DEF CON 30. Hacking EFBs. Engine Performance

At DEF CON 30 this year we demonstrated some vulnerabilities in electronic flight bags and the potential impact on flight safety.

There’s plenty more detail of EFB security issues here.

As part of the Aerospace Village at DEF CON 30, we invited people to fly our flight sim under instruction from our own pilots, showing the effect of tampered engine and braking performance data.

The video

We have set our A320 simulator up with tampered performance data from the EFB. The plane, heavy with passengers and fuel, is sat on the threshold of London Heathrow’s 27R runway which is 3,901 metres long.

However, we have tampered with the underlying data to make the flight management system think the plane is much lighter than it actually is.

As a result, the thrust commanded is less than required, plus the V speeds (particularly Vr, the rotation speed) are set too low.

Heathrow’s runway is plenty long enough, so we do successfully depart, but the plane tailstrikes before taking off. Consider a much shorter runway used for commuter and holiday flights such as EGGW (London Luton) at 2,162m and one risks a runway excursion.

Think this sounds far-fetched? Here are some real, very similar examples:

In this incident the pilots used the incorrect weight of the plane when computing required performance. Significant damage was caused, preventing the plane from pressurising. Debris from the tailstrike left on the runway punctured one of the nosewheel tyres of a subsequent plane, the 7th departure after this incident.

The mis-computed rotation speed (Vr) was nearly 40 knots slower than required. The full accident investigation report in Spanish is here (PDF),  from which this photo is taken:

A summary in English is here.

In another incident (PDF), pilots again used the incorrect weight of the plane, resulting in a rotation speed that was 13 knots less than required. A tailstrike then occurred, resulting in some damage.

One large airline had 5 performance errors in a single month earlier in 2022. Each one of these could have led to a tailstrike or runway excursion

YouTube has many videos of near-tailstrikes, such as this one:

Mitigating factors

Well trained pilots will recognise the lack of performance and may reject the takeoff, or apply full power (‘TOGA’) . This doesn’t always happen, particularly if one is between V1 and V2.

Increasing power during a tailstrike is not advised either, as the increased rotation moment from the engines may make the tailstrike worse.

A well secured EFB device build, plus performance apps without security vulnerabilities, together with good airline standard operating procedure and cross-checks will also dramatically reduce the chance of airplane performance issues.

Conclusion

We believe passionately that an electronic flight bag is a safety-critical device, despite it not often being directly connected to the aircraft.

Security flaws in the EFB device build and the performance apps running on it create opportunity to compromise flight safety.

Flight safety regulations around the world differ, with some developed nations having more robust EFB regulation and some developed nations having almost none. This needs to change to assure our safety.