Israel Implementing IFF System for Commercial Aircraft

Israel is implementing an IFF (identification, friend or foe) system for commercial aircraft, designed to differentiate legitimate planes from terrorist-controlled planes.

The news article implies that it’s a basic challenge-and-response system. Ground control issues some kind of alphanumeric challenge to the plane. The pilot types the challenge into some hand-held computer device, and reads back the reply. Authentication is achieved by 1) physical possession of the device, and 2) typing a legitimate PIN into the device to activate it.

The article talks about a distress mode, where the pilot signals that a terrorist is holding a gun to his head. Likely, that’s done by typing a special distress PIN into the device, and reading back whatever the screen displays.

The military has had this sort of system—first paper-based, and eventually computer-based—for decades. The critical issue with using this on commercial aircraft is how to deal with user error. The system has to be easy enough to use, and the parts hard enough to lose, that there won’t be a lot of false alarms.

Tags: , , , , , , ,

Posted on March 10, 2008 at 12:24 PM34 Comments

Comments

Petréa Mitchell March 10, 2008 12:49 PM

Just off the top of my head, I wonder how it plays out in these situations:

  • Some kind of critical equipment failure means the pilots are too busy trying to keep the airplane from crashing to use the device
  • Some kind of equipment failure onboard means the plane’s communications aren’t working well enough to do the challenge-response thing
  • Hijackers cripple the plane’s communications so it looks like the previous scenario
  • A hijacker has enough pilot training to use the device him- or herself
  • Someone cracks the algorithm for generating responses, everyone is supposed to update their software, and then a plane enters the controlled airspace with old software
  • The device becomes nonfunctional during a flight

omg March 10, 2008 1:18 PM

If a pilot may choose between being killed in a suicide attack using the plane, or being shot down by the military after typing in the special ‘distress PIN’, I think he may prefer the first alternative because there is a chance overpower the highjackers until the very last moment .

Dan Linder March 10, 2008 1:23 PM

@Petréa:

When this is implemented, you’ve just supplied Hollywood with their first six episodes of a new spin-off series titled “Dying Harder”… 🙂

Here are my responses:
1: During a flight problem, there are probably a number of ways to determine this. Most notably, smoke, and/or other externally visible problems a chase plane could view and confirm. Also, there’s a reason that the buzzers are noisy – the ground control can hear and get an idea of what’s going on if there is no other audible communication.

2: Maybe they could design it so it has an emergency tranciever that would work through the window to a chase plane (low power radio, or line-of-sight)?

3: (Same as #2)

4: True, but I would imagine that each pilot will have a personally unique set of PINs.

5: That’s my issue with high-tech solutions. Maybe make the software revision part of the response, and if it is too old or suspect the ground asks for a secondary identification?

6: (Same as #5? Maybe a paper pad as mentioned earlier in the article?)

Dan

Joe Buck March 10, 2008 1:41 PM

omg: you assume that the response to the distress PIN would be the destruction of the aircraft. This would be stupid, as no pilot would ever use it if this were the case.

Noz March 10, 2008 1:55 PM

Yes I see the need…since Israel is being hit by terrorist planes all the time….

MORE of our hard earned tax money going to Israel through “legitimate” channels…

When will you suckered Americans learn.

jeffd March 10, 2008 2:12 PM

@noz:

The article never mentions US government money funding this. They mentioned some cooperation with individual airlines, but nothing about our “hard earned tax money.” Sorry.

Justin March 10, 2008 2:23 PM

In the United States, there is a designated transponder code (7500) for broadcasting “unlawful interference” (hijacking.) More often than not, a pilot squawking such a code has their transponder set to the wrong code, particularly because 7600 is lost communications, and in the event that you the code is set incorrectly and you have lost your radios, there’s no way to correct it.

I’m not sure how a challenge/response system improves on this very much, with the exception of a hijacker being less aware you’ve outed them.

Andrew March 10, 2008 3:28 PM

omg: you assume that the response to the distress PIN would be the destruction of the aircraft. This would be stupid, as no pilot would ever use it if this were the case.

The scenario proposed would be:

1) No IFF, aircraft is forced to land or destroyed immediately

2) IFF green, aircraft is under normal flight control

3) IFF red (“hijack” / distress PIN), aircraft is forced to land and destroyed only as a last resort

What you gain, aside from social responsibility which most pilots have quite a bit of, is the knowledge that the military is trying to save your life, if convenient, as opposed to blasting you out of the sky at once.

The implication is that an IFF failure will “fail deadly,” i.e. a non-working IFF or failure to present an IFF will result in the destruction of the aircraft.

