Remote-Control Airplane Software

Does anyone other than me see a problem with this?

Some 30 European businesses and research institutes are working to create software that would make it possible from a distance to regain control of an aircraft from hijackers, according to the German news magazine.

The system “which could only be controlled from the ground would conduct the aircraft posing a problem to the nearest airport whether it liked it or not,” according to extracts from next Monday’s Der Spiegel released Saturday.

“A hijacker would have no chance of reaching his goal,” it said.

Unless his goal were, um, hijacking the aircraft.

It seems to me that by designing remote-control software for airplanes, you open the possibility for someone to hijack the plane without even being on board. Sure, there are going to be computer-security controls protecting this thing, but we all know how well that sort of thing has worked in the past.

The system would be designed in such a way that even a computer hacker on board could not get round it.

But what about computer hackers on the ground?

I’m not saying this is a bad idea; it might be a good idea. But this security countermeasure opens up an entirely new vulnerability, and I hope that someone is studying that new vulnerability.

Posted on July 28, 2006 at 2:09 PM106 Comments


Ed T. July 28, 2006 2:32 PM

“A hijacker would have no chance of reaching his goal,”

But, what if the goal was to blow up the plane? How is this going to prevent that?

Sounds like a nice thought – but I would prefer to see a sealed black-box on board, and a “PANIC” switch that the crew could activate which would cause the box to take control and land the a/c at the nearest designated airport, all the while squawking the code for “aircraft in distress” to alert the ATC and other a/c in the area that there was something wrong. This would be far less susceptible to interference from the ground (hacker or not.)


bob July 28, 2006 2:52 PM

News report: Hijackers sieze an aircraft as it flies near DC. Crew alertly hits the “we are hijacked button”. Automatic software takes control, diverts to the nearest airport, violating the ADIZ, and the USAF shoots missile(s) at the plane, destroying its airworthiness, causing the flaming wreckage to crash down onto the capitol building, accomplishing the hijackers’ goal. Al-quaida laugh themselves to death. Hmmm. Maybe not a bad plan after all.

Mike Sherwood July 28, 2006 2:54 PM

I’m willing to say that this is definitely a bad idea.

The problem is rare, so there’s a very low probability of this kind of system helping is extremely low. It’s not like hijackings are a daily occurrence.

On the other side of the equation, this proposes to create a system that takes control of the aircraft away from it’s pilot remotely. The security measures to keep airplane based hackers out would also keep the pilot from regaining control of his aircraft.

To take remote control, it opens up an avenue for attack that does not currently exist. This would be too tempting of a target. If someone could turn several jets into cruise missiles simultaneously and remotely, there would be a lot of money in finding a way to exploit it.

I like the idea of a panic button. Remote control would be a good thing if the pilot took a deliberate action to permanently(until replacement of components were completed) reliquish control of the aircraft. Absent a deliberate action on the part of the pilot to go into a fail safe condition, taking control away from the pilot is a bad idea.

Mord July 28, 2006 3:03 PM

Require future airplanes to have a physically isolated cockpit. Then complain about the amount of money required to install a second lavatory. Ask whether this is any cheaper after a cost/benefit analysis. Problem solved.

I still don’t know why the passenger compartment isn’t towed behind the plane on a line, with a parachute system in the event of catastrophe.

Chris July 28, 2006 3:16 PM

I also consider this to be an extraordinarily bad idea, mainly because it will be so hard to control the failure modes of the system.

Obviously they will protect the communication between the aircaft and the ground with some form of authentication and encryption mechanism, but how well will this link survive a denial-of-service attack? Not just from jammers on the ground but inside the plane? What’s to stop a motivated hijacker with complete control over the passengers and crew from simply destroying some piece of the control system from within the plane? If all you care about is destroying a plane, that’s pretty easy to do regardless of who’s in control of the plane.

How many remote-control sites will there be, and how many incidents will it take to exceed their capacity for controlling aircraft?

It takes years to design, build, and test human-rated systems from scratch. The article mentions a budget of $45M; this seems far too small to develop a system, let alone one suitable for deployment on the many types of aircraft in service. If this system is not ubiquitous, hijackers can always target aircraft without it. I fly quite frequently, and equipment I’ll be on is usually included in the results of a flight search. Will this information be withheld in the name of security?

Finally as Mike mentions, hijackings aren’t a frequent occurrence and never had been. There’s already in place a much cheaper system that’s able to handle a multitude of aircraft failure modes: It’s called a pilot. And you can buy a lot of hardened cockpit doors for $45M…

Rick July 28, 2006 3:27 PM

This whole plan sounds like a feeding trough for aviation-tech companies.

I like Mord’s idea of a towed passenger compartment. The flying horse-and-buggy.

I think the cost of a second lavatory can be answered with one word: Depends. If it’s good enough for astronauts, it’s good enough for airline pilots. If they think it’ll make ’em look stupid, give ’em shiny aluminized suits with helmets to look cool again.

Fred July 28, 2006 3:29 PM

I’m curious as to how they plan to be able to land the airplane, particuarly in extreme weather conditions.

Zachary Bedell July 28, 2006 3:34 PM

“would conduct the aircraft posing a problem to the nearest airport”

Maybe not such a bad idea. If indeed the software only knew how to bring the plane to an airport and (presumably) land it automatically, then perhaps at worst a hacker could cause a denial of service attack by landing otherwise uncompromised planes.

Of course, the devil is in the details. It seems like even with today’s modern avionics, it would be possible to de-couple the return system from the rest of the flight controls, forcibly if necessary.

As others have mentioned, if the goal is blow up the plain, then all the computers in the world are moot.

WhoIsInControl July 28, 2006 3:36 PM

This is a terrible idea. As pointed out, all this will do is introduce a multitude of additional vulnerabilities without actually solving a current problem, making matters worse. Who actually thinks this stuff up, and then gets a pile of money to research it.

Besides all the potential vulnerabilities in the radio system alone (interception, DoS, etc.) (if simple cell phones can interfere with aircraft navigation, this remote control radio would need to be pretty awesome), I would see the control centers to be a new prime target. Why have multiple teams taking over individual planes when all you need to do is secure one or more control centers, giving the ability to control all the planes in the air at once. These aircraft remote control centers would have to have “missile silo” type of security, which we all know would never happen.

I do like the suggestion of the “cockpit panic button”, where the plane goes into some form of “fail safe”, and follows some predetermined “emergency flight plan” to the nearest designated airport to land. However, I don’t believe that current flight computers and electronics are at the point were we could trust them to navigate, fly, and land the airplane without any human intervention. To do this, we would have to be at a point were we are ok with an “electronic” flight crew, and in that case, the system can also take the plane off and perform the rest of the flight autonomously, taking the pilots and cockpit takeover out of the equation.

Dubious July 28, 2006 3:38 PM

This project is just plain stupid. If the aircraft is controlled remotely, then it’s getting its instructions by radio. Jam or break the freakin’ radio and what do you have? An airplane without a pilot, without any onboard controls. Brilliant.

At the very least, the onboard failsafe will have to be autonomous, with GPS (or the Euro-equiv), pre-programmed landing destinations, etc. But that’s exactly what the black box with a panic switch is. They’re gonna have to develop that technology anyway (no failsafes would be insane), but if they develop that, then WTF is the point of the remote control?

Xyz July 28, 2006 3:45 PM

“The system would be designed in such a way that even a computer hacker on board could not get round it.”

I think that’s the first mistake that kills this idea. It’s a pretty lofty goal to assume that any design is that robust, and makes for a pretty flimsy keystone for the whole project.

Also, since we’re talking about remote control here, it seems to raise the question of how you could stop hijackers (airborne or otherwise) from jamming, rerouting, faking, hijacking, and otherwise munging the signal.

etcwarrionr July 28, 2006 3:49 PM

How would the attack surface change if the emergency takeover feature communications were based on both lasers and radio waves?

Zwack July 28, 2006 3:57 PM

Given the amount of room in aircraft seats (at least for those of us in the back) and the number of toilets, and the high quality of airline food (I’m excluding Sabena business class from that last jibe, they used to provide high quality cold food rather than poor quality hot food)…

Wouldn’t it be better to lock passengers into individual bulletproof compartments with a built in toilet system and a snack dispenser.

These could then be loaded into the plane en-masse. It would save the airlines no end of money in the way of staff fees.

Hijackers would have to break out of their capsule, and in the event of an accident everyone even comes in their own coffin!

As for the idea of remotely controlling aircraft, it sounds like fun to me. But if your plane is the one I get to fly loops then don’t blame me.


WaitAMinute July 28, 2006 4:01 PM

Wait a minute. It’s Friday 🙂 Are we sure that these guys are not getting $45M to make a movie about some hair-brained plan to remote control airplanes and then come up with all the great terror movie plots that can be derived from such a plan!

J.D. Abolins July 28, 2006 4:23 PM

One type of a hijacking scenario, albeit a low-likelihood one, for the proposed remote control is where the legitimate controls are taken over during a country’s coup of invasion. The fleeing president/royal family/whatever are boomeranged back to face capture. (Or get slammed into a convenient mountainside if the new people at the control are inclined that way.)

Granted this is a very low likelihood scenario. (It’s relatively infrequent that a country is taken over and people flee by aircraft.) I am using it mainly to illustrate that the system itself doesn’t have to be compromise; just that the “management” changes and the system is used as designed.


The boomeranging deposed ruler scenario, however, might be a candidate for a terrorism movie plot. “Air Force One 2”, a sequel to the Harrison Ford movie about a plane hijacking?

Dirk D. Phoenix, III July 28, 2006 4:25 PM

@Dubious (3:38): At the very least, the onboard failsafe will have to be autonomous, with GPS (or the Euro-equiv), pre-programmed landing destinations, etc.

1) The hijacker gets a job as ground crew and then has possible access to the ‘onboard failsafe’, or

2) (even easier) The ground-crew hijacker splices in a little black box of his own between the GPS antenna and the ‘onboard failsafe’. Said black box does a little alteration with the true GPS signal, so the plane thinks it is coming in for a landing at JFK, when it is really plowing into the Statue of Liberty.

