This writeup may seem a little cold and mechanical to some people, in the aftermath of the atrocity in New York this past week. I am as distraught as anyone that someone thought it would be a good idea to kill thousands of innocent people. But when tragedy strikes, I tend to dwell on solutions, rather than on the tragedy itself - that's just who I am. So if this offends you in any way, I apologize, but I feel the need to get these ideas out.

On Tuesday, September 11, 2001, it became painfully aware that passenger airplanes, especially those in the United States, are extremely susceptible to hijacking. Ironically, a friend and I were discussing this very subject, a little over a month ago: "Why do terrorists hijack airplanes, and why are airplanes so susceptible to hijacking?"

Why do they hijack airplanes? Several reasons:

  • Once they are in the air, there is (essentially) no way for anyone outside of the airplane to give any resistance to the hijackers.
  • Planes are typically worth between 50 and 100 million dollars - not bad for a few days' work. (If you can find someone to take it off your hands, that is...)
  • If you can take control of the right kind of plane, you can fly to virtually any destination in the world
  • Planes are usually filled with a large number of generally docile civilians, who make good hostages.
  • If you want to inflict a large amount of damage to a structure, with a minimum financial cost to yourself, and don't mind dying in the process, crashing a plane is apparently an effective way to do it.

Why are airplanes so susceptible to hijacking? In a typical scenario, a terrorist armed with some high-damage-potential weapon (a bomb, a gun) gets control of the plane's cabin, and once that is under control, proceeds to coerce the pilots in the cockpit of the plane to either surrender control of the plane, or to direct the plane according to the instructions of the hijackers. Now, there are three main ways to gain control of the cockpit:

  • Kill the pilots, seize control. This is only effective if you are on a suicide mission and don't care about skilled flying, as was the case in the World Trade Center attack, or if one of the hijackers is a skilled passenger-airplane pilot.
  • Coerce the pilots to fly where you want, by threatening their lives directly. Most people won't say "no" to pretty much anything you demand (except for something like "fly into that building over there"), if they have a gun to their head, or a knife to their throat, so this is a pretty common way of doing things.
  • Coerce the pilots to fly where you want, by threatening the lives of their passengers. Unless they are totally heartless, people will comply in order to save someone else's life.

Ok, so how do you counteract all of these methods of taking control? Clearly the planes currently being used in the United States have little innate defense against hijacking. No, a lockable, flimsy door between the cabin and cockpit does not count. If you have been watching the news for past few days, you will have heard members of the media decrying the pitifulness of these doors.

However, their proposals as to what should be done about it are almost as lame as what we have now. So far I have heard:

  • Do as the Israeli airline does, add armed guards at the door? Well, that would probably help, but the problem is still present: the guards, like the rest of the crew, can be overpowered, killed, etc.
  • Beef up the door's strength. Well, the fact is that flight attendants all carry the keys to the door, and are in the vulnerable cabin means that no matter how strong the door is, either side can open it. Even if you remove the keys, a door is a door, and unless it is a bank vault, it's going to be fairly easy to open, with the appropriate application of brute force and ignorance. Also, even if only openable from the inside, hijackers can always lure pilots out by threatening or killing passengers.1,
  • Arm the pilots.2 Allow passengers to carry guns onto the plane. While I would support both of these, and they certainly would help, they have nothing to do with the design of the plane, and they just lower the probability of a succesful hijacking, they do not eliminate it. Current political attitudes toward gun control in the US are not conducive to this anyway, so it's probably not feasible...

What I have not heard, but I have now discussed with several people (my roommates, some friends), are two sets of design changes. According to the roommate I discussed this with the most, he had thought of similar ideas, also a few weeks ago. They're not terribly complex or unreasonable ideas, so I would have expected for someone to think of them before, however, searching the Web, and listening to the news, I haven't found anything like this. (Perhaps some Boeing engineers have already had these ideas and been forced by management to abandon them? Who knows? And far be it from me to accuse "management" of pooh-poohing good ideas...)

