Could Malaysia Air Flight 370 have been hacked?

The disappearance of Malaysia Airlines Flight 370 has become a modern Mary Celeste mystery, and it’s a guarantee the embellishments and inaccuracies will expand over time.

As the telemetry data from the aircraft and ground radar logs have emerged, it has become increasingly certain that the plane was deliberately diverted from its course. There are three possibilities:

  • The plane was diverted by the pilots.
  • The plane was diverted after some form of forcible takeover.
  • The plane was diverted by another party not on the plane at all.

At this point, most attention is focused on the first two possibilities, with diversion by one or both pilots the most likely explanation. Whoever diverted the plane certainly knew a lot about flying one.

But unlikely as it may sound, the third option — that someone not even on the plane is responsible — is actually a possibility. And so the term “SCADA” is likely to be heard in the coming days.

Boeing 777 cockpit (courtesy of 777Boeing.com)

What is SCADA?

SCADA comes from the process control industry, and refers to one particular configuration of a digital control system. In a chemical plant there is typically a master computer receiving data from, and sending instructions to, a network of local control systems. Since I left that industry thirty years ago, the master computer has come to be called the Supervisory Control And Data Acquisition (SCADA) system.

When security vendors started to look for ways to sell product to the process control industry, the SCADA system was the only machine in a typical process control system that looked sufficiently like a PC to be able to run the existing products. This is of course nonsense, from a security point of view — every ‘local controller’ is also a computer, and vulnerable to attack, just as a printer or a telephone exchange is also a computer from a security point of view. But even if a billion dollars of marketing money is completely wrong, it can establish a name in a vocabulary. So now the term ‘SCADA security’ means security of an embedded control system, regardless of whether it is a SCADA architecture or not.

Private Hackers

The 777 is a fly-by-wire aircraft. Every signal from the flight deck makes its way to the control surfaces through a communications network that runs the length of the plane. From time to time, security researchers have demonstrated, or at least claimed to demonstrate, that these networks — the plane’s engines and controls — are vulnerable to hackers.

When seat back entertainment systems were introduced, many airlines wanted to show passengers a ‘moving map’ of the position of the aircraft. The simplest way to provide a moving map is to read the position information passing over the communications network, in effect bridging the air gap between the control and entertainment networks. This has led to claims that the system can be hacked ‘from an Android phone in the passenger cabin’.

The last claim has since been debunked. Or at least the purported demonstration has been shown to have been made on a system designed to simulate the control system rather than the flight certified system. But there are other ways in which an airplane control system might conceivably be compromised. The control systems software could conceivably be replaced by ground maintenance crews, effectively giving an attacker the ability to divert the plane on a pre-programmed course.

According to our current understanding of hacker capabilities, such an attack would be beyond the known capabilities of any private hacker group. SCADA attacks are still comparatively rare. It would be rather surprising if a group of criminals working on SCADA systems would choose to make a multi-system attack on a civil aircraft, potentially causing hundreds of deaths. But unpleasant surprises have occurred before.

Government-sponsored Hackers

Another possibility is that an attack might originate from a government cyber-engagement program.

In 2010, the US launched the STUXNET attack on an Iranian civil nuclear facility. In the years since the discovery of STUXNET, other governments have been scrambling to establish similar capabilities. Unlike weapons for conventional warfare, cyberweapons are easily pilfered by the designers. In some programs this type of pilfering is even encouraged.

Cyber-Pirates

In the past, Hollywood movies used to explore scenarios in which mad government scientists researching germ warfare use the bugs for their own evil purposes. Such a scenario might even have occurred. In cyber, this type of scenario is played out every day: Criminals pay money for cyber attacks.

Just as the optimistic scenario has become plausible, due to the lack of candor from the Malaysian authorities, a variant of the SCADA attack has become plausible, although unlikely. In this scenario, the motive for the attack is extortion, and a group of cyber-pirates are threatening to pull another plane out of the air unless their financial demands are met.

Whether this scenario turns out to be accurate or not, it is another reminder that the security of SCADA systems requires urgent attention. In particular, aircraft control systems will need to be designed so that they are ‘tamper evident,’ and future telemetry systems will be designed so that they continue to provide position updates and cannot be disabled.

With modern encryption and communication systems a plane could report telemetry and cockpit voice conversations on a continuous basis. We could have known that the plane had been diverted, and why, immediately, rather than having speculation continue over a week later.

  • Chocolatini

    The U.S. military already commandeers drones remotely half-way around the world. They have the technology. How much work would it be to jam communications, and remotely “hijack” a plane so the pilots can’t send out for help?

    If it wasn’t that, then it’s harder to understand why both pilots would be complicit in this “suicidal” mission. Unless one happened to choke the other one while in his seat.

