In theory, a malware infection would allow the plane to be controlled remotely
A former scientific adviser to the government has suggested that the missing Malaysia Airlines Flight MH370 could have been hijacked by hackers on the plane breaking into the plane’s in-flight entertainment system.
Dr Sally Leivesley told the Daily Express that a mobile phone or a USB stick inserted into the plane’s in-flight entertainment console could have infected the aircraft’s systems with malware and resulted in “the world’s first cyber hijack”.
German Security Researcher Hugo Teso previously claimed he found a combination of software flaws that enabled him to hijack a virtual model of a real plane using an Android app, sending it in different directions and adjusting its speed.
Flight MH370 disappeared on 8 March en route from Kuala Lumpur to Beijing, carrying 12 crew members and 227 passengers from 15 countries. The aircraft had not relayed a distress signal, indications of bad weather, or technical problems before all communications were lost and it vanished from radar screens.
It was established that the plane’s automated communications systems had been switched off, likely on purpose, but satellites continued to receive a signal four hours after air traffic control lost contact with the flight. What happened afterwards is a mystery, but the incident is being investigated as a “deliberate act”.
Despite 25 countries operating the biggest air-sea search and rescue operation in history, Flight MH370 is still missing at the time of writing.
Leivesley, a specialist in risk management and incident response, said it was theoretically possible to change the plane’s speed, altitude and direction by infecting and then controlling its flight systems. The aircraft could then be made to land or crash.
“It is looking more and more likely that the control of some systems was taken over in a deceptive manner, either manually, so someone sitting in a seat overriding the autopilot, or via a remote device turning off or overwhelming the systems,” Leivesley told the Daily Express. “A mobile phone could have been used to do so or a USB stick.”
If it’s a computer, it can be hacked
Meanwhile, International Business Times has discovered a 2013 report in which the US Federal Aviation Authority voices concern about the increased connectivity of some Boeing 777 models, similar to the Boeing 777-200ER which went missing. The document outlines “special conditions” developed to make the in-flight entertainment systems safer.
“The integrated network configurations in the Boeing Model 777-200, -300, and -300ER series airplanes may enable increased connectivity with external network sources and will have more interconnected networks and systems, such as passenger entertainment and information services than previous airplane models. This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants,” states the report.
“This potential exploitation of security vulnerabilities may result in intentional or unintentional destruction, disruption, degradation, or exploitation of data and systems critical to the safety and maintenance of the airplane.”
This is not the first time increased aircraft connectivity has prompted passenger safety concerns. At the Hack In The Box conference in 2013, Hugo Teso demonstrated that it was theoretically possible to hijack Automatic Dependent Surveillance-Broadcast (ADS-B) and Aircraft Communications Addressing and Report System (ACARS) protocols. The first is a replacement for radar and used to send location and altitude information to the ground, whilst ACARS is used for exchanging a variety of text messages via radio or satellite.
His method relied on flaws in flight management software which enabled him to change the direction of a virtual plane, believed to contain the same code as the real aircraft. However, experts noted at the time that pilots would be able to override any dangerous commands manually, and the report was dismissed by the aircraft industry.
But not everyone thinks hijacking Flight MH370 with malware would be possible. “The theory is extremely wild and unlikely. The entertainment systems on most airline carriers are relatively old and independent from the main computer systems of the aircraft such as position, temperature, etc. There is no feedback communication from the entertainment system to the main computer. It is basically only one way information for passengers,” explained Ondrej Vlcek, Chief Operating Officer at AVAST.
What do you know about the Internet of Things? Take our quiz!