MRCA Discussion - October 2, 2010

[VinodTK]

India’s MMRCA contract may force defence offsets policy change

“The 50% offsets for the MMRCA cannot be fulfilled under the present policy of direct offsets”, said the industry source pointing out that international vendors have a pool of just about 160 companies including 9 government-owned firms to choose from as potential offset partners. From the private companies, only those which have been granted an industrial licence to manufacture a particular defence equipment or system can be partnered with.

[Indranil]

The Hunt for the Kill Switch
Don't expect IEEE to accuse US or Israel Openly

Thank you. I have spent some of my years behind computer architecture. The ways of corrupting the processor circuitry as discussed in the paper are completely valid and is actually quite well known in academic circles.

One can certainly program an ASIC to fail much faster than its design life or at a random time (though it is economically very very expensive to build such customized chips, in the millions) . But to make it fail or grant a "backdoor" when we want it would require us to convey the message across to the circuitry. Thus the article mostly speaks of routers. Even the Syrian attack seems to be a network attack where the Gulf Stream systems hacked into the network and hopped from network to network till it got to the actual place. This was accompanied by ground-based network attack. In both these cases there is a medium to speak to the machinery.

The following is the source of the IEEE reference on the Syrian bombing.
Israel Shows Electronic Prowess

I am thinking of how could this kind of mechanism be put on board a small fighter jet. How will they hide the antenna? And how should we make this real time for a flying object which can be in an area of thousands of square kilometres. In this regard the following is interesting.

According to a U.S. defense contractor who spoke on condition of anonymity, a ”European chip maker” recently built into its microprocessors a kill switch that could be accessed remotely. French defense contractors have used the chips in military equipment, the contractor told IEEE Spectrum. If in the future the equipment fell into hostile hands, ”the French wanted a way to disable that circuit,” he said.

.
I don't know what kind of device this is. I wouldn't like to speculate either. Let me try to get some information on this (although it seems very very unlikely that I will find any).

None the less thanks a lot for a good read.

Meanwhile we can ponder on a communication channel to the F-16/F-18 or its armament to act out of place. This has to be done without adding any hardware.

[Indranil]

On a side note the US is more worried about its own security ... The chips they use are not built in USA ... I had heard about the Trust in IC program amongst some friends ... hadn't given much thought then. That program is to safeguard themselves because they have to build systems around consumer chips.

I have some knowledge in this field and find this an incredibly intriguing and difficult problem to solve.

[Luxtor]

Yeeeeahhhh!!! Thomas to the rescue. Thanks for posting that article. Frankly, I didn't need to read such an article to imagine that such a thing as a "kill switch" may exist but apparently other people do need to read it to realize it. But I'm going to read it because it looks very interesting. Despite this thread being acrimonious for the last two pages because of the kill switch controversy, we did advance the discussion to this point, which is a good thing. But when a member takes things personally and launches personal attacks on other members with such comments as do you know this or that, have you read this or that, refrain from guessing, ...what is your expertise etc then the discussion degenerates and does not serve to advance knowledge.

[Kartik]

Not directly related to MRCA, but this is the first time that an article has been written about it. BRF of course has had discussions or at least inferences to this type of behaviour for gaining a lobby in India. Of course, the writer is the much maligned Rahul Bedi.

article link

[Surya]

I used to say I liked the Gripen

Still like it but if the Swedes behave like this for Wikileaks then what faith would I have in them for the Gripen.

I might as well depend directly on the source and get some traction

[Thomas Kolarek]

On the line of kill switch discussions, interested reader should read about Stuxnet which modifies code on Siemen PLCs - Dragons, Tigers, Pearls, and Yellowcake: 4 Stuxnet Targeting Scenarios by Jeffrey Carr. Jeffrey Carr advised Indian govt. on Stuxnet attack very recently.
You can see a sample demo by Symantec of how this Stuxnet attacks PLC's (this demo is on industrial scale, use your imagination on military level attack)

Wonder if India's RAW has similar Unit8200 like Israel and US.

