How to stop commercial air hijackings without increasing security

Reader comments

Here are the comments I received in response to my idea posted on How to prevent air hijackings. Unfortunately, I don't have the time to respond to each one, but so far, no real showstoppers. There were a wide variety of intriguing suggestions and alternatives... many could be better than my original idea. 30 of them are included below. A lot more are on the Anchordesk website. Hopefully, someone at the FAA can assemble a small team of cross-functional experts (pilots, aircraft manufacturers, terrorist experts) to evaluate and act on one or more of these ideas!

Also, there were several variants of the idea floating around (the AnchorDesk version is not the same as the more refined version on my website), so keep that in mind when reading these comments.

I've received hundreds of other emails with excellent suggestions that are not included below. If you are with the FAA, Congress, an airline, or aircraft manufacturer, I can forward you the email archive if you email me stk@

Airplane Security

Your coverage is generally good, in particular your comment on air marshals (it gets little press, but Israel has such marshals on all flights to and from Israel, El Al or otherwise). However, there are several procedures that Israel follows which you may not be aware of:

Most flight attendants on El Al are trained in self defense and have gone through hijacking simulations. In addition, several are armed with a slightly flexible telescoping rod that enlarges to about 2.5 feet in length. This combined with the sky marshals reduces the probability of panic in the event of the plane being seized. Israeli studies have found that the crew being calm and collected was essential to averting loss of life.

In the event of the plane being seized, Israeli pilots are not only ordered to never give up the cockpit, they are also told to depressurize the cabin and use fast maneuvers to render any terrorists incapacitated.

You are right about the fact that you cannot keep someone from getting on an airplane with a sharpened credit card to kill someone. That is why Israeli security focuses exclusively on guns and explosives because those are the only methods to actually hold a plane with a trained crew.

Finding Bin Laden

While I like your idea of offering an absurdly large reward (not unlike the Romans did to Sertorius in Spain) I think there are several things to consider.

You are right that Hezbollah almost certainly played a part in the attack on the WTC; the US press has given little attention to the fact that Hezbollah is associated with Al-Qaeda. While I have read reports saying that Iraq sponsored Hezbollah on this mission that would seem both unlikely and unnecessary. Unlikely because Hezbollah is backed by Syria and Iran with minimal contact with Iraq. Unnecessary because Hezbollah is quite rich from donations from Iran and the Gulf states.

Many Americans are calling for sending in lots of US Special Forces, like the SEALs, into Afghanistan. It is worth remembering that the Mujahideen fought off the Spetsnaz, Russia's special forces, for better than a decade. Bin Laden's forces are probably the best trained, most experienced non-conventional fighters in the world today. US special forces should approach them with some trepidation.

Infiltrating Al-Qaeda would be quite difficult, given that most of its members are related to other members through clan and family affiliation.

The most effective infiltration of such an organization was actually done not by Israel, but by Jordan. Years ago when Abu Nidal targeted King Hussein, Jordanian security went around the Middle East kidnapping the families of members of his organization. These families called their Abu Nidal agent relatives and told them that if they did not give information over to Jordanian intelligence, they would kill the families. Jordan then passed the information on to the Mossad, who attacked Nidal's infrastructure. Such methods are unpalatable to Americans but highly effective.

Last Thought

We have put way too much attention on Bin Laden the man. While his organizational skills are considerable, terrorists can only work if they have two things: secure bases of operations and money. Unlike in b-movies, we know where the bases are. In no particular order, they are in Sudan, Eritrea, Lebanon, Syria, Yemen, Iraq, Iran, Afghanistan, and Pakistan. Not all of these countries directly aid Bin Laden (though a surprising number host organizations affiliated with Al-Qaeda), but all provide crucial logistical support for terrorism. The question is whether we will actually step back and decide to do something meaningful or just take out one man?

Rand Allen forwarded Steve Kirsch's proposal for consideration and comment. As it happens, some of us in the firm were discussing a similar concept just last night, the major difference being that the aircraft, once despatched, could not enter controlled airspace surrounding major metropolitan areas such as NYC and Washington, without affirmative input by the pilot-in-command (PIC) of the discrete code. Once entered, the PIC would then go to "dead man's throttle" mode, so any release of pressure from a button on the control column would cause the aircraft to abort and go to another airport selected from the GPS database and autoland. Also, for flights near and over controlled airspace (i.e., over 10,000') the Flight Management System (coupled to GPS) would only allow pitch or bank changes within a limited range to preclude diving on targets from high altitude.

It would seem that Steve Kirsch's proposal (or variations of same) could readily be incorporated into existing systems. The GPS/FMS/autoland all exist on modern aircraft. The GPS nearest suitable airport selection criteria may need some reprogramming and making the system tamper proof and inaccessible would need to be done. Also, the possibility of override commands from ground stations could be considered. I would think that our client ARINC (the airline-owned radio communications company) would be a logical player, and obviously the major airframe manufacturers and avionics companies and the airlines. We represent Boeing and UPS which are both dedicated to satellite-based navigation and ATC control using ADS-B, as is ARINC. We also represent the International Air Transport Association, the trade association for all the world's scheduled air carriers. Putting together a highest-priority task force to explore Steve Kirsch's proposal (or variations of same) should therefore be considered. The FAA has also recently demonstrated ability to act swiftly on certificating new systems when crises arise (e.g., the industry-wide implementation of enhanced ground proximity devices following the American Airlines Cali crash), so there is hope that even that beleaguered agency would not slow things up if a workable autoland default system were proposed by a responsible task force.

Dear Steve:

Thanks for writing back. I read your web site. It is excellent. Here are my comments. I know you’re busy so I tried to keep this stuff short.

1. My “Safe Mode” is an emergency button inside the cockpit (and other on board locations). Your “Safe Mode” is on the ground. Why not have a “Safe Mode” button coded to each auto pilot in BOTH locations, so as soon as a highjack is reported, even if they couldn’t activate the Safe Mode on the plane, they can still do it also from the ground.

SK: That is incorrect. My SAFE mode is triggered on board their aircraft. Triggering it on the ground is optional.

2. I like the idea of your abort possibility in case the Safe Mode is accidentally pressed. However, there are a lot of “bad buttons” to press when a plane is in flight, including engine reversal control surfaces. Most pilots really know what buttons they dare not activate while in flight. But, since there is always a risk that the military will shoot down a plane that they “think” has been highjacked, an abort mode should be in place.

3. Land at the nearest airport while in “Safe Mode?” Trouble with that is that the plane is probably still filled with lots of fuel and makes the fire the downed airliner creates worse.

On the other hand, “forcing” the plane to remain in the air for say another 4 hours with a team of hijackers on board definitely puts passengers at greater risk. It might also give a group of determined travelers a better opportunity to disable the highjackers. Related to this issue is the wonderful advantage of “arming” all passengers with pepper spray. My cousin is a retired CHIP officer. He has told me that pepper spray is absolutely agonizing. Had all the passengers been armed with pepper spray, I can hardly think that ANY of the highjacked planes would have gone where the terrorists wanted them to go last week. However, the planes would still probably have crashed.

4. There are some severe problems with allowing REAL weapons on planes, even if they are “managed” by “well trained” travelers. I’d forego this program, and leave the handling of REAL weapons to professional sky marshals who have training in guerrilla hand to hand combat. Arming every passenger with pepper spray is a marvelous idea, because at worst, it won’t cause accidental deaths, even if your eyes tell you that you “feel like it.” Any weapon on a plane can be confiscated by hijackers and used on passengers and crew, so “training” passengers is vital. Timing is the key element. But having 150 determined passengers with pepper spray is a DAUNTING adversary to hijackers. If their “determination” is matched by some expertise, such as a training film showing small passenger “commando groups” on each flight, their efforts would have a much better likelihood of success. Advise them not to worry about “accidentally spraying” other passengers. If necessary, fill the entire cabin with the spray. If you or I become disabled, so what? Other passengers can take over our battle. Once hijackers are disabled, I don’t give a shit about my sinuses.

5. Dick Dittenberger and I are less concerned about small planes, since they don’t carry much fuel as compared to a commercial airliner. Even attacking the WTC with small planes containing regular “bombs” would not have brought them down. It took thousands of gallons of jet fuel, burning for over an hour to bring the towers down. Remember, the more TIME people have to escape, the more people are saved. Small planes are always a concern, but unless they carry a nuclear weapon, they are not a real concern. (THAT’S something to think about!)

The FAA is a joke. There was a horrendous report on airport security by 60 minutes last night. The FAA is guilty of criminal negligence. It may be literally appropriate to put their bureaucrats on trial and give them lengthy prison sentences.

Mike Rosenblatt 

Another note about thwarting this sort of attack. All that is truly necessary is that there be a system whereby anybody -- pilots, flight attendants, perhaps even multiple passengers -- can signal that there is a hijacking in place. For example, the maker of the airphones found in almost all planes could modify them so that if a hijack code is entered on their keypad, the signal is given to the FAA.

This thwarts the suicide attack because fighter jets can quickly be scrambled. If it's a normal hostage situation, they can escort the plane where the hijackers demand it go, as long as it's not near a ground target. (The main flaw is that busy airports could make a great ground target.)

If the hijackers demand the escort leave or they will kill hostages, the escort can respond that because of the threat of another WTC, they can't comply -- and the public will accept that and the hijackers will believe it.

If they are suicide hijackers, this may cause them to suicide, but not into a building, or they will be shot down (ideally disabled with special anti-civilian-jetliner air to air missiles)

Next step? Cut the engines and release the parachute. Yes, they make parachutes that can drop even a 747 to the ground safely, perhaps even after an EMP shut down the plane. They are expensive, but perhaps they are worth it.

The main point here is that if the suicidal terrorists know that they can't take over all the warning systems at once, the word will get out, and they won't be able to get to a target. Thus it's not worth trying. Sure, they can kill all the passengers, but there's a million places a suicide terrorist can kill a few hundred people.

STK: this is a really good idea from Brad Templeton.. I like this. It could be implemented immediately and is super cheap and super safe!



I am a pilot in the Swedish Air Force, where I fly Business-jets with VIPs. Maybe I'm not really at risk with the kind of passengers that we carry, but as a pilot I find, among others, Mark Zanzig's idea very interesting. But the main thing should be to COMPLETELY lock out any kind of control and just let the computers land the airplane. With today's technology there is no problem with avoiding weather, letting the airplane stick to airways without disrupting other traffic etc. Today, before takeoff the route that I'm about to fly (or the autopilot really...) is preprogrammed so why not have the computer follow this route to the destination? If the airplane sticks to the preprogrammed route, you have the least of problems regarding "planes turning" out of an airway to land at an airport close by etc. The fact that all airplanes fly with at least one alternative landing site where the weather needs to be pretty good, the only thing the pilot could maybe control is if the airplane should land at the original destination or go to the alternative landing site. And of course when the "panic-button" is pressed the airplane notifies the ATC. Just like when I as a pilot would enter 7700 (emergency) on the transponder. Then the ATC clears the space surrounding the aircraft. But the main objective should be to take away the control of "flying" the aircraft from crew and passengers. When the button is pressed that's it, you as a pilot are out of the loop. And if it was an accident to press the button, the person in the crew who did it needs some more training and if it was a passenger, that person needs maybe to do some jail time.


That's why control of the airplane should not be able to be reactivated. If the crew has a code to use then a hijacker only needs to threaten to kill or actually kill some people to have someone in the crew enter the right code. You can't ask the crew to act as God in a case like that.

The idea that the ATC also could "push" the button from the ground is very good. For example, not only hijacking situations but maybe when the cabin is depressurized and the crew and passengers are immobilized, pushing the button from the ground will land the plane safely after initiating an emergency descent to a safe altitude.

There are a lot of good ideas here and I hope that the aerospace industry listens.


Captain Richard Bona Swedish Air Force

Dear Steve, As the most travelled person in civil aviation I would like to give my full support and endorsement to your ideas. I have also been in an attempted hijack scenario as well as bombs on board in my travels. I am living currently in the UK. I am UK born but awfully proud to be a US citizen. I enclose the page from the page for your info. Please come back to me if I can help to further your ideas or we can speak on the phone. I am convinced that something like this has to be accomplished. I look forward to hearing from you. Fred

The World's Most Travelled Man Guinness World Records 12 Million Miles and 714 Flights On "Concorde"

Hello, Steve!

My name is Deborah Jones and I'm a 27-year international flight attendant for American Airlines. I just read about your "safe-mode" idea on I know a lot of people at my company's top management level, as well as influential people in the flight (pilot) department. I think your idea is brilliant and would do anything in my power to help you present it to the right people. Please feel free to contact me at my home in Dallas, TX either via email or by phone at ........

The events of the past few days are unthinkable to everyone in this country. I know we are all looking for safeguards to prevent this type of situation from ever occurring again. Thank God for people like you and many others.

They may have bombed our buildings....but, they didn't bomb America.

I look forward to hearing from you.



I loved your idea. But I believe it is problematic to try landing automatically when so many civilians are on board.


We install the hardened cages for the pilots. We establish multiple geographical "waiting areas" in the skies equally spaced out across the nation. IF, for any reason, the hardened cage of the pilot is broken while in flight, the plane immediately goes to 25K feet and begins to circle within the "waiting area". The radio automatically notifies the military on a predetermined setting. The plane cannot be removed from this mode until it receives the proper ping from a military escort's IFF. Upon receiving that ping the plane can be piloted by anyone left on board. If it attempts any shenanigans, the military escort eliminates the problem. I would recommend slight changes in the way we "arm" our transponders with the appropriate codes for total security.

Regards, Don Gardenhire

SK: Nice and simple, but the terrorists didn't "break into" the cockpit. They "persuaded" the pilots to come out.

I know you have been bombarded with ideas but I feel the need to add some additional enhancements to your suggestions. I travel by air almost weekly in the IT world and want to be assured of safety.
A. Safety mode should also be implemented by GPS system, other satellite communications, or ground control:
    1. If there is an extended loss of verbal communication between ground controllers and pilots. This was realized with Payne Stewart's plane. That plane was traveling pilotless for hours on auto-pilot. Even though military jets were activated to interrogate the situation, there was nothing that could physically be done, other than shooting the plane out of the sky. Obviously, this pilotless plane could have compromised buildings and people. If this plane was placed in safety mode and recovered, the NTSB and manufacturer could have discovered what actually caused the failure.
    2. If a pilot doesn't respond, manually or verbally, to a pre-determined timed autopilot continuance light or alarm. Recently, there have been alarming reports of both pilots falling asleep in the cockpit.
    3. If a plane drastically deviates from pre-determined flight plan not caused by weather or emergency situations. The plane would be placed in safe mode by FAA, as warranted.
    4. If cockpit air pressure is not maintained within human consciousness limits. This would have saved Payne Stewart, colleagues, and crew. This would require a different flight program activation to immediately reduce altitude to below 10,000 ft.
    5. If transponders are turned off without cause or justification.
    6. If a plane enters the highest level of restricted airspace.
You have my permission to publish these points, as you deem necessary. I applaud your efforts.
Thank you.
Bill Lindner
Phone: (757) 430-1520

As some of your readers have already pointed out, suicide mentality is difficult to defend against. We might however, at least look at the system put in place by Ethiopian Airlines, two armed assassins on every flight, no hijacker lives, and they have never had a successful hijacking! All it takes is a higher level of commitment.

Derk Schaupmeyer

SK: Sounds like an interesting short term solution.

Great Idea, but if the FAA gets involved in certification, this would take years and years. Eliminate the FAA, and it will be certified faster.

Also, even if it is unavailable in light aircraft, the damage caused by a light plane's fuel load is substantially less anyway.

Hi Steve,

Read your note and I'm glad to see that at least people are thinking innovatively about issues like this. Hopefully, the right people will be jerked out of any inertia they may have and investigate some of the awesome ideas on your site. Even with the panic button, anything we do should be to try and save the lives of people and what you have proposed acts as a logical deterrent but what price logic with those who are fanatic. A terrorist may try hijacking and having run into a fool-proof deterrent, blow up the flight in frustration and as an entrance fee to whichever heaven he is trying to enter. In order to do this, I think there are a few low tech things that could be done (some of these are already on the site). The premise they work on is that it needs human intelligence to deal with those who are illogical and hence we need to provide tools to someone on the flight to deal with any threats:

1/ Prevent passenger access to the toilets/pantry next to the cockpit and protect that area with unbreakable double doors. This prevents anyone from having a reason to go near the cockpit and gain entry and yet the pilots will be able to leave the cockpit if they need to.

2/ Have hidden cameras through the aircraft that allow the pilots to see what is happening at all times.

3/ Provide the pilots with buttons that allow them to release a gas that renders everyone in the flight unconscious immediately.

4/ And finally, a trick out of Indiana Jones' book - have the floor in the central aisle in the aircraft to be a series of trap doors any of which can be activated by the pilot and drops the terrorist into a cavity in the belly of the aircraft where again a gas can be released to render him unconscious. Even if they have gas masks, they are still isolated and the threat to the passengers is diminished.

Since it's hard to hijack an aircraft sitting in your seat or from a washroom at the back of the aircraft, a combination of measures would probably allow for absolute safety in combination with the deterrence you have proposed. All this is obviously effective only if the pilots are trained not to crack under pressure in the first few seconds and react quickly.

At the end of the day, technology can only deter but it takes human intelligence and reflexes to prevent other human beings. Systems/technologies are made to be cracked and then improved and cracked and again improved...

The idea sounds good at first but I find it fraught with problems and misconceptions: ILS is not 100%, cannot take into account microbursts, unexpected traffic in the air corridor (esp on final approach), which runway to use (some airports alternate between Left and Right in order to reduce the effects of thrust wash and turbulence brought about by the passing of each aircraft) or a host of other less frequent issues that arise on landing. Would you not only risk the lives of the passengers but people and facilities at the airport also?

I would offer this suggestion instead - pre-program the flight path of the airline from departure to destination with minor allowances for weather and traffic avoidance. Do not give the pilot the ability to change this program or deviate from it in any significant manner with a coded signal being sent to the aircraft from a ground station, manned by authorized FAA personnel. Sure, this has some holes in it also, i.e., someone could learn the codes and transmit them from a mobile device, but this can be accounted for during system design.

I appreciate Steve's intelligence and his taking the time to offer what appears to be a solution, but what he is advocating, in effect, is the dead man switch concept which has seldom proved to have the desired results.

SK: I like this idea too.  The only drawback is that human involvement can lead a hijacker into believing he can sweet talk (e.g., by killing crew members one at a time) the ground crew into giving him a new heading to Cuba. A combination idea is for the ground crew to enter the destination (so that two terrorist pilots couldn't do that), have the pilots verify it was done correctly before take off (to avoid a terrorist ground crew), and then make it "easy" for a panic button press to irrevocably lock it in. Even better is to lock in the primary destination and two alternates. If the panic button has been pressed, the pilots can still choose any of the 3 previously determined destinations.

I agree that a technological solution would likely be cheaper and more effective than sky marshals. However, I suspect that the "positive" system described would be perceived as too dangerous (and would therefore never be accepted) because in the event of aircraft malfunction, the pilots would be helpless. How about a "negative" system? Pressing the panic button would prevent the plane from being flown anywhere EXCEPT in a designated corridor. The pilot would still maintain full control as long as the aircraft was within a certain distance from the plane's predefined route. A GPS I had in a rental car worked according to the same basic principle. As long as the car remained within the corridor of the programmed route, the GPS was happy. But, when I strayed from the route a rather obnoxious alarm signalled. Similarly, a plane on "skyjacker alert" could be piloted in the corridor, but the GPS would not permit the plane to fly out of the country or be used as a missile.

SK: Unbelievable....I read this message right after I composed the reply above. I like this idea ... and not just because I just thought of it too!


Yes, it sounds good unless the plane's destination was, say, Dulles, or JFK. The "corridor" can't be too tight, because you may have to circle due to traffic or trying to dump fuel (always done for an emergency landing).

Keep in mind we need to minimize the complexity of the programming to reduce the chance of safemode getting confused and bringing the plane to "land" on a lake or something. A subtle bug could be lethal.

No, when safemode is engaged, it should announce itself on the plane, so the hijackers know they've just lost their chance to hijack; signal ATC it is engaged, select and notify its new destination of its impending arrival, lock onto the beacon and land.

And if the weather is too rough at destination 1, the way around it is a "positive" clearance. When safemode selects the new destination and signals the destination, the destination must respond that landing is safe. No reply tells safemode to pick another. If it goes through its entire list of sites, it decides its receiver is disabled and picks a site, this time signalling it's coming anyway.

As far as autolanding... Europe's Airbus planes can land by themselves with no problems... even compensating for microburst.

As far as shutting off the power... naturally there would be an override.

Dr. Michael M. Rosenblatt (and Dick Dittenberger) 8082 Winery Court San Jose, CA 95135-1450  (408) 531-1800

Date: Sept. 16th, 2001

Dear Steve:

A friend of mine, a retired aeronautical engineer, and myself came up with almost virtually the identical schema you published in the SJMN. The only things we might disagree with here is the cost of the unit systems. Otherwise, they're about identical.

The question remains: How can "average" people like us GET this to the FAA to get them to listen. Perhaps you have more connections than Dick and I do. Please do what you can to get our ideas out. Congratulations on your article. It was a breath of REAL fresh air. I cannot tell you how delighted I was to see it published.

Dick and I are not interested in any "monetary" value of this idea, or any personal recognition. We could care less who gets the "credit" for it. We just want it DONE. You have our permission to publish this on your web site.

Mike Rosenblatt Dick Dittenberger

Here it is:



Install on every public and private aircraft that carries 30 people or more a system that can “control” the damage caused by hijacking by disabling flight surfaces to cockpit control, notifying military authorities automatically, while providing a fixed, pre-defined, unchangeable flight path.

1. In order to take off, a pilot must install the GPS coordinates of their destination in the auto pilot system. 

2. Once installed that cannot be changed without a special code. The fixed nature of that code would exist as soon as the "highjacking alarm" button is pressed by a flight crew member. The code number is known only to the military authorities, and is different for each auto-pilot. The flight surfaces would lock and become inoperable by anybody on the aircraft immediately as the system is activated. 

3. As soon as a member of the flight crew gets information about a hijacking in progress, the AUTO PROGRAMMABLE LOCKING SYSTEM WOULD BE ACTIVATED.

4. This will do the following things:

A. All ground communications between the aircraft are terminated. So if hijackers threatened, or actually kill each and every person on the aircraft, they would still not succeed in getting the secret code to release the control surfaces. They might have other ways to try to communicate their demands, say with cell phones, but the military could probably find ways to block those communications. Those methods should be classified and secret. Authorities might prefer to be able to monitor cockpit sounds during a hijacking incident, but this should be only one way communication. Important timely intelligence might be collected in this fashion, as well as the potential to save the aircraft, especially if the hijackers are over-powered during the crisis.

B. The system would automatically fly to 13,000 feet and remain there until the system automatically “unlocked” about ½ mile prior to landing at the pre-designated GPS site. There is a limited "window" of vulnerability upon "release" of the auto pilot, but only co-ordinates within a fixed range of the original GPS system setting would be permitted during landing.

C. After activating the "highjacking alert button," nobody on the aircraft would be able to change or control the flight surfaces without inputting the secret code. Only the military and/or the President would have that code.

D. An automatic transponder beacon would be activated showing that the plane had been hijacked. It would be engineered to be impossible for anybody on the aircraft to turn off the beacon. The plane could be easily followed by authorities. Other aircraft could be easily diverted from its path.

E. Locking the flight deck before take off would give the flight crew the extra few minutes necessary to “press the button” notifying authorities of the hijacking and activating the locking system(s).
There must be some “secret” methods for flight assistants to notify the flight crew of an impending hijacking, since this is the primary “weakness” of the system. These communication methods should not be “advertised” in the media.

5. No anti-hijacking system is perfect. It would still be possible for hijackers to fly the aircraft into the terminal, attack the tower, some homes and buildings near the airport, etc. However, there would be considerable time available to EVACUATE those areas, since the authorities have excellent information on where the plane is going. Even a few minutes notice could prevent extensive loss of life. Loss of property is probably un-avoidable, as well as the occupants of the hijacked plane. 

6. The aircraft would thus have to be considered “lost” if this occurred. The President only would have the option of requesting that the military destroy it at some point during flight if necessary for national security. This agonizing decision is why we elect a president in a free society. It is a logical extension of presidential authority.

7. Terrorists would probably try to find a way to “disable or tamper with” the system prior to entering the flight. This would require collusion between aircraft mechanics, ground staff, etc. Authorities must develop secret technologies and policies to try to avoid those patterns of abuse.

8. This system could cost billions to put into effect. It could take many years to install throughout the system. Taxpayers should pay for it. I believe the engineering involved would not be prohibitive, and is certainly possible. It is absurd to allow aircraft to be “mechanically friendly” to hijacking.

9. Airplane development engineers suggest that each system would cost approximately 3 to 5 million/plane. Improvements of technology are a standard procedure in any wartime situation. Radar was one of the main reasons why we won WWII. This is no different than any other war.

There is no such thing as a “perfect” anti-hijacking aircraft mechanical policy. Loss of life and property will (probably) occur in any hijacking situation. But if (parts) of the system are made public, terrorists will learn that they have much less ability to control an aircraft after it is commandeered. That must be the immediate goal of America.


Dr. Michael M. Rosenblatt (408) 531-1800 Mr. Richard Dittenberger, retired aeronautical engineer, 30 yrs. employed by Boeing as a landing gear expert and new airplane developer

Very well thought out, but should also place a bulletproof door, with hidden camera forward and aft cabins, which takes both pilot and copilot to open, or engineer, or the old (3) people rule, which makes all dependent, or at least (2) of three, will unlock door. This would reduce pilot nerves, and increase the likelihood that the plane will land safely and people will not be victimized.

One issue you failed to discuss is how Safe mode would interact with other air traffic.  I am an Air Traffic Controller and the idea of an aircraft leaving its assigned altitude by itself and flying to a random airport has a few other problems.  Our skies are too crowded for this to safely happen.  U.S. passenger aircraft are required to have Traffic Collision Avoidance System (TCAS).  TCAS is tied into the flight management system and altitude encoding transponder. Safe mode would have to talk to the TCAS which could in turn talk to other aircraft.  Unfortunately, TCAS at this time only gives altitude (climb/descent) information.  That is, it advises the pilot to climb/descend at a specified climb/descent rate and coordinates this instruction with the second aircraft for obvious reasons.  TCAS at this point does not actually change altitudes, it gives the pilots a proposed solution to the traffic situation.
A second issue is how to inform the Air Traffic Control (ATC) system of the change in destination.  A technology exists called Mode S transponders that allow two-way communication between ATC/aircraft.  Mode S could communicate the activation/de-activation of Safe mode to ATC.  Mode S is not operational in the system, and its future is in serious doubt, but it does exist.
I think you have a valid idea and it is do-able.  Good luck building support for what sounds like a good idea.  Folks in IT are innovative and I am proud to be a part of that group.  Thanks for spending some time thinking about this.
Rick Baker (who works at FAA)

SK: Thanks for the words of support. It has always been amazing to me how much technology we have available to us that the FAA does not let pilots use. By not letting regulations get in the way of the technology, I think we'd be amazed at what can be done. 

I had the same idea with some variance.....just don't let Microsoft develop the autopilot. Or the plane will crash before it even gets off the ground in the first place.

Apparently your plan already incorporates GPS as the primary guidance capability. Most large aircraft already incorporate autoland capabilities. Friends of mine, then students at Stanford, now employed by IntegriNautics, were able to autoland a 737 numerous times in their GPS tests. If we can step up the development and deployment of Local Area Augmentation for GPS, your plan can incorporate full autoland, negating the need for pilot intervention upon landing and effect a runway shutdown, which places a (potential) hijacker in even greater jeopardy by refusing them the even slight chance that they might try to blend back into the crowd and escape at a gate.

As a pilot, and knowing a number of pilots, I expect some resistance to your idea. I suspect that upon reflection, most of the pilots *I* know will be willing to accept it as a viable alternative to what happened Tuesday. Their main gripe will be the one about the loss of autonomy for the pilot in command. I cannot agree with that concern.

Regards, Gerry Creager --

I believe that you are moving in the right direction. Short of strip searches, I believe something can always be brought on board to serve as a weapon.

I travel a lot and the idea of searching people is crazy. Anyone in the gate security business with an IQ smart enough to find a real terrorist is unlikely to want a job looking at X-ray images for 8 hours a day -- and I suspect, the pay is probably at or near poverty level. The best (most thorough) security I find are older, probably retired folks. The standard security person will probably identify the emotional lunytunes character but not the true terrorist which seems to have an intelligence level well beyond the security staff as well as the commitment.

The human inspection activity is the weakness. I have been carrying a small Leatherman tool with a blade about 1.5 inches long in my briefcase for about two years (>100 flights). A Leatherman type of knife does not present a "knife profile" in an X-ray. It is a chunk of metal. Yet, it is easily big enough to slit a jugular in the throat. This is just one kind of threat. I can think of many more such as repackaging some of the typical toiletry items with hazardous or poisonous materials. Two hijackers could coordinate efforts and each bring parts of weapons, etc..... I have thought of this all before this week. As an engineer, I certainly have the knowledge of how to create harm and so can others with the motivation.

So, using ideas like yours must be the eventual solution. System errors can be controlled, technical shortcomings can be solved, etc. Only one point you did not mention is to protect the plane from an errant air controller on the ground but that will be trivial as long as there are multiple ground controller locations. Even then, a forced landing is not all that bad as long as issues associated with multiple planes are addressed.

Keep it up. I would be happy to participate in informal critiques. I am a Mechanical Engineer with over 35 years experience and expertise in systems analysis and nuclear safety.

PS. I have a brother-in-law who is an ex-pilot. I will try to get his reaction for you.

Best Regards, William Quapp

I am sure that you are getting floods of emails so I will be brief.

My wife and I were JUST TALKING about this very idea last night, however I had proposed the idea of using an APIC (smartcard) which, since ALL of the cockpit functions are "digital" (meaning unlike prop counterparts, which use PHYSICAL cables to move the various flaps, ailerons, etc. it is just sending commands to the hydraulics systems computer control box) the controls are able to be COMPLETELY shut down via the on board computer system. Basically how my idea works is the pilot in command and the navigator each have smart cards. They are unique for each employee. Once inserted, the controls would become active. The plane's plotted course (before takeoff by special agents or crew whose smartcards have the only access to this portion of the computer) CANNOT be changed either manually or by plotting through VOR. If deviated by more than typical margins used in standard flight paths (i.e. slip streaming, avoiding storms/traffic, etc) a beacon sends the warnings and engages "hijack recovery mode".

If the cards are removed or if the large red lighted plastic button (your typical "eject" looking button) in locations you described is pressed, the plane sends a beacon via the VOR or transponder, or GPS, etc. notifying all neighboring airports of the hijacking. Then it sends the plane into a 15 minute holding pattern giving ground forces time to respond and air force/navy planes to scramble to the scene. At that point any number of scenarios could be preprogrammed into the flight computer to their liking.

I had no idea that the ILS had gotten so advanced as to COMPLETELY land the plane. That is amazing. Your idea sounds great although the fact of implementing it (with a completely automated takeover) would pose some debate from certain groups that have concerns about "self flying" planes and possible dangers. There are always the what if people.

Thank you so much for your time.


Steve's idea has a lot of merit. The development costs would be substantial but manageable, and probably could win support from the FAA. The objections would probably arise from the pilot's lack of confidence in automatic systems' design and reliability. My brother is a pilot for United Airlines, and I'm sure his objections would arise from this, and because he might feel that the autopilot's judgement cannot compare to that of a well trained and experienced pilot. But, even so, in today's computerized cockpit, such an idea could provide _A Level_ of protection. But understand, the terrorists were able to just unplug the circuit breaker to the transponders. What's to stop them from just cutting all power to all subsystems, and flying the aircraft using emergency manual procedures?


Great idea ... wrong perspective. Every plane is watched by a FAA controller somewhere in the system. This controller gives the plane vector and altitude and they are expected to stay on it. If they go off vector or altitude by some pre-determined margin or they shut off the system that broadcasts the data then automatically engage the system and let the controllers bring the plane in safely. This gets around hijackings and radical pilots. This hands-off landing system, the Automated Carrier Landing System (ACLS), is used by the military today.

Dennis Eisenstein

SK: Good idea, but there are some issues. The control frequencies from the ground could be jammed, it's tricky to land a plane via remote control, and the controller would still be subject to threats from the hijackers.


Not to burst your bubble, but your idea was already expressed via the media when the plane was hijacked by that Egyptian and crashed into California waters. I wish I could remember all the details, like what aviation expert at the time expressed the answer for our commercial planes, but I don't remember much, unfortunately. I believe he also expressed the cost factor to implement this feature. Sad. Because somehow that "cost" pales in comparison with the cost we've paid this week (and years to come) by not having it.

SK: Great, if cost were the only issue with this, I think we're done! 

I just read your article about SAFE mode (it was linked to zdnet). I think these kind of solutions are on the right track but I think people will have trouble with the human aspect of pushing the panic buttons. Too many panic buttons and they'll get pushed all the time in non-emergency situations. Too few and there's a chance that someone could pull off a hijacking (there were 4-5 terrorists per plane on Tuesday; each could cover a panic button in your initial proposal). Why not just have panic mode initiated from takeoff? The flight plan's already been laid out anyways. Give the pilots a couple of degrees of freedom on the GPS and your proposed 15,000 to 40,000 feet altitude range and only ground control can change the original flight plan. Maybe you could use a code given to the pilots to change the flight plan too. Just some thoughts on your idea.
Randy Mayes

SK: Nope, they couldn't cover the wireless or cockpit buttons. If they tried to shoot out the keypads, the keypads would activate (i.e., they must be operable or the system will engage). 

FAA regulations require that pilots be able to physically override the autopilot. That way, if the autopilot "goes nuts", and will not disengage, the pilot can still fly the airplane, by simply outmuscling the autopilot.

Obviously, for your friend's plan to work, this would have to be undone. While it is conceivable that a "fly by wire" airplane, i.e., one that has no mechanical connection between the pilot's controls and the flying surfaces, could do what your friend wants to do, more conventional, non "fly by wire" airplanes probably could not. I don't know what the ratio is. But probably the large majority of existing transports.

SK: Yes, I agree that relatively few aircraft are true fly by wire where the computer can control the entire plane. However, it is still true that virtually all can land automatically, with operator intervention only after the plane has landed.

Incidentally, I'm told by my brother, a part-time pilot, that Lockheed pioneered auto-land technology with the L-1011 Tristar and that French aviation authorities, in the interest of maintaining reliable flight service to Mediterranean-bordering airports, simultaneously developed auto-land systems.

The FAA has three categories of landing visibilities referred to by I, II and III. The most advanced airliners are capable of landing in IIIC, visibility 0, ceiling 0. The entire landing is done automatically. It lands and stops the airliner. Apparently, they don't use it unless they absolutely have to, since humans are seen as safer than machines for this application.

SK: 100% fly by wire isn't required here. If there are pilots, this works. If there aren't pilots, you'd be dead no matter whether you implemented this or not (unless you are riding on a fly by wire plane in which case you are fine... in fact, this mechanism could potentially save more lives than the system we have now).

Do you really think this would work, i.e., would we really go with technology that lacked a manual override? Wouldn't it be easier to completely limit access to the cockpits like I'm told El Al does?

SK: The pilots in this air disaster cooperated with the hijackers. A steel door wouldn't have changed that. However, if the steel door were impervious AND could not be opened because of a physical interlock until the plane landed, we could have avoided the collision with the Pentagon and WTC. However, it would not prevent hijackers from taking a plane to Cuba, etc. A door that cannot be breached or opened might be a good interim solution.

Hi Steve,

I read your panic button scenario and while certainly a good idea, I see two problems with the current revision:

1) It seems that it would still be possible to do a suicide attack in a heavily populated area by letting the plane guide itself near an airport, and then causing it to crash using an explosion, opening doors, or other means.

2) This focuses on the suicide bomber scenario. Many hijackers may want to simply land at a random airport and hold the passengers hostage. Once on the ground they know that the system can be disabled in some form (you're not going to throw away an airplane after one use of the panic button), so they can threaten to kill passengers unless they get a technician on board to re-enable the aircraft.

I also have a suggestion: A double-door system, while taking up a bit more space, would solve the "pilot has to go to the bathroom" or "pilots need food" problem. Also, a "Panic button" on the door system (which would permanently lock the pilots in the cockpit) would solve the human weakness problem. I do believe pilots could be trained to lock themselves in immediately if there is any type of attack.

Best regards,

-- Mike

SK: 1) Doors are impossible to open in flight, but an explosion would be possible. However, the plane is only close to ground near the airport, so relatively little damage would be incurred. A terrorist would find that unappealing.  2) the system could be designed so that no technician could disable that (i.e., the aircraft vendor would not supply the technology). Knowing that it isn't possible to disable it means that a hijacker would have to use the hostage situation and try to arrange for everyone to get off the plane so he could then fly it solo, and not have to worry about the system engaging. He could then fly it into the Capitol or Empire State building if he was able to convince the ground crew to get the plane in the air. If the codes to re-enable the plane are not provided, he has a plane that won't start. If all ground crews are trained not to re-enable the plane under any circumstances, the hijacker loses. Your double door idea is a good one too.

Hi Steve,

I very much like your idea, especially after Tuesday's disaster.

However, I think the stuff must be made more simple. The general message should be: PRESS THE PANIC BUTTON, AND FORGET ABOUT DOING ANYTHING WITH THE PLANE BY YOURSELF!!

1) Once the panic button has been pressed, it cannot be undone by the crew. Full stop. No more worries about PIN-Codes and such. If the button has been pressed by accident, then the airline will be really angry and provide additional training to the crew member who pressed the button by accident.

2) Why not have a 128-bit secure wireless link between ground control and the plane? Then the ground control tower could un-do the pressing of a panic button IF they are 100% SURE that it has happened accidentally. But this needs some more investigation, because how do we make sure that the button has REALLY been pressed by accident? We can't. Therefore, I would prefer to not make the button resettable. "Press Button = Forget Plane" is much better. Even far-east terrorists will understand this (well, maybe not, but they will soon discover the secret behind this).

3) Once we have the wireless link, let the ground crews take over the flight completely, giving no control whatsoever to the pilot until the engines have stopped (not even braking and such allowed!). This is no rocket science, I guess, because even my old 486 could run MS Flight Simulator 4. Also, this bad weather stuff can be avoided by this.

4) The panic button should be activated automatically in certain cases, like loss of the "wireless link" or manual deactivation of certain components (e.g. the GPS unit, or the "black box"). If no wireless link is active, and the button has been pressed, then the automatic landing will take place, disregarding bad weather situation. Also, if the wireless link is down due to bad weather, the link should improve once the plane gets close to the airport. And with the wireless link working (again), the ground crew can bring the plane down safely.

5) Maybe the pilot has to enter his personal PIN (changed once per month) every hour during a flight to make sure that he is still in the seat, alive and kicking? If the code is not being entered, the panic button is being pressed automatically. This resembles the dead-man-button that needs to be pressed by train drivers.

6) As long as the wireless link between ground control and plane is active, the ground control can ALWAYS release the panic button. So, for example, if they see that the plane is taking a different route than planned (as happened on Tuesday), they simply release the panic button, and that's it.

I REALLY like the idea, and I hope that this mail does not get lost in billions of mails you will receive on this.

Best regards, with a smile from Munich/Germany,

Mark Zanzig 
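
Points 1, 4, 5 and 6 of the message above describe a latch with several triggers and one release path. The Python model below is an added illustration, not part of the original e-mail and not avionics code; the class and method names, the PIN value and the timeline are constructed, and it takes point 6 (ground can release over a live link) rather than point 2's preference for no reset at all.

```python
"""Toy model of the panic-button rules in the message above (added example).

All names here are hypothetical; this is not avionics code.
"""
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"   # crew has the controls
    SAFE = "safe"       # latched: autopilot owns the aircraft


class Actor(Enum):
    CREW = "crew"
    GROUND = "ground"


PIN_INTERVAL_S = 3600   # point 5: PIN "every hour"


@dataclass
class PanicLatch:
    pilot_pin: str
    link_up: bool = True
    mode: Mode = Mode.NORMAL
    last_checkin: float = 0.0
    log: list = field(default_factory=list)

    def _engage(self, now, reason):
        # Every trigger is recorded, even when the latch is already set.
        self.mode = Mode.SAFE
        self.log.append((now, "engage", reason))

    def press(self, now):
        """Point 1: anyone can press; nobody on board can undo it."""
        self._engage(now, "button")

    def set_link(self, now, up):
        """Point 4: losing the ground link is itself a trigger."""
        self.link_up = up
        if not up:
            self._engage(now, "link-lost")

    def component_disabled(self, now, name):
        """Point 4: pulling the GPS unit or the recorder is a trigger."""
        self._engage(now, "disabled:" + name)

    def pin_checkin(self, now, pin):
        """Point 5: a correct PIN restarts the dead-man timer, but only
        while the latch is open; it is never a way back out of SAFE."""
        ok = hmac.compare_digest(pin.encode(), self.pilot_pin.encode())
        if ok and self.mode is Mode.NORMAL:
            self.last_checkin = now
        return ok

    def tick(self, now):
        """Called periodically; fires the dead-man trigger when overdue."""
        if self.mode is Mode.NORMAL and now - self.last_checkin > PIN_INTERVAL_S:
            self._engage(now, "pin-overdue")

    def release(self, now, actor):
        """Point 6: only ground control, and only over a live link."""
        if self.mode is Mode.SAFE and actor is Actor.GROUND and self.link_up:
            self.mode = Mode.NORMAL
            self.last_checkin = now   # assumption: release restarts the PIN window
            self.log.append((now, "release", actor.value))
            return True
        self.log.append((now, "release-refused", actor.value))
        return False

    def crew_has_controls(self):
        return self.mode is Mode.NORMAL


def run_scenario():
    """Constructed timeline (seconds since take-off); returns observed results."""
    latch = PanicLatch(pilot_pin="4711")          # constructed PIN
    out = {}
    out["checkin_ok"] = latch.pin_checkin(1800, "4711")
    latch.tick(1800 + PIN_INTERVAL_S)             # exactly on time: no trigger
    out["on_time"] = latch.crew_has_controls()
    latch.tick(1800 + PIN_INTERVAL_S + 1)         # one second late: latched
    out["late"] = latch.crew_has_controls()
    out["crew_release"] = latch.release(5500, Actor.CREW)
    out["late_pin_unlocks"] = latch.pin_checkin(5600, "4711") and latch.crew_has_controls()
    latch.set_link(5700, False)                   # link jammed or out of range
    out["ground_release_no_link"] = latch.release(5800, Actor.GROUND)
    latch.set_link(5900, True)                    # link back near the airport
    out["still_latched"] = not latch.crew_has_controls()
    out["ground_release"] = latch.release(6000, Actor.GROUND)
    out["reasons"] = [r for (_, kind, r) in latch.log if kind == "engage"]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, "=", value)
```

The model makes one consequence of combining points 4 and 6 visible: because link loss is a trigger and release needs a live link, interfering with the link can only set the latch, never clear it.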

SK: These seem like good ideas. I'm a bit wary of controlling the plane from the ground, but I guess I have to remember that we did manage to land a space probe on an asteroid (NASA's NEAR Shoemaker spacecraft landed safely on the surface of asteroid Eros on Feb 13, 2001)... if we can do that, we can control the plane from the ground. The beauty of the panic button is that it irrevocably locks in a destination, whereas hijackers may believe that they could sweet talk a human ground crew if the ground crew has control.

Or just take pilots out of the equation altogether. Computer control systems have progressed to the point where they are completely capable of flying an airplane. The military has recently begun using a computer controlled aircraft of a size comparable to a commercial airliner. This aircraft is called the Global Hawk, formerly known as the Tier 2 plus. It is designed to react to situations such as weather, and even hostile fire...It has proven reliable under all aspects of flight, including takeoff and landing. I am personally working on a project at Iowa State University, to build a completely computer controlled aircraft, if a bunch of college students can do it with minimal funding, then the engineers of this country would not have a problem with it...just the passengers. More info -

Securing the cockpit does no good at all… any hijacker could coerce the pilot into submitting by threatening passengers and crew with death until the pilot opened the door. I can't imagine a pilot not caving under that kind of pressure.

Your friend's idea is actually pretty good… but I would not allow for any reversing or disabling… and I would remove any ability to control the plane at all… (and that includes by ground control or the cockpit)… threats of death to passengers and crew could convince ground control to abide by the hijackers' demands.

As far as altitude and obstacles… I would have the approach for all potential emergency landing strips pre-programmed into the system… this would solve obstacles. As far as compensation for weather… I'd forgo it altogether. The ability to introduce any guidance at all could prove to be a weak link… weather would simply have to be a gamble.

And I also think that the complete landing process (flaps, braking and reverse thrust) could all be automated… simply leaving the plane on the tarmac.

If anyone mistakenly initiated the system… they would simply go to jail.

The cockpit door is merely a privacy partition. Many captains leave the door open during taxi--for passenger comfort & interest, just as you can listen to pilots' transmissions on the headphones during flights--but FAA regulations require it to be closed during takeoff. It's not meant to be a physical barrier at all.

Even if it were, I've heard pilots say that nothing would prevent them from coming out of the cockpit if they thought a flight attendant's or passenger's life was threatened.

I like the idea of a separate entrance for pilots, and must note that bulletproof partitions are prevalent in CABS also. This is technology that is easily integrated, as is a separate hatch for the cabin crew.

Elaborate systems are costly, time consuming and high-risk. We need simple solutions NOW that can be easily implemented, using tested technology.

The panic-button idea is perfect, but not sure about the auto-land part. Much more feasible is putting the plane into auto circle and alerting Air Traffic Control, even summoning fighter jets. That could be done with a contact switch and software updates.

Let's be frank: the world is changed forever and airport culture must adjust to this threat. What we thought were minor inconveniences are now irrelevant.

We must draw upon known designs from other industries to more easily integrate these complex systems. People have been calling for commercial airlines to follow the practice of military planes by pumping inert gas into the fuel tanks during flight to minimize the risk of explosion.

The news as I type is describing further arrests of people with fake pilot IDs and uniforms, *still* trying to get on planes! WTF?!?!?

Extreme measures are required.

I think the idea has a lot of merit. I had a similar thought (though a lot simpler and lower tech). My idea was to have the plane just start circling at its current location if the "Emergency" button was hit. To unlock the holding pattern, people on the ground would have to be convinced that there were no hostile people on board. They could then signal the aircraft computer that it was all clear. Then the plane would be returned to the Pilot's control.

Improve the barrier between the pilots and passenger cabin, make it bullet resistant and formidable. The door is closed prior to passenger boarding. Finally instruct the pilots to never, ever, open that door.

A drawback is I think airlines like you to "see" how relaxed and professional the pilots look - it is very reassuring.

I have experience with the flight management industry and I can't agree with the autoland feature simply because of liability -- you can never be sure of the integrity of entire autoland system. As long as people are on-board no amount of autonomous computer control is ever 100% reliable.

My bright idea doesn't depend on flying the plane: simply line the spine of the airplane (above the passenger cabin) with a set of drogue and main parachutes (or a parawing). Next, provide a jettison mechanism that shears the wings off and allows the cabin to gently lower to the ground.

The only negatives are if it goes off accidentally or too low. The plus is this also provides recovery for a variety of in-flight failures.

One thought about all these solutions: when you add equipment to airplanes it is exceptionally difficult to get end to end approval from the government, airframe builders, and airlines. The risks are often so disproportionate to the benefits and that fact keeps a lot of innovations off the fleets.


No, the control of the plane can not be returned until AFTER it has landed and automatically blown all doors when it has stopped.

The weak link in all the security discussions is PEOPLE. At least one of the hijacking teams got access by killing crew members until the pilot opened the door.

Another is the ability to disable equipment. The transponders in the 4 planes were disabled. The safe mode CPU must be protected from being disabled except by a complex method. Since the intent of safe mode is to land the plane, it seems very unlikely it would need to be disabled.

As far as it landing the plane, talk to Lufthansa. A gentleman I was talking to today told me about his landing in Germany. After the plane stopped, the pilot announced they had landed by autopilot (it was very foggy). Then the pilot said, "It does work, after all".

This sounds good. Now is the time to promote it, while safety is more important than money.


You can not stop someone bent on killing themselves in order to gain access to heaven. Maybe they will not land the plane in a foreign airport or American building, but in most cases they will just blow up the plane and the passengers in the same way they drive a car bomb into the side of an embassy.

I have some better ideas.

1. Put a real door between the cockpit and the passengers. That little porta-potty door couldn't stop a girl scout from kicking it in. Make a rule that the pilots are NEVER to leave the cockpit under any conditions while the plane is in flight.

2. Give the flight attendants training and access to non-bullet weapons. Such as Tasers, mace, etc.

3. Install a camera(s) in the plane so that the pilots and if need be the ground crew can always monitor activity in the plane.

4. Planes already have oxygen delivery systems. Make it so the cockpit crew, with the flip of a switch, can pump the passenger section of the plane with an odorless sightless sleeping gas to knock out everyone behind the cockpit. Sure there is a risk a sick, elderly, or infant person would die from this, but look at the alternative. It would be a last ditch effort to regain control.

All four of these things combined would be much easier and cheaper to implement than this "Silicon Valley" solution, plus there would be less of a chance of problems. If people can break into defense department computers, banks, and other high security things and do as they long do you think it would be before they could "over-ride" this technological solution??


As a variation of the concept I have always thought of this idea for use on air force 1 but could be used on a commercial jet as well. It is based on the same basic theme as the one outlined in this article in that its existence would lead people not even to attempt a hi-jacking.

The idea is this: use the same auto-landing system but immediately release a mild anesthetic into the air, rendering everyone on board unconscious while the plane is landing. The officials on the ground would simply enter the plane and take off the hi-jackers. I know that there are some problems with this (mentioned below) and I admit that I thought that this would have more feasibility on an extreme one-off basis (air force 1) but I think that the existence of the system would render its use unlikely. By the way, this was just off the top of my head and I don't claim that this would work or would be feasible but thought that I would throw out the idea for discussion.


* Health reactions to the gas
* Hi-jackers making makeshift gas masks out of materials on board or sneaking one onboard
* ????

SK: Gassing the cockpit is a good idea, it's been suggested by others I've spoken with. It would mean that the hijackers would be unconscious upon landing, making a hostage situation impossible (unless they could all sneak on with gas masks or portable oxygen canisters).

Also with a locked airtight cockpit door the pilot could just push the button to release the anesthetic and then guide the plane to the ground. Much lower tech but this could save the millions of dollars it would take to outfit planes with auto-pilot.

Don't the Pilots have control of the plane's cabin pressure? If so, as soon as they get wind of a hijacking, the Pilots should release the cabin pressure and cause everyone to go unconscious. No questions asked. No fussing around. Land the plane, evacuate it and have a squad comb through it for bombs, etc.

They also need to install surveillance cameras throughout the planes.

SK: If you are too high and release all pressure, you'd kill the passengers. There may be a way to release some pressure to knock everyone out without killing them. That might be way way too tricky to risk... if the equipment malfunctions, you could kill everyone. On the other hand, it may be the simplest and easiest solution. Gas masks wouldn't help a terrorist if there is no oxygen.

This is an intriguing idea, and I believe it has some merit. In the meantime--this is the first day of flights after Tuesday's attack. Here is what has happened so far.

1--Three airline employees tested airport security at Phoenix. There is no airport security at Phoenix, even after the tragedy last Tuesday. Two of the "security hackers" got through with metal knives, the third got through posing as a pilot. The airport says this is an isolated incident. How would they know? They have no security at the Phoenix airport. I have better security at my house.

2--The government reports that there are four more sets of hijackers. But planes are still flying. Why? Do we really want a repeat of Tuesday?

3--At Boston, the pilot comes out of the cockpit to talk to passengers. There were three hijackers on the plane at the time. The hijackers were captured a few minutes later, while the plane was still on the ground. They could just as easily have hijacked the plane on the ground when the pilot came out of the cockpit.

How come the flight crews have not been told to get on the plane before any passengers, and remain locked in the cockpit until all passengers have left the plane? No exceptions, and you lose your license to fly if you don't do this.

3--Air marshals work. I won't fly until we have them again. Neither should you. We have armed guards for city buses, for crying out loud. So what if a few airline executives have to have slightly smaller bonuses to go with their millions of dollars of salary.

No planes should fly until we actually have security at our airports. And the flight crews use common sense. And we have trained armed guards on all airplanes.

I think the key to ending skyjackings, lies in the separation of the pilots from the main shell of the plane. Make the cockpit a separate entity, impregnable from the passenger section. Give the pilots their own rest room and food preparation area and boarding protocol. Have a camera installed to allow viewing of the passenger cabin and a button to push during a hostile takeover. The button can release a non-lethal gas into the passenger cabin, disabling the entire section, until an emergency landing can be implemented. Perhaps a tad extreme, but better than multiple deaths.


I was amazed when I read Anchordesk tonight... I'm a private pilot, as is one of my senior execs... just tonight I finalized an idea not unlike yours (attached below).

The only significant difference is that I suggested that specific air force bases in rural areas - say spaced every 500 miles or so around the country - be the destination once the panic button is pressed. I'd also scramble two jets, for security and to transmit a powerful homing signal so that terrorists can't jam the GPS signals. Toward the final few miles, the pilot can control directional and altitude tuning plus or minus a few degrees and a few hundred feet, so the final tweaks can be handled manually should they be needed.

The Air Force Base is more secure than civilian airports; and more likely to have teams to control any violence on landing. They are also less likely to be in a populated area. Oh - one other thing - the route to the nearest base follows less densely populated areas, not flying over cities or landmarks.

Otherwise, I think your plan is a solid one. I've asked another few pilots I know to review my plan... and have sent them the pointer to your idea. I'll let you know what I hear back - but I think it's a great idea!

Miles Kehoe 


I was thinking of a possible solution to the 'jets as weapons' problem... the solution is made easier if jets can fly themselves, but it's not needed :)

So here's what I was thinking...

First, commercial jets have a 'panic button'... a 'one use' switch in the cockpit, at pilot and copilot station, that puts the aircraft on full autopilot. The plane vectors immediately to one of a dozen or so identified air force bases around the country - say every 500 miles or so apart on a grid.

Once the button is pressed, no one on the aircraft can change the destination... the plane flies within a few miles of the closest AFB, and lands. (If the technology does not allow such fully automated landings, then the yoke can provide input - say +/-5 degrees at 5 miles, +/-2 degrees at 2 miles, etc... maybe a 'missed approach' button which causes the aircraft to fly a missed approach pattern then retry.) The button also causes a pair of fighters to scramble to meet the aircraft and escort it along its way.

When the plane lands, emergency vehicles - and security - are there to welcome the aircraft. If the button was pressed by accident - perhaps it could happen - then the button is reset, and the travelers go off on their way a little late.

Of course, the possibility of faulty radio signals, jammed signals and the like could interfere... but between some inertial navigation and perhaps powerful homing signals sent out by the fighters, I think that can be overcome.

This doesn't prevent hijackings - but it does seem to prevent the use of aircraft as bombs... what d'ya think?

SK: Great minds think alike :)

Good thinking, however compromised. I see a bug in the plan here; as the plane descends to the airport a small blast could cause an intact crash in a heavily populated area causing as much if not more damage as a targeted hit. Thus providing the terrorist with the end product "fear". Further development is needed in this direction. I find bugs, plus I believe the bio-chem terror will be involved with the next attempt, rendering most any system ineffective. The worm is virtually unstoppable. Ref; Code red code blue etc. They will be around as long as time is. Thanks for reading. 

SK: Not really. The only time you'd get close enough to the ground is at the airport. And even then, to have a big explosion, you'd have to have an awfully big bomb and that would be really tough to sneak on board.

I enjoyed reading your article and I hope someone is picking up on your train of thoughts. I would consider even going a step further - biometrics. The technology is here today - fingerprints, retinal scans coupled with smart cards; and at a price the airlines can definitely afford.

SK: I totally agree. This would be much better than photo ID.

Biggest problem may be that it is electronic.

There's a problem of plugs that can be pulled, fuses removed, or simply a hammer going through a circuit board in order to disable the system.

SK: Bashing the controls in the cockpit wouldn't do much good. The computers involved in SAFE mode would need to be safely tucked away and only accessible from the outside of the aircraft.


The best defense is a great offence.

I'm currently in the automotive industry. The auto industry has options for people to remotely lock or unlock a car or truck by a remote device. I have seen several aftermarket products that will even turn the auto on or off by people in their homes during the winter season.

Please understand that when a plane is hijacked, the hijackers must first take a hostage, usually a steward or stewardess. By doing this, the pilot must either surrender the plane to save a life, a tough decision for anyone. Here are a few solutions:

A remote device that could be hidden, by placing it on or in a wrist bracelet and worn by all stewards or stewardesses. When activated, it notifies the pilot and sends a signal to a ground station. This type of device is used on the Onstar system by General Motors, and upon the deployment of an emergency button or an airbag that is deployed, a signal goes out. When deployed, your idea to override the airplane's systems can take place. The override can even be controlled by the people on the ground and taken out of the hands of the pilot or hijacker. By doing so the hijacker can do nothing. I was told on Tuesday night that I was too old (52) to enlist in the Army. So, if I could help with technical information, don't hesitate to call upon me.


Ken Cox

Hello Steve,

I saw your opinion at your site and I fully agree with you... We are starting an initiative named GlobalSensing. The idea is to make very low cost condition monitoring for humans and systems. The technology ZISC (Zero Instruction Set Computer) that we develop with IBM allows selective transmission and/or recording of pictures and signals (biological, etc...). In the case of the pilot, a few things: The pilots are the most fragile part in the control chain of an airplane; they can be disabled and killed, or emotionally blackmailed. We need to monitor permanently from the ground any abnormal condition and trigger the automatic system either from the ground or locally on the aircraft. Triggering of the system should be done without any pilot action, so our system can also detect permanently if one pilot is in control and if his physiology (stress, etc.) is normal. The airplane mechanics and electronics are permanently monitored for stress.... Such a system could be a very low cost system which also allows monitoring of crew activity and passengers' normal activity (scream, frozen, etc...) in the cabin. Picture and audio will be transmitted automatically to air traffic control in case of an abnormal situation... In addition, it is totally stupid that an aircraft is not equipped with a Ground Collision Avoidance System with no possibility of being disabled. There is not a single reason in the world why an aircraft wants to fly @ 300 mph into a horizontal obstacle. Typically the planes would have passed above the WTC and Pentagon. This system exists; most airlines do not use it (cost, false alarm). These systems should be mandatory on all fly-by-wire (767, 777, 757) aircraft. The low cost technology is existing ... Being French, I am deeply sad for all the people who have been involved directly in such a tragedy, and I believe that in addition to realistic retaliation, measures should be adopted quickly to prevent such a technical failure. Congratulations for your action! With Best Regards

Guy Paillet Chairman Silicon Recognition Inc.

I would like to add a little to the idea. I am developing software that can link-up with the aircraft and steer it.

What that means is that once the situation is known, the actual destination can be changed by ATC or other ATS (Air Traffic Services). What that gives is the incredible edge that even if someone had knowledge of how these systems worked, and knew how the nearest destination is calculated by the on-board computers, ultimately, the aircraft is controlled by ATC.

The actual system that I am working on is an automated ATC system that communicates directly between the aircraft and the ATC system. This also means less human intervention and possibility for errors. If you would like more information on the idea, I would be happy to explain.

Ori Shloosh

Int’l Air Traffic Automation Systems

I admit that your idea does have merit but you might want to read James Fallows' Free Flight or speak to him at Agenda (oops, I guess I better finally sign up). He focuses on Vern's Eclipse and another plane, the SR-20, which is equipped with a parachute. Pilots don't like the parachute because, well, it just isn't done that way. That's also why there is probably nothing on the voice recorders from the hijacked planes -- pilots want to be able to erase information and turn off such monitoring.

Remember that flying a plane is a very very boring job so pilots need to have the illusion that they are doing something in which they can act like sea captains of old with sovereign power.

Thanks for putting the information out regarding thwarting hijacks. In the past and recently I have thought about such a device and would like to offer a few bits of information for you to consider.

The majority of the American Civil fleet is comprised of aircraft whose controls are fully powered (hydraulically actuated 757, 767, DC-10, MD-11, L-1011, A300) or combined mechanically / hydraulically actuated (737, DC-9/MD-80/90). The autopilot philosophy on all are common in that the computers command the servo/actuators to move the controls in parallel (i.e., you can see the surface move at the control column). Any surface deflection commanded by the autopilot is transmitted to the control column so the pilot can monitor its progress and overpower the wheel in the event things don't go as planned. Only the Yaw Damper (not considered part of the autopilot) is different in that it operates in a series mode (no transmittal of control deflection to the rudder pedals).

All autopilot servo/actuators in these aircraft are designed to be overridden. Even if you implemented a safe mode of operation on existing control system computers, it would be no different than any autopilot mode of operation. In the unlikely event the autopilot does not command the correct aircraft trajectory, the crew can grab the wheel, overpower the servo (the autopilot should automatically or be commanded to disconnect, but let's assume it doesn't), and fly the plane out of a hazard.

A true safe mode would require redesign of the primary flight control systems on each type of aircraft mentioned above. The controls would have to be deactivated in the flight station (possible but dubious on a fully powered aircraft, not possible on a mechanically actuated aircraft). The newer generation of aircraft (777, A320, A330, etc.) could possibly be altered to implement the safe mode as they are flown by a combined set of primary flight control computers, although each aircraft does have some form of mechanical override that can be utilized when all else fails.

Control of any modern aircraft is designed to allow pilots the final word (although some would disagree WRT the Airbus). Automatic Flight Control System servo/actuators are required by Regulation to be capable of being overridden in the event of a malfunction. In this light, design of a safe mode would be difficult to realize in the near future.

I'm not saying it is impossible to provide a safe mode - it would require a major redesign / overhaul of thousands of existing and current production aircraft. I'm ready to start whenever you are.

Bob Smith Marietta, GA

stk: SAFE mode creates a deterrent even if the pilot can override it. It forces the hijacker to be an excellent pilot and forces two hijackers to be tied up fighting the cockpit. 

RE: Bob Smith Marietta, GA

Bob has some good points regarding how some (most?) autopilots are designed to be overridden. He also assumes that it would take substantial redesign to replace or change these systems. I disagree. The control linkages from the control column could have fusible links, e.g. explosive bolts. When the panic button is pressed (or a short time after) the mechanical linkage between the control column and the rest of the control system is mechanically severed. After which only the autopilot is capable of controlling the plane.

Jim Dempsey

Hello Steve;

I have followed your site and the news regarding your site with some interest over the past short time. The suggestions and comments have been very interesting as persons from all sectors involved are offering to put forth their piece of the puzzle in order to assist in completing the overall picture.

As such, let me offer the following feedback on a couple of points.

One of the writers has mentioned facial recognition systems at airport check-in terminals. This is a potentially great use of emerging biometric technology. The only drawback until now has been the ability to maintain and update a very large database. The database for biometric technology contains unique identifying features collected through hardware devices and converted through algorithmic process into digital data. This data is stored and can be retrieved upon demand for verification, authentication and identification purposes. Until recently, the search, match and retrieval process was both cumbersome and slow. Our company, 1010 Net/Soft Systems, has developed a scalable database process that can be updated and accessed via any method, media or platform and offers virtually instantaneous response to a user defined request.

The other suggestion was to do with the SAFE mode. This mode would require the use of PINs to verify and/or disable and/or to cancel the alert and auto-control functions. The PIN format is a good idea and very necessary in the event of accidental engagement. However, a way to bypass the need for PINs (and subsequent potential demands of the terrorist to enter those PINs) would be to employ fingerprint biometrics. This version of biometric technology could be implemented either with a token based system or through a variation of the car ignition control system that has been developing for the past while.

A token based system employs an i-button or card and would require the use of such to match with live tissue to ensure that the pilot and co-pilot are still in control. A token based system can also be configured and integrated in such a manner to provide a number of features including fail-safe, override, reverse alarm and negative response functions to meet any FAA and airline requirement.

The vehicle ignition variation is similar with the added proviso that each flight would require the flight crew to update the on-board database prior to take off.

In either fingerprint solution, the flight crew that registers itself to a particular airplane and flight on the ground before passenger boarding must be the same flight crew that is in control throughout the flight and through to final landing and de-planing. Any variation of the flight crew status is cause for SAFE mode implementation.

I have asked our personnel to spend some time on design proposals. If you would like to have more information please email me directly to pj @ or use my direct line to 604 517 1670. I will ensure that your requests are sent to the proper person and followed up with a timely response.

Best Regards

Paul (PJ) Paulson

1010 Net/Soft Systems

You have presented some excellent ideas and with today's technologies, most of it can be accomplished. However, there is a faster fix available and the technology is already being used. I was an air traffic controller for 32 1/2 years, leaving the FAA (Assistant Manager, SFO Tower) in 1994, and am now working here at NASA-Ames helping in the development of air traffic control tools. My suggestion is to develop a device that would be located away from the cockpit and when the aircraft's transponder was shut off, the device would activate an "ELT" signal, plus the device would transmit the proper "hijack" transponder code and mode "C" readout (continued altitude reporting). The ELT would go away during the aircraft landing (weight upon the wheels). The technology to accomplish this is already being used in the National Airspace System (NAS). Transponders, ELTs and encoding altimeters (Mode C devices) are not that expensive. I believe that most of the "what if" questions could be answered with no problems.

Jim McClenahen, ATC Analyst, NASA-Ames, Moffett Field, CA
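The fallback logic in Jim McClenahen's suggestion above, modelled as a small state machine (an added example, not part of his email or of any fielded system). The class and field names are hypothetical, 7500 is the standard hijack squawk, and two behaviours the email does not state are assumptions: the alert stays latched until a ground reset, and the squawk continues after touchdown.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

HIJACK_SQUAWK = "7500"  # standard transponder code for unlawful interference


@dataclass(frozen=True)
class BeaconOutput:
    elt_active: bool               # emergency locator transmitter keyed
    squawk: Optional[str]          # code sent by the backup unit, None when silent
    mode_c_alt_ft: Optional[int]   # Mode C altitude report, None when silent


class BackupBeacon:
    """Hypothetical model of a backup unit mounted away from the cockpit."""

    def __init__(self) -> None:
        self.triggered = False

    def step(self, transponder_on: bool, weight_on_wheels: bool,
             altitude_ft: int) -> BeaconOutput:
        # Arm only in flight: a transponder switched off at the gate is normal.
        if not transponder_on and not weight_on_wheels:
            self.triggered = True
        if not self.triggered:
            return BeaconOutput(False, None, None)
        # Assumption: once triggered, the alert stays latched even if the
        # primary transponder comes back on; only a ground reset clears it.
        # Per the email, the ELT drops out at weight-on-wheels; keeping the
        # squawk and Mode C alive after touchdown is an assumption.
        return BeaconOutput(not weight_on_wheels, HIJACK_SQUAWK, altitude_ft)

    def ground_reset(self, weight_on_wheels: bool) -> bool:
        """Maintenance reset; refused while airborne. Returns True if clear."""
        if weight_on_wheels:
            self.triggered = False
        return not self.triggered


def replay(timeline: List[Tuple[bool, bool, int]]) -> List[BeaconOutput]:
    """Run one beacon over (transponder_on, weight_on_wheels, altitude_ft)."""
    beacon = BackupBeacon()
    return [beacon.step(*sample) for sample in timeline]


# Constructed samples, not real flight data.
SAMPLE_TIMELINE = [
    (True, True, 0),        # at the gate
    (False, True, 0),       # transponder cycled on the ground: no alert
    (True, False, 31000),   # normal cruise
    (False, False, 31000),  # transponder shut off in flight: alert
    (True, False, 29000),   # switched back on: alert stays latched
    (True, True, 0),        # touchdown: ELT stops, squawk continues
]

if __name__ == "__main__":
    for sample, out in zip(SAMPLE_TIMELINE, replay(SAMPLE_TIMELINE)):
        print(sample, out)
```

The ground case matters for false alarms: without the weight-on-wheels gate, every routine transponder power cycle at the gate would raise a hijack alert.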

I've received hundreds of other emails with excellent suggestions. If you are with the FAA, Congress, an airline, or aircraft manufacturer, I can forward you the email archive if you email me stk @
