[SystemSafety] Five items: A400; Airbag recall; hacking airplanes; network eval handbook; open smart grid crypto

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Wed May 20 09:01:07 CEST 2015



1. A400 crash. Bernd Sieker saw an article yesterday in the German edition of Der Spiegel about
the A400 crash near Seville on 9 May. The article is by Gerald Traufetter, who often reports for
Der Spiegel on aviation matters, and Matthias Gebauer. I cite the key technical points of the
article and then translate.

[begin quote]

Die Nachforschungen ergaben ein deutliches Ergebnis: Kurz nach dem Start der Testmaschine hatten
drei Triebwerke von den Computern widersprüchliche Befehle erhalten und daraufhin die Leistung
abgeschaltet.
Die Piloten, die den A400M testen wollten, hätten nichts unternehmen können, heißt es aus
Airbus-Kreisen. Sie versuchten zwar noch, das 45 Meter lange Flugzeug zurück zum Flugplatz in
Sevilla zu steuern, konnten es aber nicht mehr kontrollieren. Die Maschine streifte einen
Strommast, schlug auf einem Acker auf und brannte fast vollständig aus.
.....
Am Dienstag versandte Airbus an alle Kunden des A400M eine eindringliche Alarmmeldung. Laut der
sogenannten "Alert Operator Transmission" (AOT) können die erkannten Softwareprobleme zu einem
"Ausfall der Triebwerkskontrolle" führen. Deswegen habe Airbus alle Kunden über "notwendige
Aktionen" informiert, um dem Problem zu begegnen.

[end quote]

[begin translation]
The investigation produced a clear result: shortly after taking off, three engines received
contradictory commands from the [computers = FADEC computers] and consequently lost [shut off] all
power. Airbus personnel said that the pilots, conducting a test flight, really couldn't do
anything. They attempted to turn the 45m-long machine back towards the Seville airport, but it
collided with a power pole, crashed into a field and was completely destroyed by fire....
Airbus sent all operators an urgent alert message on Tuesday. According to the "Alert Operator
Transmission" (AOT), the recognised software problem could lead to a "loss of engine control".
Airbus informed operators about "required actions" to counter the problem.
[end translation]

If this is so, this may well be the first fatal accident caused solely by software problems.

2. The airbag manufacturer Takata has recalled 34m cars because of possible airbag defects. There
have been reports that the inflation capsule has disintegrated on inflation, projecting shrapnel
at high velocity into the occupant space of the vehicle. Six people have died and over 100 have been injured.

The most detailed article I have seen is
http://www.nytimes.com/2015/05/20/business/takata-airbag-recall.html

Takata has been negotiating with the US NHTSA for a very long time about this. An investigation
was opened in 2009 but, according to the NYT, rapidly concluded. Former Takata engineers told the
NYT last year that they had been concerned about the in-the-field stability of ammonium nitrate,
which is used in the inflators, for some time (over a decade) because it is sensitive to moisture
and temperature, and there had been moisture contamination of the devices.

It is astonishing that such processes, determining that a design incorporates unacceptable risk,
take so long. I guess we can all understand the difficulty of establishing that with complex
software, cf. Bookout/Toyota, but shrapnel from inflators seems intuitively a rather more sharply
defined causality.

3. The chap who tweeted about hacking into an aircraft he was on, and who was subsequently removed by
the FBI from his next flight and questioned for hours while having his equipment confiscated, has
made Bruce Schneier's Cryptogram newsletter this month. Chris Roberts is founder of the small
(let's say, tiny) Colorado company One World Labs, and told Fox News in February he could hack
into and take control of commercial aircraft control systems. The FBI talked to him then, and
according to their affidavit accompanying their application for a search warrant, he told them he
had taken over control of a FADEC on an aircraft on which he was flying, issued a "climb" command
and the aircraft had then "moved laterally". Readers familiar with engines and which way they
point on airplanes will be surprised at the amount of technical nonsense he can apparently cram
into one sentence. That doesn't mean that Roberts is an idiot, of course, merely that he doesn't
like being interrogated by people without any technical understanding. However, there are some
videos of talks he has given in which I am told he appears to be spouting nonsense. He is good at
namedropping kit. He mentioned the "Intellibus", which is a Boeing design (other manufacturers
also produce kit) of which I'd not heard. I was specifically unable to find any info on whether
Intellibus is flying on any commercial aircraft - half a decade ago it was only on military kit
and Boeing was apparently aiming for its use in ground-automotive applications, presumably in
competition with AUTOSAR/Flexray.

There has been no CVE filed with Mitre.

The Risks Forum recently contained a summary of and link to a Wired article:
http://catless.ncl.ac.uk/Risks/28.64.html#subj4
The stories about Roberts constitute the fourth item in Schneier's Cryptogram News at
https://www.schneier.com/crypto-gram/archives/2015/0515.html#4
and an article Schneier wrote for cnn.com on hacking airplanes, with links to the GAO report, is at
https://www.schneier.com/crypto-gram/archives/2015/0515.html#6

Most experts are sceptical. However, many of us have been concerned about a recent lack of
physical separation, a so-called "air gap", between control avionics and cabin systems, including
IFEs. So has the US GAO, which has recently warned that vulnerabilities could arise when systems
are connected. Some avionics info has to get through to the cabin systems, for example to drive
the moving-map display and speed/altitude announcements. Simply connecting the TX lines but not
the RX of an avionics bus to cabin systems doesn't work, because such a physical connection can
theoretically be "back driven" - the transmit lines used to convey signals in the unintended
direction which then may have an effect on the avionics systems.

It is a theme which I suspect will not go away. Which is a good thing.

4. Looking for stuff on Intellibus, I came across a DOT/FAA handbook from 2009 on evaluation
criteria for data communications networks, co-written by some people who are here. Since avionics
and aerospace seem to constitute almost a separate community from ground-based safety-critical
engineering, I'll pass the link around with a recommendation to read:
https://www.faa.gov/aircraft/air_cert/design_approvals/air_software/media/AR-09-24.pdf

5. Bruce Schneier denigrates the people rolling their own crypto for the Open Smart Grid Protocol.
Since he first became well known through turning cryptography from an arcane mystery into an
engineering field accessible to us mere mortals, his views are deservedly influential.

[begin quote]
Anyone can design a cipher that he himself cannot break. This is why you should uniformly distrust
amateur cryptography, and why you should only use published algorithms that have withstood broad
cryptanalysis. All cryptographers know this, but non-cryptographers do not. And this is why we
repeatedly see bad amateur cryptography in fielded systems. The latest is the cryptography in the
Open Smart Grid Protocol, which is so bad as to be laughable.
[end quote]

followed by a list of references. It's the penultimate item in his News column:
https://www.schneier.com/crypto-gram/archives/2015/0515.html#4

I've passed it on to the German smart grid standardisation people.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de