[Craig Alpert]

India has an exceptionally strong SIGINT division, it is COMMINT & HUMINT where it lacks.. The EW is somewhat commendable, but Commint is just plain pathetic..Hopefully RAW and other agencies are already working on strengthening Commint, as Humint is already a work in progress..

[Indranil]

Yeeeeahhhh!!! Thomas to the rescue. Thanks for posting that article. Frankly, I didn't need to read such an article to imagine that such a thing as a "kill switch" may exist but apparently other people do need to read it to realize it. But I'm going to read it because it looks very interesting. Despite this thread being acrimonious for the last two pages because of the kill switch controversy, we did advance the discussion to this point, which is a good thing. But when a member takes things personally and launches personal attacks on other members with such comments as do you know this or that, have you read this or that, refrain from guessing, ...what is your expertise etc then the discussion degenerates and does not serve to advance knowledge.

With all due respect sir, you are yet to specify how are you going to communicate to the circuitry. This from one of my very first post.

One can easily build the switch on the ASIC. But there will be a antennae sticking out of that board to receive the command to switch it off.

.
I didn't want to make any personal attacks. But please go back and read your own posts. And answer one question,is there one data point which you have added? Give a good reason why I shouldn't be caustic about such posts?

[Indranil]

On the line of kill switch discussions, interested reader should read about Stuxnet which modifies code on Siemen PLCs - Dragons, Tigers, Pearls, and Yellowcake: 4 Stuxnet Targeting Scenarios by Jeffrey Carr. Jeffrey Carr advised Indian govt. on Stuxnet attack very recently.
You can see a sample demo by Symantec of how this Stuxnet attacks PLC's (this demo is on industrial scale, use your imagination on military level attack)

Wonder if India's RAW has similar Unit8200 like Israel and US.

Thomas, Nobody here is contending that a switch(software/hardware) can not be made/hidden. Questions are as follows

1. But how does one operate it remotely. All the examples in the last page have an established communication method. How would we communicate with the aircraft/weapon?

2. Getting back to the MMRCA, since most of the microprocessors are coming from US based companies, how is any other plane, less susceptible?

[Raveen]

Yeeeeahhhh!!! Thomas to the rescue. Thanks for posting that article. Frankly, I didn't need to read such an article to imagine that such a thing as a "kill switch" may exist but apparently other people do need to read it to realize it. But I'm going to read it because it looks very interesting. Despite this thread being acrimonious for the last two pages because of the kill switch controversy, we did advance the discussion to this point, which is a good thing. But when a member takes things personally and launches personal attacks on other members with such comments as do you know this or that, have you read this or that, refrain from guessing, ...what is your expertise etc then the discussion degenerates and does not serve to advance knowledge.

With all due respect sir, you are yet to specify how are you going to communicate to the circuitry. This from one of my very first post.

One can easily build the switch on the ASIC. But there will be a antennae sticking out of that board to receive the command to switch it off.

.
I didn't want to make any personal attacks. But please go back and read your own posts. And answer one question,is there one data point which you have added? Give a good reason why I shouldn't be caustic about such posts?

Thank you Indranroy for standing with logic and rational scientific answers on this one, I do not feel like your posts have done anything other than advance the conversation in the right direction over and above noise and emotions, reactions based on hearsay, voodoo science and Rajnikanth. Your contributions are welcome and very appreciated.
I too did not make any personal attacks on anyone...all I am asking my fellow BRFites to do is bring back logic to the discussion and progress it in the right direction...kick the emotions to the curbside.

[Kartik]

Terma (Denmark) and BEL have signed a MoA for cooperation mostly with regard to offsets for the MRCA. Terma is going to supply the Self Protection System for the F-16IN.

article link

The company also is teamed with Lockheed Martin in the Medium Multi-Role Combat Aircraft tender—if the F-16IN wins the competition, Terma will supply the self-protection system.

Possibly for the PIDS+ ? See page 6 of this brochure
and this link for more details

[koti]

I think there is a general consensus now about the possibility of a kill switch now.

