What may have happened to MH370?
By Colin Renouf
Why read this article With all of the media interest in the mystery of the behavior of Malaysia Airlines file MH370, a Boeing 777-200ER that took off from Kuala Lumpar, turned away from its original heading and headed off into the Indian Ocean for several hours before crashing, the world at large is interested to know if they are at risk from the same fate when flying on a Boeing 777, which is one of the mainstays of the modern airline fleet. One of the questions that has been asked is of interest to the security expert: Is it possible to hijack and aircraft from the ground using the techniques of the modern black hat hacker?
Summary - what will you learn
In this article we are going to look at answering the question that has been at the forefront of the news since the middle of March 2004: Is it possible to hack a modern airliner such as Boeing 777 to make it behave like the ill-fated Malaysian Airways MH370? If so, what would I need to do it, why would I do it, and can be done to mitigate against it. However, before we can answer these questions we have to understand how the systems on a modern aircraft work, and the similarities and differences from the other systems we are used to. The simple answer as to whether a modern aircraft can be hacked is not only a simple “yes, it can be done with some physical access to the aircraft on the ground”, and there are possibly other techniques; but also it is something that is of concern to aircraft systems manufacturers that the step-by-step guides in the text books tell you to guard against it! We will finish by asking what needs to change on the modern aircraft to add protection, and what can the aircraft industry learn from the wider IT industry.
Scenario - The Political Backdrop
First, a little explanation as to how this article came about. My first time at university was to get an Aeronautical engineering degree, but with the state of the industry and the more ready availability of opportunities in IT, I moved on to a degree in IT and Social Sciences, and then on to greater things. For the last few years I have been writing on the subjects of IT architecture, infrastructure and security.
When the news as to the lack of information as to what happened to the missing Malaysian Boeing 777 airliner broke I kept being asked “If it wasn’t the pilots who took the aircraft off course, is there some way somebody could have hacked the aircraft to make it do what it did? With your background surely you must have some idea?” With all of the mystery I went back to my old text books and purchased the latest editions. This story is something the whole modern world is worried about and wants answers. I’m not saying that what I am about to describe is what happened, but that it is a scenario that COULD happen. Lets think of a typical James Bond movie for a moment. The bad guys are always effectively terrorists, but they always target the world as a whole rather than individual governments because they want power or money rather than to fight for a political cause, and in these films there is no reason to publicly clam responsibility for their acts of terror as the people they are scaring is the establishment as a whole. Even when the governments know who is responsible they work together to fight the evil doer and don’t make announcements to the general public as to perpetrator and his or her demands. So, assuming the author of the James Bond stories, Ian Fleming, understood global politics; and I think he did; then if an evil doer wanted to hold the world to ransom for power or money irrespective of political leanings it is unlikely we would hear about it.
Malaysian Airlines MH370 - The Events
This aircraft, a Boeing 777 200 series model 200ER aircraft is a fairly modern twin jet widebody airliner and the backbone of the medium to long haul airline fleet; seating between 314 to 451 passengers over trip distances of a maximum range between around 9700km to 17300km (5200 to 9400 nautical miles). It was the first Boeing fly-by-wire airliner and as such all control requests from the pilot are mediated by the computer systems and turned into commands of the hydraulics. The key piece of information here is that normal operation requires direct intervention of computer systems to translate flight control requests and the pilot does not access the individual aileron and other control surfaces directly. On the day of its disappearance, Saturday March 8th 2014, Malaysian Airlines MH370 set off from Kuala Lumpur International airport in Malaysia at 12:40AM local time, bound for Beijing in China with 239 people on board consisting of 227 passengers and 12 crew. Its initial hour of flight time was uneventful, but at the handover between Malaysian air traffic control and Ho Chi Minh air traffic control in Vietnam contact was lost. The low level sequence of events is not entirely clear, but voice contact with Vietnamese air traffic controllers was not made, the normal secondary surveillance radar transponder that identifies the aircraft appears to have been switched off, followed by the ACARS systems health information communications with the manufacturers. The aircraft made a rapid ascent to 45,000 feet or 13,700 metres where it spent 23 minutes – above its normal operational ceiling – followed by a rapid descent to 5,000 feet or 1500 metres followed by a return to its cruising altitude of 30,000 feet or 9,100 metres; with a southwest bound turn back towards the commercial waypoint “Vampi” a along the N571 air corridor, followed by waypoint “Igrex” and the P628 air corridor from there it headed out over the southern Indian Ocean where it flew as a “ghost” plane for several hours, pinging the Inmarsat satellites every hour, before eventually crashing into the ocean. With all this change of direction, surely the aircraft was under human control, but if an emergency caused a turn back why was there no communication and if the plane was hijacked why was there no claim of responsibility or demand?
