Blog: Aviation Cyber Security
EFB Tampering 3. Take-off pt2
Take-off Performance Part 2: Flap, Trim, Database and Sources of Data
Target: FLAP SETTING
There are various forms of flaps and slats. The difference between the two and the technicalities of how they work is outside the scope of this blog. As a general rule flaps extend from the rear/trailing edge of a wing and slats extend from the front/leading-edge, extending them allows the aircraft to fly at a slower speed. This is why you’ll see the flaps deploy prior to take-off and also prior to landing – without them the pilots would have to fly much faster to perform the take-off/landing.
Flap degrees and settings vary significantly between aircraft. What is generally consistent is that most aircraft allow more than one flap setting for take-off. For example, on the Airbus A320 a take-off can be performed at either Flap 1 (10⁰), Flap 2 (15⁰) or at Flap 3 (20⁰). On the Boeing 777 take-off can be performed at Flap 5, Flap 15 or Flap 20.
The flap setting used on take-off depends on the parameters entered into the EFB performance application. This flap setting then helps to define the V speeds, if a different flap setting is used then the V speeds are invalid because they have been calculated based on a different wing shape. Attempting to take-off with the wrong flap has had disastrous consequences in the past.
Stall/low speed risk. If the EFB software was manipulated to output a different flap setting than the one required then pilots may rotate the aircraft at a speed that is only valid for a different flap setting. On some aircraft this would be picked up by the FMC (Flight Management Computer) highlighting that the speed selected for take-off is too low when compared to the minimum speed for that flap setting. However when combined with a manipulated weight (i.e. the aircraft thinks it’s lighter than it is) then it is possible the FMC would not pick up the discrepancy and the lower speed would, incorrectly, be deemed safe for that flap setting.
Spanair MD-82 at MAD in 2008, flaps not selected for take-off resulting in crash:
Lion Air 737 at PKU in 2002, flaps not selected for take-off resulting in runway excursion:
Target: TRIM SETTING
The tail of an aeroplane has various moveable components including a rudder, an elevator, and a horizontal stabiliser. The elevator and horizontal stabiliser are used for pitch control by the pilots. When the pilots move the control column/joystick forwards and backwards it moves the elevator upwards and downwards. Most commercial aircraft also have a trimmable horizontal stabiliser.
Image credit: Miguel Ángel Sanz
The horizontal stabiliser trim setting enables the pilots to relieve control forces on the flight controls. Prior to take-off the pilots set the stabiliser trim setting using either a trim wheel or using trim switches. For take-off it is set to the optimum position for the centre of gravity – this is calculated by the EFB performance application based on various parameters and is significantly affected by positioning of cargo and passengers on board.
For example, with a particularly heavy forward cargo hold then the trim setting is likely to be more “nose up” on take-off to enable the pilots to rotate the nose. This is also why passengers are asked not to change seats prior to take-off as the performance calculations are based on the weight being distributed as it was planned. This ensures optimum elevator effectiveness and ensures aircraft control by the pilots.
Having calculated the trim setting for take-off on the EFB, the trim wheel is then set for by the pilots.
Loss of control/runway excursion. If the horizontal stabiliser trim setting for take-off were to be modified, the aircraft may rotate prematurely (tail strike or potential stall) or alternatively may require excessive force to rotate (late or even impossible rotation resulting in runway excursion). This could be either manipulated through the output of the performance calculation or alternatively through the manipulation of the calculation method of the MACTOW (Mean Aerodynamic Chord Take-Off Weight). Whilst some aircraft have aids for trapping the trim setting, many only trap the error if it is extreme and there are many aircraft that have no function whatsoever to prevent an incorrect trim setting for take-off.
737 at MLA in 2017, loadsheet displayed an incorrect trim setting – aircraft rotated late resulting in risk of runway excursion.
BmiBaby 737 at BHX in 2009, incorrect trim setting for take-off resulting in failure/inability to rotate the nose and subsequent rejected take-off from speed above V1:
For all the issues discussed in the Take-off Performance section, many of them rely on a database when performing calculations. Whilst there are methods for manipulating all the discussed items without modifying the database, malicious modification of the database could present a whole variety of outcomes (too many to discuss in this blog), so some of the more significant items are discussed below.
As mentioned previously in the blog, PTP has already demonstrated many of the items discussed i a performance app we wrote for ourselves for this purpose.
We found that accessing the Take-off Performance database created a whole host of issues. All the critical data used for calculating the take-off performance could now be modified, producing incorrect calculations. It shows us just how important the security of these databases is – changing just one digit inside could have catastrophic consequences.
This underlines the importance of both the EFB device lockdown and the security of software running on it.
Aircraft performance database
Runway excursion risk. Modification of the database to suggest the runway has more TORA (Take-off Run Available) could result in pilots using a lower thrust setting for take-off than that which is required. This is a similar issue to pilots using incorrect intersections for take-off having calculated their performance for a longer take-off roll – a relatively common (albeit very serious) issue. Instead of changing the data for a runway, a malicious hacker could simply swap the data between different runways thus providing a correct performance calculation but for a different runway.