This is fairly dangerous. My suspicion is that like other similar systems, the IFF box will “fail safe.” In other words, failure to carry or activate an IFF will not trigger a response, and activation of your IFF using a valid code will not trigger a response, but improper activation of your IFF (or distress PIN) will ALWAYS be a hijack warning. That makes more sense from a systems perspective:

1) No IFF, normal procedures apply

2) IFF green, normal procedures apply

3) IFF red (improper activation), unauthorized aircraft under terrorist control, destroy at once

4) IFF distress (PIN), hijacked aircraft, force to land, destroy only if necessary

I would expect pilots to pay special attention to IFF activation procedures. 🙂 I think that’s the point.

Kadin2048 March 10, 2008 3:29 PM

I think there’s a simpler and possibly more useful alternative: put the fuel-dump lever in a place where it’s easily reached (but requires a fair bit of force to use, perhaps breaking something in the process) and can be pulled at the first sign that anything is amiss.

Then link a distress signal that requires no pilot interaction at all to the action of dumping the fuel. That alert, plus a lack of response from the pilots, would be pretty telling, plus you’d also have limited the hijackers options substantially by giving them a plane that’s running on empty and needs to land immediately.

Quercus March 10, 2008 3:30 PM

To add to Petrea’s list:
* The pilot suffers a medical emergency that renders him unconscious; passenger Ted Striker knows how to fly the plane, but can’t type in the correct PIN
(yeah, it’s a movie-plot scenario, so?)

moo March 10, 2008 3:47 PM

@Kadin2048:

Dumping fuel is not something that should be done lightly, even by a jumbo jet pilot who is about to lose control of his plane to a hijacker.

What happens if the plane is not able to make it to a safe landing area in time with the reduced amount of fuel they are carrying? Do you really want to force a potentially suicidal bunch of hijackers to choose between a crash landing, and a landing somewhere they don’t want?

Far better to surreptitiously signal that the plane has been hijacked, and then do everything the hijackers tell you to until they tell you to do something so heinous (such as flying it into a building) that you are willing to be shot in the head rather than comply.

GauntletWizard March 10, 2008 3:49 PM

@Quercus:

Presumably, you’d have a co-pilot. Also with a device and pin. Certainly, both could be knocked out, but it’s that much more unlikely. The simple solution to horribly improbable scenarios? Deal with it with human intuition when it comes to it.

moo March 10, 2008 4:43 PM

…I’m re-thinking my comment above about dumping fuel.

It now occurs to me that airliners would be a less attractive target for hijacking, if the hijackers knew that the standard procedure was for pilots to dump fuel immediately at the first indication that the plane was being hijacked. In effect, unless they could get into the cockpit with no advance warning and put a gun to the heads of the pilot and co-pilot, they would not be able to use the plane as a long-range missile or even to land it in some other country of their choice.

One downside of this plan is that it would probably lead to a couple of expensive false positives. And some nutter would probably pretend to be a hijacker just long enough to freak out a stewardess and the plane would dump fuel and divert, wasting a tonne of people’s time and the airline’s money. (Then he’d get detained as an enemy combatant and shipped to Guantanamo, but that’s another story).

And anyways, commercial airliners are already an unattractive target for hijackers. Too much hassle and inconvenience. I agree with a comment I read on Slashdot today, that basically stated that a 9/11-style attack using planes could only work once. Before 9/11, the safe bet for the passengers was to sit quietly and wait for the hijackers to negotiate, then they’d get released. After 9/11, the passengers are not going to wait until they find out if their plane is being used as a WMD–they’re going to storm the hijackers and take them down, and probably nothing short of automatic weapons could stop them.

So all the security theatre around airlines is doubly-annoying: both because its degrading and time-consuming, and because its a disproportionate response to what is now nearly a movie-plot threat.

moo March 10, 2008 4:54 PM

Also: suppose you are a terrorist, wanting to cause the maximum amount of fear and inconvenience for people.

9/11 has already accomplished that goal re airline flights involving the USA (and to a lesser extent the rest of the world): flying is now more inconvenient, and requires more privacy-invading “security”, than it was before 9/11.

So the way to shock people now is to attack some other thing like a continental commuter train. Then there’ll be a few years of knee-jerk legislation and security theatre around trains, until travelling by train is just as inconvenient as travelling by air is now.

The only real advantage that airline flights have to an attacker, is that some of them originate in other countries.

…I can think of a dozen things which are easier to attack today than a commercial airliner, but which could still cause mass fear and economic disruption. I guess we’re all lucky that I’m not a terrorist, but if I can think of these things, then any real terrorist who could get into the U.S. as a visitor and travel around for a week or two would easily come up with some high-impact targets.

