We are in the Aerospace Village at DEF CON 30 and this is a really hard thing to miss. Can you tell me what this is? Obviously it's an airplane, but like, what am I looking at? So we brought our Airbus A320 simulator with us. It comes in a little custom flight case and it's shipped out here to DEF CON. DEF CON kindly gave us the screens to save us the weight, but yeah, it's an Airbus A320 cockpit. It's exactly life-size. It's exactly as you would find on an aircraft. And is the goal to learn how to fly? Is it to hack away? Is it to plug in, dump firmware? What's the purpose? So we brought some electronic flight bag vulnerabilities. Electronic flight bags are used by commercial pilots to work out how long a runway they need to take off, what settings they need on the aircraft. So we brought it to demonstrate that, but frankly we've had such a huge queue that people just want to do some landings and stuff, so it's been really good fun to see people get involved and do that.

That's awesome. So in that case, you know what? I want to keep hearing about it but I also want to fly it, so can you show me how to fly this thing? Yep, let's go in and have a fly. Excellent. Right, let's make it there. There you go. So I sit here? Yep. Alright, give me two seconds.

But at the same time I'm afraid that like I'm totally going to break something. You think when you look at these buttons you would expect to like recognize any of them, like an on-off or an AC switch. Well, interestingly, there's no keys on an aircraft. If you think about it, there's no keys for the doors, there's no ignition key or anything like that. That's hilarious. I guess, yeah, I never really thought about that. But starting it from cold and dark is actually quite difficult, so yeah, unless you know what you're doing. Yeah, I'm just like, it's funny, like I'm looking at some of these like rows LS, VOR, NAV, ARC, PLAN, like I don't like some acronyms you intend to make some sense of but like I can't make sense of any of this.
I know obviously like radio, but can you walk me through just some of this, and I'm guessing that's part of the simulation too. Sure, so I mean I think that's one of the challenges and one of the things that Aerospace Village does really well, is that where you've got IT language and you've got aerospace language that they're really difficult. Everyone uses lots of acronyms and you bring the two together and it's something like a complete nightmare. So that's part of what we're doing is kind of to speak through this.

So the top is the glare shield and this is the aircraft autopilot settings. This is pretty much how 95% of the time a pilot would fly the aircraft. Okay. So they would be given a speed or a heading or an altitude to fly out by air traffic and they, you know, will just change these and the aircraft will then fly itself.

In front of you you've got your primary flight display and your navigation display. Okay. So again this is pretty much where the pilot, when they're hand flying, is going to be looking. So your artificial horizon, blue sky, brown is ground. Yep. And you've got your speed and your altitude and other things on there as well. Okay.

This is the ECAM. So this is to do with monitoring aircraft. So this is our engine performance, our wheels currently, we can bring out fuel information, electrical, hydraulics, all that kind of stuff. So all these buttons are what kind of brings me through these other screens.

It's a quick question. I see that I have two of these screens. Are these duplicate, like redundant, or is one showing different? Right. So unfortunately US customs broke our other monitors. So I would have one in front of me as well. But yeah, each the pilot, the co-pilot would have their own screens. They can actually change what's on them independently.

This is the standby instrument. Okay. So if we lose all power, all engines, this will still work. Okay. So we'll still fly.
You've got the same kind of information, the very basic information you need to fly the aircraft on that. Okay.

What about, so we covered this one, we covered switching. This is radio nav, it looks like. Yeah. So pretty much actually this is how you program an aircraft. It's called the MCDU. It does a variety of different things. So we can bring up how we would configure our flight plans. If we want to, as we're about to do now, follow a particular radio beacon to an aircraft, that's how we would configure it. But the MCDU, it's a multi-configuration display unit. So interfaces with lots of different things. And this is how you would fly. So each, the pilot and co-pilot will have their own and they would have different settings on their different phases of the flight.

Can you run me through some of these other ones too? Yeah. So we've got radios on both sides. Again, for redundancy, there's one for each side. We've got how you would want to interact with the radios because you can actually have three VHF radios, a HF radio, variety of things on here. You actually have the active frequency, the people that we're talking to currently. And we often kind of know who we're going to speak to next. So we would configure up the standby and then you can just use the button to switch. Okay. So when you leave an airport, for example, you take off, you're just speaking to the ground or whatever, but then there'll be a departure frequency. So we'll have that set up and then they'll tell us to, as we've taken off, contact departures, push the button and then we can contact them straight away.

