October 21st, 2014

Wireless USB makes airplanes disappear

Wireless USB, the USB consortium’s solution to the rat’s nest of wires found behind a typical PC, has been in the news a lot lately as products begin to roll out. Wireless USB uses a technology known as ultra wideband, or UWB, to get the 480 MBits/sec of throughput required by the top tier of the spec, and it seems to have some problems.Plane crash

NASA’s Langely Research Center did some testing with United Airlines on a 737 way back in 2002 to see if UWB transmitters could interfere with the aircraft’s electronics. After setting up the test rig and testing some of the cockpit units with no effect, they tried the TCAS unit with these results:

The “ATC Fail” indicator lamp on the cockpit display panel illuminated, and airplane targets disappeared from the TCAS display when the UWB signal source was turned ON.

You’re probably wondering what the TCAS display is. Well, in layman’s terms, the TCAS computer is the thing that keeps the pilot from crashing into other planes. There’s a little picture of your plane, and little pictures showing you where the other planes are, and just like in Tron, when the two players touch it’s very very bad. When the RF testing group says things like “airplane targets disappeared from the TCAS display,” so the pilot suddenly is unaware of the other planes, it gives the manufacturer’s insurer a serious case of the heebie-jeebies.

This kind of evidence muddies the waters in the binary blob debate the OpenBSD folks are having with the wireless vendors. Implementing 802.11 is hard, really hard. There’s all these timers and responses you have to give while connected to a BSS, and having the host processor do all of it can suck up quite a few cycles. So, most of the wireless chipset vendors decided to do it using firmware and a coprocessor (the so-called “hard MAC” approach), which means the guts of the radio become fair game for hackers.

Now, when hackers start screwing around with the inner workings of things like software controlled radios, they can make it do some pretty bizarre things. Some of these things may or may not be FCC compliant, so the wireless chipset vendors get kind of nervous when the OpenBSD guys start doing things like publishing reverse engineered specs for the baseband MAC in Intel’s wireless chipset. Say, for example, that we were using those specs to do some WEP cracking on an international flight. If the frame injector was talking to the radio using custom firmware, and the radio started emitting things that the airplane’s electronics didn’t like, then there’s no end to the bad things that could happen to the airplane.

Leave a Response

Imhotep theme designed by Chris Lin. Proudly powered by Wordpress.
XHTML | CSS | RSS | Comments RSS