Imagine what would happen if terrorists car-bombed a couple of shopping malls around the country on the same day. Or caused a large power outage. Or blew up a stock exchange. Etc etc.

inkling March 10, 2008 5:17 PM

It sounds like the keypad part of this authentication scheme is part of the protocol itself, which would make the protocol vulnerable to a relay attack: upon receipt of an interrogation message, just send the same message out to a legitimate aircraft, then send the reply you get to the interrogator. This is essentially the “mafia fraud attack” / “chess grandmaster attack” pointed out by Desmedt’s “Major Security Problems with the ‘Unforgeable’ (Feige-)Fiat-Shamir Proofs of Identity and How to Overcome Them” twenty years ago. That attack has since been specifically discussed in the context of IFF by several authors. The only real defense against relay attacks is to use a distance-bounding protocol of some kind.

Perhaps the protocol individually authenticates aircraft and gives the interceptor information about each aircraft’s manufacturer, model, livery, tail number, flight plan, etc. That would be reasonably secure – at least in visual meteorological conditions – as long as the threat model doesn’t include an attacker who can obtain and repaint an aircraft of similar type. In any event, cryptographically authenticating the communication channel is the easiest and least important part of this protocol; if they want this to be secure, they’d better be using some sort of verification that the aircraft they’re seeing on radar is really the one that’s participating in their authentication protocol.

Jeff Bell March 10, 2008 5:25 PM

I agree with moo that the passengers would react much differently.

The learning period on that form of attack was about 3 hours.

Hm March 10, 2008 5:50 PM

Why don’t they just put cameras in the cockpits?

If an Air Traffic Controller suspects some sort of fowl play, they call up the “webcam” and take a look inside the cockpit. Hell, put a mic and speakers and you can have a chat with Joe Terrorist — if they knew they were going to be shot down and miss their targets, thereby defeating the purpose of their deaths, they may reconsider.

Maybe. Worth a shot, and it’s fool proof: no challenge, etc; there’s either someone in the cockpit who shouldn’t be or there isn’t.

Anonymous March 10, 2008 6:40 PM

@moo

“After 9/11, the passengers are not going to wait until they find out if their plane is being used as a WMD–they’re going to storm the hijackers and take them down, and probably nothing short of automatic weapons could stop them.”

Let’s not be stupid, shall we?

If some kook stands up with a hand grenade in one hand demanding to be flown to Cuba or else, I will happily snap the neck of any individual who poses a threat to that person if only in the interests of my own self preservation. I suspect almost everyone else will do likewise. Fly the plane to Cuba, arrest the miscreant when the plane lands, and everyone gets on with life.

If, however, some kook gets up and starts hacking away at the cockpit door, or is futzing with a switch, or a lighter or whatever, sure, fine, storm the nut-job. You have nothing to lose at that point.

Escalation is something you, the victim, need to avoid. The attacker has gotten the drop on you, and short of a profound screw-up on his part, you are at a tactical disadvantage. Leave the escalation to him.

Honest to god, 2001-09-11 changed nothing.

Anonymous March 10, 2008 6:46 PM

@moo

“It now occurs to me that airliners would be a less attractive target for hijacking, if the hijackers knew that the standard procedure was for pilots to dump fuel immediately at the first indication that the plane was being hijacked.”

Right, if hijackers knew that the pilots and crew would down a cyanide pill on the event of a hijacking, not many people would be hijacking planes. At least not successfully. We could even install nerve gas dispensing vents in the cabin to make sure all the passengers are dead in an instant too. Never know, some of of them might have flown a few FSX missions…

Infosponge March 10, 2008 6:53 PM

At best, this thing is a response to a movie plot threat. The kind of people who do damage to Israel don’t tend to need commandeer aircraft: walking suicide bombs are much cheaper.

Fundamentally, however, commercial IFF is nothing more than yet another misguided attempt to paste a technological band aid over a political and social problem.

The root problem lies with the fact that Israel is an apartheid state which brutally represses segments of its population within its defacto boundaries. Until these conditions are addressed, no weapon, wall, or technological quick fix can remove the threat of terror stemming from hatred stoked by fundamental injustice.

Anonymous March 10, 2008 6:59 PM

@Infosponge

“Fundamentally, however, commercial IFF is nothing more than yet another misguided attempt to paste a technological band aid over a political and social problem.”

What scares me is that systems like this give essentially a kill-switch to the lives of hundreds of people. Some small error along the way and and entire plane is blown out of the sky, with the disgusting spectacle of Official Government Mouthpieces pointing at the Official Process and saying “Look at what they made us do!”

Given the rarity of the attacks, it’s more likely accidents will inconvenience or kill more people over time than the real attacks supposedly being prevented.

Yet one more reason not to fly into Israel.

