funsec mailing list archives

Re: Backdoor Software Being Developed to Regain Control of Hijacked Aircraft


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 23 Jul 2006 17:05:47 +1200

Fergie wrote:

> The system "which could only be controlled from the ground would
> conduct the aircraft posing a problem to the nearest airport whether it
> liked it or not," according to extracts from next Monday's Der Spiegel
> released Saturday.

How will typical avionics fail-safe design requirements affect the 
design of this functionality and the component(s) that implement it?

Or are we all happy to accept that _this_ sub-system should be designed 
to not fail-safe?

Recall that the important end of the equipment that does the 
controlling _is on the plane_, as are the hijackers.  Also note that 
avionics tend to be incredibly modular for all those good ease of 
testing, servicing and replacement reasons.

I recently -- well nearly a year ago now -- was reminded of this when a 
plane I was on aborted a take-off (while approaching the final taxi-way 
on the ground) when a diagnostics routine indicated a problem with some 
computerized control involved in steering the front wheel.  The plane 
went back to the gate (the steering was apparently working fine, 
despite the diagnostics), they ran (and ran and ran, then re-ran all 
over again) the complete diagnostics for this control mechanism and 
when it persistently failed (presumably after "re-booting" or its 
equivalent), an engineer pulled out the unit and slotted in a new one.  
(This also failed, for reasons that were never explained to us and we 
were eventually taken off the plane and bussed to another plane, but 
that's another story...)

Do we really think they're going to be allowed to design such an "anti-
hijacker" system _to bolt onto existing avionics systems_ so that, if 
its module (and its hot-swap/fail-over backups) are physically pulled 
from their equipment slots, the plane will not revert to manual 
control, or at least to traditional assisted navigation under the 
control/direction of those on-board?

And, as the intended use of this is once the bad guys are on board, 
what's to stop the bad guys simply finding the antenna cable for this 
device's comms channels and yanking it?

And would especially ruthless hijackers with, say, one of the new 
"super-jumbo" A380 planes with 500+ hostages not simply start killing 
hostages until the remote navigational override was turned off?  Whose 
government would actually NOT succumb to such a threat?

From the purely technical perspective, I'm fairly sure you could design 
such not-to-be-overridden navigation override functionality into a 
plane's navigation systems _from the ground up_, but doing it as a bolt-
on for existing systems seems unlikely to be usefully workable.

> The system would be designed in such a way that even a computer
> hacker onboard could not get round it.

Yeah, right.

And it would be unhackable from the ground too, right?

Which leaves the question -- is hacking really the thing we should be 
most concerned about in such a situation?

Are they telling us that no-one would be able to kidnap a few family 
members of the staff of whatever organization will have physical access 
to the crypto keys (or whatever) that will be needed to enable this 
navigational override?  If such a system can be compromised "on the 
ground" (which it almost surely can) then it may be as useful as a weapon 
of terror to a purely ground-based attack with no hijackers on the 
plane...

Methinks there are some harder problems to be solved here than the 
article touches...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.