


You’ve heard of cloud security, but this is up-in-the-clouds security!
Airbus has announced that many of its aircraft need patching against what we can’t resist describing as a “cosmic ray” vulnerability:
Analysis of a recent event involving an A320 Family aircraft has revealed that intense solar radiation may corrupt data critical to the functioning of flight controls.
Solar radiation, it seems (which increases with altitude as the atmosphere gets thinner), can cause intermittent errors in on-board software data transmissions used to signal changes to move the plane’s elevators – adjustable surfaces at the rear of the aircraft that control its pitch.
These errors apparently don’t get detected or corrected on their way to their destination, with the result that control surface changes selected in the cockpit may not necessarily be the changes that actually happen on the outside of the plane.
In a very crude analogy, imagine that you signaled to turn left in your car, and the dashboard helpfully blinked back at you to confirm your intentions, but the external turn signals on the right-hand side of the car started flashing. If it happened only very occasionally, you might not figure out what was going on, let alone why, until it was too late.
Planes fly in 3D, so they can rotate in three directions – the X, Y and Z axes we know from geometry.
When the end of one wing goes up and the other goes down, that’s roll; when the front of the plane slews left or right and the rear end goes in the other direction, that’s yaw; when the nose pitches upwards or downwards, well, that’s pitch.
Pitch determines what’s known as the angle of attack, which determines how much lift the plane generates.
Reduced lift, and the plane can’t maintain a steady altitude, which means it will descend.
Far too little lift, of course, and... well, you get the idea.
Intriguingly, many affected Airbus planes can apparently be “fixed” with a software-only patch, and don’t need to be taken into a hangar for physical maintenance such as adding additional radiation shielding.
Some older planes, however, may need hardware modifications.
Reports suggest that these software updates have been made mandatory for affected planes before their next scheduled flights.
The patches are supposed to take a matter of hours, which should minimize timetable disruptions.
But that’s a lot longer than the typical turnaround time for short-haul flights to and from popular destinations, which are often done in 20 to 60 minutes. (Take inbound luggage off, put outbound luggage on, clean the passenger areas, add more fuel, top up on beer and peanuts, etc.)
Quite how radiation-related data corruption problems can be solved with a software-only fix hasn’t yet been explained by Airbus.
Perhaps changing various data rates or adjusting error-correction settings is enough to satisfy the regulators that invalid control surface adjustments can be reliably avoided in future?
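To make the difference between undetected, detected and corrected errors concrete, here is an added example (not Airbus code, and not from the original article) that sends a commanded deflection in a hypothetical 4-byte frame and flips one bit in transit. The frame layout, the function names and the choice of a CRC-16 plus triple-copy voting are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define FRAME_LEN 4 /* 2-byte deflection (hundredths of a degree) + 2-byte CRC */
/* CRC-16/CCITT-FALSE over n bytes: polynomial 0x1021, initial value 0xFFFF. */
uint16_t crc16(const uint8_t *p, int n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}
/* Sender: payload followed by its CRC, both big-endian (hypothetical layout). */
void encode(int16_t deflection, uint8_t f[FRAME_LEN]) {
    f[0] = (uint8_t)((uint16_t)deflection >> 8);
    f[1] = (uint8_t)deflection;
    uint16_t c = crc16(f, 2);
    f[2] = (uint8_t)(c >> 8);
    f[3] = (uint8_t)c;
}
/* Receiver with no integrity check: trusts whatever bits arrive. */
int16_t decode_unchecked(const uint8_t f[FRAME_LEN]) { return (int16_t)(uint16_t)((f[0] << 8) | f[1]); }
/* Detecting receiver: returns 1 and sets *out only if the CRC matches. */
int decode_checked(const uint8_t f[FRAME_LEN], int16_t *out) {
    if (crc16(f, 2) != (uint16_t)((f[2] << 8) | f[3])) return 0;
    *out = decode_unchecked(f);
    return 1;
}
/* Correcting receiver: bitwise majority vote over three copies, then CRC. */
int decode_voted(const uint8_t a[FRAME_LEN], const uint8_t b[FRAME_LEN],
                 const uint8_t c[FRAME_LEN], int16_t *out) {
    uint8_t v[FRAME_LEN];
    for (int i = 0; i < FRAME_LEN; i++)
        v[i] = (uint8_t)((a[i] & b[i]) | (a[i] & c[i]) | (b[i] & c[i]));
    return decode_checked(v, out);
}
/* Simulated upset: flip one bit in place (bit 0 = MSB of byte 0). */
void flip_bit(uint8_t f[FRAME_LEN], int bit) { f[bit / 8] ^= (uint8_t)(0x80 >> (bit % 8)); }

int main(void) {
    uint8_t a[FRAME_LEN], b[FRAME_LEN], c[FRAME_LEN];
    int16_t d = 0;
    encode(-250, a); encode(-250, b); encode(-250, c);
    flip_bit(a, 0); /* constructed fault: sign bit of copy A */
    int ok = decode_checked(a, &d), fixed = decode_voted(a, b, c, &d);
    printf("unchecked=%d crc_ok=%d voted_ok=%d value=%d\n", decode_unchecked(a), ok, fixed, d);
    return 0;
}
```

With the sign bit flipped, the unchecked receiver turns a small nose-down command into a large nose-up one, the CRC receiver rejects the frame, and the voting receiver recovers the original value.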
Anyway, it seems that many airlines with Airbus planes will experience modest travel disruptions this weekend, but this feels like one case where passengers won’t want to contest the delays.
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!