The Doctor What July 28, 2006 4:40 PM

Uhm…I’m confused. So I hijacker gets some means to threaten the crew onto the plane.

Using this threat, he demands the plane go to bermuda or something and ground control takes over from the pilot…

Okay, and ground control doesn’t give the hijacker what he/she wants because….they won’t be the ones to die on the plane?

Worse: As several people mentioned, if the goal is to kill people on the plane, remote control does nothing.


Pat Cahalan July 28, 2006 4:45 PM

I’ll jump on the “panic button” bandwagon and throw in an additional, “boy does this seem like a bad idea” vote.

Preston L. Bannister July 28, 2006 5:05 PM

A remote control for an airliner! Very cool!!

The slave would have to be installed in every airliner – not many of those.

The remote control would have to be installed at every major airport, and every remote control would have to work with every airliner. Enough folk would be trained in use of the remote control to have full-time coverage. Naturally we’d need some fool-proof way to select the folk to be trained … say the criteria used to select baggage screeners. We can be certain that every country – even those that don’t like us – will never allow the wrong folk to get ahold of an airliner remote control.

Surely the manufacturer of the remote controller would never allow the wrong folk to sneak one out of inventory. Choose the manufacturer carefully – say someone who gives money to politicians – and inventory control will not be an issue.

No chance anyone could build their own remote control. Keeping the design completely secret is no problem. Besides, if the design ever leaked out, all we would need to do is re-equip all the airliners and airports.

Very cool – a universal remote for airliners!

Jeff Carroll July 28, 2006 5:17 PM

Jamproof CDMA radio technology has been in use for decades and even given rise to consumer spinoffs, such as the cellular networks employed by Verizon and Sprint. Receivers in these networks are not only highly jam-resistant, but transmitters are also very difficult to detect due to the spreading of radiated signal energy over a very wide bandwidth in such a way to make the signal indistinguishable from thermal noise.

This is not to say that remote control of aircraft is necessarily a good idea, particularly when it involves close interaction with the ground (as in landing). Clearly, though, it could be successfully used in a tradeoff of the lives of a relatively small number of airline passengers for those of a presumably larger number of people in a building or other target facility.

Whether such a system could be exploited by either insiders or external agencies is a question that should be considered in system design; it seems to me that a more secure solution would be to refrain in the future from construction of high-value targets like the World Trade Center when a larger number of smaller buildings would accomplish the same purposes.

However, one should not necessarily assume that hackers would be able to gain access to any radio data link.

Incidentally, this is a good reason to care which cellular network your phone is on. All cellular technology is migrating toward CDMA, but some networks are not there yet.

Don July 28, 2006 5:18 PM

@The Doctor What

Okay, and ground control doesn’t give the hijacker what he/she wants because…. they won’t be the ones to die on the plane?

An ironically morbid result since this remote control is supposed to “put an end to a debate in Germany over whether the air force should shoot down a hijacked commercial airliner” (ref: news article).

Alan Porter July 28, 2006 6:09 PM

Most of the suggestions above assume that ATC is in charge of getting the plane from point A to point B safely. This is simply not true.

In the US, the pilot is the final authority in control of the aircraft (this is federal law). Air traffic control is the equivalent of a traffic cop at a busy intersection. They do not “control” where a plane goes… they simply keep traffic flowing without them hitting each other. With that responsibility comes some authority to direct the pilot of a plane in controlled airspace, just like a traffic cop has the authority to issue tickets.

Most people in this forum would probably not agree to putting police-activated remote controls in their cars. Likewise, I doubt many plane owners (private or airlines) would want remote controls in their aircraft.


P. Donohue July 28, 2006 6:11 PM

I remember back when I worked with AWACS. The AWACS had the ability to take control of certain jets. All that needed to happen was that AWACS would request control and the pilot had to hit a button. It never happened in the field. The pilots wouldn’t stand for it. The idea of turning control of their plane and their lives was unthinkable. I don’t see the commercial pilots being any more accepting of the idea.

Just my $0.02

Dustin D. Trammell July 28, 2006 6:58 PM

I can easily envision an attack similar to the recent attack on a German telephony system. The attackers made use of government-mandated eavesdropping technology (similar to our own US CALEA requirements) built into the phone system switches to achieve their goal of eavesdropping on various calls’ media channels, thus making any confidentiality features of the system which would prevent external eavesdropping completely moot.

The moral of the story? If you provide an attacker with a built-in attack vector, they will use it.

quincunx July 28, 2006 7:07 PM

Here’s another reason this plan is a dud.

Terrorist to passangers:

It looks like ground control is forcing this plane down. I can’t do anything about it – so now I will just have to kill all of you the old fashioned way. Actually you know what? Why don’t I start aiming fire at the engines? If I can’t get my task done, why don’t I just crash it as it approaches the landing strip, surely I can manage to hit something!

I agree with Rick’s sentiment:

“This whole plan sounds like a feeding trough for aviation-tech companies.”

Stefan Wagner July 28, 2006 7:27 PM

I understood the article in a different way than some posters here:
The ground can take control only, when the pilot requests so.
That would make hijacking from ground impossible without accomplice in the plane.

And the system would do an irreversible decision?
If the hijacker may force the pilot to fly to Cuba or Usbekistan without this system, why shoulnd’t he be able to prevent the pilot from hitting the red button if the system is present?

If the decision to take control is only made on ground, a system of secret keys could prevent enemys (formerly known as: friends) from using the technique to hijack planes.
Every plane could update their black/white-lists before starting.

On the other side: A reliable system would make pilots obsolete. Perhaps the true reason for the system: save costs?

Unixronin July 28, 2006 8:49 PM

There’s another aspect to this that no-one seems to have considered yet.

This system, if deployed, WILL sooner or later be cracked. We all know that. It’s just a matter of time. But this doesn’t “just” give terrorists the ability to hijack an airliner from the ground. It has a much more serious potential than that.

It gives terrorists the ability to DOS the entire worldwide commercial air system.

Here’s why. Suppose I am a terrorist. Suppose I manage to learn enough about the workings of the system to make a convincing claim that I have subverted the system and can use it to take control of aircraft. I announce that I have done so, disclose enough of what I know to prove that I know what I’m talking about, and then I announce that I am going to randomly begin taking control of airliners every few days and crashing them into city centers, hospitals, government buildings, famous landmarks. Notre Dame Cathedral. The Houses of Parliament. The Taj Mahal. The Sydney Opera House.

What choice does ANY nation’s government have but to order their commercial air fleet grounded until they are certain it has been resecured? Sure, I could be bluffing. But what are the consequences to them if that government alone calls my bluff — and I’m not bluffing?

Victor Wagner July 28, 2006 9:46 PM

I suspect this plan is secretly lobbied by some European terrorist organization like IRA, which (being a Christian) don’t like idea of suicide hijackers, but have no shortage of qualified hackers and wants very much to repeat 9/11.

Andrew July 28, 2006 9:53 PM

I like the idea of a panic button.

They exist. Shhhh.

This is very stupid technology for the most part. However — it would be very, very useful under local control for excluding aircraft from high-value target areas and diverting them. Think of it as aircraft repellent, with designated reserve fields so that a nearly out of fuel aircraft leaves remote control and still has someplace (less valuable) to land and/or crash.

Naive July 28, 2006 10:50 PM

But! Everyone seems to miss that this system might be used in evil ways. Let’s take this quite possible scenario where a former ex-president of invaded country is trying to flee using aircraft, but the super secret ground personnel have added this mystic black box between the radio-controller and GPS-unit and tricked the big red panic button to actually detonate some high explosive C-4, but not so that it’ll exlode the plane, but the headquarters of the invaders! Now imagine! The mystic box isn’t an electonic box at all! It’s full of weapons of mass destruction and the president is actually ex navy pilot and kamikaze who has planned all of this ahead. He hits the red button destroying all the defense infrastructure of his enemy and makes a final strike to White House killing president of USA and driving gas prices up. What kind of possibilities does this open for yet more ridiculously stupid comments on Scheier’s blog?

Matthias Leisi July 29, 2006 2:06 AM

Apart from the remarks made by previous posters, I have just a single word to show that this is a bad idea: Siemens.

Have you ever had to deal with Siemens software (eg an ISDN handset, cell phone, DirX LDAP server, …)? I wouldn’t want to put my life into the hands of the programmers who made that software.

(Granted, they also make highspeed trains, which haven’t disintegrated due to the software.)

MathFox July 29, 2006 3:11 AM

What is the cost (and the disruption) when some sick-jokers randomly start diverting planes? We have
a) A plane at the wrong airport, needing fuel for take off, incurring at least 2 hours delay for its passengers. (More when authorities start a serious investigation)
b) An airport that is closed for start and landing for at least half an hour to handle the diverted plane safely. (Authorities can extend the disruption to several hours when they order evacuation of the airport.)

Jungsonn July 29, 2006 6:28 AM

What they are trying to say with this is simple: we cannot give you the guarantee that the person next to you in the plane is a terrorist., and sorry we failed, and are leaping to desparet meausres now.

sidelobe July 29, 2006 10:08 AM

My niece and I discussed this idea back in 2002. We refined the idea a bit. The first element is to give the passengers a bit of a say in the operation of the aircraft. If, for instance, a strong majority of the passengers pressed the flight attendant call button at about the same time, the control of the aircraft would be removed from the cockpit and the aircraft would autonomously head for the nearest airport.

Of course, the aircraft would announce this state through several means, including the ELT. Remote control of the aircraft could be established, but only after the passengers had allowed it. Further, if remote control was not established, the aircraft would do it’s best to land safely.

There are still problems. The aircraft must still have breakers on board for everything. Presumably the attacking passengers could pull the breakers on the autopilot and allow the aircraft to crash.

The past five years have shown that this is really a problem not worth solving.

