Month: September 2019

The two 737 MAX crashes that killed 346 people and led to what is, so far, a six-month grounding of the jet, stemmed in part from Boeing’s failure to accurately anticipate how pilots would respond to a malfunctioning feature that pointed the jets toward the ground. That’s the key finding from a report the National Transportation Safety Board published Thursday, which included a series of recommendations to the Federal Aviation Administration. The NTSB advised the regulator to have Boeing consider how 737 MAX pilots would handle not just problems with the MCAS system alone, but how they respond to multiple simultaneous alerts and indicators. In short, the NTSB says Boeing was wrong to assume pilots would respond correctly to the problem that ended up killing them.

The crashes of Lion Air Flight 610, in October 2018, and Ethiopian Airlines Flight 302, in March, stemmed from a feature Boeing designed to prevent stalls. In both cases, the Maneuvering Characteristics Augmentation System, or MCAS, activated in response to a false reading from a faulty angle of attack sensor. The pilots fought to counteract the system, which pushed the nose of the plane down, but ultimately failed.

When Boeing tested what would happen if the MCAS malfunctioned, it didn’t account for other elements. The Lion Air and Ethiopian pilots on the doomed planes dealt with a cascade of problems and warnings: Their control sticks shook. Various alarms sounded. When the pilots retracted the flaps, the plane’s downward push required extra force to keep the jet aloft. The result: Their reactions “did not match [Boeing’s] assumptions,” the NTSB found. “An aircraft system should be designed such that the consequences of any human error are limited.”

The FAA hasn’t said whether it will adopt the recommendations of the NTSB, which has no regulatory or enforcement power. And this is far from the end of the 737 MAX saga: Boeing and the FAA are still negotiating a fix to the plane’s software, and congressional, international, and criminal investigations into the crashes are ongoing.

But as its title—“Assumptions Used in the Safety Assessment Process and the Effects of Multiple Alerts and Indications on Pilot Performance”—indicates, the NTSB report is about more than one troubled jet, one feature, one company, or even one country. The safety board wants the FAA to apply this sort of thinking to all the planes it certifies. And it hopes the agency will encourage its peers around the world to do the same. That’s because the report is all about the question at the core of modern aviation safety: How to ensure that pilots can work with the computers that have taken on more of the work in the cockpit. It’s about a field of study called “human factors.”

“The field of aviation has been the cradle of human factors, and its biggest beneficiary,” says Najmedin Meshkati, who studies the field at the University of Southern California. Where ergonomics and biomechanics center on physical responses, human factors tends to center on the gray stuff packed into their skulls. It matters in fields from self-driving cars to coal mines—anywhere people interact with machines. It’s long been a major focus in aviation because so many crashes trace back to pilots’ failure to understand what the plane’s myriad and complex systems are doing, why, or how to influence them. “Whenever you have a human error, and the consequence isn’t immediately noticeable or reversible, human factors is important,” Meshkati says.

That’s often the case in aviation—and the error doesn’t always come from the human. The rising use of automation in aviation has produced major safety and practical benefits, but also distanced humans from the workings of the planes they’re commanding. Meshkati draws a distinction between decision making and problem solving. The former is usually routine and procedure-based, like using your altitude, airspeed, and heading to calculate a landing path. Computers are very good at this. Problem solving comes in when some combination of factors means the procedures don’t work, when a person needs to absorb information and devise a new formula that will keep them safe. This is where humanity has the edge, but hardly a guaranteed victory.

According to the NTSB report, Boeing counted on pilots following a procedure that would get them out of a situation where MCAS malfunctioned. But Lion Air 610 and Ethiopian 302 demanded problem solving: Each set of pilots was fighting a plane that wanted to dive, while considering a cascade of malfunctions and signals. Better human factor thinking, Meshkati says, would have required less, or easier, problem solving. It could have produced a procedure that fit the actual conditions of the flights, allowing for good old decision making.

