Electronically Hijacking the WTC Attack Aircraft
By Joe Vialls, October 2001
On Sept. 10 2001, just 24 hours before the WTC attack, The Washington Times ran an article quoting intelligence sources who described Israel’s Mossad as “Wildcard. Ruthless and cunning. Has capability to target US forces and make it look like a Palestinian/Arab act.” Moreover, they said, it was generally known in the intelligence community that the Mossad had penetrated every Muslim organization and would have little problem in finding any number of fanatics to carry out a suicide mission in the belief they were serving Allah. Ed.
In the mid-seventies America faced a new and escalating crisis, with US commercial jets being hijacked for geopolitical reasons. Determined to gain the upper hand in this new form of aerial warfare, two American multinationals collaborated with the Defense Advanced Projects Agency (DARPA) on a project designed to facilitate the remote recovery of hijacked American aircraft. Brilliant both in concept and operation, “Home Run” (not its real code name) allowed specialist ground controllers to listen in to cockpit conversations on the target aircraft, then take absolute control of its computerized flight control system by remote means. From that point onwards, regardless of the wishes of the hijackers or flight deck crew, the hijacked aircraft could be recovered and landed automatically at an airport of choice, with no more difficulty than flying a radio-controlled model plane. The engineers had no idea that almost thirty years after its initial design, Home Run’s top secret computer codes would be broken, and the system used to facilitate direct ground control of the four aircraft used in the high-profile attacks on New York and Washington on 11th September 2001.
Before moving on to the New York and Washington attacks, we first need to look at the ways in which an aircraft is normally controlled by its pilot, because without this basic knowledge, Home Run would make no sense. In order to control an aircraft in three-dimensional space, the pilot uses the control yoke (joystick) in front of him, rudder pedals under his feet, and a bank of engine throttles located at his side. Without engine thrust the aircraft would not fly at all, so the throttles are largely self explanatory: For more speed or altitude increase throttle, for less speed or altitude decrease throttle.
In order to raise or lower the nose of the aircraft, the pilot pulls or pushes on the control yoke, which in turn raises or lowers the elevators on the horizontal tailplane. To bank the aircraft left or right, the pilot moves the control yoke to the left or right, which in turn operates the ailerons on the outer wings. Lastly, to turn left or right at low speed or “balance” turns at high speed, the pilot presses the left or right rudder pedals as required, which in turn move the rudder on the vertical stabilizer.
Back in the early days of flight, the control yoke and rudder pedals were connected to the various flight control surfaces by thin cables, meaning the pilot had direct physical control over every movement the aircraft made. This was no great problem for an average man flying a small biplane, but as aircraft grew ever bigger, heavier and faster over the years, the loadings on the control yoke and rudder pedals became huge, certainly well beyond the ability of a single pilot to handle unaided.
By the late fifties we were well into the age of hydraulics, where just like the power steering on your automobile, hydraulic rams were placed in line between the pilot’s control cables and each individual control surface. Now when the pilot moved the control yoke, the cables activated sensors, which in turn activated one or more hydraulic rams, which in turn moved one or more control surfaces. For the first time since Bleriot and the Wright brothers, pilots were of necessity being steadily distanced from direct control of their own aircraft.
When the multinationals and DARPA finally came on the scene in the mid-seventies, aircraft systems were even more advanced, with computers controlling onboard autopilots, which in turn were capable of controlling all of the onboard hydraulics. In combination these multiple different functions were now known as the “Flight Control System” or FCS, in turn integrated with sophisticated avionics capable of automatically landing the aircraft in zero visibility conditions. In summary, by the mid-seventies most of the large jets were capable of effectively navigating hundreds of miles and then making automatic landings at a selected airport in zero-zero fog conditions. All of this could be accomplished unaided, but in theory at least, still under the watchful eyes of the flight deck crews.
In order to make Home Run truly effective, it had to be completely integrated with all onboard systems, and this could only be accomplished with a new aircraft design, several of which were on the drawing boards at that time. Under cover of extreme secrecy, the multinationals and DARPA went ahead on this basis and built “back doors” into the new computer designs. There were two very obvious hard requirements at this stage, the first a primary control channel for use in taking over the flight control system and flying the aircraft back to an airfield of choice, and secondly a covert audio channel for monitoring flight deck conversations. Once the primary channel was activated, all aircraft functions came under direct ground control, permanently removing the hijackers and pilots from the control loop.
Remember here, this was not a system designed to “undermine” the authority of the flight crews, but was put in place as a “doomsday” device in the event the hijackers started to shoot passengers or crew members, possibly including the pilots. Using the perfectly reasonable assumption that hijackers only carry a limited number of bullets, and many aircraft nowadays carry in excess of 300 passengers, Home Run could be used to fly all of the survivors to a friendly airport for a safe auto landing. So the system started out in life for the very best of reasons, but finally fell prey to security leaks, and eventually to compromised computer codes. In light of recent high-profile CIA and FBI spying trials, these leaks and compromised codes should come as no great surprise to anyone.