Rodent July 29, 2006 10:30 AM

Not to worry: The remote-control software will be based almost exclusively on Windows 98, which by extension will make it the most secure piece of software ever known to man. Just be sure to apply all the relevant patches, hotfixes and ensure that your virus scanner is up to date.

Thank you for flying the friendly skies.


Peter July 29, 2006 12:41 PM

On the other side: A reliable system would make pilots obsolete. Perhaps the true reason for the system: save costs?
Stefan, in the past, a joke told by pilots goes something like this:
In the future, cockpits will have fancy new displays, one pilot and one dog. The pilot’s job is to watch the displays, and the dog’s job is to bite the pilot if they reach for the controls.

Davi Ottenheimer July 29, 2006 11:28 PM

“conduct the aircraft posing a problem to the nearest airport whether it liked it or not”

I thought the point of having human pilots on board in today’s computer-controlled jets was as a fail-safe in case the computers failed.

Maybe all this new feature needs to mean is that ground control will add the ability to remotely turn-off the human override so no-one onboard can interfere with the controls. I guess the system would then just detect a failure, send a distress signal, and attempt to land at the closest airport. At least that’s not quite as crazy-sounding as opening up the ability to remotely control planes.

Davi Ottenheimer July 29, 2006 11:32 PM

“A reliable system would make pilots obsolete. Perhaps the true reason for the system: save costs?”

Seems to me that humans are still considered a less expensive fail-safe than trying to eliminate all flaws in onboard systems, but that might just be our inherent distrust of automated mass-transit.

Davi Ottenheimer July 29, 2006 11:38 PM

Several people have mentioned “Windows”, which just reminds me of that infamous story about the LAX shutdown:

“The radio system shutdown, which lasted more than three hours, left 800 planes in the air without contact to air traffic control, and led to at least five cases where planes came too close to one another, according to comments by the Federal Aviation Administration reported in the LA Times and The New York Times. Air traffic controllers were reduced to using personal mobile phones to pass on warnings to controllers at other facilities, and watched close calls without being able to alert pilots, according to the LA Times report.

The failure was ultimately down to a combination of human error and a design glitch in the Windows servers brought in over the past three years to replace the radio system’s original Unix servers, according to the FAA. “

cavok July 30, 2006 12:20 AM

Heh, my first thought when seeing this news article last week was that “Schneier will most certainly write about this :)”. I agree fully on your comments.

another_bruce July 30, 2006 2:36 AM

9/11 would have been much worse if hackers could have gained control over every single plane in the air at the same time.
i’m with stefan wagner, i think this is a prelude to pilotless, crewless flights operated by someone on the ground. there aren’t enough drugs in the world to get me calm enough to board a flight like that.

Erik N July 30, 2006 6:50 AM

Spending money on investigating the problem and if feasible come up with possible solutions is a good idea. And certainly, the outcome – whichever it is – must then be evaluated by the end of the project. Discarding the idea without proper investigation is a bad idea.

I too think that a remote control that will give a ground station the ability to manouvre the aircraft sounds like a bad idea as it opens up to hijackers don’t even need to get on board. One could imagine that they would instead siece control of the control tower …

But there are alternatives:

A panic button as other mention. But it should be possible to activate both on the aircraft and on ground. Such a button should switch the air craft into a computer controled mode in which neither the pilot nor the ground control can maneuvre the aircraft.

The program should direct the aircraft either to the nearest airport or a desolate predefined area where a crash landing will be done. Such areas should be predifined and equipped with the rescue personel and material needed. The ground control would then evacuate airspace to make room for the emergency landing.

If it is not possible to crash land the craft safely by pure computer controls, then the program could give the pilot control of the aircraft within a specific area, and could even restrict the course of the aircraft. If the pilot gets out of that area the program should seice control again and return the aircraft to the allowed area.

Surely, this wont prevent aircrafts from getting hijacked or terrorist from blowing up the aircraft, but it will prevent them from using it as a giant missile against a specific target and reduce the impact.

So while it does not solve all problems it does solve some. I think this is a good idea.

Alan July 30, 2006 1:48 PM

As a pilot (albeit not commercial) this is a terrifying idea that there is an autonomous system onboard that could terminally take control of the aircraft. I could see far more things going wrong with this then it ever helping a situation.

Paul Gear July 30, 2006 8:20 PM

Then there’s always the hostages. If i were a terrorist and someone took over the plane that i had gone to the trouble of hijacking, i’d just start shooting hostages. “Turn off the remote control or another one dies.” A classic movie plot move… 🙂

phil July 30, 2006 8:52 PM

Given that most modern commercial planes fly (in some cases the entire flight, gate-to-gate) on autopilot full time anyway, this is probably more likely the ability to remotely issue commands to the autopilot, along with the ability to have the autopilot system disregard on-board pilot input

Frank McGowan July 30, 2006 9:29 PM

This is a bad idea in general. Erik N’s proposal seems ot cover quite a few of the potential problems. However, because the feds recently arrested quite a few airprort workers as illegal immigrants and the rise of home-grown terrorists in Great Britain, Canada and the US, I think it reasonable to believe that the on site firmware techs could cause a bit of mischief with this.

What would prevent the firmware from being “updated” to fly into selected buildings? A timer-switch to activate the “panic button” at a specifc time would turn over control to the on-board emergency control system. (I know; another tech of another specialty. A conspiracy of two would be inconceivable…)

There are too many modes of failure already identified and I doubt the problem has been thoroughly studied as of yet.

xC0000005 July 31, 2006 12:20 AM

For what it is worth I toned down the stories in that article (and the diary I based it on). In both cases even though the reality was more outlandish and entertaining, explaining the events and weird personalities around this takes the focus from where I wanted it. I hope the TSA does better now. I really do.

Emil July 31, 2006 1:21 AM

what it the ground control just sent a command to forcefully enable auto pilot on the plane? The auto pilot would be operated on the plane itself and will not allow manual control.

Pat Sutlaw July 31, 2006 3:39 AM

Yes, this is a bit mad.

Has anbody considered the acceptance criteria for the contract?
Lots of scope for fun there! Here’s my suggestion:

  1. Boeing (Airbus’ arch rival) should be hired to do penetration testing at an early stage of the project.
  2. The final acceptance test would involve all the senior Airbus staff and contractors taking a ride in a plane equipped with the new black box while a penetration test team try to hack in.
  3. Some leading life insurance companies should have full visibility of the project so that they can put together a special insurance deal for passengers on the new super safe, hacker-proof jet liners.

Loads more ideas for a laugh here. Suggestions anybody 🙂

Dietmar Lang July 31, 2006 5:09 AM

Paul Gear: You nailed what I think is the most important aspect to consider in this thing.

Wherever you fly or land your plane, you will still have a hostage situation. Your hijacker won’t sit by idly while the plane is flown around from the ground. He can and probably will exert pressure (hostages, remember?) to regain control of the aircraft.

Deathwind July 31, 2006 5:49 AM

“I’m curious as to how they plan to be able to land the airplane, particuarly in extreme weather conditions.”

Actually when you currently land in extreme weather conditions or night etc, more often than not, the plane was landed by the automatic pilot or terminal guidance systems.

Due to the great evolution of guidance systems, lhe pilot is almost useless in an airplane now.

It can even be argued that pilots are actually more a risk than a benefit now to flying airplanes. Most accidents happen now due to pilot errors and not technical mishaps.

The only thing that seems to rein in amibitions to throw the pilots out it that most people would not for their lives fly in a plane with no pilot (despite the fact that this should be statistically less dangerous).

arl July 31, 2006 8:14 AM

Despite the hype, the need has been demonstrated for a long time. While it may not be “terrorists” trying to down the aircraft, the loss of the flight crew has happened. Once the cockpit is untendable, for any reason, the plan is doomed.

Hacking the system sounds like a movie plot threat.

arl July 31, 2006 8:15 AM

Despite the hype, the need has been demonstrated for a long time. While it may not be “terrorists” trying to down the aircraft, the loss of the flight crew has happened. Once the cockpit is untendable, for any reason, the plan is doomed.

Hacking the system sounds like a movie plot threat.

Hullu July 31, 2006 8:47 AM

So if the point is to make planes NOT hit important buildings. I’d much prefer a different approach. Make ‘high profile targets’ send out signals which the on-board computer pilots the plane around. If the system is successfully jammed or dossed (nowhere to go, signals everywhere) the ‘go around’ signal is ignored.

Pilot could not fly into such ‘marked’ buildings even if he tried. This system could then be turned off from the ground station. Although not unbreakable this system would still need to be broken simultaneously in two places, the cockpit and the ground station. The ground station breakage could be substituted with jamming or dossing – as could any remote control. Still, it would need to be broken in two places at the same time which is exponentially more difficult. Neither system broken individually would cause no damage whatsoever.

I personally don’t see any reason why a system like this should exist either but it would sound more reasonable to me if the aim is to protect high profile crash targets.

bob July 31, 2006 8:56 AM

@Mord, Rick: I really like the “module” idea. Similar to tractor-trailers, where the prime mover component is separated from the payload component.

You could have a command module that had the wings, engines, drivers, cockpit, pressurization system, (a single potty) etc.

Then a separate passenger module that contained the cabin crew, food, pax, checked luggage (hopefully with a 1:1 correlation to the pax) movies, etc. the command module would drop off a pax module, connect to a new one and take off, while the sortie can was emptied and refilled.

Obviously it would need to have some sort of modular connector that could pass electricity, atmosphere and stuff and require no more than ~10 minutes to connect or disconnect. Seems like high- or shoulder-mounted wings would be more effective for this system.

This would be great for breakdowns, you could just grab a new command module and slap it on. A lot cheaper to have an extra of those, than an entire airliner, and it would take WAAAAY less time to transfer everybody.

There would probably need to be 3 size classes (regional, vente, jumbo?) You could even tailor the pax module to demand. (convention in town, lots of pax today, hook up to a “jumbo” instead of “regular”). But it would be trivial to add extra flights with this method because the turnaround is so quick.

The command module would need to be airworthy with no pax module attached.

They could also have compatible cargo-only modules. They could even have different categories of cargo modules: liquids, solids, dry bulk goods, pressurized or not.