Of course, the FAA has other things to consider. The NTSB’s recommendations are “absolutely valid,” says Clint Balog, a flight test pilot and human factors expert with the College of Aeronautics at Embry-Riddle University. But, he says, the safety agency trends toward idealism. “The FAA has to consider, what is realistic testing?” If airplane makers had to test for every possible combination of malfunctions and cockpit alarms, they’d never get another plane certified, he says. Not all pilots are equally skilled, by virtue of their natural talent, training, or experience. It doesn’t make sense, Balog says, to design for the worst of the bunch—or the best. Cockpits as physical spaces, he points out, are designed for pilots of many shapes and sizes. But designers had to settle on limits on who can sit comfortably or reach every control. “We’ve got to figure out how to do the same thing for cognitive capability,” Balog says.

This story first appeared on wired.com.

Often, when new iOS jailbreaks become public, the event is bittersweet. The exploit allowing people to bypass restrictions Apple puts into the mobile operating system allows hobbyists and researchers to customize their devices and gain valuable insights that may be peeking under the covers. That benefit is countered by the threat that the same jailbreak will give hackers a new way to install malware or unlock iPhones that are lost, stolen, or confiscated by unscrupulous authorities.

Friday saw the release of Checkm8. Unlike just about every jailbreak exploit released in the past nine years, it targets the iOS bootrom, which contains the very first code that’s executed when an iDevice is turned on. Because the bootrom is contained in read-only memory inside a chip, jailbreak vulnerabilities that reside there can’t be patched.

Checkm8 was developed by a hacker who uses the handle axi0mX. He’s the developer of another jailbreak-enabling exploit called alloc8 that was released in 2017. Because it was the first known iOS bootrom exploit in seven years, it was of intense interest to researchers, but it worked only on the iPhone 3GS, which was seven years old by the time alloc8 went public. The limitation gave the exploit little practical application.

Checkm8 is different. It works on 11 generations of iPhones, from the 4S to the X. While it doesn’t work on newer devices, Checkm8 can jailbreak hundreds of millions of devices in use today. And because the bootrom can’t be updated after the device is manufactured, Checkm8 will be able to jailbreak in perpetuity.

I wanted to learn how Checkm8 will shape the iPhone experience—particularly as it relates to security—so I spoke at length with axi0mX on Friday. Thomas Reed, director of Mac offerings at security firm Malwarebytes, joined me. The takeaways from the long-ranging interview are:

• Checkm8 requires physical access to the phone. It can’t be remotely executed, even if combined with other exploits
• The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
• Checkm8 doesn’t bypass the protections offered by the Secure Enclave and Touch ID.
• All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don’t have the unlock PIN, to access the data stored on it.
• Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.

Read on to find out, in axi0mX’s own words, why he believes this is the case:

Dan Goodin: Can we start with the broad details? Can you describe at a high level what Checkm8 is, or what it is not?

axi0mX: It is an exploit, and that means it can get around the protection that Apple built into the bootrom of most recent iPhones and iPads. It can compromise it so that you can execute any code at the bootrom level that you want. That is something that used to be common years ago, during the days of the first iPhone and iPhone 3G and iPhone 4. There were bootrom exploits [then] so that people could jailbreak their phone through the bootrom and that later would not be possible.

The last bootrom exploit that was released was for iPhone 4 back in 2010, I believe by Geohot. After that, it was not possible to exploit an iPhone at this level. All the jailbreaks [that] were done later on [happened] once the operating system boots. The reason that bootrom is special is it’s part of the chip that Apple made for the phone. So whatever code is put there in the factory is going to be there for the rest of its life. So if there is any vulnerability inside the bootrom, it cannot be patched.

Persistence and Secure Enclave

DG: When we talk about things that aren’t patchable, we’re talking about the bug. What about the change to the device itself? Is that permanent, or once the phone is rebooted, does it go back to its original state?