But I believe we are looking at the wrong locations. Though hardware Bug(Kill Switch) is a sure shot possibility, there is an even more dangerous and seemingly impossible way to implement a kill switch/Bug. In the software.

The Bugged software can very well use the platforms very own sensors(any one) to receive the fire command or to deliver the ELINT/SIGINT to appropriate sensors.

I believe getting the source code is the only way that this kind of a possibility can be avoided.
And that is completely impossible to get for the teens.

Refer to Star Wars: Attack of the clones to achieve paranoia.

[nike]

Yeeeeahhhh!!! Thomas to the rescue. Thanks for posting that article. Frankly, I didn't need to read such an article to imagine that such a thing as a "kill switch" may exist but apparently other people do need to read it to realize it. But I'm going to read it because it looks very interesting. Despite this thread being acrimonious for the last two pages because of the kill switch controversy, we did advance the discussion to this point, which is a good thing. But when a member takes things personally and launches personal attacks on other members with such comments as do you know this or that, have you read this or that, refrain from guessing, ...what is your expertise etc then the discussion degenerates and does not serve to advance knowledge.

I don't think thread is going acrimonious, instead it's a very healthy discussion, and arguing with logic can't be considered as been taking things personnally .
But I think we are OT

[Indranil]

Koti sir once again, how will you command the software to change behaviour. In software, you will have to ask the control to branch differently at some point than the "normal" execution. From within the software, one can do it randomly, one can do it after a certain number of times. But how will it do it at somebody's command?

The platforms have their own receivers but antennas don't double up. The AESA can't listen to radio or the GPS or vice-versa.

One could send a command through AESA if it is in range of another AESA which can communicate with it. So the Paki F-16s have to come with AESA compatible with the AESA of the F-16 IN and the F-18. Then somehow they will have to bypass all the encryption to get the command through (I believe the last part can be done in hardware through a bypass check logic which forks the inputs to free transistors for parallel lookup or string matching and raising a suitable interrupt thereafter. The same logic has to be used to send this interpretation to the system computer that AESA will be hooked up to.

However for this every boards/ICs of all the participating unites will have to be custom-made for theF-16IN/F-18IN. Otherwise, the Paki plane will also behave in the same was as the Indian. Perhaps it is not clear here how expensive that it to build such custom chips. Even for the thousands of planes that the Us/Russia/EU makes, they can't afford custom made chips now. They all have general purpose chips. A custom made chip (an IC fabrication is millions and millions of dollars) will be as expensive if not more expensive than the radar itself.

Similarly the GPS unit can receive a command from a US satellite, if we use US GPS.

There are much easier/cheaper ways of providing a switch .

[SaiK]

The RAF version of Typhoon carries a DASS TRD. Never read more about its tests and how it jams the incoming missile. Being towed decoy sounds interesting technology for us to learn. I guess external pods could be freed if couple of the TRDs are available for being towed that buzzes away the missile. If it incorporates a jammer, awesome. BTW, does SAAB supplies this to eurofighter from Unkill or it is all their indigenous one?

Coming to think of it, a retractable tow would be awesome for reuse.

[koti]

Koti sir once again, how will you command the software to change behavior. In software, you will have to ask the control to branch differently at some point than the "normal" execution. From within the software, one can do it randomly, one can do it after a certain number of times. But how will it do it at somebody's command?

It is not that difficult to implement this logic.

Every radar ultimately ends up feeding binary or hex as the final input to the digital signal processors.
So, it isn't much difficult to reserve certain sequences like 256 bit long words to specific purposes to initialize a different routine which in-turn will communicate with other sub systems and do the necessary damage.

And this trigger word can very well be generated from a particularly modulated radar wave that could be fed to Radar receivers or GPS Rx or Comm Rx or any other receiver that it is properly integrated to the system.

In higher programming languages like C, the "if-else" or "goto" clause can very well be used for similar purposes.

PS: "goto" is not that bad after all guys.

[koti]

And regarding Encryption, it is only strong if there is no master key design.

