[SystemSafety] Five items: A400; Airbag recall; hacking airplanes; network eval handbook; open smart grid crypto

From: Peter Bernard Ladkin < >
Date: Wed, 20 May 2015 09:01:07 +0200

1. A400 crash. Bernd Sieker saw an article yesterday in the German edition of Der Spiegel about the A400 crash near Seville on 9 May. The article is by Gerald Traufetter, who often reports for Der Spiegel on aviation matters, and Matthias Gebauer. I cite the key technical points of the article and then translate.

[begin quote]

The investigation produced a clear result: shortly after the test aircraft took off, three engines had received contradictory commands from the computers and thereupon shut down their power.
The pilots, who wanted to test the A400M, could have done nothing, according to Airbus sources. They did still try to steer the 45-metre-long aircraft back to the airfield in Seville, but could no longer control it. The aircraft clipped a power pylon, hit a field and burned out almost completely. .....
On Tuesday Airbus sent an urgent alert to all A400M customers. According to the so-called "Alert Operator Transmission" (AOT), the software problems identified can lead to a "loss of engine control". Airbus has therefore informed all customers of "necessary actions" to counter the problem.

[end quote]

[begin translation]

The investigation produced a clear result: shortly after taking off, three engines received contradictory commands from the [computers = FADEC computers] and consequently lost [shut off] all power. Airbus personnel said that the pilots, conducting a test flight, really couldn't do anything. They attempted to turn the 45m-long machine back towards the Seville airport, but it collided with a power pole, crashed into a field and was completely destroyed by fire.... Airbus sent all operators an urgent alert message on Tuesday. According to the "Alert Operator Transmission" (AOT), the recognised software problem could lead to a "loss of engine control". Airbus informed operators about "required actions" to counter the problem.
[end translation]

If this is so, this may well be the first fatal accident caused solely by software problems.

2. The airbag manufacturer Takata has recalled 34m cars because of possible airbag defects. There have been reports that the inflation capsule has disintegrated on inflation, projecting shrapnel at high velocity into the occupant space of the vehicle. Six people have died and over 100 have been injured.

The most detailed article I have seen is http://www.nytimes.com/2015/05/20/business/takata-airbag-recall.html

Takata has been negotiating with the US NHTSA for a very long time about this. An investigation was opened in 2009 but, according to the NYT, rapidly concluded. Former Takata engineers told the NYT last year that they had been concerned about the in-the-field stability of ammonium nitrate, which is used in the inflators, for some time (over a decade) because it is sensitive to moisture and temperature, and there had been moisture contamination of the devices.

It is astonishing that such processes, determining that a design incorporates unacceptable risk, take so long. I guess we can all understand the difficulty of establishing that with complex software, cf. Bookout/Toyota, but shrapnel from inflators seems intuitively a rather more sharply defined causality.

3. The chap who tweeted about hacking into an aircraft he was on, and was subsequently removed by the FBI from his next flight and questioned for hours while having his equipment confiscated, has made Bruce Schneier's Cryptogram newsletter this month. Chris Roberts is founder of the small (let's say, tiny) Colorado company One World Labs, and told Fox News in February he could hack into and take control of commercial aircraft control systems. The FBI talked to him then, and according to their affidavit accompanying their application for a search warrant, he told them he had taken over control of a FADEC on an aircraft on which he was flying, issued a "climb" command and the aircraft had then "moved laterally". Readers familiar with engines and which way they point on airplanes will be surprised at the amount of technical nonsense he can apparently cram into one sentence. That doesn't mean that Roberts is an idiot, of course, merely that he doesn't like being interrogated by people without any technical understanding. However, there are some videos of talks he has given in which I am told he appears to be spouting nonsense. He is good at namedropping kit. He mentioned the "Intellibus", which is a Boeing design (other manufacturers also produce kit) of which I'd not heard. I was specifically unable to find any info on whether Intellibus is flying on any commercial aircraft - half a decade ago it was only on military kit and Boeing was apparently aiming for its use in ground-automotive applications, presumably in competition with AUTOSAR/Flexray.

There has been no CVE filed with Mitre.

The Risks Forum recently contained a summary of and link to a Wired article: http://catless.ncl.ac.uk/Risks/28.64.html#subj4 . The stories about Roberts constitute the fourth item in Schneier's Cryptogram News at https://www.schneier.com/crypto-gram/archives/2015/0515.html#4 , and an article Schneier wrote for cnn.com on hacking airplanes, with links to the GAO report, is at https://www.schneier.com/crypto-gram/archives/2015/0515.html#6

Most experts are sceptical. However, many of us have been concerned about a recent lack of physical separation, a so-called "air gap", between control avionics and cabin systems, including IFEs. So has the US GAO, which has recently warned that vulnerabilities could arise when systems are connected. Some avionics info has to get through to the cabin systems, for example to drive the moving-map display and speed/altitude announcements. Simply connecting the TX lines but not the RX of an avionics bus to cabin systems doesn't work, because such a physical connection can theoretically be "back driven" - the transmit lines used to convey signals in the unintended direction which then may have an effect on the avionics systems.

It is a theme which I suspect will not go away. Which is a good thing.

4. Looking for stuff on Intellibus, I came across a DOT/FAA handbook from 2009 on evaluation criteria for data communications networks, co-written by some people who are here. Since avionics and aerospace seem to constitute almost a separate community from ground-based safety-critical engineering, I'll pass the link around with a recommendation to read: https://www.faa.gov/aircraft/air_cert/design_approvals/air_software/media/AR-09-24.pdf

5. Bruce Schneier denigrates the people rolling their own crypto for the Open Smart Grid Protocol. Since he first became well known through turning cryptography from an arcane mystery into an engineering field accessible to us mere mortals, his views are deservedly influential.

[begin quote]

Anyone can design a cipher that he himself cannot break. This is why you should uniformly distrust amateur cryptography, and why you should only use published algorithms that have withstood broad cryptanalysis. All cryptographers know this, but non-cryptographers do not. And this is why we repeatedly see bad amateur cryptography in fielded systems. The latest is the cryptography in the Open Smart Grid Protocol, which is so bad as to be laughable.
[end quote]

followed by a list of references. It's the penultimate item in his News column: https://www.schneier.com/crypto-gram/archives/2015/0515.html#4

I've passed it on to the German smart grid standardisation people.

PBL
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de


The System Safety Mailing List
Received on Wed May 20 2015 - 09:01:20 CEST