A: This exploit works only in memory, so it doesn’t have anything that persists after reboot. Once you reboot the phone… then your phone is back to an unexploited state. That doesn’t mean that you can’t do other things because you have full control of the device that would modify things. But the exploit itself does not actually perform any changes. It’s all until you reboot the device.

DG: In a scenario where either police or a thief obtains a vulnerable phone but doesn’t have an unlock PIN, are they going to be helped in any way by this exploit? Does this exploit allow them to access parts of this phone or do things with this phone that they couldn’t otherwise do?

A: The answer is “It depends.” Before Apple introduced the Secure Enclave and Touch ID in 2013, you didn’t have advanced security protections. So, for example, the [San Bernardino gun man’s] phone that was famously unlocked [by the FBI]—the iPhone 5c— that didn’t have Secure Enclave. So in that case, this vulnerability would allow you to very quickly get the PIN and get access to all the data. But for pretty much all current phones, from iPhone 6 to iPhone 8, there is a Secure Enclave that protects your data if you don’t have the PIN.

My exploit does not affect the Secure Enclave at all. It only allows you to get code execution on the device. It doesn’t help you boot towards the PIN because that is protected by a separate system. But for older devices, which have been deprecated for a while now, for those devices like the iPhone 5, there is not a separate system, so in that case you could be able to [access data] quickly [without an unlock PIN].

DG: So this exploit isn’t going to be of much benefit to a person who has that device [with Secure Enclave] but does not have the PIN, right?

A: If by benefit you mean accessing your data, then yes, that is correct. But it’s still possible they might have other goals than accessing your data, and in that case, it’s possible they would get some benefit.

DG: Are you talking about creating some sort of backdoor that once the owner puts in a PIN it would get sent to the attacker, or a scenario like that?

A: If, say, for example, you leave your phone in a hotel room, it’s possible that someone did something to your phone that causes it to send all of the information to some bad actor’s computer.

DG: And that would happen after the legitimate owner returned and entered their PIN?

A: Yes, but that’s not really a scenario that I would worry much about, because attackers at that level… would be more likely to get you to go to a bad webpage or connect to a bad Wi-Fi hotspot in a remote exploit scenario. Attackers don’t like to be close. They want to be in the distance and hidden.

In this case [involving Checkm8], they would have to physically hold your device in their hand and would have to connect a cable to it. It requires access that most attackers would like to avoid.

A nonprofit organization that provides free online access to broadcast TV stations has accused TV networks of colluding to limit access to those channels.

The nonprofit that runs Locast, the free TV service, made the allegations in an answer to a lawsuit filed by ABC, CBS, Fox, and NBC. The networks alleged in July that Locast is violating their copyrights and are seeking a permanent injunction to shut the TV service down. The Locast operator filed its answer to the TV networks’ complaint yesterday and tried to turn the tables by making several counterclaims against the TV networks.

“Plaintiffs have colluded to limit the reasonable public access to the over-the-air signals that they are statutorily required to make available for free,” Locast’s court filing says. “[The networks] have opted instead to use their copyrights improperly to construct and protect a pay-TV model that forces consumers to forgo over-the-air programming or to pay cable, satellite, and online providers for access to programming that was intended to be free.”

Locast cites nonprofit exemption

While broadcast TV networks are available for free over the air with an antenna, the networks reportedly collected $10.1 billion in 2018 via retransmission fees they charge TV providers for the right to carry those channels. The networks want to shut Locast down because free, widespread availability of their channels over the Internet would threaten their retransmission business.

The TV networks’ lawsuit was filed in US District Court for the Southern District of New York against Sports Fans Coalition New York (SFCNY), the nonprofit that operates Locast, and SFCNY founder David Goodfriend.

Locast, available in 13 US markets so far, retransmits local broadcast signals via an online streaming service and detects users’ locations so that each channel’s stream is available only in the local broadcast area. SFCNY argued in its court filing that US copyright law “unambiguously states that retransmissions by non-profit entities do not constitute copyright infringement.” Specifically, the law says that secondary transmissions are not copyright infringements if they are made by a “nonprofit organization, without any purpose of direct or indirect commercial advantage.”