[Indranil]

These 256 bits can't come through the general route Koti sahab. The opposition will not be able to sign it.

It has to come through a bypass. This bypass has to be before the decryption module. If you can see data lines diverging before the decryption logic and the module input, you will smell something very fishy. fortunately this route is really very small.

Besides who will be generating this "particularly" modulated radar wave? What will happen to the F-16 of PAF, they will also "shut down", right? as will any other F-16 with the same radar. What will be the cost of this special radar made for India.

To give a very conservative figure just the design of a modern day processor is 100 million (very conservatively). And this is just for the design. Fabrication of this custom made chips is even more expensive.

[Indranil]

And regarding Encryption, it is only strong if there is no master key design.

What kind of encryption are you talking about?

Master key is no encryption at all! It was first thing in an encryption book which speak of Bob, Alice and Eve.

The very minimum that is used is a Public-key cryptography (this is from years back). Unless you know both the public key and your private key, you can't send any legit information. I don't think that the Indians will share the public keys and the private keys that they would be using.

[Philip]

Koti,the alleged Israeli/US cyber attack against Iranian nuclear centifruges,very successful and acknowledged by Iran,making them vibrate to destruction,using specially designed viruses which self-destruct after a time period,indicates that the simplest way to destroy any fighter in the future is through cyberwarfare,especially if you have supplied the aircraft/key components! 6th-gen tech is supposed to contain more cyberwarfare systems than traditional hard kill ones.

[Indranil]

^^^ I agree with you. We have to take care of cyber attacks. It is just my opinion and would be glad to be proven wrong, but I think we are lagging far behind in this respect. Far behind the US/Israel and most probably even China (which has forged ahead by leaps and bounds in recent years).

[Mukesh.Kumar]

@ Indranil- Why are we thinking about a redesign of the whole processor. I believe processors will have redundant circuity built in during original design so as to accommodate newer tasks if they come up over the design life of the chip. (like a FPGA) Isn't it possible that there would be already planned back doors already. All you have to do when you decide to sell a batch of XYZ hardware to a new source is program the circuitry to do additional stuff. Maybe each lot designated for a different party will have a different activation sequence which will render the software to do the same "Kill/ Malfunction Routine". For that matter even hardware planned for the host country's forces should logically have "Kill switches" so that they can be rendered inoperative if they fall into the hands of an enemy.

All weapons systems today are incredibly complicated and all it needs is to disrupt a small link in the change to render it inoperative.

[Indranil]

FPGA are very different from ICs. ICs can't be re programmed. You would create the cast and build the die. For a different IC one needs a different cast.
On the other hand a different logic can be "burned" into the FPGAs and generally this is why it is not used in military hardware. FPGAs are good design tools, where you don't need to fabricate a new circuit everytime to validate. FPGAs also provide a way of hardwiring software logic without building an IC (for huge cost benefits). It is good for things where the programing might change like a TV desktop box. None of this is the case with military hardware.

Your contention is that every IC made is built with the backdoor. Only the designers know that the backdoor is there and can use it at will. Well this can be done but is fraught with risks.

1. It was also talked about in the IEEE paper discussed above. The problem is that it is only a matter of time before the manufacturers/others figure it out. In fact the US is much more worried that the manufacturing countries might be adding "extra" circuitry which is very difficult for it to detect. It doesn't make economical sense to make circuitry exclusive to the military and they have to get consumer products built elsewhere. Adding backdoors from ground up is only going to add to the combination of problems that might arise. Besides this is a huge risk for the manufacturer. If somebody finds this out, all the computers using this circuitry would become susceptible to attacks. No producer will risk that. In the IC industry 2-3 chips can break even the biggest of names. Such is the cost of each design. It takes 4-5 years to come with the next one and billions of dollars.

2. If these backdoors are available on every consumer processor, then they will be present in any of the MMRCA (including the Mig-35). So if you have to inject a message, it can be done on any of the planes.

3. Even if you have a backdoor you have to send something to activate it. How will you do that? We will be back to square one.

