Norwegian F-35 Sending Sensitive Data Back to Lockheed Martin (2018) (fighterjetsworld.com)
173 points by dsego 22 days ago | 98 comments

Apparently, in Austria, Eurofighter jets can't start until an NSA contractor on base types in an ignition key[1].

[1] https://news.ycombinator.com/item?id=18642194

>In order for the 15 Eurofighters to start, Austria's federal army paid 1.5 million euros over three years to a private US security company. Now, the costs for those two "civilians" stationed at the Zeltweg airbase have been confirmed, who have to allow every start with the current US-"Crypto-Keys" for navigation and friend or foe identification.

The ministry of defense denies that the two Americans from an unnamed US company are NSA contractors. They claim the jets would fly without the keys but without encrypted navigation and communication. He also mentions the same situation for Sweden and Switzerland.

That article is not entirely accurate and is based on a misunderstanding of what those contractors are doing. They're loading NATO MIDS/Link-16/IFF keys, not 'starting' the aircraft.

The Austrian Eurofighters can fly and operate without those keys, they just won't be able to join NATO Link-16 networks or other encrypted NATO communications or navigation networks. This is standard practice for all modern combat aircraft, incidentally, as encryption keys are rotated on a regular basis and need to be loaded into the aircraft's onboard systems before flight. The data can also include additional interoperability elements such as TDMA slice allocations in the case of Link-16.

The reason it has to be done by the unnamed contractor is because Austria is not a member of NATO, so it can't be given control over key handling. The same is true for Sweden & Switzerland.

It's a logical tradeoff. Austria, Sweden, and Switzerland get access to encrypted NATO networks and can therefore interoperate seamlessly with NATO forces, but they're always free to opt-out. Sweden for instance has fall-backs to national data links and communications networks to which only it has the encryption keys.

How does one know so much detailed info about this topic?

It’s not a secret, despite the MIL-STD-6016 doc technically being classified. One of my favorite documents on the subject is the Wireshark dissector the Australian government wrote and then published the document of how they’ve achieved it, including pretty much the entire protocol: http://willrobertson.id.au/resources/wireshark/DSTO-TN-1257....

Well thank you, very nice.

In my case, it's the result of a research project I carried out a few years ago. While that went into somewhat deeper detail, the kind of information I've shared here is quite openly available from official and academic sources.

Ah, makes sense, especially since you did a research project and reviewed the academic literature.

FYI (other commenters) I wasn't doubting or implying access to secrecy.

Just impressed at the depth of knowledge that appears with high frequency on HN here.

Why would such information be particularly secret? Only secret keys are secret; knowing how to use them is a basic skill for all military pilots and a lot of other aviation personnel.

Generally speaking, most NATO / military standards have some level of classification that prevents dissemination to a random member of the public.

That said, for the non-sensitive stuff, there's usually access out there because someone's posted it or it's been discussed in a presentation.

Reasons you would want such information controlled: if an adversary were to get in a shooting war with NATO, knowing the entire sequence required to launch fully operational aircraft makes interrupting that sequence much easier.

Read background, dissect, probe, attack.

It seems strange that Austria is not a member of NATO, the aftermath of WW2 has them sworn for 'perpetual neutrality'.

Isn't that the exact reason, as joining NATO would violate said neutrality?

"Austria declared 'its permanent neutrality of its own accord.' The second section of this law stated that 'in all future times Austria will not join any military alliances and will not permit the establishment of any foreign military bases on her territory.'"


Joining an alliance is pretty much the way to not be neutral. They signed a treaty in 1955 to end allied occupation, with the condition that they don't join any alliances. The intent was that this would prevent them from joining with the Soviets. Times have changed, but the treaty has not, so they are not allowed into NATO since it is an alliance. I'm sure if they really wanted to join all the former Alliance signatories (which are now part of NATO) would be willing to renegotiate the treaty and let them in.

Sweden and Switzerland don't fly Eurofighter jets. They are also not members of NATO so I'm not surprised that they can only get NATO IFF codes under restrictions.

No idea what is going on with Austria.

EDIT: Austria isn't a member of NATO.

Are we paying for these codes in Sweden? Would be quite interested to learn more about this.

For the codes directly no, for contractors with sufficient clearance for handling the keys yes.

You can’t have it both ways as in want to interoperate with NATO forces as well as being covered by NATO CAPs and not be a member of NATO.

What restrictions do you think Sweden has with regards to NATO IFF codes?