Now, so much of this obviously is like pre-programmed and things like that. Is any of this networked, like connected in a way where an external entity can connect into it? Or is it closed loop? Not so much. So aircraft are split into three domains, a bit like DMZ. You've got a flight services domain and that is anything that is critical to flight. And that's pretty much isolated.
You've got a passenger domain, people at the back, we don't trust them at all. So they can connect to Wi-Fi, they can look at the IFE, but that's pretty much segregated away. You've got an intermediate information services domain and that's stuff that's nice to have, but if it stops working, then the aircraft isn't going to fall out of the sky.

So a lot of the attacks which you had mentioned, the vulnerabilities which are a little too busy where everyone just wants to fly it, those vulnerabilities, the way you would attack those would be physical, like plugging a console port in or plugging into the system. Yeah, so there are maintenance terminals and things in the cockpit, but for commercial transport anyway, everything is physically secured. There's an armored bulletproof door, things at airside at an airport. So the things that we're interested in are the electronic flight bags, the iPads, that the pilots take home with them. And we know from speaking to pilots that they're often given to their kids to watch Netflix on. So it's the hardening of the flight bags that are the issues that we feel. And if someone is able to tamper with the way that these apps create this performance data, then that's the issue that you can get.

So pilot has an iPad, it brings it home, someone malicious grabs it, edits it, then they bring it back. Do they get plugged in somehow or they're not supposed to? Typically they're not plugged into the aircraft, but they use them to calculate performance data which is then used by the aircraft. So if I can modify that information that they get out, also a lot of pilots, they stay at the same hotels, they lay over at exactly the same places. You have to update the data on your iPad every four weeks around an AIRAC cycle. So if I know where you are, I know you're on a dodgy hotel Wi-Fi and you've got to update your iPad, then there's an opportunity there to sit in the middle and modify that data.
So the piece I'm missing is you, you've modified the data, they bring it into the cockpit. Do they manually look at that data and then input it, or is there like if they plug it in and it uploads it? Yeah, so currently most aircraft, it would be a manual entry. So they would calculate those V speeds, then they would go into the MCDU and they would configure those speeds on the aircraft or the flex temp. However, we're starting to see connections from portable EFBs into the aircraft. The idea is that you reduce the risk of transposition error because you can just download it straight into the flight management system. But obviously there's now an increased risk that we can start to push data onto the FMS because there is some connectivity. Okay. You still have to accept it. I can't just push it and then have the aircraft do something. A human still has to review what has arrived on the MCDU and then accept it.

I'd imagine there's a whole other level also of like that's pushing data down expected data. So if I can figure it in expected data, but these systems probably, I'm guessing, aren't built for, we'll say, unexpected data, which would be if I start doing protocol fuzzing. Like how does the data get down? I'm guessing it's just a SDR or some Telnet port or something. Sometimes there's Wi-Fi, but there are very specific ARINC protocols that govern data load and data transfer. They are very prescriptive. Okay. So I would not imagine that fuzzing will work particularly well against them, but I think that's an interesting area for exploration. I don't really know the answer, but I wouldn't expect that to be a problem.

All right. Last question before I know we get to flying is, this is fascinating to me. One of the things I was thinking about is the use of transposition errors. If that data would be modified, would it be clear to a pilot to be able to go, oh, that number looks off? Right.
Or is it more, you're using a device because it's hard to calculate in your head. So would you be able to do that with a pilot? Again, I know pilots are going flight after flight after flight after flight. All the numbers probably get like a little garbled up.

I mean, I think that there's two things. One is that you've got two really highly trained pilots who are trained to deal with unexpected situations. So things that don't pan out the way that you're expected. They're designed to deal with that. So that thing, that's a really important thing. You've always got two humans in the loop who can, even if things aren't right, they'll be able to recover. And crashes are mercifully rare, right? But we do know that there are crash reports where people have used the wrong information in their performance calculations and gone off the end of the runway or rotated too soon and tail strike and things like that. I think that's a really positive thing in the aviation industry, in that we learn from our mistakes, we publish what went wrong so that other people can learn from that and avoid the same mistake again.

