Tuesday, June 9, 2009

Hack-Jet: Losing a commercial airliner in a networked world


When there is a catastrophic loss of an aircraft in any circumstances, there are inevitably a host of questions raised about the safety and security of the aviation operation. The loss of Air France flight 447 off the coast of Brazil, with little evidence upon which to work, inevitably raises the level of speculation surrounding the fate of the flight. Large-scale incidents such as this create an enormous cloud of data, which has to be investigated in order to discover the pattern of events that led to the loss (not helped when some of it may be two miles under the ocean surface). So far French authorities have been quick to rule out terrorism. It has, however, emerged that a bomb hoax against an Air France flight had been made the previous week on a different route from Argentina. This currently does not seem to be linked, and no terrorist group has claimed responsibility. Much of the speculation regarding the fate of the aircraft has focused on the effects of bad weather or a glitch in the fly-by-wire system that could have caused the plane to dive uncontrollably. There is, however, another theory which, while currently unlikely, would if true change the global aviation security situation overnight: a hacked jet.

Given the plethora of software modern jets rely on, it seems reasonable to assume that these systems could be compromised by code designed to trigger catastrophic systemic events within the aircraft's navigation or other critical electronic systems. Just as aircraft have a physical presence, they increasingly have a virtual footprint, and this changes their vulnerability. A systemic software corruption may account for the mysterious absence of a Mayday call: the communications system may have been offline. Designing airport and aviation security to keep lethal code off civilian aircraft would, in the short term, be beyond any government civil security regime. A malicious code attack of this kind against any civilian airliner would therefore be catastrophic not only for the airline industry but also for the wider global economy, until security caught up with this new threat. The technical ability to conduct an attack of this kind remains highly specialized (for now), but the knowledge to conduct attacks in this mold would be as deadly as WMD and easier to spread through our networked world. Electronic systems on aircraft are designed for safety, not security; they therefore do not account for malicious internal actions.

While this may seem the stuff of fiction, in January 2008 this broad topic was discussed due to the planned arrival of the Boeing 787, which is designed to be more 'wired', offering greater passenger connectivity. Air safety regulations have not been designed to accommodate the idea of an attack against on-board electronic systems, and the FAA proposed special conditions, which were subsequently commented upon by the Air Line Pilots Association and Airbus. There is some interesting back and forth in the proposed special conditions, which are after all only to apply to the Boeing 787. In one section, Airbus rightly pointed out that making it a safety condition that the internal design of civilian aircraft should 'prevent all inadvertent or malicious changes to [the electronic system]' would be impossible during the life cycle of the aircraft because 'security threats evolve very rapidly'. Boeing responded to these reports in an AP article, stating that there were sufficient safeguards to shut out the Internet from internal aircraft systems, a conclusion the FAA broadly agreed with; Wired Magazine covered much of the ground. During the press surrounding this, the security writer Bruce Schneier commented that, "The odds of this being perfect are zero. It's possible Boeing can make their connection to the Internet secure. If they do, it will be the first time in the history of mankind anyone's done that." Of course, securing the airborne aircraft isn't the only concern when maintenance and diagnostic systems constantly refresh while the aircraft is on the ground. Malicious action could infect any part of this process. While a combination of factors probably led to the tragic loss of flight AF447, the current uncertainty serves to highlight a potential game-changing aviation security scenario that no airline or government is equipped to face.

Comments on Hack-Jet:

(Note - these are thoughts on the idea of using software hacks to down commercial airliners and are not specifically directed at events surrounding the loss of AF447).

From Daniel Suarez, author of Daemon:

It would seem like the height of folly not to have physical overrides in place for the pilot -- although, I realize that modern aircraft (especially designs like the B-2 bomber) require so many minute flight surface corrections every second to stay aloft, that no human could manage it. Perhaps that's what's going on with upcoming models like the 787. And I don't know about the Airbus A330.

I did think it was highly suspicious that the plane seems to have been lost above St. Peter & Paul's Rocks. By the strangest of coincidences, I had been examining that rock closely in Google Earth a few weeks ago for a scene in the sequel (which was later cut). It's basically a few huge rocks with a series of antennas and a control hut -- with nothing around it for nearly 400 miles.

Assuming the theoretical attacker didn't make the exploit time-based or GPS-coordinate-based, they might want to issue a radio 'kill' command in a locale where there would be little opportunity to retrieve the black box (concealing all trace of the attack). I wonder: do the radios on an A330 have any software signal processing capability? As for the attackers: they wouldn't need to physically go to the rocks -- just compromise the scientific station's network via email or other intrusion, etc. and issue the 'kill' command from a hacked communication system. If I were an investigator, I'd be physically securing and scouring everything that had radio capabilities on those rocks. And looking closely at any record of radio signals in the area (testing suspicious patterns against a virtual A330's operating system). Buffer overrun (causing the whole system to crash?). Injecting an invalid (negative) speed value? Who knows... Perhaps the NSA's big ear has a record of any radio traffic issued around that time.

The big concern, of course, is that this is a proof-of-concept attack -- thus, the reason for concealing all traces of the compromise.


From John Robb - Global Guerillas:

The really dangerous hacking, in most situations, is done by disgruntled/postal/financially motivated employees. With all glass cockpits, fly by wire, etc. (the Airbus is top of its class in this) it would be easy for anybody on the ground crew to crash it. No tricky mechanical sabotage.

External hacks? That is of course, trickier. One way would be to get into the diagnostic/mx computers the ground crew uses. Probably by adding a hack to a standard patch/update. Not sure if any of the updates to these computers are delivered "online."

Flight planning is likely the most "connected" system. Easier to access externally. Pilots get their plans for each flight and load them into the plane. If the route has them flying into the ground mid flight, it's possible they won't notice.

In flight hacks? Not sure that anything beyond outbound comms from the system is wireless. If so, that would be one method.

Another would be a multidirectional microwave/HERF burst that fries controls. Might be possible, in a closed environment/fly-by-wire system, to do this with relatively little power.


There has been continuous discussion of the dangers involved with fly-by-wire systems in Peter Neumann's RISKS Digest since the systems were introduced in the late 1980s. The latest posting on the subject is here.


Contact: roderick[dot]jones[at]gmail[dot]com