I assume these are processed by secure hardware inside the plane, if you could just copy them after being loaded the entire exercise with the contractors would be rather pointless. So I assume after the contractors load the codes into the plane, they are already protected by regulations governing access and sale/export of the plane, which probably amount to roughly "Remember, no russians".

I have seen the army in my country emphasize having total control over each and every piece of equipment they have. They boast of being able to completely disassemble and reassemble all the mechanical war machines.

I wonder how that works for software heavy war equipment, such as F-35. Does the seller provide full source code and control (and probably training?) over modification of the software? Do they agree on the paper only that the buyer can never get to use those weapons against the seller? Or, do they set those policies right inside the control units of those weapons?

If the seller country has significant control on the control units of the war instruments sold to another country, and if the seller country is able to update/modify/control/restrict devices over the air, won't that make the buyer country just an outpost of the seller country?

> If the seller country has significant control on the control units of the war instruments sold to another country, and if the seller country is able to update/modify/control/restrict devices over the air, won't that make the buyer country just an outpost of the seller country?

No. That would entail rather complete political control. Not just control over certain parts of the buying country's equipment. Still, it is clearly in the interest of the buyer to want more control over the equipment they buy, especially on such a delicate matter.

F-35 source code is only available to a limited subset of trusted allies. Mainly the UK, but it appears that a few other countries such as Israel have at least partial source code and the ability to build custom branches.


DoD/DoE contractors and manufacturers retain a large portion of military contracted IP material. For example, CNWDI in the nuclear world does not allow anyone in the military access to/knowledge of portions of bombs/warheads below the maintenance plates. Sandia/LLNL/LANL keeps a (literal) tight lid on that knowledge, much less the very physical appearance.

If the same schema were applied to airframes, it’s likely that Lockheed and NG retain rights to the manufacturer-specific IP, which would include the source code to any avionics packages.

In the case of new fighter jets, absolutely not. Other countries do not get the full packages either. There are some parts they likely take out or give them slightly inferior parts.

As far as I remember there was information released about the French having our backdoors into radar systems it sold. I am sure most countries do something like that but this time they got caught.

Unless specified in the contract, the US may not even get full source code for something produced by the defense industry for them.

It probably does a lot more than that. It’s always been rumored some US military tech could suddenly be turned “off” in the event of a war.

I couldn’t imagine a situation that would put Norway and the US on opposite sides. Since the military allows Norway to get F-35s they probably agree.

I have the feeling that if there were ever a war between major powers breaking out, the first thing that would happen is that a large chunk of military equipment and critical infrastructure on both sides would get bricked pretty much immediately.

And its financial system cut off. Like US disconnected Iranian banks from SWIFT, and there is no way today to bypass US financial system for international payments.

I've heard rumors of something similar about US anti aircraft systems, and this being a motivating factor in Turkey buying S-400s.

The S-400 is just objectively better than anything US is selling. The possibility of Patriot having a US killswitch is an afterthought if it was considered at all. It's also equally probable that the S-400 has a Russian killswitch.

The actual motivation for Turkey to pick the S-400 was entirely political. They are signalling allegiance to Russia. The US is now cancelling Turkey's F-35 order in response.

Turkey also wanted to have a technology transfer while having Patriots. So, Turkey can use it for its own missile defence system. Apparently, it didn't happen.

Yet ironically, Turkey didn't get a technology transfer from the S-400 either. Once Putin got Erdogan committed, Putin knew he didn't have to offer much - Erdogan couldn't suffer a reversal.

Note that he doesn't have anything specific to point to - that's because he's merely trying to justify Erdogan. He must know that Turkey is going to get very few tech transfers:


Turkey already has a rocket-missile company [0]. So, I'm pretty sure Turkey does not need everything but only specific parts. What I think is that Roketsan will be able to manufacture its own S-400-capable Triumph missiles. So, every time Turkey launches its own missile, it won't need Russia to replace its stockpile.

[0]: http://www.roketsan.com.tr/en/

It's likely that Russia will allow Turkish missiles. However, that would not be a significant technology transfer. Technically Russia could do this merely by passing on protocols to 'talk' with the S-400, and letting the Turks create their own missile.

Even if some missile tech were to be transferred (I rather doubt it), the key part of S-400 is not the missiles - but the very sophisticated radar, control and EW systems.

Either way, it doesn't get Turkey much ahead in designing their own missile defence system, and leaves them dependent on a potential (even likely) enemy.