I like this, anybody want to start an airplane company with me?

@arl: yeah, nobody could ever break encryption on a communications link.

derf July 31, 2006 9:22 AM

I’m sure that 14 year olds with a high intelligence and electronics knowledge would love control over commercial airplanes and somewhere that seems like a good idea.

I can also see the friendly TSA agent taking a break from feeling up toddlers and old ladies to take control of the wrong plane in an emergency, sending a plane that wasn’t hijaaked smashing into the Rockies, while the one that was hijaaked speeds happily on its way to Iran.

rudtx July 31, 2006 11:53 AM

Every time I have a security related thought I think of my grandfather who once told me “Locks only keep honest people out”.

havvok July 31, 2006 12:59 PM

What would probably be far more effective is to allow the perception that this was feasible; give the pilot a plausible means to illustrate that he no longer has control of the aircraft, but with a secret that allows the pilot to recover control.

Rigorous propagation of the myth will provide far better security than implementing this gaping hole.

Gary July 31, 2006 1:07 PM

What if the purpose of a hijacker is to divert the plane to a designated airport then set off a WMD. Example, a hijacker gets on a plane in Omaha and is flying to Philly. About 50 miles from Chicago they hijack the plane. The remote takes over and diverts the plane to Ohare. Once the plane lands the hijacker deploys the WMD and you in turn now lose a major HUB and potentially 10s of thousands of lives.

Like what was said before, the likely hood of a hijack these days is slim. I have a better chance of equipment malfunction due to improper maintenance than anything else. How about taking that $45 mil and give maintenance staff raises and rewards for their work, train flightstaff in martial arts and self defence, fire pilots that come to work drunk or impaired, and upgrade 30+ year old planes with working up-to-date black boxes.

This idea is less of a solution and more of a mask. It may very well work and be the first EVER hack proof system (except the laptop that is in my closet with a dead battery and no power cord). But planes are still going to crash, hijackers are still going to try and probably succeed, and people are going to whine about why did we let this happen. People die more on nearly every other mode of transportation, and those transportation devices can cause as much damage as any other. We are focusing only on planes because that is what is recent in our minds. We have to except risk every day. There is no way to guarentee our protection without limiting our rights.

I think this money can be spent better elsewhere and have more significant results.

Tom July 31, 2006 6:53 PM

I have always thought – why don’t they make sure there are secure doors to the cockpit (in progress), and use a sleeping gas that can put everyone to sleep? TSA should be able to prevent a gas mask from going through security.

If the terrorist somehow gets a gas mask through security, then you rely on the gun that the pilot has. He does have a gun? Right?

Back to the technical means for a remote controlled AC. We have been flying unmanned aircraft in California and in war zones for years. Large airplanes have an autoland capability. – The technology is proven today. It’s not worth it to apply the technology due to the lack of a complete solution.

TomB August 1, 2006 3:05 AM

I disagree with most comments.

it is a bad idea at first sight, but if you got a bit more information about it, it isnt that complicated and not that expensive as you might think.

modern planes (airbus-planes of the last 10 years) are able to start and land airplanes automatically without interaction of a human (except the startbutton 😉 ). for this it is quite simple to additionally simply activate it in a different way like from the ground, sending the route and some codes to deactivate it. for this the only hazardous point is the communication and the activation, but not the flight-control itself and that it is not an us-development but an european, so their might be no nsa-code inside 😉

a. August 1, 2006 6:39 AM

Great, so instead of terrorists we’d just have to fear 14 years old script kiddies when we fly …
And hey, attacking a remote-control airplane software would be way more interesting than defacing webpages and similar scriptkiddo/wannabehacker things.

TomB August 1, 2006 7:15 AM

so cause you a feared fo 14 year old script kiddies you are not willing to accept any renewal? despite the fact that f.e. public transportation is in some countries fully automatic with remote controlled features for years (and without any terroristaction so far). so this “wanna-be-hackers-can-hack” argument is just hollow words. wanting all electronic systems to bei 100% secure against any threat does mean decline all systems.

Xellos August 1, 2006 9:39 AM

–“and use a sleeping gas that can put everyone to sleep?”

Because you’ve been watching too many movies and tv shows ^_^

A gas that does such a thing safely does not exist. You can knock people out in all sorts of ways (carbon monoxide, for instance, as oxygen displacement is probably simplest), but if you think insurance companies won’t throw a wobbler over that you’re kidding yourself. There’s nothing even close to safe about it, and considering the most at-risk groups (little kids for one) you’d just be asking for a media frenzy.

Erik N August 1, 2006 10:43 AM

Dietmar Lang: You assume that letting hijackers have there will, will save the lives of the passengers.

Sept. 11 showed this assumption cannot be made. This is why new policies to shoot down hijacked aircrafts has been made. Shooting down the aircraft or letting the terrorist blow it up seems to be the same.

If an automatic control can guide the aircraft down to safe landing, then we at least rule out the need of a fighter jet shooting down a hijacked aircraft. This may save many lives, both in the aircraft and on ground.

Nick August 1, 2006 1:10 PM

This project sounds like a pretty useless way to spend money.

Forget all the movie plot scenarios. Real world. You have to install a system that disconnects, permanently, the cockpit controls from the flight surfaces and engines, while retaining control of the flight surfaces and engines by other means, presumably utilizing the autopilot servos. Note that typical items you need for landing, like flaps and gear, are NOT controlled by autopilots presently, so they would require additional servos and controls installed.

1) The installation of this would be VERY expensive on non-FBW aircraft, probably millions per plane. For those who claim, “The autopilot alreaduy can steer the plane!”, you need to understand that an autopilot can ALWAYS be overridden by the flight controls – installing a permanent disengagement clutch or some other physical mechanism that still leaves the autopilot servos connected to the flight controls is a very significant problem.

For FBW aircraft, it is a matter of computer programming… But considering the extreme measures that are taken to insure to code is bug-free, I’d say this comes with substiantal expense as well.

2) Establishing that the probability that this “disengagment” mechanisim doesn’t go off by accident is less than the probability of a successful hijack of the aircraft. Every gadget has failure modes. Remember that the probability of a successful hijack per flight is probably in the 10e-7 or less range, going by past history.

3) Once the flight controls have been disengaged, how will the “ground controllers” steer the airplane? Will it be a passive uplinking of commands into the airplane’s FMS, or will it be a two way comm channel? The simpler approach would be a standardized, onboard program that, once activiated, locates the closest airport with a suitable runway with a suitable landing system. A “suitable landing system”, meaning one capable of guiding an aircraft to a safe landing on autopilot, is a CAT III ILS, of which only 100 or so airports in the world have. Most other systems only have the precision to get you near the runway, near being about 200 feet above and .5 nm away, pointed roughly in the right direction. Perhaps we are willing to take the risk of having a aircraft do a “controlled crash” (think Sioux City, Iowa, for an idea of what that would be like) , since presumably the pax are at the mercy of the hijackers anyway, and would probably off them once they realized they couldn’t control the aircraft, or perhaps just blow it up inflight.

That’s just for a passive, ground activiated “panic switch”. It’s a great deal more complex, failure-prone, and expensive if we want ACTIVE control.

All this trouble, and expense, to prevent hijackers from flying an airplane. It seems that a solid partition, with a seperate lav for the cockpit so that at NO time during flight does anyone enter/leave the cockpit/lav section would be cheaper, FAR FAR simpler, and better protection.

TomB August 2, 2006 1:45 AM

All this trouble, and expense, to prevent hijackers from flying an airplane. It seems that a solid partition, with a seperate lav for the cockpit so that at NO time during flight does anyone enter/leave the cockpit/lav section would be cheaper, FAR FAR simpler, and better protection.

Sorry but this is untrue, unless you cut of also all communication between cockpit-crew and the rest of the plane. if you don’t than as a highjacker, I would simple take a hostage from the crew or passenger and tell the pilot, if he don’t land on a different airport, someone will die. So what would that help? nothing. you will need to add additional security folks to the crew like ElAl did, that would bring security, but this costs money and needs equiped, trained and motivated employees which you can’t expect to get for 5 $ an hour

Erik N August 2, 2006 2:27 AM

The cost of the project is $45million – compare that to the cost of 9-11, and the probability of such an event. It’s not a completely disproportionate use of money.

It’s a R&D project, before rejecting it, let’s see the results, and the cost of the proposed solution. I am all in favour of investigating solutions to problems. Disgarding ideas before proper investigation have never given anyone a head start. Of course solutions must be evaluated, cost against benefit. But we gotta have some solutions to evaluate first.

Such a system is not to be installed on every aircraft – at least not at first. Small aircrafts are not so interesting for use in kamikaze attacks (remember the wannabe-al-Qaeda in Florida?), they don’t cause so much damage. On passenger airlines the cost of installing such a device might be reasonable.

And all these ideas of physical and logical attacks:

There are certain parts of an aircraft that it is very difficult to access in flight – and as with suicide bombers “dead man trigger” the device could be installed such that while installed correctly normal operation of the aircraft would be possible. Removing or tampering the device would switch into safe mode.

And as proposed, it should pretty much be a one way switch which require physical replacement. Remote control may not be required, it would be enough to implement an automode and restrict pilot control of the flight to specific areas, such as to permit a controled emergency landing.

And your ideas that hijackers will then threaten to kill passengers unless the captain turns control to the hijacker – first, if the system cannot be circumvented by the pilot, there is nothing he cand do. And second, I think that 9-11 showed quite well that taking orders from hijackers or letting them take control does not necesarily save lives. If a hijacker kills a few passengers to make his point – I still believe that is better than having standing “shoot-down-entire-aircraft” orders or permitting hijackers to crash the aircraft at their prefered target.

Remember London one year ago? Jean Charles de Menezes, innocent and absolutely non-terrorist, was killed by London police on a “shoot-to-kill” policy, the point of which was to save the lives of the rest.

