various aviation systems to understand how they might be attacked.

One of the systems they looked at was TCAS. In 2020 a team of researchers that included Ryan Gerdes, a cybersecurity researcher and professor at Virginia Tech, published a paper that explained how an attacker in the vicinity of a targeted flight could create radio messages that would make the TCAS system aboard the targeted plane think that a collision was imminent. But there was a severe limitation on the proposed spoof: It would only work if the attacker really was quite close to the aircraft — within a mile for a plane that was setting up to land.

Another group of researchers saw a way around this restriction, however. In August 2024, Giacomo Longo, an aviation-cybersecurity researcher at the University of Genova in Italy, explained at a cybersecurity conference in Philadelphia how he and his colleagues had built customized hardware that could generate spoof RAs from a distance of up to 2.6 miles away from the targeted aircraft, then operated it successfully against a mocked-up TCAS system.

Four months later, something eerily similar to what he’d proposed happened in New York. Planes coming in to land at JFK airport last December reported receiving RAs with no traffic in sight. U.S. government officials took the possible vulnerability seriously, and the following month the Cybersecurity and Infrastructure Security Agency issued an advisory notification describing how TCAS signals could be spoofed.

Then, a little over a month later, the spate of anomalies occurred over Washington.

Researchers from Aireon, a company that collects aircraft-tracking data via satellite, analyzed data from a sample of the March 1 incidents. All had occurred while the planes were landing from the north, in the general proximity of the Georgetown Reservoir, three miles west of the White House. The phantom intruders were all located to the east, about 1,000 feet ahead of the targeted aircraft, and at an altitude of 2,300 feet. None were transmitting any of the other signals that aircraft use to provide their position, though. Five days later, another batch of anomalies occurred.
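
The two observations above (intruders that no other surveillance source can see, reported by many different aircraft in the same spot) are the kind of cross-check an analyst can automate. The sketch below is an added example, not code from the article, Aireon or the FAA; the record layout, coordinates, distance and time tolerances, and the three-aircraft threshold are all assumptions, and the sample data is constructed.

```python
import math
from collections import defaultdict

# Constructed sample data (not real flights, not Aireon's data).
# RA events: (reporting flight, unix time s, intruder lat, lon, altitude ft)
RA_EVENTS = [
    ("FLT101", 1000, 38.930, -77.090, 2300),
    ("FLT202", 1600, 38.931, -77.091, 2300),
    ("FLT303", 2400, 38.929, -77.089, 2300),
    ("FLT404", 3000, 38.800, -77.030, 1500),
]
# Independent surveillance reports (ADS-B or radar): (time, lat, lon, altitude ft)
SURVEILLANCE = [
    (3005, 38.801, -77.031, 1550),  # real traffic near FLT404's intruder
    (1010, 39.200, -77.500, 9000),  # unrelated traffic far away
]

def horiz_nm(lat1, lon1, lat2, lon2):
    """Equirectangular distance in nautical miles (adequate at short range)."""
    dlat = (lat2 - lat1) * 60.0
    dlon = (lon2 - lon1) * 60.0 * math.cos(math.radians((lat1 + lat2) / 2))
    return math.hypot(dlat, dlon)

def corroborated(event, tracks, max_nm=1.0, max_ft=500, max_s=30):
    """True if any independent track is near the TCAS intruder in space and time."""
    _, t, lat, lon, alt = event
    return any(abs(ts - t) <= max_s and abs(a - alt) <= max_ft
               and horiz_nm(lat, lon, la, lo) <= max_nm
               for ts, la, lo, a in tracks)

def ghost_clusters(events, tracks, cell_deg=0.02, min_flights=3):
    """Group uncorroborated RAs by grid cell; keep cells reported by
    at least min_flights distinct aircraft."""
    cells = defaultdict(set)
    for ev in events:
        if not corroborated(ev, tracks):
            flight, _, lat, lon, _ = ev
            cell = (math.floor(lat / cell_deg), math.floor(lon / cell_deg))
            cells[cell].add(flight)
    return {c: sorted(f) for c, f in cells.items() if len(f) >= min_flights}

if __name__ == "__main__":
    for cell, flights in ghost_clusters(RA_EVENTS, SURVEILLANCE).items():
        print("possible ghost intruder in cell", cell, "reported by", flights)
```

A single uncorroborated RA can be an ordinary false alarm of the reflected-signal kind; it is the repetition across distinct aircraft in one cell that separates a persistent external source from noise.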

Longo says that these ghost planes are “suspiciously compatible” with the attack vector his team identified but is unable to provide a more detailed assessment of the events until they have completed their analysis. “We are in the process of writing a scientific report about the whys and hows,” he says. “We do have almost the full picture, but there’s still some work to be done.”

To Longo, one of the dangers of spoofing is that it can train pilots to ignore TCAS warnings, leaving them vulnerable to running into actual aircraft. “The most problematic thing that happened is that at one point, one of the planes ignored the RA,” he says. “This is not the procedure. Technically, you can only choose to not follow an RA if your plane doesn’t allow it or you will jeopardize someone’s safety.”

Anything that encourages pilots to ignore a collision warning is especially troubling given that, just a month before, the first fatal U.S. airline crash in 16 years had taken place not six miles away from the site of the ghost alerts — and it had been a midair collision. Still, the March 1 ghost planes hardly amounted to a convincing test of a weapon.

The mystery began to unravel on March 27, when Ted Cruz announced at a Senate hearing, “It’s now come to my attention that these warnings were caused by the Secret Service and the U.S. Navy and improperly testing counter-drone technology.”

Taken at face value, Cruz’s claim didn’t make sense to Ryan Gerdes, the Virginia Tech professor. Whoever was sending these signals, Gerdes points out, “probably weren’t using anti-drone technology, because drones aren’t really equipped with TCAS.”

Asked for comment, a Navy official told me, “We weren’t involved.” The Secret Service denied that it had been doing “any drone-system testing.”

But then, a few days later, a reliable government source told me the Secret Service had been testing equipment at the Naval Observatory, which is the vice-president’s official residence. “They didn’t tell anyone or coordinate with anyone,” the source said. “Once it became known that this was causing issues throughout the area, they worked with the FAA.” As for the nature of the equipment that was being used, “I don’t know what they were installing, or what the reason was that they installed it.”

The story added up. The Naval Observatory lies east of the Georgetown Reservoir, in the general direction from which the phantom signals had appeared. It is nearly two miles away from where the aircraft received the spoofed RAs, meaning the perpetrators must have used customized hardware of the type that Longo had described in his presentation seven months before.

When I pressed the Secret Service, a spokesman essentially confirmed my source’s version of events, writing by email: “The U.S. Secret Service continues to review the circumstances of this event in order to better understand the specifics of how these alerts occur and ensure our systems do not interfere with commercial air-traffic operations.”

A spokesperson for the FAA tells me, “We were able to pinpoint the source and correct it and there were no further issues.”

It’s hard to fully explain what happened given the secrecy around the technology — was it a counter-drone system or something else entirely? Whatever their reasoning, Schiavo considers the actions shockingly irresponsible. “The Secret Service experiments are grossly negligent and outside the scope of their official duties and responsibilities,” she says. “I just could not believe that our government would do that, putting so many civilians at risk.”

Coming amid a spate of mishaps at Reagan — including the midair collision in January, a fight between controllers in the tower, collisions on the ground, and aborted landings due to an Army helicopter near the runway — the incident raises serious questions about aviation safety in the area, and about the competence of the leadership in general.

Those questions only became more acute in the wake of the April 28 failure of the air-traffic-control system at Newark, which left more than a dozen airliners invisible to controllers for over a minute and triggered a weeklong series of severe travel delays at the airport.

It seems that, at present, America can barely keep its existing system operational, let alone respond intelligently to the challenges of a fast-changing world.

“The aviation industry has to adapt to a new security environment that includes the possibility of cyberattack, and the U.S. government has to mandate change if the airlines can’t or won’t adapt,” Schiavo says. “But whatever the Secret Service was doing in D.C. that day, that sure isn’t the way to go about it.”
