It’s Wi-fi, Not Wi-Fly

For the record, I’m not an IT specialist, a security analyst or a person with top secret clearance (my clearance is bottom secret only). I am however someone with a fairly extensive knowledge of aircraft, systems, avionics and other stuff that’s related to being off the ground at high speeds. Therefore, I’m going to address the aircraft systems side of the current wi-fi hacking issue.

Recent articles have stated that it is possible to hack into an aircraft’s controls via a wi-fi connection. Some hackers have even publicly stated that they could, and have, gotten into an airplane’s avionics (and they probably got a nice visit from gentlemen driving cars with government plates soon thereafter). The worst case scenario that keeps getting bandied about is a passenger taking over the airplane from a laptop and making it go wherever the hell they want. This may be possible on some astronomically small level, but in reality it is not very plausible with current aircraft designs.

Everyone always talks about how airplanes are flown by computers. I’ve been at airshows where people next to me confidently tell whoever will listen that “Those Blue Angel pilots aren’t even doing anything. The computers are flying the airplanes, it’s all a program.” Passengers often assume that the pilots up front are just following commands from “ground control” and that computers will be able to take over completely by 2017. This is what happens when an industry touts its technology rather than its technicians…the machines become the heroes.

Part of this is a misunderstanding of basic aircraft systems, which, considering the level of knowledge most people have about aircraft in general, is not surprising. Aircraft may be “flown” by computers, but human pilots tell the computers what to do (and if the computers get a superiority complex, the humans can override the machines). It’s the same as how computers in your car govern much of its operation, but you still turn the wheel and hit the pedals manually.

Aircraft are a weird combination of old and new technology designed to provide ease of operation, redundancy and graceful degradation. Save for a few military jets (the statically unstable F-16 as a prime example), virtually all aircraft have a physical connection from the cockpit controls to the control surfaces. This ensures that even in the event of a major emergency, the pilot(s) will be able to maneuver the aircraft to a landing. These physical connections may be steel cables, pushrods, hydraulic actuators, screwjacks or a combination thereof.

While the old technology works great for ensuring that pilots can continue to fly even after malfunctions, the new technology is perfect for making the aircraft more precise, more capable and easier to manage over a variety of situations. Of course, this all hinges on the pilots understanding and being masters of all the different modes that the automation systems offer (they do and they are). Some of these systems include:

  • Where-Are-We Systems: Inertial navigation systems (INS) are self-contained units that use laser ring gyros to determine where the airplane is at any point on the planet with extreme accuracy; global positioning systems (GPS) use satellites to triangulate the aircraft’s position. These prevent getting lost, which as a rule tends to erode passenger confidence.
  • What-Are-We-Doing Systems: The Attitude Heading Reference System (AHRS) uses accelerometers to figure out what the pitch, roll and yaw state of the aircraft is; Air Data Computers (ADC) take analog inputs from the pitot-static system and Angle Of Attack (AOA) probes to provide the pilots and other computer systems with information on how fast and how high the airplane is.
  • Do-What-I-Tell-You Systems: Input interfaces like the Control Display Unit (CDU) allow pilots to enter data into the Flight Management System (FMS) to create and manage flight plans, and Autopilot Mode Control Panels (MCP or FCU) give the pilots the ability to change autoflight settings or, most importantly, disengage automation if the situation calls for it.
  • How Are We Feeling Systems: The Central Maintenance Computers (CMC) and crew alerting systems (EICAS) check the health of the aircraft, run checklists and alert the pilots to any unusual situations. These are the computers that stole the job of the flight engineer…the third guy in the cockpit you often see in old movies.
  • I-Can’t-Let-You-Do-That Systems: In some aircraft there are systems that prevent pilots from exceeding certain limits. Examples include Thrust Management Systems (TMS) that protect engines from overheating or overspeeding and command the autothrottle system, and Flight Control System computers (FCS) that process information from various sources, determine what the pilots are asking for in terms of maneuvering and either direct or implement those inputs to the control surfaces and engines.

At this point you may have noticed that the aviation industry loves acronyms. You also may have noticed that there is not one single computer that controls the airplane. Probably the most important system in the bunch, the FCS is usually comprised of several computers all speaking different languages. If one computer doesn’t agree with the others, it is overruled. If two computers don’t agree with the other two, the fifth one kicks in as a tiebreaker. Needless to say, the implementation is far more complex than linking a couple desktops together with an ethernet cable, but the theory is straightforward.
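To make the voting idea concrete, here is a simplified sketch added for illustration; it is not code from any real flight control system, and the function name, the agreement tolerance and the sample elevator commands are all made up. It shows why one misbehaving (or tampered-with) channel cannot push its value through on its own.

```python
from statistics import median

class NoMajority(Exception):
    """Raised when no strict majority of channels agree."""

def vote(commands, tolerance=0.5):
    """Majority-vote one command across redundant computers.

    commands  -- one elevator command (degrees) per computer; constructed data
    tolerance -- how far apart two channels may be and still "agree"
                 (an assumed value, chosen only for this example)
    Returns (voted_value, overruled_channel_indices).
    """
    best = []
    for ref in commands:
        # Every channel that agrees with this one, itself included.
        group = [i for i, c in enumerate(commands) if abs(c - ref) <= tolerance]
        if len(group) > len(best):
            best = group
    # A strict majority is required; an even split means nobody can be trusted.
    if len(best) * 2 <= len(commands):
        raise NoMajority("channels disagree and no majority exists")
    voted = median(commands[i] for i in best)
    overruled = [i for i in range(len(commands)) if i not in best]
    return voted, overruled

if __name__ == "__main__":
    # One channel disagrees with the others: it is overruled.
    print(vote([2.0, 2.1, 1.9, 2.0, 25.0]))
    # Two against two: the fifth channel acts as the tiebreaker.
    print(vote([2.0, 2.0, -10.0, -10.0, 2.1]))
    # Four channels split evenly: the voter refuses to pick a side.
    try:
        vote([2.0, 2.0, -10.0, -10.0])
    except NoMajority as err:
        print("no output selected:", err)
```
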

Beyond just being the Supreme Court of the airplane, the FCS also acts as a mediator between the pilot’s inputs and control surface positioning. This provides protection against exceeding certain attitude limits, speeds or energy states. In some aircraft, full-time protection is provided to prevent pilots from This protection is present even if the pilots are flying the aircraft by hand. In other airplanes, protections are more limited and mostly confined to autopilot modes or dampers that reduce unwanted transients in a given axis. In any case, the idea is to prevent a pilot-induced situation from damaging the aircraft.

There is an even more advanced group of aircraft that operate with what is known as fly-by-wire. These aircraft have virtually no mechanical connections to control surfaces. They use electrical signals produced by force sensors or position transducers to trigger the movement of a self-contained hydraulic actuator near the control surface. The FCS in this case becomes the equivalent of Judge Dredd whereupon it declares “I am the law!” as it pertains to aircraft operation (seriously, the protections are referred to as Control Laws…if you flew an Airbus you’d be cracking up at that last pun). Pilots at that point are “educated suggesters” who tell the airplane what they want and the airplane decides if it’s a good idea or not. For example, if a pilot sees a giant condor while climbing at 400 mph and yanks back on the controls, instead of allowing the wings to be ripped off, the FCS will say “Listen, I know that massive bird startled you, but if I let you pull as hard as you’re asking, we’re going to have bigger problems. I’m going to limit you to 1.8G rather than 5.3G. You’ll thank me.”

Different manufacturers have different views on how this should be implemented. Boeing prefers a more pilot-centric interface while Airbus leans towards a computer-centric operation. Both methods have their advantages and drawbacks. As creepily cybernetic as this sounds, commercial fly-by-wire aircraft still have mechanical reversions so that in the event that all the computers decide to divide by zero, the pilots can still fly the aircraft to a safe landing.

What is the point of me writing all this aerotech babble? To try to explain that aircraft control is a complex and well thought out architecture. Most of the robustness is there for nature and emergencies. Situations like getting struck by lightning cannot affect the operation of the critical avionics, therefore aircraft are tested by literally getting zapped by a massive Tesla coil before they can be certified. The loss of an ADC cannot cause the airplane to go out of control, therefore multiple ADCs are installed. The total loss of electrical power cannot cause the airplane to shut down its fly-by-wire controls, thus a deployable ram-air turbine is installed for just such an emergency. In the face of all these natural and mechanical threats, it therefore seems overly simplistic to assume that a hacker could seize control of an airplane.

Herein lies the issue with the “laptop terrorist” scenario: There is no conceivable way that an individual can seize control of an airplane through a wi-fi signal without someone up front (read: pilots) figuring it out and taking corrective action. If for some implausible reason both pilots don’t notice the change in flight path, it is guaranteed that the air traffic control center responsible for the flight would notice that an airplane under positive radar control just decided to stroll off on its own. Even if someone could find holes in a firewall and hack their way through all the different systems to get to the autopilot, controlling the aircraft is not as easy as typing “C:\>FLYTOCUBA.EXE”.

But for argument’s sake, let’s say Super Hacker can figure out how to change the heading or altitude. For all intents and purposes, control of the airplane is now in the hands of some guy in seat 37Q and everyone is doomed, right? Wrong. The pilots are not helpless, nor are they at the mercy of computers, laptops or otherwise. All they have to do is pull the disconnect switch on the autopilot. In the event that Super Hacker figured out how to disable that function as well, they’ll just pull the A/P circuit breaker, then walk to the back and smash his computer over a beverage cart.

All joking aside, this threat illustrates the continued need for humans to be in the decision loop when it comes to flying commercial aircraft. The insistent push for total automation especially in the wake of the Germanwings catastrophe is an emotional reaction that ignores the advantages of having both humans and computers working together. When backlit against the threat of nefarious individuals who wish to do harm, these advantages are even more important. Nevertheless, aircraft will become increasingly more automated in coming years and protecting them against electronic threats will be just as critical as protecting them against ice and microbursts.

For now, you don’t have anything to worry about.


About Christopher Williams
It's easier to lie about being boring than it is to be honest about being extraordinary.