You wouldn't like to bet that the US are the only ones capable of turning it off, either.

“Off” in quotes. I bet it’s more like a software license. “you missed your 60 day update from Lockheed, your jet will stop working”

They fail to be fully operational after 30 days without connection to Lockheed servers, which is a problem even for USA because the connection is bandwidth intensive.

Reading your comment I pictured Geohot attempting to jailbreak an f35. It made me wonder can you brick an f35?

F35s do a perfectly good job of bricking themselves. On a consistent and routine basis.

I believe the F-22 software is written in Ada. I had a classmate in college who was in the air force. He said updating an F-22 took hours and if something happened you had to start over which happened often.

I can confirm that. Interviewed at skunk works in Lancaster. They shared this exact knowledge.

Command disablement is present on airframes dating as far back as the B-52.

Nondestructive remote command disablement (what you’re referring to) is probably a real thing. It would fit the same schema that other weapons systems already have (nuclear weapons, drones, satellites).

starting with the GPS network.

A prime reason why other constellations have been deployed or are currently being deployed, such as GLONASS (Russia), Galileo (EU), and BeiDou (China). India I believe also has their own, but it's not global, just regional.

With different definition of deployed for each constellation; Galileo has been down for weeks recently.

Galileo is still in deployment and a month ago they had an issue in the not-fully-redundant-yet ground segment that led to 6 days with increasingly poor accuracy and partial outage.

Galileo was down for one week. It's also not yet at full capacity. I think it's expected to be finished next year.

They only need to switch it to airplane mode!

Kidding aside, the concerns over the possibility for such actions were the primary reasons why the Turkish public was totally O.K. with being expelled from the F-35 program.

One has to wonder why a country would even consider buying a foreign plane that does this...

Data should be under the control and scrutiny of the owner of the plane, who would pass on only what they are happy to.

First of all, Norway shares their border and coastline with Russia, who would like nothing more than to gain more control over Norway’s fisheries and oil fields, although they’re certainly more friendly now than they were during Soviet times. Second of all, the EU also wants a cut of Norway’s fisheries and oil, although on far better terms. As such, the USA has always treated Norway fairly and favourably in order to gain access to our oil fields. Thus it’s only natural that the favour is returned.

On top of that, Norway has for at least a hundred years had very close ties to the USA due to emigration. Compare that to the rather lukewarm political help Norway got from Sweden during WWII (though their hands were obviously tied) and the strategically insignificant position they’re in to help in future conflicts, given that they are still outside the NATO—where Norway is of course heavily entrenched with their former P.M. Jens Stoltenberg as the current General Secretary. Thus it was an easy call to ditch Sweden’s JAS Gripen in favour of the F35, despite some issues with data transmissions.

While the JAS Gripen perhaps has similar capabilities to that of the F16—which is in fact a far superior defensive dogfighter compared to the F35—the F35 is a better ground attack plane, and it has stealth.

If an F35 is ever in an actual dogfight it has failed already; it should kill an opponent before the opponent is ever aware of its presence.

You are of course correct, but see it from Norway's perspective: They're looking to replace their aging fleet of F16s. Their goal was air defence; to shoot down incoming threats. The Fighting Falcons really excel at that. By purchasing the F35 Norway is forced to take a more aggressive and preemptive stance. That might not be in Norway's best interest given its small size and comparably small, though technologically advanced, army.

Because developing good warplanes is extremely expensive and difficult. Also using same equipment as your allies has advantages - can secure external parts supply during a war, foreign planes can easily use your fields, etc. Of course, buying foreign planes comes with risks as well - parts supply might be embargoed, other countries will know something about your plane, etc.

Judging by Norway's likely adversary (Russia), in all likelihood the risks were judged to be small compared to the advantages of using the best available plane from a country (US) usually not in good terms with Russia.

Norway is way too small of a country to develop its own weapons and airplanes. It has 2% of the GDP that the United States has. The cost of the F-35 project would deplete the entire Norwegian sovereign wealth fund. Secondly, what is the likelihood that Norway gets into a war with the United States versus Russia?

If Sweden can develop fighter airplanes, why can’t Norway?

Sweden can't develop a fifth generation fighter airplane. It's just too expensive.

It will be interesting to see if France tries next time. The UK, Germany and Italy certainly can't.

The plan seems to be to do it in common with Germany and Spain: https://www.iiss.org/blogs/military-balance/2019/06/franco-g...

The UK is already in early stages of design for a potential replacement to Eurofighter.