An obvious error (e.g. changing the runway length to 10,000,000 metres) would be spotted by the pilots. But a smaller error (e.g. changing the TORA of EHAX to 3409m instead of 3049m) is would be more difficult to spot. The result would be the pilots expecting to have an extra 360m of runway available and the EFB calculating a thrust setting based on a longer runway.
A320 at LIS in 2019, crew calculated their take-off performance based on full length but departed from an intersection. Aircraft passed upwind end of runway at 100’ AGL. Note from report “The operator uses an EFB to calculate the weight and balance of the aircraft as well as take-off performance.”
A320 at LIS in 2019 (14 days after the above incident), crew selected the full runway length in their EFBs for the TORA but departed from an intersection. Aircraft became airborne with 110m of runway remaining.
Unassured terrain clearance. Modifying the terrain database on the performance calculator would alter the thrust setting with regards to obstacle/terrain clearance height on departure. Removal of obstacles would result in a lower thrust setting being calculated because the performance application would presume there are no obstacles beyond the end of the runway.
Multiple/factors. Modification of either the calculation method or alternatively the factor to apply in the event of certain conditions could have severe consequences. For example, if an aircraft has an allowable defect e.g. one brake inoperative, this will be accounted for on the take-off performance and a factor will be applied. This would generally involve an increase in required runway length and/or an increase in required take-off thrust (essentially because braking efficiency is reduced hence stopping distance will be increased in the event of a rejected (aborted) take-off).
Sources of data for Take-off Performance calculation
Source: Generally will originate from the company CLC (Central Load Control). This will often be created on an application and then either sent to the EFB or alternatively printed by the dispatcher and handed to the pilots.
Data used for T/O: Various, significant items:
- Zero Fuel Weight (modifies the Take-off Weight)
- Take-off Weight
- MAC TOW (horizontal stabiliser setting for take-off)
Weather & Airfield Information
Source: ATIS and/or METAR, obtained commonly via ACARS request, occasionally by VHF.
Data used for T/O: All airfield and weather information. Runway in use, wind direction & speed/gust, OAT (air temperature), QNH (pressure setting), runway specific data e.g. runway surface condition (contamination), RVR/visibility, additional information e.g. “Birds observed near runway” / “Temperature inversion at 1000 feet” / “Windshear reported”.
Operational Info/Emergency Turns
Source: Company database (from EFB or paper manuals), Briefing Pack (AIP & NOTAM).
Data used for T/O: Multiple. In the Emergency Turn case a predefined company procedure is created and recorded. Pilots then memorise the profile to fly in the event of a loss of take-off performance. This is generally only used in areas where terrain clearance is not assured on the SID path and deviation from the standard departure is required to remain clear of terrain in the event of a loss of performance (e.g. engine failure).
Take-off Intersection Information
Source: Overview from airfield chart/plate as to what a “sensible” intersection to plan on would be.
Data used for T/O: Position selected by viewing the chart, the name of the intersection is entered into the application which will in turn output the data for the given TORA. This could be obtained from either an EFB application or alternatively paper charts.
Multiple extras are “options” on take-off performance and can be added separately. E.g. pilots may choose to depart with PACKS OFF (air conditioning/pressurisation). This will enable a greater flex/derate of the performance – a code would need to be entered in order for the performance calculator to recognise the take-off will be performed “PACKS OFF”. Similarly if Engine Anti-Ice or Wing Anti-Ice is to be used, this will degrade engine performance as it requires bleed air.
Defects also need to be accounted for – e.g. if an aircraft has a thrust reverser/spoiler/brake U/S then the take-off performance will need to take this into account as it will affect the stopping distance in a rejected take-off.
All of the discussed items highlight the importance of EFB security. The reliance on access prevention to ensure EFB security cannot be compromised is not on its own effective protection.
The Defence-in-depth model as a concept would be well suited to EFB security. This is the idea that the best defence of a system against any particular attack is by using several independent methods.
The following shows just some examples of possible defence layers (not an exhaustive list). If these are applied correctly, they will not be applied in their most basic form but to a level deemed appropriate by independent assessment.
All the security at airports including preventing access to flight-decks becomes irrelevant as soon as a portable EFB is used, because they’re removed from the aircraft and airport.
- Installed EFBs offer better protection from physical access compared to Portable EFBs
- Where Portable EFBs must be used, accurate risk assessment of physical access and enhancement of other security layers are both critical
- Do not permit that EFBs can be used as personal devices
- Strong passwords required for access
- Data encryption
- Data integrity monitoring
- Multi-factor authentication
- Layered privileges
- VPN use
- Mobile Device Management with secure policies
- Pilot security awareness training
- Threat modelling, penetration testing, and vulnerability assessment
Whilst physical access would still be an important layer of defence, other layers should also be used to prevent EFB manipulation should the physical access layer fail. Many of the layers described above would go a long way to preventing malicious tampering of the sort demonstrated in the blog.
There are currently four posts in this series on EFB security:
- EFB Tampering 1. Introduction and Class Differences
- EFB Tampering 2. Device Integrity
- EFB Tampering 3. Take-off part one
- EFB Tampering 3. Take-off part two
Related: EFB Safety Advice for Pilots