Why hackers won't be able to hijack your next flight - the facts

Re: "almost always mechanical backup for critical ... components."

Although the electronics is dual channel (one controlling, one backup), it's two channels of identical hardware running identical software.

This is frequently not the case; all the aircraft I've worked on have different types of CPU in the primary and secondary flight computers.

I've just read a presentation on Airbus fly-by-wire systems, and they use the same protocol.

Vic,

Re: Attacker vs Attacker

ACAS is not a radar, what they're talking about is spoofing the collision avoidance system to make the aircraft manoeuvre to avoid something that isn't there. To do that you'd have to transmit a series of transponder returns from a consistent position relative to the target aircraft.

It may be possible to hack the ACAS box, Google TCAS for an explanation of how it works, and I'm not sure how they're integrated into a modern airliner so their data is displayed on the flight displays. However it's perfectly possible to have it as a standalone box that only takes power from the aircraft.

Re: We don't need no stinkin' backups

> Why shouldn't that maintanance include a test flight

Because it's dangerous to the crew, plane, and anything the plane might crash into. I sure as hell wouldn't fly anything that has had the primary flight controls intentionally turned off.

The flight crew practice the emergency procedures in the massive simulators the airlines use on a regular basis, and part of the maintenance is testing and exercising backup systems.

You're not going to test an ejection seat in a fighter by hopping in and pulling the loud handle. I don't test the ABS on my motorcycle by screaming down the road at 60mph and trying to lock up the brakes, I test it by attaching a laptop (or clipping in a diagnostics jumper) and seeing if all the valves and calipers behave properly.

Re: We don't need no stinkin' backups

I know a few people who work on planes. The system are tested. Rigorously. And the pilots train in the use of those systems via (expensive) simulators.

I appreciate the parallel you are trying to draw but what you are asking them to do is to deliberately force the system into a simulated failure during normal operation where there is nothing wrong. That's not quite the same as what you are doing and I suspect that if you suggested that to your boss then he/she might (legitimately) ask why you can't do the test on the expensive test system you pushed through in last year's budget for exactly this purpose.

It would be important to note that a failure of the primary systems would likely warrant - as a matter of procedure - an emergency landing. Not 'ohgodohgodohgod' type emergency, but as a matter of prudence, I am pretty sure you aren't supposed fly without a backup system and so if the main system is lost in-flight I would expect that the plane would request diversion to a closer airport, possibly requiring dumping of fuel.

You certainly couldn't do that just as a test!

My point is that you should test your systems as thoroughly as possible and in as close to real conditions as possible. BUT, 99/100 that's just not possible so you have to test things in part and bring them together, including simulations.

The simple fact is that it works because air travel is very, very safe. The most fallible part is the meat, which is why there's always backup meat as well.

Re: We don't need no stinkin' backups

"The point is, unless you test your backups, they are useless. How do they know if these backup systems are working if you never use them?"

Excellent question.

The engine control systems I used to work with had pretty much two of everything, albeit all within one box - duplicated critical inputs and outputs, and duplicated electronics; call it System A and System B.

There was no permanent designated dedicated "backup" system as such. The system in control was alternated between flights, System A (and its inputs and outputs) for one flight then System B for the next,so that problems specifically couldn't lie hidden for long periods in between maintenance.

There is some logic in some of this stuff :)

Re: We don't need no stinkin' backups

How do they know if these backup systems are working if you never use them?

You do use them.

Two of the aircraft I fly have a "glass cockpit" system - the flying displays are big LCD screens, showing all the flight instrumentation and navigation systems.

The backups are mechanical instruments alongside the displays - and you *do* use them all the time. In fact, I rarely look at the airspeed indicator on the LCD, because I prefer to use the mechanical one (it's less laggy)

These backups aren't something that sit unused in a cupboard; they're in front of your face every time you fly.

Vic.

Re: But what upgrades the software?

There is no mechanical backup for Airbuses for some time. Nor I believe the 777.

There is certainly a mechanical backup on the 777. I'd have to look up the Airbus.

Vic.

You've been watching Die Harder again, haven't you ?

Re: Wot about ILS?

ILS is unencrypted. Heck, it's not even digital.

So?

Try to work out a practical hack for ILS. Just adding more transmitters isn't going to bring aircraft down - it's just going to piss off the first two pilots who have to execute a missed approach.

As soon as the difficulty is discovered - even if no-one knows why it's gone wrong - ILS will be marked as inoperative, and every single incoming aircraft will be told this. The pilot will need to say that it is inoperative as part of his read-back to ATSU.

ILS is an aid to navigation, it's not the only way of bringing an aircraft in. Should the visibilty be so poor that the airfield is effectively unusable without ILS, incoming aircraft will be diverted. They *do* have enough fuel for that - it's part of the flight plan.