  • Dan

    I was writing the “Could it be Stuxnet II?” commentary when I was interrupted as I was writing and lost my connection. I’m surprised to see that anything was posted. Well, please let me continue.
    There are two primary hurdles that need to be explained before the Stuxnet II scenario becomes nearly certain. The first hurdle is of a technical nature and involves shutting down the transponder. It’s my understanding that this device is independent and not connected to the control system. Shutting down the transponders would have been a significant challenge but even these transponders rely on electrical power from the generators which are connected to the control system. I suspect that with detailed knowledge of the control and electrical power system in the plane, there is a way to damage or disable the transponder.
    The second hurdle is not as technical but far more difficult to overcome. It involves the interplay of motive and capability. In other words who could do it and why? The first thought might be Iran not to attack but more as a show of force. Possibly re-establishing the concept of mutually assured destruction and establishing themselves as a world power with a weapon far more destructive than a couple of atomic bombs. The young Iranians traveling on stolen passports were there either by happenstance or as designated martyrs along with all the other Muslims on board.
    There’s a serious problem with assuming that Iran is responsible for the downing of Flight 370. It’s my opinion that Iran does not have the capabilities, especially with respect to access and understanding of the Boeing control system and several ancillary systems. And why would Iran kill this many Chinese since China is in need of Iranian oil and is a moderating influence for Iran at the UN Security Council. And the martyring concept does not seem reasonable, I suspect, to even someone with a twisted belief in Islam. If the Iranians are responsible, the Chinese will find out and their response might be worse than Stuxnet I.
    But then who else? No rogue Russian criminals would even consider it, having technology like this is like walking around with plutonium in your pocket. But if the creation of a Stuxnet II actually occurred and infected Flight 370, there would have to be many individuals with access to just about everything in multiple cultures and countries. Maybe a secret society of elite scientists, engineers, and programmers has come together in an attempt to avoid the next world war that will likely occur in cyberspace? At least their programmers would support Snowden’s actions and may have anonymously leaked a lot themselves.
    A deliberate act would require a degree of sophistication and knowledge that just seems impossible for a private group and a motive behind potential state sponsorship is equally as dubious. If it was Stuxnet II, then the crash site was pre-programmed and the coordinates are precisely known by the perpetrators. This remote deep water location is well known because of its long reference in literature as a very hostile place. Due to the remoteness of the crash site, the over three miles of ocean depth, and frequent gale force winds combined with strong diverging currents, the crash site may never be found.
    Are the perpetrators so confident that the crash site can not be found that they are withholding the coordinates until the search publicly appears pointless? As part of the Stuxnet II scenario, the plane was probably programmed to crash nose first to minimize the debris field to further obscure the location of the crash site. Unless this was just a test run for a new weapon, a possibility so awfully inhuman that it’s not considered here, Flight 370 was downed as a demonstration and a warning because the flight had no strategic value. If it was Stuxnet II, then the coordinates will be revealed to the powers that be.
    Something else to consider, if enough wreckage is ever recovered to analyze the control system, there will be no trace of any Stuxnet II or any other virus. That’s because Stuxnet II would have been deleting itself as the plane fell from the sky at its designated crash location leaving investigators with only one possible conclusion, an intentional or coerced act by the flight crew. Let’s hope there is no Stuxnet II because the thought scares me, in fact so much so that I’m convinced that even if it were logically suspected or actually detected by a governmental agency, its presence or suspected presence would never be told to the general population.
    Dan

  • Dan

    Could it be Stuxnet II? The same basic virus applied to the Boeing control instead of the Siemens PLCs that controlled the Iranian centrifuges. Possibly downloaded from a thumb drive even months before the disappearance. It explains all of the plane’s behavior. The virus may have been lying in wait until the plane was scheduled to travel within an early morning window on this relatively common route and then simply reprogrammed the avionics with an entirely different flight path. For example, maybe the plane did climb to an elevation 45,000 but after the cabin lost pressurization to ensure that all aboard were entirely incapacitated and soon to be dead. All of which occurred so quickly as to not allow for satellite or cell phone calls.

  • HeartlandLiberal

    Well, having retired after nearly thirty years in computing, and having witnessed it from the birth of the PC to the current situation where millions of computers worldwide are hacked and being used as zombies for all sorts of illegal activity; and watching this situation created because no one at Microsoft ever considered writing security into an operating system: I just do not expect much from the auto industry. So far they have not given much sign of responding to the growing criticism of their automation direction.

    I have a good friend who owns and operates a very successful auto repair shop where I live. He and his crew specialize in European cars. We have discussed this repeatedly, and he has the same concerns I have in this regard. I drive a Mercedes sedan that is now 10 years old, and does not have this level of vulnerability. As much as I would like to get a more recent model, I am not rushing to do so, not until my friend can tell me that he and his crew can disable the dangerous components.

    But of course even that 10 year old Mercedes is filled with electronics, don’t get me wrong. We have a running joke about how every few weeks it will decide to display a spurious message that the SRS restraint system has failed; or the dash console will not turn on and display for radio and other controls. Solution? Park the car. Turn it off. Wait five minutes. And turn it back on. In other words, REBOOT IT!!

  • Krockcfd

    I’ve been saying that this is a real possibility since the beginning… If it is some government’s military, it’s likely we’ll never know the truth. If it is some rogue group or faction, just imagine how much this sort of technology would be worth to a terrorist organization! If a country like Russia can take a US drone out via a cyber attack, you can sure bet the capability exists to take over a passenger airline and land it somewhere…..