Installing a controled mode will ensure that the aircraft cannot be used as a guided missile and hence, there is no need for such “just-kill-them-all” policies. This will save lives in the more “common” cases of hijacking.

The more I think of the idea – the more potential benefits I see. So, let’s see what they come up with.

bob August 2, 2006 9:47 AM


All this trouble, and expense, to prevent hijackers from flying an airplane. …(snip)… FAR FAR simpler, and better protection.

Sorry but this is untrue, unless you cut of also all communication between cockpit-crew …(snip)… , if he don’t land on a different airport, someone will die.

Thats how the 9/11 hijackings were designed. Torture/kill people (pax, cabin crew) until the cockpit crew capitulates. The airline operational model now is “nobody gets in the cockpit no matter WHAT happens in the cabin” so we are already there. They can execute the entire payload one at a time and they dont unlock the door. Frankly, sitting on the ground, I think this is an excellent idea (Ask me again when I am on the aircraft in question, trapped in the cabin without even toenail scissors to defend myself with. One wonders if a pilot was married to a stew on the same aircraft and the hijackers had found that out, would that rule actually stick?) because the max they could kill would be ~50-500 people on board, no “innocents” on the ground.

And in a way 9/11 was ‘beneficial’ in that it decreased the value of that because they were so overwhelmingly successful that day that today a “mere” hijacking and murdering of that few hundred people would not make much of a media splash; that always being the political hijacker’s goal.

Mark Walker August 2, 2006 1:54 PM

Sure, now remote hijacks become a real possibility. Actually, why bother to hijack? Just crack the system to implement remote-crashes. It wouldn’t matter where the planes went down, who would ride them after a crash or two from this method?

Could the proposed system be made to work? Unlikely.

Bay Area Rapid Transit (BART) and the Denver Airport luggage handling systems both failed to be automated, and they are solidly rooted on the ground and simple by comparison.

By the way, what makes anyone so sure the control facility can’t be physically compromised and then used to crash all planes in the air at that moment?

I’m not riding in planes with this software override installed…

It also occurs to me that it’s really quite obscene that expensive non-solutions are proposed by those who stand to gain handsomely. Time to fire off another set of letters to Washinton…

Erik N August 3, 2006 2:12 AM

Mark Walker: Did you actually read the article? It’s a European project, writing to Washington won’t get you anywhere – and if you’re US citizen, it’s not even your tax money.

I honestly don’t get why people are against this project: It’s a research project! The point is to figure out if there are viable solutions to a given problem. It’s not a decision to install some crude hack in all aircrafts!

There are good examples where such a system could have saved lives, the 9-11 is one. But also, in non-hijacking incidents: Last year a plane from Cyprus lost cabin pressure. Pilots fainted, and a steward with very few flying lessons tried to call for help – but on the wrong channel. Eventually he fainted to and the plane went on autopilot till it eventually ran out of fuel and crashed. All on board died – luckily, the aircraft didn’t crash in a densely populated area.

While the events that such a system could prevent are not common, they have happened, so this is a real risk with a real cost. The cost of 9-11 to NYC was around $100Bn. The cost of the project is $45million, a fraction of the cost of the cases it aims to prevent.

Certainly thorough research will give better answers to whether this is viable or not, than some discussion on a blog. Sorry folks, but progress is usually a result of investigating ideas before drawing conclusions. Discarding ideas only ensure that you will remain where you are.

Most here assume that it will be remote control only. Obviously this has potential risks that must be mitigated. Other solutions could be automatic, or semi-automatic seeking to limit the pilot control rather than give others control.

A remote control would be usefull to prevent cases such as the crash in Greece. In such a case, it would be perfectly fine to enable the pilot to override.

An automatic or semi-automatic solution should not give anyone control but rather ristrict it. This would be useful in cases of hijacking.

Just look at the policies now: Fighter jets will be ordered to shoot down highjacked aircrafts if the hijacker threatens to use it as a weapon. This screams for a new “Jean Charles de Menezes” – only this time they won’t just shoot down the suspect but also the 200+ people who where unlucky to be on the same aircraft.

If a well designed solution comes up, this could prevent these insane policies and save lives. The idea is good, it’s a question of the solution will be good – research is to answer that question.

Certainly, if we want money well spent then we should take away control from drivers – after all, traffic presents a greater threat than both terrorists and airline crashes.

Brian McMahon August 15, 2006 11:42 AM

It’s a punctuation problem — missing commas.

Original report: The system “which could only be controlled from the ground would conduct the aircraft posing a problem to the nearest airport whether it liked it or not,” according to extracts from next Monday’s Der Spiegel released Saturday.

Corrected: The system … would conduct the aircraft, posing a problem to the nearest airport, whether it liked it or not.”

Don’t you think an automated landing of (potentially) a very large missile would pose a problem to the nearest airport? Or that it (the airport) might not like it?

Loren Pechtel August 15, 2006 2:41 PM

The problems with this idea are obvious but it’s not going about it right:

1) It shouldn’t be able to be triggered from the ground. That asks for hacker problems.

2) There shouldn’t be humans involved. Said humans can be pressured by hostages.

My proposal:

The main part of the system is on the airplane, not on the ground. The airplane has a GPS receiver and a detailed map of the world, it knows where airports are and it knows where terrain (including buildings) is. (This database need not be all that big–over most of the world you don’t need all that much resolution. Say the highest point in a square mile or even bigger and note that the oceans are vast expanses of 0′ height.) Store it on flash memory so updates can be downloaded periodically as new things are built or old runways closed.

In normal operating mode the system simply monitors where the plane is going and raises a ruckus if it thinks the plane is going to fly into the ground–including flying the plane up unless specifically overridden by the pilot. (You need an override because an emergency could mean the pilot had to put the plane down on the best surface available even if it isn’t a runway.) The system has considerable value if this were all it could do–this will virtually prevent controlled-flight-into-terrain accidents.

If there’s trouble on board the pilots put the system into a prearm state. If the cockpit door is breached this switches automatically to active, it also switches to active if not countermanded by the pilot within a certain length of time and the pilot can also switch it to active at any time if he’s sure it’s a hijack.

In it’s active state it pretty much takes control of the airplane. It sets the transponder to 7700 (or probably a new code saying it’s hijacked and now under robot control) and flies for the nearest suitable airport. Airports have transmitters that say “Don’t land here–head ” if they can’t take the plane for whatever reason. The controls aren’t completely locked out, though–it will accept pilot input so long as that input won’t take it too far from the flight path the computer decided on and won’t take it into the ground. Thus the pilot can steer around the thunderhead but if the plane has decided to go to Miami it doesn’t matter what anybody wants, it’s going to Miami, not Havana. As it gets close to the airport the allowed flight path becomes quite narrow but it’s sufficient to allow the pilot to land it or go around if need be.

Once the speed drops below some value the system brings the plane to a stop and then shuts it down for say 48 hours. During that time the engines won’t work. Yes, this leaves it on the runway but it can be towed off.

A limited remote control capability might be added to allow the airport to land the plane but I’m not at all sure that would be needed. There would be no security risk from this as ground instructions would only be honored if the system was active and ground instructions would be subject to the same restrictions on where the plane could go.

ixa2a August 16, 2006 4:21 AM

You might want to look closer at this. Airbus have long had an idea that since the a/c is fly by wire, why not fly it from the ground? Pilots are expensive and you need two per 200 or so passengers. What a great value proposition if you sell a/c that you can keep the pilots on the ground and they can run say 5-10 flights in parallel – even change a/c mid-flight – and avoid all those nasty rest period/ sleep issues demanded by aviation regulations. The airlines will love them.

Are you sure that this is not just using security to justify a commercial ideal? After all I am sure the passengers would prefer to have the pilots on the a/c so if you can persuade them its in their interest to have the pilots on the ground, what a great plan!

Loren Pechtel August 16, 2006 3:23 PM

I don’t think they would be stupid enough to consider in general flying a plane from the ground.

The real reason we have a pilot on a modern FBW aircraft in the first place is to deal with the unexpected. When the fecal matter hits the air mover the plane is more likely to make it home with a pilot on board. Problems sometimes take out the radio–a ground-based pilot would be cut off if that happened.

Dr. Lyman Hazelton August 17, 2006 11:22 AM

I invented this idea on 9/12/2001, wrote it up and sent it to my fellow scientists and engineers at KinetX, Inc.  We improved on the initial idea over a period of weeks, wrote both a white paper and a slide presentation on it, and presented it to a group at Honeywell, to upper management at FEDEX and to a congressional committee in DC.  Those in DC told us it would never be adopted because the US pilots’ unions would trash it and get it voted down. FEDEX showed some interest, but only if we could get some government funding.  Honeywell told us they weren’t interested, and then secretly went to work on it (we know this from leaks from some friends there), and, as far as I know, they may still be working on it.  We call it the “National Flight Emergency Response System”, NFERS.  It uses strong crypto, a command-able autopilot in a physically secured section of the aircraft, and the IRIDIUM satellite phone system (which we helped to design and are still working on now).  The Arizona Republic referred to us and our idea on the front page of the business section sometime in 2002, but overall, the idea here has just died for lack of interest.  If you, or anyone else reading this, are interested in more information on NFERS, I can send you the white paper.  We tried hard to think through the security process for the system, and I think we did a good first cut.  We certainly have all the technology to make it happen, and I believe it could save lives even in some rare instances where there aren’t even hijackers involved.

I don’t know if the EU guys are going about it in a similar fashion, but I imagine that they are.  I’ll look into it if I have the time, though I am busy now working on a new communications satellite system and don’t have much free time.

David John August 20, 2006 2:10 AM

While there are some interesting suggestions here – and some weird ones! – a spot of technical perpective might be useful.

As a former airline pilot who is now involved in navigation and landing guidance systems, aircraft certification and air traffic management, I regard remote, “bring ’em back alive,” control of commercial aircraft as possibly feasible at some point in the distant future, but likely to be rejected by the airline industry as totally unaffordable, due to the incredible cost of safety certification.

