Blog: Aviation Cyber Security
Schiphol hijack false alarm. An insiders view of what happened
I had the misfortune of being at Schiphol last night as this unfolded:
https://www.bbc.co.uk/news/world-europe-50325887
All ended well, delayed by about an hour. Had the incident been real, it could have been much worse.
Here’s what the pilot had to say about it (thanks to @asantosb):
https://twitter.com/asantosb/status/1192199664910688258
Our flight was at D16, the incident flight was directly the other side of the pier:
Initial reports on Twitter suggested a GRIP-3 situation. It was speculated, attributed to airport staff, that a hijack incident was in progress. Special forces and first responders were quickly on site.
There was also confusion around which gate. This could quickly have been determined by looking at ground ADS-B traffic, but I didn’t think about this until after the event was over. Fortunately my colleague Alex did:
It was quickly identified as Air Europa flight UX1094 AMS-MAD.
There was an alert at Utrecht station too, though this was quickly dismissed.
Then this was tweeted. So how did it happen?
All commercial aircraft have transponders. These give air traffic controllers far more precise information than a ‘blob’ on a screen as would be seen in a primary radar return.
Aviation transponders were invented during WWII to help radar operators distinguish friendly and enemy aircraft. The system was known in the US as IFF (identify Friend or Foe) and ‘Parrot’ in the UK.
Incidentally, this is where the term ‘squawk’ comes from – an operator request to the pilot to turn on the transponder was ‘squawk your Parrot’.
Developments allow the pilot to select a numeric transponder code. Most of the airplanes I learned on had simply rotary knobs, like this:
When selecting the code, one was taught to switch the transponder to ‘standby’ otherwise the controller would have a series of changing codes displayed on their screen.
Remember this, as it’s relevant to the Schiphol incident.
The ‘Alt’ setting also returned the airplane’s height to the controller. Also known as ‘Mode C’ – this is very useful around controlled airspace, which rises in ‘steps’. Hence knowing the height of all aircraft is very helpful for avoiding airspace busts.
The transponder interface on the Air Europa A330 would have looked more like this:
Just to the right and aft of the co-pilots trim wheel and the throttle:
The transponder in commercial planes has additional functionality – it integrates with the TCAS – the traffic collision and avoidance system. The rest of the transponder performs essentially the same task as the analogue-wheel version above.
The TCAS side is quite interesting. It provides traffic alerting AND actions for the pilot to take to avoid a crash. That’s the TA (traffic advisory) and RA (resolution advisory) switch on the right. It can be fooled by misreporting transponders in light aircraft, making it think traffic is at the wrong altitude and therefore a potential conflict.
So what went wrong?
Typically, a commercial airliner is given a squawk for its flight:
1200 is actually a special ‘conspicuity’ code in the US that light aircraft transmit even when they are not receiving a radar control service. It’s known as the VFR code, 7000 in the UK.
But, there are emergency codes. The idea being that a pilot can inform ground stations of an issue even if radios aren’t working or they aren’t able to transmit as a result of a threat.
- 7700 – general emergency
- 7600 – lost communications (often a radio failure)
- 7500 – unlawful interference (hijack)
My strong suspicion with the Air Europa flight was that the pilot was explaining the transponder functions to someone, showing how to punch in various codes.
Either through the transponder being set to ‘On’ instead of ‘standby’ during this demo, 7500 was inadvertently broadcast. This triggered a hijack response from the airport.
There’s one other possibility: I believe that ‘auto’ mode is present to ensure that the transponder doesn’t broadcast whilst on the ground. In the past, I’ve heard that transponder returns on the ground can cause issues for the radar operator.
This relies on the undercarriage microswitches working correctly. If those weren’t disabling the transponder correctly, it’s possible that the pilot believed that the transponder wouldn’t return data until he became airborne. I find this unlikely though, as those microswitches affect lots of other functions on the plane too.
Later transponders also support Mode-S which offers additional functionality. The most modern offer EHS, or enhanced surveillance, but that doesn’t really have much bearing on the Schiphol incident. Fat fingers and/or user error will always be a problem!