The Modern Airliner
In the modern world, networking and interoperability are key to progress; with the Lego-like components that abstract their complexity and hide it behind well defined interfaces allowing ever more powerful and complex machines to be built based on the principles of previous generations. Individual components can be exchanged and upgraded without having to change every other system. Whilst this is true of the home, computers systems, cars and society as a whole; it is visibly the case with the external structure of an aircraft. Aircraft have improved in streamlining, performance, economics, range and the number of passengers that can be carried in comfort over great distances. The same is true of the aircraft systems. Whilst financial and other systems are dependent on networks, with standards like TCP/IP, 1000Base-TX Ethernet, etc; from the ISO, W3, etc the same is true on an aircraft, but with different standards allowing the independence and interoperability between systems. The body behind those standards is Aeronautical Radio, Incorporated; a corporation owned by a number of airlines, aircraft manufacturers, and avionics suppliers with the simple goal of maintaining interoperability. The key core standard for aircraft avionic systems from which others were derived or developed from is ARINC-429; with new standards proposed and a number of peripheral standards. In this standard the cabling specification for a serial, shielded twisted pair interface with the electrical signals fully defined using bipolar return to zero (BRTZ) electrical signaling evolved from the earlier ARINC-575 Digital Air Data Systems (DADS) specification; which with ARINC-429 allows configuration of a transmitter and up to twenty receivers in a star topology, bus-drop topology or with multiple buses. Transmission speeds range from a lowly 12.5kbps to 100kbps. Figure - A Hierarchy of Data Buses connect Subsystems on a Modern Airliner - ARINC429 messages use this transport The simplex communications in ARINC-429 consist of packets of 32-bit words with 8-bit data labels describing the 24-bit data (See Figure 1). For bi-directional communications two channels or buses are used. Data can be transmitted in binary, binary coded decimal (BCD), discrete data, two-way maintenance data, or a specialist bit-orientated file transfer protocol. Individual subsystems have no address but are identified by an Equipment ID.
Figure 2 - ARINC-429 Standard Data Format
In an ARINC packet the label 8-bit field identifies the type of information being transmitted, e.g. an airspeed, altitude, etc. The P field is a parity field, with ODD parity used to inform the systems of a single bit error possibly occurring. The DATA field contains the numeric value being sent in either Binary Coded Decimal (BCD) format or twos compliment (BNR) format, and the SSM field assists in its interpretation by containing values for North, East, South, West, Plus, Minus, Above, Below, To, From, etc. The SDI field is the Source/Destination Identifier and allows members on the bus to be targeted, but is an optional field. So, if the SSM bit fields are set to 0 with BCD data, or just bit 31 is is set to 0 with BNR data in normal operation the value means Plus, North, East, Right, Above or To; and if set to 1s with BCD data or just bit 31 with BNR data in normal operation it means Minus, South, West, Left, Below or From. The value 01 means no computed data and 10 means a functional test value, and some operations use these fields to indicate a failure warning. This representation system gives immense flexibility and is the foundation that allows interoperation of aircraft systems and the ability for a subsystem to be upgraded independently of others; and as we know such information hiding also reduces attack surfaces and protects against software debt – unless we use the representation as a weapon itself. Equipment IDs, the first three bits of the DATA field (11-13), identify what is sending the information, e.g. Hex 001 for the Flight Control Computer (FCC)/Flight Director (FD) [autopilot], Hex 002 for the Flight Management Computer (FMC), Hex 007 for the radio altimeter, Hex A1 for the Flight Control Computer Controller, etc. These are always documented in Hex values. Labels effectively identify the data type, not in IT terms but in aeronautical terms (e.g. barometric altitude, airspeed, etc), and are standardized amongst manufacturers and models so all air data computers will, for example, use label 203 to send barometric altitude information from that type of system; although there may be some minor variations in the data provided. Different types of system may reuse Labels for other things, but the combination of subsystem usage pattern, label, and equipment ID make clear what the data is, where it is from, and its expected use. So, the Flight Management Computer has an Equipment ID of Hex 002, and if it sends a value of 102 with BNR data the value represents a selected altitude, and other systems such as FCC Controller would be expected to use the label in the same way. Similarly, A Flight Controller (Hex 001) Roll request uses label 140 and a Pitch request uses Label 141; but these Labels mean Actual Fuel Quantity Display and Select Fuel Quantity Display respectively when the Equipment ID is Hex 05A for one of the pilot display units. This is best explained with an example. Consider a packet with the LABEL of 103 telling us the value is a selected airspeed, and the DATA value of 268 knots; and the Equipment ID set to 001 in the DATA field to say the value came from the Flight Control Computer (FCC).