I’ll pass on all the clever things described by the European media except for the one where the hijackers have managed to enter the flight deck, have disabled the crew, and are now set to fly the airplane into the White House, or wherever. Assuming that, before being disabled, one of the crew members had alerted the aircraft system that it was being hijacked, it is certainly possible for the flight management computer to then prevent the hijackers flying the aircraft at their target, or at anywhere else on the surface. This could be achieved by modifying the input to the flight management computer from the Terrain Warning and Avoidance System (TAWS) – sometimes called the Enhanced Ground Proximity Warning System (EGPWS) – which has long been mandatory in every passenger aircraft to avoid Controlled Flight Into Terrain (CFIT) This would definitely prevent the hijackers from descending to hit their targets, or deliberately crashing into the ground anywhere. They’d simply be along for the rest of the ride.

What happens next? Many seem to believe that someone on the ground would then take over and land the airplane, following which the bad guys would be carted off to jail. Unfortunately, that is simply not possible today, except with expendable, fairly elementary, UAVs, which have a very unenviable safety record. Achieving it in complex passenger airplanes would be incredibly more demanding, and involve enormous airworthiness certification and logistics challenges to meet current or future civil aviation safety standards.

Yet since it’s interesting to speculate about such things, here are four conceivable future scenarios – none of which exist – and I’m sure there are others..

  1. The aircraft would be totally automated: essentially, a passenger carrying UAV. Upon detecting a hijack attempt, it would promptly fly to and land at the nearest suitable airport, whereupon the paddy wagons would pull up beside the exit doors. It’s a lovely idea. Except we are talking about next, next, next generation airplanes. That is, those coming long after the Boeing 787 and the Airbus A.350, which are even now only in development. Retrofitting such an automation system to these two or earlier airplanes might one day be technically practical, but it would be financially prohibitive.
  2. A less sophisticated automation system would be installed in aircraft, with advanced, redundant and interference-resistant (I leave the anti-hacking discussion to others!) two way data links to allow a pilot – but preferably two pilots – on the ground to fly the aircraft remotely, while sitting in a jet transport-like flight deck simulator. Those pilots would need to be type rated on at least one in the class of aircraft (turbo prop, small jet, large jet) being hijacked. Modern passenger airplanes are very complex, and not instinctively easy to fly. Radio-controlled model airplane enthusiasts, or general aviation pilots, couldn’t handle them, and even untrained commercial pilots would have real difficulty.. Aircraft capable of fully automatic landings (which is becoming common) brought back to one of the 30% or so airports equipped in the future with very low visibility Cat. III landing guidance equipment would be – very relatively speaking! – easier to recover than non-autoland types. Landing the latter from a generic flight simulator could be demanding, especially by a pilot not qualified on the specific aircraft being recovered. In all cases, aircraft would need to carry wide angle nose mounted TV and infra red cameras, data linked down to a wide projection screen in front of the simulator. Without autoland, the pilots really have to see the runway. (And please, consult a landing systems specialist before suggesting GPS or another satnav system as the simple solution for any of this.)

However, certifying and then retrofitting all that equipment would be extremely costly, and the ground environment could pose logistic nightmares. Like, how many appropriately equipped airports across the nation would be required, how many qualified pilots with different type ratings should be on 24 hour standby, how many different simulators would be needed at each location, and so on, and so on.

  1. After being alerted to the hi-jack, the flight management system would fly the aircraft to the closest of several pre-programmed points around the nation, characterized by flat terrain and with no buildings, human habitation, obstructions or other impediments within at least a mile. Upon approaching that point, fuel would be jettisoned down to a very minimal level, and the aircraft would then, after reducing its speed to a safe margin above stalling consistent with the aircraft’s weight, descend to an appropriate low altitude over the point, shut down all engines and deploy airframe parachutes. (Recovery parachutes are already installed in several light aircraft today.)
  2. The Doomsday scenario. Since, by definition, control of the aircraft cannot be given back to the hi-jackers, and lacking any of the three systems described above, the airplane would continue along the route which the crew had earlier programmed into the flight management computer and, after reaching the end of that route, it would continue to fly until it ran out of fuel, and crashed.

I have no doubt that the first three recovery methods could one day be shown to be technically feasible, at the required reliability levels. But achieving any of them in certifiable form for even one aircraft type would be enormously expensive. Would the airlines pay for it? It seems very doubtful. They have already rejected the one-size-fits-all anti-MANPADS under-fuselage pod, which has scarcely any interface with the aircraft’s electronics, because its estimated $1 million cost per aircraft is considered too expensive versus the risk. And yet the worldwide risk of a MANPADS attack appears far greater these days than that of a hijacker getting onto an airliner flight deck and aiming the aircraft at a ground target. And $1 million would pale in comparison with any of the fully automatic anti-hijack, bring-’em-back alive, packages described above.

As well, the recent UK experience shows that you don’t need to take control of an aircraft to destroy it. And should un-hackable anti-hijack technology ever be developed and adopted, terrorists will simply move on to other tactics to strike their targets.

Like retired generals, the European researchers appear to be working on how to win the last war.

Loren Pechtel August 22, 2006 9:39 PM

David John:

Your arguments do a fine job of demolishing most of the arguments in this thread.

You didn’t address my proposal at all, though. Yes, I’m using GPS but I realize that you wouldn’t want to use it to actually land other than in an utter emergency. Rather, I’m using it to restrict the actions of the pilot to things which are pretty much safe (under my system you could land it pretty hard in the underrun and you might be able to run it off the runway during braking) but giving the pilot the fine control needed to actually land it.

GPS knows what it’s maximum error is. Add a bit to that and ensure the pilot stays within that distance of where the computer thinks the plane should be–and make sure that that envelope does not include anything the terrorists might want to kamikaze.

scout September 5, 2006 2:28 PM

Please tell if the Americans already have this software, installed, and it was used to fly the aircraft into the WTC?

Has anyone researched this possibility? I mean, the CIA are already bombing Iraq from Nevada; all these boys would need is a software.

Andrew618 September 11, 2006 3:07 PM

Today’s “Global Snapshot” from USP3 (United States Private and Public Partnership National Governance) again mentions this project, linking to an article in The Hindustan Times (?!?).

Good to see Bruce is still 5-6 weeks ahead of the government!

Chris McReynolds December 2, 2006 6:15 PM

I have approached this very issue in other similar scenarios related to security and remost contols. Here is the simple answer. Which is easier to secure physcially? The cockpit, or the location of the terminals that would control the aircraft remotely? The answer to this question is the answer to your question. If you think that “hacking” in to a neckwork that is discrete (physically and logically isolated completely) simply because it uses radio frequency to communicate, if this is true you should be much more concerned about nuclear tipped criuse missles that already operate exactly this way. The only thing new is landing an airplane from remote control. This however, is not a barrier either because in large airliners visual and instrumental feedback to the pilot flying from the remote will have the same view as a pilot on board. Did you know that many fighter aircraft use Heads Up Displays (HUD) with camera views that allow global views from the aircraft as if the plane was transparent. IOW, they are flying the plane remotely even when they are physically seated in the plane. There are only 2 changes. The first is the missing gravitaional sensations, and the second is that if a pilot gets disabled somehow, there are lots of available back-up pilots to take his or her chair. There are also entire teams of pilots that fly recon airplanes througout the globe and as far as I know, they have had zero losses due to landing crashes. Again, all of your concerns have already been dealt with and those who propose to develop the technology are merely proposing to compete with the US Air Force technologies already in use running recon and light weapons missions.

Chris McReynolds December 2, 2006 6:18 PM

You call yourself a “securty guru” and have these thoughts? Do you think that every computer network in existance is connected to the Internet?

Bruce Schneier December 3, 2006 4:33 AM

“You call yourself a ‘securty guru’ and have these thoughts?”

For the record, I don’t call myself a security guru. I think it was The Economist who first did that. And then it kind took off. Personally, I have a love/hate relationship with the term.

“Do you think that every computer network in existance is connected to the Internet?”

Of course not. Do you think that only networks connected to the Internet are hackable?

sy January 8, 2007 11:59 AM

I would like to call your attention to the web site:

Most of the items covered. If safelander were implemented there wouldn’t have been the horrific 9/11. One year prior to 9/11 I spoke in NY at the International Air Safety Association and covered this topic. Golfer Pain Stewart plane and Helios (decompression) crashes could have been prevented. As to the security issue that can be handled via ciphered communication like we do with our balistic missles (no-one has ever altered them). Planes would not be remotely piloted unless the aircraft is way off its approved flight plan.

sy levine February 17, 2007 7:21 PM

Another point that the traveling public should be made aware is that the flight recorder data, commonly called the black box, should be telemetered to the ground and used in real-time to prevent fatal crashes. At the present time this data is stored on the plane and not transmitted in real-time to the ground where it can be safely stored (in many instances the black-box data presently can’t even be recovered such as what occured in 911, etc.). The data is so important that it is used by the NTSB in the autopsy mode to discover the cause of a fatal crash. Instead if it was used in real-time to prevent crashes in a proactive mode, as well as of its present autopsy mode, approximately 70 % of all fatal crashes could be avoided. This is how we got the astronauts back from the moon. The net result is that it is presently safer to be an astronaut (fatalities per mile, etc.) than to be a passenger on a commercial aircraft.
It is technically viable and relatively simple to telemeter and use the black box data in real-time to proactively prevent fatal crashes. There is only one reason why it isn’t being used. The aviation industry has been afraid to make this data available for fear of liability law suits. Unfortuneately, for the traveling public and the security of our nation there exists an aviation industry and government partnership where the FAA (its major directive is to promote the aviation industry) and the NTSB have genuflected to the aviation industry and not insisted that this vital data be made available. The FAA has permitted this to occur and has built its traffic control systems etc. leaving out the most important piece of safety and security data. Thus, the FAA and the industry allowed 911 to occur. Everyone, prior to 911, knew that hijacking of aircraft is a major cause of fatal accidents around the world. Even after the Payne Stewarts decompression crash it was known that in many instances a remote pilot using ciphered telemetry, similar to what we use for ballistic missle systems, could prevent many fatal crashes when aircraft deviate substantially from their approved flight plans either from non-terrorist or terrorist problems aboard a plane..

