Networking: March 2007 Archives


March 9, 2007

According to this article Boeing is designing an "Uninterruptible Autopilot System". The idea here is that if the plane is being hijacked you trigger the UAS. Once it's engaged, the plane can't be controlled by the pilot but is remotely controllable from the ground.

It's important to remember here that there are two kinds of hijacking:

  • The old style "take me to Cuba" hijacking where you threaten the pilot or passengers to get them to take you where you want, get your demands met, etc.
  • The newer 9/11 style hijacking where you take control of the plane and crash it into something.

This seems to be mostly targeted at the second type of hijacking, since the first type depends principally on people complying under a threat and this threat is at least 95% as credible when the pilot is on the ground as if they're in the air with you. You just threaten someone on the plane instead of the pilot. On the other hand, if your objective is to fly the plane into some building, presumably the flight controllers on the ground won't allow that no matter how much you threaten to kill passengers.

That said, it's not entirely clear that 9/11-style hijacking can work even without this technology. If you're a passenger on a hijacked plane and you expect the hijackers to fly it into a building you've got a pretty good incentive to try to take back the plane regardless of what weapons the hijackers have. As has been often observed, 9/11 was successful because people's responses to hijacking were predicated on the assumption that it was the first type—who had heard of the second?

From a security guy's perspective, the interesting question is what safeguards are in place to prevent accidental activation and control by attackers? Imagine you get your hands on the control unit for an aircraft and can somehow get it put into UAS mode. Congratulations, you've got yourself a remote controlled, manned cruise missile. Presumably there are safeguards in place to defend against this sort of attack. Minimally, one would hope that some sort of cryptography is used to limit control to authorized units. The COMSEC techniques here are of course relatively straightforward.

The second thing you would like is for it to be impossible to remotely put the plane into UAS mode, thus minimizing the damage from any compromise of a control unit or its keying material. For instance, the UAS radio receiver could be physically disconnected until engaged onboard the plane.

Even if proper COMSEC techniques are used, there still is a residual risk if it's possible to jam the signal. In order for the system to work, it needs to be fairly sensitive so that any attempt to take over the cockpit triggers it (hence the proposed pressure sensors on the cockpit door). But this potentially enables an attacker onboard to trigger the UAS while a confederate on the ground holds the plane hostage by jamming the control signal. Again, there are techniques to make signals harder to jam (though the authentication techniques you're likely to use make the control channel very sensitive to errors so you'd need a lot of forward error correction).
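As an added illustration of the two points above (authenticating commands so that only holders of an authorized unit's key are accepted, and the interaction between authentication and channel errors), here is a small Python model that is not part of the original post and has nothing to do with Boeing's actual design. It assumes a constructed command-frame format (4-byte sequence number, command bytes, 16-byte truncated HMAC-SHA256 tag), a constructed per-unit key, and a standard Hamming(7,4) code as the forward error correction layer beneath the MAC. The point it makes: any single bit flip in an authenticated frame is rejected outright, so only an FEC layer applied before verification lets legitimate commands survive a noisy or partially jammed channel, while the MAC still rejects whatever the FEC cannot correct.

```python
import hmac
import hashlib

# Constructed demo key for one authorized control unit (not a real key).
UNIT_KEY = b"constructed-demo-key-for-unit-A"
TAG_LEN = 16


def make_frame(cmd: bytes, seq: int, key: bytes = UNIT_KEY) -> bytes:
    """Authenticated command frame: seq || cmd || HMAC-SHA256 tag (truncated)."""
    body = seq.to_bytes(4, "big") + cmd
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_frame(frame: bytes, key: bytes = UNIT_KEY):
    """Return (seq, cmd) if the tag verifies under this unit's key, else None."""
    if len(frame) < 4 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return int.from_bytes(body[:4], "big"), body[4:]


# --- Hamming(7,4): corrects any single bit error per 7-bit codeword ---
def hamming_encode_nibble(d):
    d1, d2, d3, d4 = d
    p1 = d1 ^ d2 ^ d4          # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4          # covers positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4          # covers positions 4,5,6,7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming_decode_codeword(c):
    c = list(c)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    pos = s1 + 2 * s2 + 4 * s3   # syndrome = 1-based position of a single error
    if pos:
        c[pos - 1] ^= 1
    return [c[2], c[4], c[5], c[6]]


def bytes_to_bits(data: bytes):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def fec_encode(data: bytes):
    bits = bytes_to_bits(data)
    out = []
    for i in range(0, len(bits), 4):
        out += hamming_encode_nibble(bits[i:i + 4])
    return out


def fec_decode(bits):
    out = []
    for i in range(0, len(bits), 7):
        out += hamming_decode_codeword(bits[i:i + 7])
    return bits_to_bytes(out)


def send_over_noisy_channel(frame: bytes, flip_positions, use_fec: bool):
    """Simulate a channel that flips the given bit positions; return verify result."""
    bits = fec_encode(frame) if use_fec else bytes_to_bits(frame)
    for p in flip_positions:
        bits[p] ^= 1
    received = fec_decode(bits) if use_fec else bits_to_bytes(bits)
    return verify_frame(received)


def one_flip_per_codeword(n_codewords: int):
    """Worst case Hamming(7,4) still corrects: one error in every codeword."""
    return [i * 7 + (i % 7) for i in range(n_codewords)]


if __name__ == "__main__":
    frame = make_frame(b"ENGAGE", 7)
    n_codewords = len(frame) * 8 // 4
    print("clean:", verify_frame(frame))
    print("1 flip, no FEC:", send_over_noisy_channel(frame, [5], False))
    print("1 flip/codeword, FEC:",
          send_over_noisy_channel(frame, one_flip_per_codeword(n_codewords), True))
    print("2 flips in one codeword, FEC:", send_over_noisy_channel(frame, [0, 1], True))
    print("wrong unit key:", verify_frame(frame, b"constructed-key-for-unit-B"))
```

Running the script shows the asymmetry the text describes: without FEC, a single flipped bit anywhere in the 26-byte frame makes verification fail, whereas with Hamming(7,4) one error in every codeword is corrected and the command is accepted; two errors in the same codeword are miscorrected by the code, and the MAC then rejects the frame rather than passing a corrupted command through. A real control link would use a much stronger code (and replay protection on the sequence number), but the layering, FEC below and authentication above, is the same.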

I'd certainly be interested in hearing more about the design of the proposed system.