268 (bits for 256, 8, and 4 set) – Equipment ID set to Hex 001 towards the LSB
Figure 3 - An ARINC-429 Packet informing Receivers of an airspeed of 268 knots from the FlCC
Similarly, the Flight Management Computer (FMC) can instruct other systems that need to act on the information (such as the Autopilot or Flight Control Computer (FCC)/Auto Flight Control System (AFCS) to ascend to 13,106 meters or 43,000feet with the SSM field identifying the Data Value as Positive or Above and the Label field identifying it as a Selected Altitude. The commands sent to the autopilot by Malaysia Airlines MH-370 would include such an ARINC-429 command (the 777-200ER uses the uprated ARINC-629 standard) or some slight variation.
13106 metres (43,000 feet) (bits 13, 12, 10, 9, 6, 5, and 2 set) – Equipment ID set to Hex 002
Figure 4 - An ARINC-429 Packet from the Flight Management Computer informing other systems to ascend to 13106m (43,000ft)
In the modern aircraft fibre optics are becoming prevalent; offering the benefits of improved performance and protection against Electromagnetic Interference (EMI). Even in this world, at the core are standard CPUs, operating system derivatives, etc. However, the standards on which these new systems are built are generally developed from the core of the ARINC-429 system. Modern airliners have increased in the amount of automation to reduce the workloads on the crew, so Flight Management Systems (FMS) include software to interface to other systems on an aircraft and can automate an entire journey; with a database of waypoints and settings to use to provide instructions to the autopilot to make turns at appropriate points, update the engine controls to change speed and altitude, etc. With the addition of Electronic Flight Bags (EFBs), the maps and planning for a flight that a pilot and co-pilot make that takes account of weather, time zones, air traffic control, etc allow the setting and control of the Flight Management Systems to also be automated. Integration of these uses the facilities provided by ARINC-429 and its successors. With these types of systems regular updates are necessary with Field Loadable Software (FLS) and Database Field Loadable Data (DFLD) updates via CD-ROM or even with patches downloadable over the Internet. Software has to be heavily tested as it now forms part of a critical system for which failure may result in the loss of life. So processes for making updates include multiple copies (old and new) of software and data, and checks for consistency when downloaded. Processes for updating the software may include specific interfaces to specialist components, including special cables, power settings, etc (See Section 13.3.3 of Reference 1). It is in this area that the risk of hacking comes into play.
What is Aircraft Communications Addressing and Reporting System (ACARS)?
This has been mentioned a lot with the monitoring of flight MH370.