Activating the primary Home Run channel proved to be easy. Most readers will have heard of a “transponder”, prominent in most news reports immediately following the attacks on New York and Washington. Technically a transponder is a combined radio transmitter and receiver which operates automatically, in this case relaying data between the four aircraft and air traffic control on the ground. The signals sent provide a unique “identity” for each aircraft, essential in crowded airspace to avoid mid-air collisions, and equally essential for Home Run controllers trying to lock onto the correct aircraft. Once it has located the correct aircraft, Home Run “piggy backs” a data transmission onto the transponder channel and takes direct control from the ground.
This explains why none of the aircraft sent a special “I have been hijacked” transponder code, despite multiple activation points on all four aircraft. Because the transponder frequency had already been piggy backed by Home Run, transmission of the special hijack code was rendered impossible. This was the first hard proof that the target aircraft had been hijacked electronically from the ground, rather than by [FBI-inspired] motley crews of Arabs toting penknives.
The Home Run listening device on the flight deck utilizes the cockpit microphones that normally feed the Cockpit Voice Recorder (CVR), one of two black boxes armored to withstand heavy impact and thereby later give investigators significant clues to why the aircraft crashed.
However, once hooked into Home Run, the CVRs are bypassed and voice transmissions are no longer recorded on the 30-minute endless loop recording tape. If Home Run is active for more than thirty minutes, there will therefore be no audible data on the Cockpit Voice Recorders. To date, crash investigators have recovered the CVRs from the Pentagon and Pittsburg aircraft, and publicly confirmed that both are completely blank. The only possible reason for this, is data capture by Home Run, providing the final hard proof that the attack aircraft were hijacked electronically from the ground, rather than by “Arab terrorists”.
Many readers might by now be indignant; convinced this is incorrect or misleading information because of “those telephone calls from the hijacked aircraft”. Which telephone calls exactly? There are no records of any such calls, and the emotional claptrap the media fed you in the aftermath of the attack was in all cases third-person. We had the media’s invisible “contact” at an airline who “said” a hostess called to report a hijacking, and we had a priest (?) who “said” he received a call from a man asking him in turn to call his wife and tell her he loved her. Presumably this man would have had his wife’s name filed in his cellphone, and faced with imminent death would have called her direct. The FAA helped out by claiming that it had “overheard” a heated argument from a cockpit where the radio transmit switch had been left in the “on” position. When push came to shove, the FAA was forced to retract, and admit that the mythical argument was not on the tapes at all.
Whether more information will be forthcoming about Home Run is unknown, but nowadays there are large numbers of people apart from the author privy to the basic data. As long ago as the early nineties, a major European flag carrier acquired the information and was seriously alarmed that one of its own aircraft might be “rescued” by the Americans without its authority. Accordingly, this flag carrier completely stripped the American flight control computers out of its entire fleet, and replaced them with a home grown version. These aircraft are now effectively impregnable to penetration by Home Run, but that is more than can be said for the American aircraft fleet. A casual count indicates around 600 aircraft in the USA and elsewhere are still vulnerable and could be used in further attacks at any time, which might help explain why America has lately been bombing the Afghans primarily with bags of wheat. For the first time in US history, American officials appear to be genuinely fearful of future reprisals, and justifiably so with 600 giant bombs parked on the wrong side of their missile defence shield.
It is a “Catch 22” situation. In order to make all of the aircraft safe, the flight control systems would have to be stripped out and replaced, at a cost of billions of dollars the airlines cannot afford because they are going broke. Nor is there enough time. The most innovative anti-hijacking tool in the American arsenal, has now become the biggest known threat to American national security.
For the purpose of public reassurance I would like to publish a complete list of aircraft which cannot be affected by Home Run, but I cannot do so for legal reasons. Any aircraft manufacturer not on the list might feel inclined to sue me for defamation and I can’t afford that. However, there is nothing to stop me publishing my personal choice of aircraft for a flight from, say, Atlanta to Singapore via JFK, Frankfurt, and Kuala Lumpur.
From Atlanta to JFK I would probably travel on a Boeing 737, and connect with a Boeing 777 for the onward flight to Frankfurt. At Frankfurt I would probably board an Airbus A340 for Kuala Lumpur, and finish the journey to Singapore on a DC9 or a Fokker 100. Naturally I might be unlucky enough to pick an aircraft with an intoxicated pilot, or an unrelated mechanical problem, but apart from those minor risks I’d feel pretty safe.
Joe Vialls is a former member of the Society of Licensed Aeronautical Engineers and Technologists, London.