But coming back to transposition errors, if it was two numbers, what round, I mean, and they were very close to each other, would you necessarily notice that? Possibly not. I know for me, obviously, all of this is a different language to me, so I wouldn't be able to, but I could see a pilot. If it's a close error, if my calculation for, you know, my runway distance should be something like three and a half thousand meters, but my app tells me it's 900 meters, I'm probably going to notice that just by looking out the window. Okay. It's not under a kilometer long. So that might give me an inclination, but I think the issue is these corner cases. So in aerospace, we call it hot, high, and heavy.
So if we're very high altitude, where it's warm, the air is thin, we're carrying a lot of weight, and we're right on the margin of performance where we need every single centimeter of runway to get off safely, that's when potential issues occur. It's not like, you know, if we've got a 10,000 meter long runway, who cares?

Yeah, there's so much to think about because I'm turning over attack paths and things like that, but we talk about this forever. Let's jump on then. Yep. Okay. So what I'll do is I'll set the aircraft up and I'll run through the briefing, and then you can have a go at landing. That sounds great.

Okay. So give me one second. So what I've done is I've set us up for a landing on two seven right. So I'll right hand run right here. And the aircraft is actually going to fly itself all the way. So it's on the instrument landing system. So we would follow this imaginary glide slope to the ground. In fact, this aircraft will do a full auto land. It will fly to the runway, flare, roll out, brake, even turn off automatically if that's what we wanted it to do. That's the kind of thing you would need in really poor weather. But what we're going to do is get you to fly the last bit.

So as a quick question, you had mentioned that's what would happen in really bad weather. You'd use the autopilot in bad weather. Yeah. That feels like it would be reversed in my mind, that you would use the autopilot in good weather and bad weather, I would have to take manual controls. Well, we have categories of landing one, two, three. And categories one and two require the pilot to still make a visual landing. And that requires them to drop out of cloud and see the runway. A cat three landing means the cloud is at the floor, there's fog, you're not going to be able to see the runway in time. So the only way to do it is let the aircraft deal with it. Okay.

So in your case, if you've never flown before, never fly, is what we're going to use. Don't move it just yet.
But what you want to do is keep these purple diamonds in the middle of these yellow ticks here. So at the moment they're centered. Okay. They're left and right of the runway, and above and below this imaginary glideslope in the sky. Okay. The other thing that's really important to you is the descent rate. Want to keep that around seven to eight hundred feet per minute. So roughly what it is now. So everything else is automatic, the throttles, trim, everything else is set and ready to go. So when you're ready, about a thousand feet, it's your aircraft.

Oh boy. So I would say that small inputs go a really long way. You don't need to make too big adjustments. Keep looking out, look in, look out, don't get too fixated on the inside. Yeah. Right as you said that, I realize I'm staring down here and I haven't even looked where I'm going. Flying instructor tells me the same, right? So we're quite close. I'm sitting in a simulation. Why is my heart beating so fast? Oh gosh. Am I going the wrong way? Oh gosh. You're a little bit high, but it's okay. It's a really long runway, don't worry. Push forwards, push forwards. Oh, push forward. Oh gosh. Oh gosh. Oh gosh. So I think I'll do the throttles for you. I think I've lost the diamond. Oh gosh. There we go. We've got reverse as well and I'll brake for you. Okay.

At one point I completely lost the diamond on this side. As you get closer, because it's a radio beam, you know, the angle will start to get much larger. Oh okay. I was totally expecting to crash there when I saw the diamond just completely start shooting down. Nice job. Great landing. I mean, I'll give you a flight. I could have threw it. I haven't got one, but you can get a flight tag. Nice landing. Well done. Thank you so much. This is incredible. It's funny. As you're approaching and things like that, you hear this thing low landing, up landing and I'm sitting here going, oh crap, what do I do?
I see the diamond shoot down and then you're saying that's radio waves. There's a lot of information on the flight display to take in, but pilots are trained to just at a glance get what they need. And I'm laughing because all I'm focused on is, all right, keep these diamonds inside the lane. And all of a sudden you're like, I got the thrusters. I have the brake and I'm thinking, like, oh gosh, like I can, at this point, I think I can handle driving a car, this, I think I maybe need some more training. Well, that's what they're trying for a long time, a thousand hours, isn't it? That's a lot.

Thank you so much. This is so cool. Thanks for bringing this. Thank you for going through the explanation with us. Thank you for watching and as always, hack on.