  • HansSatan

    You might want to look at FAA docket 2013-0958 which is available on the Federal Register:

    DEPARTMENT OF TRANSPORTATION
    Federal Aviation Administration
    14 CFR Part 25
    [Docket No. FAA–2013–0958; Special Conditions No. 25–503–SC]

    Special Conditions: Boeing Model 777–200, –300, and –300ER Series Airplanes; Aircraft Electronic System Security Protection From Unauthorized Internal Access

    The integrated network configurations in the Boeing Model 777–200, –300, and –300ER series airplanes may enable increased connectivity with external network sources and will have more interconnected networks and systems, such as passenger entertainment and information services than previous airplane models. This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants. This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane. The existing regulations and guidance material did not anticipate these types of system architectures. Furthermore, 14 CFR regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities which could be exploited by unauthorized access to airplane networks and servers.

  • perljammer

    Thanks for the link; I really do appreciate it. One scholarly study (“Comprehensive Experimental Analyses of Automotive Attack Surfaces”) is particularly interesting.

    It is certainly possible to gain remote access to at least some cars’ internal networks by at least one method. It could hardly be called trivial (the reverse engineering required to accomplish this is significant), but it is possible. The authors of the study have been in contact with auto manufacturers; one can only hope that the auto manufacturers take the threat seriously.

  • HeartlandLiberal

    Google really is your friend.

    Here is one article from a year ago with discussion of and links to studies.

    http://motherboard.vice.com/blog/how-easily-can-a-moving-car-be-hacked

  • 4th Turning

    Myrddin, can you come up with anything on/about Anwar Ibrahim? Just heard a Slate guy
    on npr give an interesting rundown on Malaysian politics and he came off sounding okay?

  • BeccaM

    Hackers, eh? Or do we need to consider adding Skynet to this mix, too?

  • eggroll_jr

    One would assume that the military would have the capability, but they might be reluctant to admit it. For example, the US Navy, which had been to 11.5 km depth already in 1960 in the bathyscaph Trieste, and had been doing manned recovery at 6 km depth in the 1980s, suddenly lost the ability to operate at 1.5 km, the depth of the Macondo (Deepwater Horizon) Oil Spill. There probably are several military reasons for being able to take over a commercial airliner and fly it remotely, but nothing on this flight suggests why any government would have such a motive with this particular flight.

  • bkmn

    Not only vehicles, but your home too. The Nest thermostat is internet connected and can be hacked easily.

    Have a home security system you can access via your mobile phone? Hackable. Those surveillance cameras for your security system. Hackable – someone could be watching inside your home without your even being aware of it. Can you lock up your home via tablet/smartphone – guess what, that means someone could hack your security system and unlock it too.

  • Dave of the Jungle

    Such a scenario is unlikely with the Boeing 777 but will be more possible with newer models like the A 350. The 777 is still largely mechanically controlled with computer assistance possible whereas newer models will be completely dependent on on-board computers for control.

  • perljammer

    Again, I’m looking for a real-world case in which a car’s systems have been compromised without any physical access whatsoever (and that would have to include physical access to a cellular phone or other device that is then connected to the car’s network). Not an unsubstantiated conspiracy theory.

  • Drew2u

    Michael Hastings? *shrug*

  • perljammer

    “Every few months for the past several years I have read articles about how trivially hackers have demonstrated the total lack of security being built into these systems.”

    Can you share a few links? I’m not trying to downplay the issue; however, every example of “car hacking” I’ve seen in the media has been a case where a hunk of hardware has been added to the car to give the hacker remote access to the car’s CAN (controller area network) bus. I would really like to see a real-world case in which a car’s systems have been compromised without any physical access whatsoever.

  • TonyT

    Fiction but true? https://www.youtube.com/watch?v=_DKp213cp44 – Recent scene from Person of Interest on CBS

  • HeartlandLiberal

    In this context, everyone needs to inform themselves about the new generation of computerized electronics being so blithely introduced into current automobiles. These are wifi and bluetooth enabled. Every few months for the past several years I have read articles about how trivially hackers have demonstrated the total lack of security being built into these systems. Exploits have included hacking while driving next to a car with such systems, and causing the engine to stop, the brakes to activate, and other actions. The latest iteration is being sold with systems embedded, which, like the aircraft engines on this Boeing jet, report back wirelessly to the manufacturer, so they become aware immediately if there appears to be a mechanical problem sensed by the onboard computers. And the manufacturers sell this as a plus, because they can then notify the driver they need to hie themselves to their dealer immediately.

    I for one am leaning towards the take of a friend who is an engineer and has slowly rebuilt the engine and all accessory parts on the engine of his 30 year old Chevrolet truck, which does not have a smidgen of computerized communications software built into it. He plans to keep it running forever. It has no geolocation capabilities in it by which it can be electronically and trivially tracked, as all new automobiles and trucks are equipped with as they roll off the assembly line.

© 2014 AMERICAblog News. All rights reserved.