Agreed all weapons are complicated and it takes a small thing to make it misbehave, but you have to ask it to misbehave. Question is how?

Philip sir gave a very valid point. It will most probably not come from another aircraft or alienware. It will come through our networks which would have been hacked and a worm injected. Our planes will trust our networks. There is a plethora of ways which can be made to go wrong this way. Infact, if you see the Syrian, Iranian, Stuxnet attacks are all cyber based.

My contention is not with intent or feasibility of a "kill-switch"/"back-door". My contention is that it can't be so easily hidden. The logic can be buried in the hardware/software, but the communication medium can't be. If we would be building these planes here, I am very sure they would be very carefully scrutinized, as was the Boeing for Chinese, and additional hardware sticks out to a trained eye.

[Kailash]

MMRCA might force defense offsets policy change

“The 50% offsets for the MMRCA cannot be fulfilled under the present policy of direct offsets”, said the industry source pointing out that international vendors have a pool of just about 160 companies including 9 government-owned firms to choose from as potential offset partners. From the private companies, only those which have been granted an industrial licence to manufacture a particular defence equipment or system can be partnered with.

[koti]

I guess we should continue the technical aspects of the discussion in another thread.

[chiragAS]

this is going too OT, anyways indranil, Antenna need not stick out. the higher the frequency the smaller the antenna
Heard about embedded antennas? 2.4 GHz ones are old school now. the last time i heard was 10 gigs in the smaller package.

Also AESA can be used for sat reception for starting the kill circuitry.
you know the small dish antenna which you use at home for dissh TV etc work on Ku Band. Don't you think a state of the art AESA can! If some tx/rx array go dead, does the AESA stop? now put this logic cant some array be used as sat receivers!
its a matter of little tweaking!

anyways i hold my ground you can hold yours. Peace!

[Mukesh.Kumar]

@ Indranil:

Indranil, all hardware, or for that matter software, is always built with some backdoor during the design stage for testing, debugging and as a backup for programmers. So, yes, even when building with commercial chips vulnerabilities will be available for exploitation.

Also, for real time applications in avionics, I believe that the software would be hardwired, at the same time there would be scope for upgrades and fixes, so there should be reprogrammable elements which can hide away malicious code.

As for how it can be programmed, well Phillip's contention that the message would come through our networks seem the most plausible one.

Would love to discuss more, but would rather take this discussion offline for fear of clogging up bandwidth. Let me know if there is a epatri address I could reach you at.

Added later: ChiragAS actually mentions something that I had plumb forgot. Even in the known spectrum a properly encoded signal can trigger a kill as all other signals received by the antenna can be filtered out as garbage.

[chiragAS]

Even if you find a antenna sticking out what if its designed for some other work also. multiplexed
why do you think CISMOA is necessary for high end equipments.
even if you find a antenna sticking in eadar control module; will you dare to pluck it out

[Philip]

Many moons ago,I met a cute USAF chick-don't ask how,whose sole marital, sorry....martial activity appeared to be "software and hardware interconnectivity ". Boys,no double-entendre intended at all! Her sole job,from what I could gather was,was to check and change the relevant software before every fighter op.With the controversial on-site "inspections" of US equipment,ostensibly to see that it had not been tampered with,or missing,blah,blah,inserting malicious software or even viruses would be a piece of cake,especially if this is carried out by voluptuous USAF bimbos,whose nose-cones,intakes,fuselages and tails would distract any normal virile IAF technician's attention while the "deed" is done by another.

Therefore,the risk of acquiring and operating key weapon systems of US origin,remains very high,particularly when the US will enforce its right of "inspection",after-sales servicing,et al.When it is the chief provider of high-tech arms to our mortal enemy Pak,the danger is obvious even to the three proverbial monkeys.

[Lalmohan]

sounds like the IAF's focus on WVR combat is a smart move then!?

[koti]

Just another link:
http://www.infoworld.com/d/security-cen ... penbsd-423

This re-iterates the possibility of Buggy equipment we could be getting if we opt for the teens.

But if its complete(insha allah) ToT, Even the Super Viper will be a good enough plane.