To this day because of the fear of the aviation industry liability suits we are just as vulnerable to terrorists, decompression, etc. fatal crashes as we were in 911. The 2005, 100+ fatality decompression crash, similar to golfer Payne Stewart’s crash, of Helios proves it.

It is imperative that the public make the industrial-government partnership (the DOT, FAA and NTSB) know that this data vacuum is intollerable. The government must be told in no uncertain ways that the black box data should be telemetered to the ground in real-time and used proactively to prevent crashes from occuring . The travelling public and the nation deserve the same security and safety we routinely provide for our astronauts.

Sy Levine

sy levine February 18, 2007 2:27 PM

At first look it isn’t obvious Payne Stewart(golfer)/ Helios(2005 – 110+fatality) decompression crashes and 911 are related but from a aviation safety and security system view they are:

When a plane substantially deviates from its approved flight plan it is presently possible to have a remote pilot located in a secure simulator fly the plane to a safe landing at a remotely populated airfield. Over 70% of all fatal air crashes occurrences are readily preventable if handled correctly.

Unfortunately the data needed to accomplish this is locked up in the flight recorder and is utilized predominately in an autopsy mode. If the data is so important that it is necessary to discover the cause of a fatal crash it is much more important to prevent a fatal crash. Yet because of the aviation industry’s partnership with the FAA and NTSB none of the flight data coming out of the recorders is available in real-time to proactively prevent fatal crashes. The inability to use the flight data in real time has jeopardized the safety and security of the traveling public and the nation. The astronauts were guided back from the moon because the data telemetered to the ground in real-time. Once it got to the ground it was analyzed, via a concerted effort by experts, using simulations the proper and safe way to handle life threatening situation was accomplished. Yet this proven technique isn’t utilized by the industrial/government partnership to keep our nation and air-passengers safe and secure.

One year prior to 911, I was the guest speaker at the International Aviation Safety Association meeting in NY where I spoke on how terrorists and decompression fatal crashes are preventable via remote control of a deviating aircraft using ciphered technology developed for our ballistic missiles. This technology can prevent most aviation crashes(approximately 70%) even those from mechanical errors. At present a pilot has displayed only a fraction of the information necessary to make the right decision to prevent a crash. The pilot in many instances is seeing a problem for the first time. The aircraft data and air traffic control data isn’t shared so experts on handling the aircraft’s problem aren’t even consulted nor can the problem be simulated to aid in crash prevention. This data vacuum is responsible for most fatal crashes. For example, the Swiss Air and Alaskan Air fatal crashes could have been prevented if handled correctly.

In addition it is not only terrorists that sabotage aircraft. Commercial Military pilots have also done it. When a pilot deviates substantially from the approved flight plan the aircraft should be safely remote piloted to a landing at a sparsely populated airport. Several years ago a rogue military pilot flew an A-10 aircraft loaded with bombs across the US. It took two weeks to find the plane which had crashed into a Colorado mountain way off its approved flight plane. The plane was eventually found but the bombs are still missing. Substantial searches were made but no one has a clew as to what happened to the bombs – and this happened over the Continental US (CONUS). Must we wait for a bigger disaster than 911 before any action takes place?

Everyone knowledgeable about the holes in our aviation system, brought about by the industrial government partnership, knew that a 911 could occur and the government allowed it to occur. Even though we knew about Payne Stewart nothing was done and so we got Helios’ 100 + deaths. Presently we are just as vulnerable to a 911 disaster, decompression disaster, … etc. as we were in 2001. The public needs to know the system is fixable for the good of our nation. Even though 3000 people died needlessly on 911 the system doesn’t fix the data vacuum mode of operation. It works around the system with patch fixes that are costly and ineffective simply to protect the industry from liability suits. The necessary data is only available in the tombstone/autopsy mode. With all of the deaths that were preventable not a single FAA or NTSB person was even laid-off. Thus, the industry won out and the public and nation suffered. It is quite possible that we went to unnecessary and horrible war just because we protected the special interest of the aviation industry. The cost of those disasters alone would have been a small fraction of the cost necessary to fix the system and we would now have been safer and securer nation. Instead things are the same and we are vulnerable.

If you should need more info on this please don’t hesitate to contact me (you can see some of my work by going to Google and doing a search on “aviation security, safety and sy levine” or go to my web site My work was also featured on the BBC show called “The Black Box”. There is simply no reason, technical, cost or data privacy wise” for not using the Black Box Data in real-time to make our nation safer and securer. The fear of liability, via law suits, should not stand in the way of the airline passenger safety, the safety of people on the ground, or our national security. It is imperative that the traveling public write to the President, their Congressional Representatives, the DOT, FAA and NTSB and demand that the Black Box data be available in real-time for the security of our nation and substantially reduce fatal crashes.

Sy Levine(310) 559-2965

sy levine March 15, 2007 12:37 PM

One further point needs to made. If a remote pilot system was available when Payne Stewart’s plane and the Helios plane deviated from their approved flight plans the passengers and pilots would probably be alive today. The reason for this is that when it was noted that the planes substantially deviated from their approved flight plan and no contact could be made with them then the remote pilot would take the planes down to an altitude where, after flying for more than 15 minutes most if not all of the passengers and pilots would have recovered. If at that time the pilots were in a condition to resume the pilotage of planes that function would be transferred back to the onboard pilot. The onboard pilots would than safely land the aircraft.

Student March 16, 2007 8:07 AM

@Sy levine

You are at a security blog where many researches discuss things, so please cut the marketing.

“Instead if it was used in real-time to prevent crashes in a proactive mode, as well as of its present autopsy mode, approximately 70 % of all fatal crashes could be avoided.”

I call. Provide research data that proves this point.

Also give me the specifications of a secure large scale high speed mobile radio network that can be trusted to control airplanes and has enough coverage. To my knowledge no such network exists.

Most of the problems described sounds to me like they could more easily be handled by onboard systems. Setting up a high bandwidth data network for remote monitoring and control of airplanes is a huge project and would introduce security issues. Issues people who are reading this blog are working with every day.

By the way, you use 11/9 a too many times.

sy levine March 19, 2007 3:54 PM


I don’t know much about you or what credentials you have in aviation, safety, and security. It would help in further communication with you.

As for myself, I was the Chief Engineer of Northrop’s Electronics Division and designed the first Inertial Nav. System put on commercial aircraft while at Sperry Gyroscope Company. As to the safety and security data, it is a composite of published data that came from reliable sources including Boeing. The data was published at the National Transportation Safety Board’s Symposium on Transportation Recorders in Washington May 1999. It also was presented at Internatioal Aviation Safety Association in New York (Nov. 2000) and as recently as the IEEE meeting vehicle technology and communciations in February 2007. In these technical meetings the data was scrutinized by many technical competent people who came up with the same results.

I started looking into commercial aviation safety when I was the Chief Engineer of Northrop’s Electronics Division working on the B2, Stealth Bomber and the Peacekeeper missile. I sent a friend on a work assignment in Chicago. He died in the Alliquipa Crash due to a 737 rudder problem. The rudder problems, which was responsible for mulitple fatal crashes, were only fixed after England (not the FAA or Boeing) definitized the failure mode. England had QAR recorders that were more advanced than what were allowed to exist in the US. England using the QARs gathered the necessary critcal failure/crash information. The QAR data was cooperative shared with the NTSB.

Lastly there are a multiple of secure communication links that have never been compromised. They are used to direct AWACS planes, Ballistic Missle Submarines, etc. This is not the venue to discuss secure links that exist.

Lastly, I don’t believe that I use 911 too much because I seriouly believe that it can reoccur in a manner similar to the 737 rudder problem. It may take years, but I feel certain, that unless we fix the system that it will recur. Also for your information, the flight recorders did not originate in the US simply because the US aviation industry resisted putting them onto planes for fear of liability. Other nations already had flight recorders on their commercial aircraft prior to the US. Even when the industry allowed flight recorders on US planes so few points were allowed to be monitored that many of the fatal crashes reocurred since the NTSB didn’t have enough critical data to definitize the cause of a crash when they ran their autopsy mode simulations.

I hope Student that this answers your points.

Sy Levine

Xlotta September 11, 2007 8:50 PM

I disagree with pretty much everyting I see here. This is a colossal waste of money, and this taxpayer is tired of the govt wasting his money, especially since they take it without even asking. First-off, let me inform you all that there is NO such thing as ‘unjammable’ This word should not exist at all. If your equipment can pick up the signal, then it can be muddled by a more powerful signal. Period.

Never doubt that someone WILL crack ANY code you make. For example, I saw mention of phone companies being secure, that CDMA is jamproof, which is also not true. CDMA is nothing more than the integration of multiple data streams into one stream, or ‘compression’ which means not only can you jam one signal, but all of them at once.

CDMA itself has absolutely nothing to do with security. It’s simply a protocol for compression of data, and subsequent de-compression of said data. In short, a way to push more data through the same lines. Cell compaines actually ran out of virtual circuit, each tower supposrting a certain number of connections, and CDMA was invented to expand their capacity with minimal costs.

Hell, point a directional antenna with a 20kW linear amp at their tower and I’m betting it will jam everything. Failing that, just EMP it and it’s done.
The last algorhythm produced took what… 7 hours to crack for people to continue cloning ESNs? These people did it to prove a point, not out of the desperation terrorist sects have to get back at the big bad USA. Necessity is the mother of invention, right? If someone wants in bad enough, they will get in. No communication is secure. None. Cellphone ESNs can be cloned by use of a $4 piece of equipment called a dumbmouse, which can be made at home.

Second, removing human control is not going to be a viable option, as delivering a single EMP will possibly knock out this system along with nearly any other. Ball lightning could even have this effect, were the plane to fly through a storm front where this is taking place, and your equipment ionized.

Also, if the systems are controlled by remote, there must be actuators onboard the plane to make the necessary control surface adjustments.

