Trojan-Infected Computer Linked To 2008 Spanair Crash

An anonymous reader writes "Two years ago, Spanair flight JK-5022 crashed shortly after takeoff in Madrid, killing 154 of its 172 passengers and crew. El Pais online newspaper reports that the ground computer responsible for triggering an alarm after three failures are reported in a plane failed to do so. The computer was infected with trojans (Google translation of Spanish original)."

Its an MD82

[MichaelSmith]

wiki link

Beyond the translated Spanish article I can't find anything else about this idea of an alerting system being infected with malware. Typically such systems are simple, embedded and not interfaced in ways which could cause them to run software they are not meant to.

This bit from wikipedia is interesting:

The MD-80 Advanced was to incorporate the advanced flight deck of the MD-88, including a choice of reference systems, with an inertial reference system as standard fitting and optional attitude-heading equipment. It was to be equipped with an electronic flight instrument system (EFIS), an optional second flight management system (FMS), light emitting diode (LED) dot matrix electronic engine and system displays. A Honeywell windshear computer and provision for an optional traffic-alert and collision avoidance system (TCAS) were also to be included. A new interior would have a 12% increase in overhead baggage space and stowage compartment lights that come on when the door opens, as well as new video system featuring drop-down LCD monitors above.[4]

link

Apparently this upgrade got dropped in 1991, so the system still in use must be pretty low tech.

Re:The pilots were incompetent

[Pojut]

From the Wikipedia page (emphasis mine):

"On 17 August 2009, CIAIAC released an interim report on the incident [21]. The interim report confirmed the preliminary report's conclusion that the crash was caused by an attempt to take off with the flaps and slats retracted, which constituted an improper configuration, and noted that safeguards that should have prevented the crash failed to do so. The cockpit recordings revealed that the pilots omitted the "set and check the flap/slat lever and lights" item in the After Start checklist. In the Takeoff Imminent verification checklist the copilot just repeats the flaps and slats correct values without actually checking them, as shown by the physical evidence."

Daayum.

Nothing to do with the plane

[Kupfernigk]

This is an aggregating computer at SpanAir HQ which is supposed to record aircraft alerts and notify when too many of them happen too close together. Its only connection with the on-board computer is that somehow it receives the alerts from it. Its OS is unstated. It is not a mission-critical system, it is a decision-support system. Even so, someone looks to have been careless.

Whoever modded up the above post - you've missed the point. There may have been a fault in the on-board management system - or human error failing to heed a warning - but nothing in TFA suggests that malware was in any way involved on the flight deck.

Summary needs a bit of clarification

[ptbarnett]

The infected computer was one being used by mechanics to enter maintenance log entries. According to the article, an alert is supposed to be raised if three failures in the same part or subsystem occurred. If I understand the broken English correctly, they would have taken the plane out of service had the maintenance log entry been completed before the plane attempted to take off.

But, the problem that was supposed to be logged was reportedly an overheated pitot tube. That was not the cause of the crash: the report says that the pilots did not set the flaps correctly and a warning alarm did not go off. This was not related to the problem with the computer being used by mechanics.

The article appears to be trying to link two independent events: a separate problem with the plane and an error by the pilots. Or maybe it's just the broken English translation.

Re:Summary needs a bit of clarification

Spanish is my mother tongue, so maybe I can shed more light after reading the original article:

The procedures of Spanair are to log incidences right away whenever they are detected. Three accumulated incidences and the plane is grounded.

Two incidences had been found the day before the crash. One incidence was detected on the same day of the crash.

However, the technicians did not enter the incidences into the system right away, because the system was too slow (assumedly due to the malware)

The system did not trigger any alarm on the same day because the incidences had not been entered by the technicians. The plane was deemed airworthy, and then the accident happened due to the multiple causes described elsewhere.

Re:Summary needs a bit of clarification

[Registered+Coward+v2]

The infected computer was one being used by mechanics to enter maintenance log entries. According to the article, an alert is supposed to be raised if three failures in the same part or subsystem occurred. If I understand the broken English correctly, they would have taken the plane out of service had the maintenance log entry been completed before the plane attempted to take off.

But, the problem that was supposed to be logged was reportedly an overheated pitot tube. That was not the cause of the crash: the report says that the pilots did not set the flaps correctly and a warning alarm did not go off. This was not related to the problem with the computer being used by mechanics.

The article appears to be trying to link two independent events: a separate problem with the plane and an error by the pilots. Or maybe it's just the broken English translation.