We will be working with Sweden on it as well.

The Gripen first flew 31 years ago, even at the time was considered an outrageously expensive project given the market size (Wikipedia tells me only 247 were ever built!), and frankly there's significant disagreement as to whether it even represents an improvement over the F-16's everyone else was buying at the time.

It was a stretch, and they made it work. But I don't think you'd call this a success. The Viggen was closer to that, and it was a 1960's design.

Actually we can. The US is a big customer. https://en.wikipedia.org/wiki/Kongsberg_Defence_Systems

I'm not saying Norway doesn't have technical or defense capabilities. I'm merely noting that Norway doesn't have the budget to develop state of the art fighter jets solely to provide the Norwegian government. In the case that it did develop one, it would still need to sell the plane to other countries like the US, and then the original OP's question comes back into play of why would the US do that given it has the leverage? International trade can help breed specialization alongside monetary and strategic alliances. I gather Norway would rather have the state of the art weaponry to defend itself from Russia and the US would want that as well.

You said above:

> to develop its own weapons and airplanes.

This can be read in two different ways I guess, and ccsalvesen's reply is a valid reply to the way I'd read your post, namely that "Norway can neither make their own weapons nor their own planes".

You seem to have meant that Norway cannot develop both weapons && planes, true?

Just trying to clear out the source of the misunderstanding here.

Because you're not going to use weapons against the nation that you bought them from.

Funny story: in the 80s the Iraqis were our allies and we (the British) sold them a bunch of kit, including their camouflage uniforms.

The first Gulf War happened and the British forces deployed in regular temperate camo. Everyone assumed it was because the supply chain was incompetent but the real story was it was too risky to fight in the same kit as the Republican Guard!

Iran is still flying F18 Hornets at last check.

If you look to history, this really is not the case. Part of UK military strategy from the beginning of empire to the present day, is to sell arms to the people that you end up invading.

Meanwhile America made and sold a lot of guns into the middle east that are now used to kill Americans (among other people).

Well, people buy Teslas...

This reminds me of Windows 10 being used in countless non-US governments even though it has telemetry enabled.

> you get calls from the US ambassador and it's not just economic reasons...

Do you have details/links about that?

I can't find any sources about it any more but I vaguely remember reading about it. I'm sorry. As I can't find it, it certainly wasn't covered by big press. I'll remove that part of the comment to be on the safe side. It's not what my comment was supposed to be mainly about anyway. The main part of my comment was more to point out that this is a pattern: the USA is supplier of a major amount of technology that lends itself very well to mass surveillance and the western world uses it. The US got the unique chance to make the technology spy onto the customer nations.

> The US got the unique chance to make the technology spy onto the customer nations.

I dunno how unique that chance is any more. The whole world runs on hardware made in China which could be compromised to do pretty much anything.

What you are saying basically (if I got it right) is that US ambassadors are in some way threatening the target country if they move out of a potential spying system. That's quite a statement and more like wikileaks material.

Norwegian Unix User Group (NUUG) have campaigns from time-to-time where they highlight stuff like that to Norwegian state owned institutions, counties and municipalities.

> “Due to national considerations, there is a need for a filter where the user nations can exclude sensitive data from the data stream that is shared by the system with the manufacturer Lockheed Martin,” Gjemble ter.

> “Norway has entered into a partnership with Italy to jointly finance the procurement and operation of a laboratory where we can enter nationally sensitive data, as we currently do on F-16,” Gjemble said.

Why do these sites have to implement smooth scrolling - for a blog of all things? I don't understand what goes through their heads

It's annoying, but there was this fad a few years ago and many websites did it, and probably this one was designed at that time.

I'm curious about the actual communication here. Does each plane have a satellite uplink or something? If they do, I would expect that they would be configured to use Norways military satellite comms network. I'm not sure how or why that network would be able to contact Lockheed. So are there multiple communications systems? What portion of them are military and what portion, if any, transit the public Internet? Lockheed might own their own communication satellites, I'm not sure, but I really don't think they have carte blanche to use the US military communications networks for their own products. Details might be sensitive or classified so I'll probably just be kept wondering, but the mechanics of the actual physical communication of data aren't clear to me.

A horribly shitty software package called ALIS is required to operate F-35, this software communicates from ground facilities to Lockheed servers.

Having dealt with the output of the part of Lockheed that makes logistical software, I say run for the hills.