Following this mechanical logic, one must simply create a program on their laptop computer that could even be so simple as to provide data + and – through rs232, which they could hook the actuators to and fly it themselves like a real life flight simulator program. One might even modify a nintendo game boy to provide this control program thru the use of the link cable port, and a game cartridge with a custom burned EEPROM. I could list ways to defeat this system all day.

I won’t pretend to be nearly as knowledgeable as some posters here. I’m no scientist, nor do I have any formal education in avionics.
However, I do dabble in my hobbies, coding, unmanned recon vehicles, alternative power, etc. I feel like this forum is a place many minds more knowledgable than mine converge, so I wanted to take advantage of it to voice my opinion on this matter.

Every train of thought on this subject is leading me back to the paramount problem of the systems responsible for control being onboard the plane, which is in itself the greatest threat to this ultimately flawed system. Control devices = signal wires = vulnerable to compromise.

I did see ONE post I agreed with. You can’t do any better than an airborne incapacitant. If you want minimal losses and near-immediate situation control, this is the most viable option in my opinion, as it’s not difficult to disarm an opponent in a forced state of slumber.

I do realize this would result in a slight pressure change in the cabin, and some people might experience adverse effects or allergic reactions, but coughing or rash is a small price to pay for being alive.

I also feel that every plane travelling through CONUS airspace should have a fire team of Marines with repeating taser rifles, that would rapidly deploy 30-70 taser electrodes to a specific target to wit incapacitation.

Just the presence of these 4 Marines will mosy likely be enough deterrent to a potential problem, if the broad public knowledge of the plane’s airborne particulate security system isn’t enough.

I absolutely promise, that if this remote control failsafe system is implemented, our entire air travel system will be destroyed within months if not sooner. ( Not by me of course, but by enemies of our country)

There exist NO secure communications channels today. Even the naval systems can be compromised, and I fervently disagree with a previous poster claiming these systems are secure. These systems are most definitely NOT secure, which is why data encryption exists. These algorhythms are complex and frequently changed or recomputed to new variations, however they are NOT secure. Even in WW2 the german uboats could read our transmissions, which were then given to the code teams to decipher. These systems are high power output, which makes them even easier to pick up, which is why the pilot MUST relinquish control of their jet to the AWAC operator, and why submarines send code blocks rather than clear text.
Again, let me re-iterate…
THERE IS NO SUCH THING AS SECURE COMMUNICATIONS. Only encrypted information. Belief otherwise is foolish.

All it takes is the interception of 1 packet during each new algorhythm’s life cycle to establish a schedule and find the operational window, then it’s a simple matter of finding the passkey, which can probably be done relatively fast via the internet using one of several serial processing applications already out there serving their harmless roles and working within the remainder of that window.

I can concieve of many ways this system could be used against its makers more than benefit them. Now imagine someone who wants to do it for their own malicious purposes? This is doomed to failure.

That’s my $.02 on the subject of remote operation of commercial airlines. As far as the rest goes, I can’t tell you how to prevent terrorists from flying into buildings, other than just don’t allow them to have control in the first place, but I’m pretty sure there are systems that avert these things, that must be turned off first.

I think you have a great thought, but I think it’s better applied towards other things. For instance, you could build an electronic device that seeks out the guidance system of a missile, and assumes remote control by force, and diverts its path, or a sattelite guidance system which allows for computer controlled docking manuevers or orbital stabilization. Keep up the good thinking, but this isn’t a winner IMO.

sy levine December 10, 2007 5:11 PM

For those interested in this field. I presented a paper on this subject at the 26th DASC (Digital Avionics Systems Conference)on Oct. 25, 2007 in Dallas, Texas. The conference was sponsored by the American Institute of Aeronautics and Astronautics (AIAA) and the Institute of Electrical and Electronic Engineers (IEEE). The paper “An Onboard Pilot and a Remote Copilot for Aviation Safety, Security and Cost Savings”, was awarded the best session paper. Everyone asked why isn’t this being done now. The answer is easy. If only our politicans were more interested in preventing disasters than in gaining free press when a disaster occurs it would have been operational. That would have prevented 9/11 and a host of other fatal crashes.

Sy Levine

sy levine December 10, 2007 5:12 PM

For those interested in this field. I presented a paper on this subject at the 26th DASC (Digital Avionics Systems Conference)on Oct. 25, 2007 in Dallas, Texas. The conference was sponsored by the American Institute of Aeronautics and Astronautics (AIAA) and the Institute of Electrical and Electronic Engineers (IEEE). The paper “An Onboard Pilot and a Remote Copilot for Aviation Safety, Security and Cost Savings”, was awarded the best session paper. Everyone asked why isn’t this being done now. The answer is easy. If only our politicans were more interested in preventing disasters than in gaining free press when a disaster occurs it would have been operational. That would have prevented 9/11 and a host of other fatal crashes.

Sy Levine

sy levine December 11, 2007 10:51 AM

Communication System is Secure:

There are many secure information systems that are used by the military to control ballistic missile, submarines, AWACS strategic aircraft, etc. These systems are specifically designed to be secure.

None of these systems have ever been compromised. Compromising many of these systems would have much dier consequences for the US than what transpired on 9/11 and yet they are secure. Terrorists would have loved to compromise these systems since they are strategically more lethal than what occurred on 9/11. Thus systems can be made secure if handled by compitent, experienced software and hardware engineers who are experienced in this field.

As to the cost of a such secure system it would have been less than 1/4 the cost of the 9/11 disaster. It should have been done not only for the people that died needlessly but it was/is more economical than what has transpired (e.g.: air marshals, fighter planes in the air to shoot down commercial aircraft, etc.). Having a remote copilot and visibility not only prevent a 9/11 disaster , it also prevents decompression crashes, runway collisions/incursions, etc. and many other types of fatal crashes.

Sy Levine

Anonymous March 19, 2008 3:36 AM

The United States (NORAD) has had the capacity for remote controlled flight since the 1950’s. Too, in 2000 an aircraft the size of a boeing 737 was flown from Andrews AB in California, to Edinburgh AB, South Australia by this method. All the while the “remote controller” was sitting in an “office” at Edwards AB. There was a pilot onboard the craft and the ground “controller” took over at whim. The onboard pilot had ZERO control over what the ground “copilot” decided to do.

Xlotta February 3, 2009 10:45 PM

This might be a little far fetched, but I’d suggest as a more effective counter-hijacking measure, to install nitrous oxide tanks in passenger compartments, and wall off the cockpit entirely, allowing access only from the outside of the plane via a private ramp on the tarmac. If a hijacking is attempted by some idiot that thinks he can use the plastic silverware to cut his way through to the cockpit, flood the compartment for a few moments with a strong enough mix to have its intended effect but not suffocate anyone, disable the oxygen masks while this takes place, simply put everyone to sleep, and restrain the hijackers, awaken everyone, then unmercifully throw the attempted hijackers out the door at 36000 feet for all to see. It is fairly inexpensive, not coming anywhere close to $45m, and will send a clear message to future prospective hijackers as well, plus save costly legal fees and taxpayer money to room and board them during their trial and incarceration.

Clive Robinson February 4, 2009 1:01 AM

@ Xlotta,

“I’d suggest as a more effective counter-hijacking measure, to install nitrous oxide tanks in passenger compartments”

No, there is a myth that anasthetics can be used as “sleeping gas” to overcome terorists / undesirables.

For a number of reasons it does not work very well and you end up with quite a few deaths of inocent bystanders.

Also Nitrous is a very good oxidizer and is used in the likes of car engines and rocket motors (with organics or plastics as fuels). It is known to affect the likes of aluminium and other metals making them easier to ignite.

So Nitrous is not something you want in an aircraft cabin as a small spark could result in rapid oxidization of plastics etc causing a rapid rise in temprature and thereby significant over pressure (ie an explosion).

As a minor surgury anasthetic nitrous is very usefull as it has good analgesic properties with rapid recovery times whilst being relativly bad at making people sleep.

This is one of the reasons it is used by dentists as it enables the patient to still follow simple verbal commands effectivly.

Also for women in labour in that they can get a lot of “self medicated” pain relief quite safely by holding the mask themselves. If they breath in to much they have difficulty holding up the mask to their face without losing sensibility or conciousness.

In general surgery Nitrous is used as a “carrier gas” for other more effective anasthetic gases. A “suped up” version of which was used by the Russians in an attempt to overcome “terrorists”. The result was a large number of innocent deaths due to repritory failure.

The suppression of the respritory system is one of the major disadvantages of modern anasthetic gases and one of the single biggest causes of fatalities during operations. Which is why the anethatist is actualy in charge of the operation not the surgeon.

As for opening doors at 36,000ft, next time you get on or off an aircraft have a look at the door, they are designed not to be opened when the internal pressure is moderatly higher than the external pressure. And if you did get the door open most people would be unconcious within a very short period of time at that altitude, and dead shortly thereafter without oxygen.

Ted December 1, 2009 12:07 PM

I have heard a lot of ideas (nitrous oxide, flying horse and buggies, depends for pilots) but can we go back to the remote control software idea? Essentially, you are taking the little toy plane, the one eight-year-olds play with all over the country, and you are putting that idea into action- with human lives attached. I think the purpose of this software is to add a security measure to flying. A digital back-up plan to TSA security. But I don’t love this idea. I can get behind thicker doors. (And for the record, I think pilots deserve a bathroom. If you take away their bathroom, they stop drinking coffee. Do you want your pilot decaffeinated?) Anyway, I think there are too many evil people out there who know their way around a firewall. Installing this software basically turns each plane into a real-live video game. Those always end in a large crash.

Larry September 10, 2011 10:15 AM

I see NO PROBLEM with being able to take control of an airliner if it acting out of ordinary! If the control is not possibope you le through the satilites it could be controled by someone at the many airports across the world. The system could be so good that the best hacker could either NOT get into it or that if it is being tried the computer sofeware is SO sofisticated that it would shut the hacker down! For those that have said it is a bad idea….I hope you never have to suffer the loss of a loved one.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.