The first, and most easily-implementable via retrofitting is this:

  • Remove the door between the cabin and cockpit, and replace it with a bulkhead, so that it is not possible to access one from the other. Pilots would enter through one entrance, passengers through their own. With no way to get to the cockpit from the cabin the first two methods of taking control of the airplane (killing the pilots, holding a gun to the pilots' heads) are negated due to physical impossibility. The third (using hostages to coerce the pilots) is still viable, which brings us to the next point:
  • Remove all ability for the cabin to communicate with the cockpit, except for a button that tells the cockpit "There is an emergency situation in the cabin, please land the plane immediately". Since that is really the only thing a pilot can reasonably do in an emergency during a flight anyway, it makes sense that that is all the cabin should be able to communicate to the cockpit. Of course, the cockpit should still be allowed to talk to the cabin - "We are now cruising at an altitude of thirty thousand feet", and such. With this measure in place, the third and only remaining cockpit-takeover-option, "threaten the cabin members to coerce the pilots" is no longer possible, since there's no way for the pilots to actually know that such a threat is being made...

The second approach is similar to the first, but quite a lot harder to implement, mainly because it would require a lot more engineering than is required for a bulkhead and an external door...

  • As in the first situation, remove the ability for the cabin to talk to the pilots.
  • Take the pilot-passenger separation to a new extreme: remove the pilots from the airplane entirely, and fly via remote control! More specifically, instead of having a cockpit with instruments and controls, send a signal to a ground-based flight simulator, which houses the pilot.*
If that last step seems somewhat outrageous, let me point out why it really isn't:
  • Modern passenger aircraft are flown largely by instrumentation these days anyway (in fact, pilots are trained to be able to fly and land in zero visibility, using only the instrument panel). The ability to actually "be there" to see what's going on outside is quite unnecessary, and could be quite effectively replaced by having external video cameras.
  • Large commercial aircraft are not very manouevrable - everything in smooth, slow movements - so any latency introduced in the process of getting signals between the pilot on the ground and the plane in the air is more-or-less masked by the latency inherent in controlling the aircraft itself.
  • Control and instrumentation information would have to be transferred over a secure channel, of course, possibly with a one time pad, possibly with public key encryption, but whatever it is, it would have to be strong encryption. Otherwise, it would be extremely vulnerable to being cracked. Well, to be able to overide an existing connection would require a lot of radio power - power which would be very traceable to the source, and breaking strong encryption is, well, "hard". So while it's an issue, it isn't an insurmountable one. The other vulnerability is signal jamming - this is easily handled though, since any jamming signal can, by nature if it being intensely strong, be traced to its source and stopped, extremely quickly - this applies even more than in the overriding-signal attack. In any case, during a jamming attack, the autopilot can do its thing, until the jamming signal stops, or enough distance is put between the jamming signal and the plane is enough that the real control signal can get through.3
  • It has already been done, and reliably - the Predator, Pioneer, Hunter, and Outrider are all examples of remote-controlled aircraft ("Unmanned Arial Vehicles", or "UAVs") in military use.

So why would you go to these lengths to hijack-proof a plane? Well, ask yourself this: if hijackers are no longer able to take over an airplane, why would they try? Answer: "They wouldn't."

I hope the next plane I fly in is hijack-proof. (If anyone out there works at an aircraft manufacturer, or knows someone who does, I'd love it if you suggested these things to them.. I would, but I don't know anyone there.)

*Of note is the fact that this system also provided some other advantages: pilots can work in shifts, if they get tired, they can be replaced, emergencies can be handled by more experienced pilots, instrumentation can be less space-constrained, planes can be lighter, pilots wouldn't be restricted to flying from where they land, or even flying only one plane at once! ... well, you get the picture. That's all for another node, anyway.

1thanks to mr100percent for pointing this out - I was unaware of it, before.

2thanks to X Omniverse for reminding me that I had heard this..

3 Chaboud reminded me of the security considerations of this... I guess they were sort-of handled by the "the military does it" line, but not addressed directly