From: Mike Lorrey (mlorrey@yahoo.com)
Date: Sat Aug 24 2002 - 22:10:38 MDT
--- Eugen Leitl <eugen@leitl.org> wrote:
> On Thu, 22 Aug 2002, Mike Lorrey wrote:
>
> > > > The wire harnesses generally travel along the dorsal spine of the
> > > > aircraft, above the passenger compartment, or else along the walls of
> > > > the cargo compartment, depending on the plane.
> > > >
> > > > In such a case pilots, once they lock themselves in the cockpit, have
> > > > taken themselves out of the equation. They can land the plane, and
> > > > negotiators show up an hour later, just in time to watch the plane take
> > > > off again under the control of the hijackers flying by laptop.
>
> This is what you wrote.
You cut out a lot of previous stuff, like the part where I specifically
stated that the team had individuals with FAA A&P certifications, with
at least one computer science major. Your assertion below that I
claimed that unskilled and untrained individuals could pull this off is
therefore unsupported and I want you to retract that.
>
> > > This specific scenario has been discussed in the relevant forums and
> > > found to be extremely improbable. You make it sound like an unskilled
> > > (skilled people don't fly suicide missions) only needs to plug a laptop
> > > into a network. It sure ain't so.
>
> This is what I said.
>
> > I never said it was, so you are putting words in my mouth, which I'd
> > like you to retract.
>
> I'm certainly not putting words into your mouth. (Notice the "you make it
> sound like" bit). As such I don't have to retract anything.
Try again.
>
> > I, of just about anybody on this list, am I think best qualified to
> > decide whether this scenario is possible. I served for three years in
>
> I believe you. However, this is not the point. The scenario (splicing into
> flight control buses on the ground) is theoretically possible, but
> *practically* irrelevant.
No, not at all. Not just theoretically possible, either. Did it, done
it, wore the t-shirt....
Furthermore, not only do all flight control and instrument data needed
to control an aircraft get wired from the cockpit to the flight data
recorder in the tail, but there are pre-wired panels on most such
aircraft that are generally used for troubleshooting interfaces,
everything from multimeter probe panels to interface connectors to
connect to hand held troubleshooting computers.
>
> > the US Air Force, as an enlisted man, as an aircraft electrical systems
> > technician. This entailed about four months of classroom training and a
> > year or so of on the job training that occurred in the course of working
> > on the aircraft. I was trained in the classroom on a wide range of
> > aircraft: F-5, F-4, and F-16 fighters, as well as Constellation, C-130
> > and KC-135 aircraft. My on the job training included working on F-15
> > and F-111 fighter aircraft.
> >
> > I also attended ground school to work toward my private pilot's license,
> > and have 5 years experience in computer network technologies.
> >
> > The KC-135 aircraft is identical to the Boeing 737, so at least with
> > that aircraft I can say for a fact that I know that this scenario can
> > be carried out with these aircraft. My research with 747, MD-80, and
> > Airbus flight control systems indicates that this is also possible with
> > these families of aircraft, and likely with any other.
>
> What are the boundary conditions for proper risk assessment? Misuse
> of civil aircraft as a human-guided cruise missile (kinetic kill/incendiary
> warhead). Assuming you can't access the cockpit (the vulnerable point),
> you have to splice into the control circuitry. You can't do it in flight,
> since you'll crash. You must do it on the ground.
No, it doesn't. I had thought that you had more practical knowledge of
circuit splicing technology, but such can be done on the fly, and is
done all the time. Phone circuitry, for example, is spliced into on the
fly, without interrupting the signal, by law enforcement doing
wiretaps, by hackers setting up hardwired circuit sniffers, etc. I've
spliced into aircraft circuits on-the-fly myself while I was a smurf.
> It takes a long time,
> and one or several highly trained technicians (who, for some strange
> reason, don't like suicide missions), with custom hardware (lots of custom
> hardware). Once you take off, you will be shot down before you reach
> any of your targets.
Why do you keep assuming that highly trained technicians would have
some aversion to death? In the 9/11 attack, the most highly trained
individuals, the pilots, were the ones who knew the most about the
mission. Said pilots were highly educated, financially well off, from
wealthy Saudi families, and pursued flight training for extended
periods of time to attain proficiency they felt they needed.
Furthermore, what makes you assume that you'll be shot down before
reaching your target? First off, it is pathetically easy to avoid
civilian radar systems by dropping below 5,000 feet altitude and
changing your transponder codes. They've ended round the clock
interceptor flights over all major cities except DC itself. The closest
fighters to New York, for example, are still at Otis AFB out on Cape
Cod.
Additionally, what makes you think that any attack will be made of more
than one aircraft? It seems as though you are making lots of
unwarranted assumptions, as well as ignoring things I've already said
and claiming I am saying something I'm not.
>
> > ANY electronic circuit can be hacked. Flight control circuits are not
> > only quite stupid and easily hackable (each wire is generally stamped
> > with its unique circuit wire number at 1 foot intervals or less along
> > its entire length, so it is easy to determine what wires do what at any
> > point in the aircraft, for someone with copies of the schematics, which
> > are publicly available).
>
> Well, in a Boeing you've got ARINC xyz (mostly 429, also used in Airbus),
> and FDDI.
In the 747-400, perhaps, but not any of the older models.
> Paradoxically, it will be easier in the future, since most of
> critical avionics control data will be moved to Ethernet. The same is
> also true for Airbus, apparently.
>
> I actually expected that arcane buses and protocols will make this far
> more complicated, but in the near to mid term future, a laptop with
> Ethernet jack, optical/Cu converter, splicing equipment, and a packet
> sniffer could go a long way in the hands of a very good technician.
> It could be even done in flight, if you're nimble about it.
>
> This definitely asks for symmetrical encryption on avionics data traffic.
Sure, but who has the keys? This is a major problem of security. We
have to assume that there are already sleeper moles on the inside of
the industry who can get the terrorists security access. They had
already established legitimate credentials for the 9/11 pilots. The
perimeter is penetrated and the system itself cannot be trusted to
provide trustable data.
>
> > For such simple circuits (and believe me, they are quite simple
> > compared to any computer technology), it only requires a bit of advance
>
> Well, they *are* computer technology.
>
> > preparation with custom made splicing wire harnesses to allow a team to
> > rapidly hack into the flight controls and take over control of an
> > aircraft. These wire harnesses can be configured ahead of time to
> > provide I/O connectivity to any publicly available I/O card (many of
> > which are available as PCMCIA cards) to give total control of an
> > aircraft to a laptop so connected.
>
> Will people who can do this sacrifice their lives?
They did it on 9/11.
>
> > >
> > > Besides, if the plane is on the ground you can either dump the fuel
> > > or trigger a trapdoor box out of reach which needs manual resetting.
> >
> > Assuming a) that the fuel dump is not the first circuit cut out by the
> > infiltrators, and b) that the dump system can get rid of several tens
> > of thousands of pounds of fuel in a few minutes. Even assuming that
> > (A) doesn't occur, given what I know of fuel dump systems, they could
> > not dump more than a few percent of their fuel before an aware team
> > takes that circuit over and cuts off flow to the dump valves.
>
> You're right. Dumping fuel on ground is probably too slow. It needs
> to be a trapdoor device, triggerable from the cockpit, and needing a
> secret stored off-plane to be reset. Given that encrypting avionics
> traffic is sufficient (albeit making debugging more difficult), that
> should be the preferable solution.
Well, yes, but that isn't a design that the FAA is going to approve,
cause it then makes it very easy for a terrorist pilot to dump jet fuel
like napalm on unsuspecting cities as they are flown over.
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:16:24 MST