Very true - the accident appears to have been the result of a series of crew errors that lead to an improper takeoff condition:

From Wikipedia: On 17 August 2009, CIAIAC released an interim report on the incident [21]. The interim report confirmed the preliminary report's conclusion that the crash was caused by an attempt to take off with the flaps and slats retracted, which constituted an improper configuration, and noted that safeguards that should have prevented the crash failed to do so. The cockpit recordings revealed that the pilots omitted the "set and check the flap/slat lever and lights" item in the After Start checklist. In the Takeoff Imminent verification checklist the copilot just repeats the flaps and slats correct values without actually checking them, as shown by the physical evidence. All three safety barriers provided to avoid the takeoff in an inappropriate configuration were defeated: the configuration checklist, the confirm and verify checklist, and aircraft warning system (TOWS).

Had they not made a series of compounding errors the flight probably would have been uneventful; it appears the deactivated systems was not related to the crash. It may be that some other systems were improperly set - ground vs flight mode - which caused problems and may have contributed to the accident; but none are related to the maintenance computer. Should the plane have been grounded due to an early problem? Maybe; but that may not have prevented the errors that lead to the crash.

We'll never know what the pilots were thinking; but having aborted one takeoff they may have assumed, intentionally or not, that they systems were set for takeoff and did a cursory check as a result; I've seen that happen in other industries where checklists are used. You interrupt the expected course of actions and people simply pick up where they left off, without assuring the systems were properly set for operation.

Re:Complimentary 7 point Slashdot troll guide...

[LordLimecat]

Problem with your rebuttal: Whether or not other systems can get trojans, you should NOT be using Windows for anything that needs 100% uptime to guarentee safety of human lives, plain and simple. If the entire system can be locked up and made responsive by userland apps, then it isnt qualified to be responsible for the safety of human lives.

Re:Swiss cheese

[Kitten+Killer]

Instead of indicting everyone under the sun, let's do something to fix it instead of tossing people in jail. Many people contributed a little, like Murder on the Orient Express. In the end, the ultimate responsibility rested on the Pilot-in-Command who paid the price for his mistakes. Let's learn from it instead.

1. Revise procedures so that the PNF (Pilot-Not-Flying) visually confirms the flap & slats indicator instead of just reading it to the PF (Pilot Flying)

2. Design future systems such that the take-off config warning isn't on the same circuit breaker as the Total-Air-Temp sensor. (I'm a recreational pilot, not an engineer, so I don't know if there's a valid reason for them to be on the same circuit.) Also, have an EICAS warning when the take-off-config alarm is disabled.

3. Have the engineers remind the pilots / placard the cockpit to remind them that the take-off-config alarm is disabled.

4. Flapless take-off attempts leading to accidents are not a new thing to airplanes. Further training seems to be required, especially as the small aircraft we all initially learn in will take off without flaps.

Re:What operating system was used?

[mcgrew]

Sure, a Linux box can get rooted, but I've never seen one, and I've installed Linux on friends' computers when I got tired of reinstalling Windows for them after the thing slows to a crawl from malware. Once Linux was on it, they never got infected again.

Of course, to be victim of a trojan you have to know how to install a program ;)

Re:Shit.

[SpzToid]

Actually two, operational blowout preventers were called for in the regulatory specifications. Turns out the single blowout preventer had no battery juice available. The system is supposed to work, by the batteries closing the hole automatically when detection of the control monitoring software fails. But if the batteries to the sole preventer don't have the juice when needed, bad things can happen. Someone thought the costs vs. risks were negligible, so they settled for less.

Re:Mission Critical

[DougF]

Maybe I wasn't clear, the mainframe in maintenance has nothing to do directly with inflight operations. The computers on board are completely independent of those in the maintenance system. Now, if there are wireless connections, allowing the maintenance mainframe and the aircraft to share information, it MAY be possible for a virus to gain access to the aircraft, but I am pretty sure this has not happened yet, possibly to the security in place, or possibly no one has really tried to infect an aircraft with a virus.

Indirectly, the maintenance mainframe's failure to alert on related system faults MAY be a factor in future mishaps, but it does not appear that the infected mainframe had anything to do with this one.

Re:Shit.

[blair1q]

Let me be a bit more clear about this:

No, those OSes are not secure. Quite the opposite. Almost all of them are very primitive, and have wide-open memory models that allow anything to run, allow anything running to touch any location in memory, and don't log a thing about it. More recent versions of them may have memory partitioning and privileged-user-only modes, but don't bet on the more recent versions being used even on brand new projects.

The innate vulnerabilities to coding errors presented by this openness are alleviated by performing exhaustive (and expensive) testing of every function in the system to be sure it does what it's supposed to, and exhaustive (and expensive) testing of the system to be sure it does what's required of it, and exhaustive (and expensive) evaluation of the requirements to be sure they cover all of the safety-critical and mission-critical possiblities.

And then you still get gomers on the flight deck disabling safety alerts on a poorly maintained aircraft and executives in the airline HQ giving them a wink and a nod for it while looking all stern (or waving a bulging envelope) at regulator visits.