Thank you for wondering out loud, your thoughts have been noted

This article is over a year old. June 4th 2018. Norwegian blogs and press wrote about similar concerns already back in 2017. Not sure why this is pushed to the top at HN now :p

We've been carrying spy devices in our pockets. Now spy devices carry us.

Is anyone genuinely surprised at this?

I think Patriots do the same thing. But not S-400s.

That sounds overly optimistic.

The title makes the data collection sound sinister, but this is just a case of a company wanting to make the best product possible. It's necessary to collect data to improve systems.

Norway (and all of Europe) has outsourced much of its collective defense to the United States, so if Norway and the Europeans are comfortable with the entire US military apparatus protecting them, it is quite surprising that Norway would have a problem with something as comparatively insignificant as flight data being sent back to Lockheed.

In fact, given the protective relationship the US has with Europe, wouldn't Norway want to provide as much data as possible to help improve Lockheed's technology and hence the West's future defensive capabilities?

I take for granted that those data will be shared with the US military. In any case the company is free to collect data from its own planes, not those that it already sold.

When that company is foreign and may have different interests to that of the country which bought the product it is a problem

Shortsightedness aside, it doesn't really matter what the intentions are, certainly not for the military.

Now say the exact same thing but referring to Huawei. How did that sound to the whole world, and especially to the US?

This isn't your thermostat sending temperature data to the manufacturer, it's a war plane sending critical information that the owner of the plane wants to keep secret.

To be fair, I cannot imagine any nation selling a current-generation hi tech stealth fighter jet to foreign countries without hiding some kill switch somewhere in the firmware. I always thought this is somehow implied and that countries who fear to become the enemy of former allies diversify their weapon systems appropriately. At least, that's what I would do if I was in charge.

We more or less know this concept to be a fact since the Snowden leaks. Alliances are very fluid things and it was already revealed that the US had infiltrated power and utilities companies in Europe and Japan and prepared kill switches in case they are needed in a conflict.

I imagine this is the general practice to make sure your own tech is not used against you. I am also not surprised that some people find it perfectly acceptable when coming from one side, and unacceptable when coming from another.

Reminds me of this: https://pics.onsizzle.com/nationalis-our-blessed-homeland-th...

The difference is that Norway and the US are liberal democracies and allies. China, quite the opposite.

In fact, Norway (and all of Europe) has outsourced much of its collective defense to the United States, so if Norway and the Europeans are comfortable with the entire US military apparatus protecting them, it is quite surprising that Norway would have a problem with something as comparatively insignificant as flight data being sent back to Lockheed.

In fact, given the protective relationship the US has with Europe, wouldn't Norway want to provide as much data as possible to help improve Lockheed's technology and hence the West's future defensive capabilities?

>"wouldn't Norway want to provide as much data as possible to help improve Lockheed's technology"

Given the article, I'd say that we know the answer to this and it is something of a resounding 'no' -

"Norway says it has become impatient with continued delays in the promised provision of a data “filter” by Lockheed Martin. So it’s started its own project to find ways to block its new F-35s from reporting back to their former US masters.

It’s also worried that it won’t be able to optimize — or protect — the extremely sensitive Mission Data Files. These data packs optimize aircraft performance under different conditions, as well as provide a database of regional challenges and conditions.

Again, Norway wants Lockheed Martin out of the loop."

> The difference is that Norway and the US are liberal democracies and allies

And yet Norway wants to retain control over that data. Are you saying this should be overridden? Outsourcing doesn't imply handing over everything to the party providing the service. If India starts taking sensitive Boeing data is it ok because Boeing outsourced the coding of critical components there?

> Europeans are comfortable with the entire US military apparatus protecting them

Yes. But it's not kindness, it's business and it doesn't come for free. They'll keep doing it to keep said Europeans from finding other allies. So they can have a military presence close to their enemy. So they have a witness when WMD or dictators need a democracy treatment.

> wouldn't Norway want to

Obviously not.

We aren’t talking about two IT companies.

Norway and US are allies; that’s how Norway is comfortable to host most of its government data on AWS for instance, or to use US made products everywhere. But for obvious reasons there is always a limit when it comes to sensitive data.

I’m sure they do all sorts of intelligent cooperation and data sharing on demand. But we are talking about military and this is not on demand data sharing.

Do you expect US military to accept sharing the same type of data back to its allies for the same reasons? Norway’s military is simply asking for a way to filter these data.

There are data that they never want to share (e.g. secret missions), and there are sensitive data that they want to always filter.