The Boeing 777-200ER and Malaysian Airlines MH70 The Boeing 777 is a fly-by-wire system, meaning that data and communications between the pilot controls and the aircraft surfaces such as ailerons, flaps, etc has replaced hydraulics; which has greatly reduced the weight of a modern aircraft and allowed it to grow in size. Originally, fibre optic FDDI (Fibre Distributed Data Interface) cabling as part of ARINC-636 was used in the Boeing 777 to reduce weight, with speeds of up to 100Mbps; with data in frames along with the Copper Distributed Data Interface (CDDI) and Shielded Twisted Pair Data Interface (STPDI) related standards; but this has increased cost and complexity so more modern derivatives are moving to plain copper Ethernet cabling and related standards. The Boeing 777 introduced the ARINC-629 development of the ARINC-429 standard, with speeds of 2mbps between components, up to 120 devices on a single bus, and bidirectional communications. The 777 has a modern data network for its avionics to connect the complex subsystems using a combination of fiber optic standards (1000BaseSX) and copper (1000BaseTX), but this is just a shadow of the Avionics Full Duplex (AFDX) data network on the Airbus A380 and Boeing 787 Dreamliner; but even on the 777 these days standard Ethernet is being seen more and more as new subsystems and digital computers are added (e.g. the Electronic Flight Bag for the 777-200ER variant that provides the pilot information and allows the complete flight to be preprogrammed with waypoints for routes that take account of weather, etc). The modern computers and digital systems in the Boeing 777 are based on the AMD29050 32-bit RISC processor and its later Honeywell HI-29KII Application Specific Integrated Circuit (ASIC) derivative found in the Versatile Integrated Avionics (VIA) package. The CPUs are set up in a system called Voting where instructions are run in “lockstep” on two CPUs and compared, and if they don’t match an error has occurred and is flagged. These VIA packages form modules that plug into a backplane on which other aircraft avionics systems are built. Programming an AMD29050 system is like any other, with facilities to program in an assembler language, although complex compilers are usually used to make use of intelligent scheduling algorithms to keep each processor pipeline fed with instructions. Thus, like all modern aircraft the heavily computerized Boeing 777 and its modern network of complex subsystems that cooperate using a derivative of the ARINC-429 standard does have the computing systems that represent a ripe target for attack.
To attack aircraft system components using the protocols and standards outlined above: Physical access is required to the aircraft to apply hardware to change the outputs and inputs to systems such as the Flight Guidance Computer OR Access is required to the servers hosting field loadable software updates for the same core system components in order to change the software download offered to airline maintenance workers OR A man in the middle attack between the avionic system or component vendor and the airline maintenance worker is required to tamper with the download
Where do we got our information to being our attack?
These days a large part of the flight is controlled by the “autopilot”; particularly on long haul flights with such long periods of little change and the resulting boredom for the pilot. On a fly by wire aircraft there are no points in the flight where some computer system is not partially or fully in control of the flight. So, to take the plane off course we need to have overwritten the database used by the field loadable software in the flight management system (FMS) with new waypoints that the crew can’t override, so when each waypoint is transmitted to the autopilot to adjust the controls those the black hat hacker has provided are used. This could be performed from a secondary system such as the Electronic Flight Bag (EFB) systems that many pilots use with the inbuilt maps to load the waypoints in the first place. Another alternative is to intercept the ARINC-429 messages and their derivatives, such as the ARINC-629 variant in the 777; blocking the originals and providing new commands. Since the formats are well documented a box such as Raspberry Pi could do the job, especially since many aircraft have started to adopt plain Ethernet as the communications mechanism, although placement for effectiveness would require some knowledge of the aircraft systems and access, requiring the black hat hacker to be an aircraft maintenance worker. This all obviously only works if we have used the same techniques to alter the conditions on the aircraft such as to incapacitate the cockpit crew to stop them switching the autopilot off and flying the plane manually, which is more difficult on a fly-by-wire aircraft such as the 777, but is something pilots practice in simulators continually.
What do we need to take control from outside the aircraft?