Infosponge March 10, 2008 9:36 PM

There are standardized methods established by the ICAO for interceptors to direct civil aircraft to change course.

I would assume the IAF would attempt to direct any airliner which failed the IFF test away from Israeli airspace and only shoot if the airliner refused to turn away. Problems could arise in the event of IFF failure combined with other aircraft problems, such as insufficient fuel to divert or flight controls failure.

Overall, Israeli interception policy will have much more effect on the risks of destroying non-hijacked aircraft than any IFF device. If Israel is going to behave itself and stick to ICAO interception standards, then this IFF gizmo isn’t going to raise the risks too much as failures will be intercepted and assessed at close range. In contrast, if Israel has decided to shoot first and ask questions later, then all approaching aircraft are one transponder error away from destruction already and this IFF won’t make things worse.

Mark March 11, 2008 2:44 AM

@Kadin2048
I think there’s a simpler and possibly more useful alternative: put the fuel-dump lever in a place where it’s easily reached (but requires a fair bit of force to use, perhaps breaking something in the process) and can be pulled at the first sign that anything is amiss.

The only reason for a plane to even have a fuel dump system is to make it light enough to land.
Planes such as the 737 (all versions) do not have one at all. Since it would be perfectly possible for one to take off, make a wide 180 degree turn and land back on the same runway.
There’s a video somewhere on youtube on a plane swallowing a bird on takeoff then landing on a parallel runway. (The one they had taken off from was closed due to bits of bird and jet engine.)
Even on planes which are fitted with a fuel jettison system it may only be connected to the centre wing tank or other auxillary tanks. IIRC this is the situation on the 767ER.

TheDoctor March 11, 2008 3:22 AM

Plain nonsense.

Bribe or blackmail a pilot of a freightliner, make the flight instead of him, load onto the plane whatever you consider usefull, fly into the airspace you want to target, give the correct response with the gadget from the pilot, hit your target.

Spark March 11, 2008 5:07 AM

Unless the responds to the same challenge would not be the same twice (meaning the device has to keep some state, possibly just the time or something), an attacker could verify the PIN code that the pilot has entered, by entering a past challenge and checking the responds, because both the challenge and responds are transmitted over an insecure channel (unencrypted radio link).

This could of course be solved by appending the current time, with an accuracy of say, 1 minute, to the secret. Air traffic control could have to check the responds against 2 valid responses, when the responds is received close to a minute boundary. This would, effectively, give the responds a 2 minute lifetime, and should give the attacker only 1 minute (worst case) to check a known valid responds against a PIN code given by the pilot.

Infosponge March 11, 2008 10:58 AM

@Mark:

All transport category aircraft can land at full weight in an emergency. A 744 at MTOW can be turned around and landed on the same runway without delay in the event of a severe emergency such as a fire or dual engine failure.

Fuel dumping is legally required by both FAA and European rules to ensure that a heavy aircraft can meet minimum required climb performance in the event of an engine failure. It is also useful for emergencies where it’s not wise to continue to destination but not time critical enough to require an immediate landing. It’s easier on the airframe to dump fuel rather than land overweight.

On aircraft capable of dumping fuel, the switches are already located in an easily reachable place.

Cristian March 11, 2008 5:17 PM

What happens to all other planes flying to or from israel that are not israeli?

So this whole box thingie is moot. The hijackers will just hijack an Air-youtellme plane.

Doug Coulter March 12, 2008 1:12 PM

I really like the vidcam in the cockpit idea. Though it’s not perfect, it seems way better than the rest stated here so far. Someday, someone might come up with a way to transmit false video, or hide in a place the camera doesn’t cover, while still holding a weapon on a pilot, and so forth, but it’s still better and less prone to trivial deadly failures than any of the other ideas.

I agree with the slashdot (and other places) comments that using a plane as a WMD is probably now a movie plot threat. “Air rage” is now a problem for airlines, and I wouldn’t want to face it, when for once it was fully justified. The hand grenade idea is, to quote its author, stupid. Can’t use a broken plane as a WMD very well, while dead oneself! Truth is, it wouldn’t likely even make the plane crash, or kill more than a few passengers. It would certainly kill the guy who let it go. There is even a non-zero chance one could get the grenade away from the guy, it was fake, or defective. Not a big chance, but not zero.

I can’t build a realistic hijack scenario around this given current situations and any passenger resistance.

Believe it or not, there are still people alive brave enough, and moral enough, to give their lives for others. Some are doing it right now in the belief it is making the rest of us safer. The correctness of that belief doesn’t affect the fact that they do it.

Don’t assume everyone is as purely self interested/cowardly/immoral as you seem to think yourself. Though perhaps not in the majority, there are still truly good humans on this planet.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.