Locast doesn’t charge users for its service but solicits donations to pay for its operation.

Locast: TV networks limit reach of channels

The TV networks have deliberately made it difficult to access their channels over the air despite the US government granting them “free licenses to portions of the limited, publicly owned broadcast spectrum,” SFCNY alleged.

“The broadcasters have colluded to limit practical access to the over-the-air signals by broadcasting signals that they know are of insufficient strength to be accessed by all members of the public within the relevant local geographic areas,” SFCNY wrote. The networks thus are not fulfilling their spectrum-license requirement “to operate in the public interest,” SFCNY wrote.

The SFCNY/Locast filing continued:

This failure has led to poor quality over-the-air transmissions in many markets, forcing consumers to pay for video services that include local or national television programming, including: (i) through cable or satellite providers; (ii) online through the cable or satellite providers’ authenticated video services; (iii) over-the-top streaming services offered by the broadcasters for a monthly fee (e.g., CBS All Access); or (iv) virtual pay-TV providers (e.g., YouTubeTV).

SFCNY claims that broadcasters “intentionally purchase low-end equipment even though other equipment is available for sale that could provide better over-the-air coverage,” but doesn’t seem to have direct evidence for this claim. The filing says that Goodfriend got this information “from a major market participant” who had in turn been given the information “by vendors of transmitter equipment.”

SFCNY also wrote that networks have prohibited their local broadcast affiliates from providing online streaming of over-the-air live television broadcasts, the court filing said.

No Locast on YouTube TV

TV networks have also pressured TV providers to avoid partnering with Locast, according to Locast’s filing. For example, when Locast met with senior executives at YouTube TV in April 2019, “the executives indicated that they had been told that if YouTube TV provides access to Locast, then YouTube TV will be punished by the Big 4 broadcasters in negotiating carriage agreements for other non-broadcast programming channels,” SFCNY’s court filing said.

Pay-TV providers have complained about the high cost of retransmitting broadcast TV channels and could benefit from an expansion of Locast service. Locast received a $500,000 donation from AT&T but says the TV networks pressured others to refrain from donating.

In addition to filing “a sham copyright infringement claim” against Locast, networks have been “threatening business retaliation and baseless legal claims against any current or prospective donors, supporters, or business partners of Counterclaim-Plaintiffs,” Locast claimed. Cable company RCN “committed to donating $750,000 to SFCNY” but later decided not to because of “intimidation from the broadcasters,” SFCNY claimed.

The TV networks argue that Locast isn’t eligible for the nonprofit exemption under copyright law because it has “commercial purposes.” The networks’ evidence for this is AT&T’s $500,000 donation and the fact that Goodfriend is a paid lobbyist for Dish. SFCNY says it hasn’t received any funding from Dish.

SFCNY accuses the TV networks of conspiracy in restraint of trade and other violations of competition laws and seeks financial damages and an injunction that would prevent the networks from continuing their copyright infringement lawsuit. “Plaintiffs’ litigation is meant to intimidate Defendants into shuttering the Locast service—and should that strategy not work, to bury Defendants under costly and needless litigation,” SFCNY wrote.

The law firm representing broadcast networks in the case contacted Ars with the following statement responding to the Locast filing:

Locast’s filing only confirms that it has no answer for its industrial scale violations of the law. Sixteen million households receive broadcast television free over the air, which represents a nearly 50 percent increase in the last eight years. Locast does nothing for those households; it serves the interests of its pay-TV patrons, who have provided Locast and its founder with hundreds of thousands of dollars in lobbying fees, donations and nationwide distribution on certain pay-TV platforms. We trust the courts to see right through this façade and recognize Locast for what it is—not a public service organization, but a creature of certain pay-TV interests with an entirely commercial agenda.