As mentioned earlier, the first thing we need is access to the software used to control the flight management computer or some physical access in which we can insert something to interrupt the signals using the ARINC-429 protocols. This access is controlled and in both cases is probably best given to a member of the maintenance crew to avoid suspicion; but a hacked server hosting maintenance software from the likes of Boeing would also give that access, and this latter approach is more likely available to a typical Black Hat hacker. Given the architecture of the avionics systems and broadcast connectivity between them an event driven trigger could be placed in the software to initiate taking control, or possibly a particular ACARS message from the ground. All we need to direct the course of the aircraft is to provide the messages in the appropriate format to the autopilot system, and the ARINC-429 standard and its derivatives give us the instruction set for doing this. This is best seen with an example. To send an instruction to change altitude as seen in flight MH-370 I would have to use the Equipment ID bits in an ARINC-429 message to say I am the Flight Management Computer (FMC), i.e. Hex 002; the Label field to 102 to say I am sending a Selected Altitude, the SSM field to say it is positive or above, and the Data to say the target altitude value (e.g. 13106 metres encoded in Binary Coded Decimal is 43,000feet). Other systems on the bus, such as the Automatic Flight Control System or autopilot would then take that instruction on the bus and perform the necessary operations to make the ascension happen until the aircraft was stable at that selected altitude. We have seen just such an instruction in Figure 3. To then cause the aircraft to turn to a new heading another FMC issued message would be sent, and to change airspeed yet another FMC message with label 103. Whilst field loadable software updates downloaded from the Internet or provided on a CD-ROM usually has an associated recommendation that it is virus checked and the checksum verified, this always assumes that the person performing maintenance using the software isn’t malicious and that the providing source hasn’t been compromised; and the updates for the Flight Management Systems (FMS) and Electronic Flight Bag (EFB) are just the targets that would allow an attack to bring about the behavior seen with Malaysian airways MH-370. However, if the perpetrator is an aircraft maintenance worker why not add a new subsystem to run interference and provide its own control commands using Ethernet and a small unit such as Raspberry Pi. You might ask why a maintenance worker wouldn’t just plant a bomb on board. In many ways, the mystery associated with unpredictable behavior of an aircraft gives more of a source of terror than a bomb. So, if someone has caused the MH-370 disappearance with a hack; only telling governments and not claiming responsibility can cause more fear.
How do we mitigate against this?
How about an Intrusion Detection System (IDS) for aircraft and a virus checker? To build such systems we would need to have some means of interrogating each subsystem for its integrity and some way of identifying abnormal behavior. The IDS would need to download signatures of known equipment every time a change occurred and have some way to perform a checksum to verify the equipment has not been tampered with; and it should know the expected flow of commands from a subsystem and the different possibilities of waypoints for given routes. Finally, the IDS should use ACARS to maintain communications with the ground at all times.
Modern aircraft have their own complex networks of subsystems, and like the Internet protocols are what allows these disparate systems to interoperate and the complexities within a system to remain hidden. This also allows systems to be upgraded independently. The very knowledge of this interoperation and the flexibility it brings gives a black hat hacker a blue print for an attack. Knowledge for how to pass information between subsystems allows an intruder to misinform systems and gain control of one subsystems from another. The use of subsystems that rely on computing and software at the core with the need for “field upgradability” gives an avenue by which to initiate an attack. When updates are downloaded from the Internet or copied onto a CD-ROM for distribution they can be attacked at source, and the provided software can be tampered with. Such tampering could alter the waypoints in the database of the flight management system (FMS) in such as way as to completely alter the behavior of a flight, but other operations would need to incapacitate the crew to avoid them switching off the computers – something which is hard to do on a modern fly-by-wire aircraft such as the 777. Whilst it is unlikely that this is the circumstance that led to the demise of Malaysian Airlines flight MH-370 the fact that it looks to be possible, and the lack of intrusion detection systems at the core of modern aircraft suggests that it is a possibility. Given the publicity surrounding the mystery of flight MH-370 it is likely that such a terrorist attack may not have been thought of in the past; but it is likely to be from now on. So, thought as to intrusion detection to protect against such attack is now needed.
References 1) Aircraft Digital Electronic and Computer Systems, 2nd Edition, by Mike Tooley
2) Boeing Jeppesen 777 Electronic Flight Bag PDF
About the Author
Colin Renouf is long standing IT worker, currently an Enterprise Architect in the finance industry, but having worked in multiple roles and industries over the period of decades. An eternal student, Colin has other degrees in varied subjects in addition to that for IT. Having written several books and articles ranging from architecture, Java, and security; and contributed to well known products from the likes of IBM or Oracle, he is even referenced on one of the most fundamental patents in technology. Colin has had several jobs in the past, but his first role after getting his earliest degree in Aeronautical Engineering was in the aerospace trade. Colin has two incredibly smart and intelligent children, and spends most of his time in his favourite country – Australia (the land of the free thinker and good food) – wondering how he manages to upset people so easily and trying to have a social life when he or close friends aren’t working themselves into the ground. Thank you Red Bull