Vic.

Heck, it's not even digital

And yet it works, it's as if you don't need a series of 1s and 0s in the real world...

Re: Collision avoidance system

From my understanding of how the ACAS/TCAS systems work it wouldn't really matter if you obeyed a false alarm as all it will have told you to do is make a climb or descent to avoid an aircraft that isn't there. The descent advisory is suppressed below a certain altitude above ground level as well so it won't order you into the ground.

You might, might, be able to confues the box as to which aircraft should climb and which should descend, which is based on serial number I think, but that means you'd have to be willing to sacrifice your spoofing platform, and get it in the right place to ensure a TCAS resolution advisory gets triggered agains your target aircraft. Which is the kind of non-trivial problem that makes air defence systems so expensive.

Re: Step back and thnk about this.

In theory you're right, but then again I have a hunch the NASA / Thiokol people weren't feeling particularly complacent either...

Re: Step back and thnk about this.

"Are the airline designers complacent? I very much doubt it. They have too much to lose."

You'd have been right a decade ago.

Are you still right?

Has it not occured to you that the Dreamliner may be about to prove that the MBAs and the outsourcing experts and the believers in unverified self-certification may have been allowed too much room to override engineering best practice? It's a thought that has occurred to many people in the industry, and some well known names outside.

"Richard Feynman's famous conclusion to his report on the shuttle Challenger accident, which arose again in the Columbia accident, is "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled." "

See also: Charles Haddon-Cave (Nimrod inquiry etc).

Re: Bob Wheeler Re: Step back and thnk about this.

Agree with the majority of your post except the bit about the de Havilland Comet, where the fault was an unverified production process change, not a design issue. The square windows and door apertures on the Comet's fuselage had been designed to be bonded with glue in the same manner as had been proven with the wooden Mosquito. But, in the politicised rush to get the aircraft into service, the production line switched to using rivets instead of gluing around the windows, doors, and several other apertures without checking with the design team. Although the square shape of the windows generated concentrated stress points, if they had of been glued it would not have been an issue. As it was, the first three Comets were lost due to pilot error, and the fourth (G-ALYP, the first production airframe) was lost due to structural failure caused by tears originating from the rivets around the aperture for the ADF. The resulting bad publicity (amplified by competing American manufacturers) killed the Comet as a commercial airliner, though it went on to have an excellent service career as a military aircraft.

Re: Step back and thnk about this.

"How many aircraft have been lost due to a design flaw over the last 10, 20, 30, 40 years?" - DC10 cargo doors. All 346 people on board Turkish Airlines Flight 981 were killed when the cargo door blew out over France in 1974. It was a known design problem (the door could be left partially unlocked without it being obvious rendering it liable to blow open in flight, with subsequent floor collapse severing control lines). OK this is slightly more than 40 years ago but unfortunately design weakness can and do happen - it's not necessarily poor design, sometimes the implications of a design don't become apparent until heavy use. Hopefully they mostly get spotted and corrected or procedures put in place to avoid them causing an incident. Though speaking of procedures 273 lives were lost in a further DC10 crash in 1979 caused by removing the engine and supporting pylon as a unit, to save time, against the manufacturers recommendations (for which American Airlines were fined $500k, but they weren't the only airline doing it).

Someone queried whether aircraft were allowed to fly without primary instruments working; I'm sure somebody in the industry can advise on this but a few years ago my holiday return flight was postponed because the captain's side primary engine display was inoperative; apparently to fly without it was against company policy. An engineer was to be flown out to fix it. After several hours wondering what overnight accomdation was going to be provided the captain appeared and informed us he'd persuaded the company that, as the right-hand instrument plus the backup were both working, it would be perfectly safe, and we duly took off the same night. I think the captain must have had a hot date ;-)

Re: Step back and thnk about this.

Here's one that failed as a direct result of a design flaw:

https://en.wikipedia.org/wiki/TWA_Flight_800

Incredibly rare for mechanical failures to occur these days, thankfully.

However, design flaws can be subtle and indirectly lead to losses, particularly flaws in relation to auto flight/autothrottle.

(Asiana, Air Inter, Air France 400 all come to mind....)

In this case I don't think they're talking about the human factor in terms of gaining access to the computer, I think they mean in overcoming what happens next. E.g. the computer may be hacked so the flight plan takes you to the wrong place but the humans should notice that and question it. Of course that depends on the quality of human being employed, I think Ryan Air try and beat out any tendency for the pilot to think for themselves at an early stage in case it costs money.

I agree. There is a direct link that I can think of:

The in-flight moving map for the passengers takes the arrival time from the Flight-Management Computers in the cockpit, no question.

I sure hope that's a one-way connection.....