Re: And What if Manhattan IS Nuked?

From: Eugen Leitl (eugen@leitl.org)
Date: Sat Aug 24 2002 - 07:05:01 MDT


On Thu, 22 Aug 2002, Mike Lorrey wrote:

> > > The wire harnesses generally travel along the dorsal spine of the
> > > aircraft, above the passenger compartment, or else along the walls of
> > > the cargo compartment, depending on the plane.
> > >
> > > In such a case pilots, once they lock themselves in the cockpit, have
> > > taken themselves out of the equation. They can land the plane, and
> > > negotiators show up an hour later, just in time to watch the plane take
> > > off again under the control of the hijackers flying by laptop.

This is what you wrote.

> > This specific scenario has been discussed in the relevant forums and
> > found to be extremely improbable. You make it sound like an unskilled
> > (skilled people don't fly suicide missions) only needs to plug a laptop
> > into a network. It sure ain't so.

This is what I said.
 
> I never said it was, so you are putting words in my mouth, which I'd
> like you to retract.

I'm certainly not putting words into your mouth. (Notice the "you make it
sound like" bit). As such I don't have to retract anything.
 
> I, of just about anybody on this list, am, I think, best qualified to
> decide whether this scenario is possible. I served for three years in

I believe you. However, this is not the point. The scenario (splicing into
flight control buses on the ground) is theoretically possible, but
*practically* irrelevant.

> the US Air Force, as an enlisted man, as an aircraft electrical systems
> technician. This entailed about four months of classroom training and a
> year or so of on the job training that occurred in the course of working
> on the aircraft. I was trained in the classroom on a wide range of
> aircraft: F-5, F-4, and F-16 fighters, as well as Constellation, C-130
> and KC-135 aircraft. My on the job training included working on F-15
> and F-111 fighter aircraft.
>
> I also attended ground school to work toward my private pilot's license,
> and have 5 years experience in computer network technologies.
>
> The KC-135 aircraft is identical to the Boeing 737, so at least with
> that aircraft I can say for a fact that I know that this scenario can
> be carried out with these aircraft. My research with 747, MD-80, and
> Airbus flight control systems indicates that this is also possible with
> these families of aircraft, and likely with any other.

What are the boundary conditions for proper risk assessment? Misuse of
civil aircraft as a human-guided cruise missile (kinetic kill/incendiary
warhead). Assuming you can't access the cockpit (the vulnerable point),
you have to splice into the control circuitry. You can't do it in flight,
since you'll crash. You must do it on the ground. It takes a long time,
and one or several highly trained technicians (who, for some strange
reason, don't like suicide missions), with custom hardware (lots of custom
hardware). Once you take off, you will be shot down before you reach any
of your targets.

Does this describe a meaningful probability in a scenario? I don't think
so.
 
> ANY electronic circuit can be hacked. Flight control circuits are not
> only quite stupid and easily hackable (each wire is generally stamped
> with its unique circuit wire number at 1 foot intervals or less along
> its entire length, so it is easy to determine what wires do what at any
> point in the aircraft, for someone with copies of the schematics, which
> are publicly available).

Well, in a Boeing you've got ARINC xyz (mostly 429, also used in Airbus),
and FDDI. Paradoxically, it will be easier in the future, since most of
critical avionics control data will be moved to Ethernet. The same is also
true for Airbus, apparently.
 
I actually expected that arcane buses and protocols will make this far
more complicated, but in the near to mid term future, a laptop with
Ethernet jack, optical/Cu converter, splicing equipment, and a packet
sniffer could go a long way in the hands of a very good technician. It
could be even done in flight, if you're nimble about it.

This definitely asks for symmetrical encryption on avionics data traffic.

> For such simple circuits (and believe me, they are quite simple
> compared to any computer technology), it only requires a bit of advance

Well, they *are* computer technology.

> preparation with custom made splicing wire harnesses to allow a team to
> rapidly hack into the flight controls and take over control of an
> aircraft. These wire harnesses can be configured ahead of time to
> provide I/O connectivity to any publicly available I/O card (many of
> which are available as PCMCIA cards) to give total control of an
> aircraft to a laptop so connected.

Will people who can do this sacrifice their lives?
 
> Given access to circuit schematics and prior preparation of such I/O
> tools, rapid takeover of an aircraft is quite possible. I would even
> put money on it if I had any, and will meet anyone anywhere (provided a
> consulting retainer fee is deposited) to prove so publicly.

Of course it's possible. The question is, is it probable?
 
> >
> > Besides, if the plane is on the ground you can either dump the fuel
> > or trigger a trapdoor box out of reach which needs manual resetting.
>
> Assuming a) that the fuel dump is not the first circuit cut out by the
> infiltrators, and b) that the dump system can get rid of several tens
> of thousands of pounds of fuel in a few minutes. Even assuming that (A)
> doesn't occur, given what I know of fuel dump systems, they could not
> dump more than a few percent of their fuel before an aware team takes
> that circuit over and cuts off flow to the dump valves.

You're right. Dumping fuel on ground is probably too slow. It needs to be
a trapdoor device, triggerable from the cockpit, and needing a secret
stored off-plane to be reset. Given that encrypting avionics traffic is
sufficient (albeit making debugging more difficult), that should be the
preferable solution.
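
An added illustration, not part of the original message: the symmetric-key protection of bus traffic suggested above, shown here as frame authentication with HMAC-SHA256 and a replay counter rather than encryption. The frame layout, the `label` field and the sample key are hypothetical and constructed, and do not represent ARINC 429 or any real avionics format.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                       # truncated HMAC-SHA256 tag, in bytes
HDR = struct.Struct(">QH")         # hypothetical header: 64-bit counter, 16-bit label
SAMPLE_KEY = bytes(range(32))      # constructed sample key, shared by both ends

def seal(key: bytes, counter: int, label: int, payload: bytes) -> bytes:
    """Sender side: header + payload, followed by a tag computed over both."""
    body = HDR.pack(counter, label) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Accepts only frames made with the shared key and a fresh counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return (label, payload) for a valid, fresh frame, otherwise None."""
        if len(frame) < HDR.size + TAG_LEN:
            return None                                   # too short to be a frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                                   # wrong key or modified bytes
        counter, label = HDR.unpack_from(body)
        if counter <= self.last_counter:
            return None                                   # replayed or stale frame
        self.last_counter = counter
        return label, body[HDR.size:]

def demo():
    """Run four constructed frames through one receiver; True means accepted."""
    rx = Receiver(SAMPLE_KEY)
    good = seal(SAMPLE_KEY, 1, 0x0203, b"\x00\x10")
    no_key = seal(b"\x00" * 32, 2, 0x0203, b"\xff\xff")   # sender without the key
    altered = bytearray(seal(SAMPLE_KEY, 3, 0x0203, b"\x00\x11"))
    altered[HDR.size] ^= 0x01                             # one payload bit flipped in transit
    frames = [good, no_key, bytes(altered), good]         # last entry replays the first
    return [rx.accept(f) is not None for f in frames]

if __name__ == "__main__":
    print(demo())
```
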



This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:16:23 MST