[Indranil]

koti sahab, I used to work for an embedded hardware system firm in Bangalore. The term embedded antennas is very generic. Please let me know specifically what you want to discuss and we can go from there. An antenna element looks very very different from any other circuitry on a board. An antenna has volume restrictions which are restricted by the wavelength (inversely frequency) of the wavelength. You are right when you say the the antenna length decreases with frequency, but I don't know whether you purposely left out the gain discussions of those antennas. May be you have decent exposure to electronic boards and embedded technology too. If you have, you would already know by now what I am saying. If not please do ask a friend in the field. If you give me a green board, it will me much less than 1 hour (for a very complex board and a very miniaturized antenna to tell you where the antenna is.

And backdoors are nothing new of today. They have been there since WW II. But to trigger you have to communicate. US can provide us with buggy hardware, but if we were to just accept it without any inspection, we might be canned. However, I doubt that process.

Mukesh sir, the development boards and production boards are very different. Development boards generally have an (JTAG) interface to communicate to the board. The production boards don't.You would be surprised to read how ICs are tested. They are only for functionality. Nothing is stuck into it.

If you were testing, you would have a way to communicate with the device. That communication will be a port to be wired to or an transceiver (atleast a receiver) antenna. and those things can't be hidden.

[Indranil]

Many moons ago,I met a cute USAF chick-don't ask how,whose sole marital, sorry....martial activity appeared to be "software and hardware interconnectivity ". Boys,no double-entendre intended at all! Her sole job,from what I could gather was,was to check and change the relevant software before every fighter op.With the controversial on-site "inspections" of US equipment,ostensibly to see that it had not been tampered with,or missing,blah,blah,inserting malicious software or even viruses would be a piece of cake,especially if this is carried out by voluptuous USAF bimbos,whose nose-cones,intakes,fuselages and tails would distract any normal virile IAF technician's attention while the "deed" is done by another.

Therefore,the risk of acquiring and operating key weapon systems of US origin,remains very high,particularly when the US will enforce its right of "inspection",after-sales servicing,et al.When it is the chief provider of high-tech arms to our mortal enemy Pak,the danger is obvious even to the three proverbial monkeys.

The hot chick distraction aside, this inspection is risky business.

Very legit concern, shared by the IAF and the MoD. I am not sure of the F-16 and the F-18 but the F-22 mission could be supposedly fed through a memory stick. I think it is because of this reason that we ensured that the inspections happen where we want it.

But then if India is going to war (where US doesn't want it), will the Indians allow the annual checks to continue at that time?!!

However, the bug could be introduced into such a "memory stick" or any communication from our network if our network is hacked.

[Lalmohan]

one must assume that unkil will actively hack our networks, if only to know what is going on

[Indranil]

It won't be just unkil, I fear China much more in terms of capability and intent.

[Lalmohan]

sorry, i meant unkil will do it regardless of being 'our friend' (unkil will do it to everyone)
china will do it as a key strategic imperative

[Indranil]

Even if you find a antenna sticking out what if its designed for some other work also. multiplexed
why do you think CISMOA is necessary for high end equipments.
even if you find a antenna sticking in eadar control module; will you dare to pluck it out

You won't pluck it out ... you won't accept it if you see anything fishy.

[Indranil]

Also AESA can be used for sat reception for starting the kill circuitry.
you know the small dish antenna which you use at home for dissh TV etc work on Ku Band. Don't you think a state of the art AESA can! If some tx/rx array go dead, does the AESA stop? now put this logic cant some array be used as sat receivers!
its a matter of little tweaking!

No sir, the AESA modules can't communicate with the satellite. All planes with the AESA radar have a separate sattelite communication system.

One could replace one of the modules of the antenna, but then we would be fools if we couldn't find that out. If that is the tech know how in our country then we might to be conned with "kill switches". Thankfully we are not .

[kmkraoind]

FBI accused of planting backdoor in OpenBSD IPSEC stack

Slightly OT, but relevant since discussion is around on back door entry.