Trojan-Infected Computer Linked To 2008 Spanair Crash

An anonymous reader writes "Two years ago, Spanair flight JK-5022 crashed shortly after takeoff in Madrid, killing 154 of its 172 passengers and crew. El Pais online newspaper reports that the ground computer responsible for triggering an alarm after three failures are reported in a plane failed to do so. The computer was infected with trojans (Google translation of Spanish original)."

Shit.

[fuzzyfuzzyfungus]

Holy Safety-critical system running Windows and apparently not adequately air-gapped, batman!

Re:Shit.

[TheRaven64]

The Internet is not the only source of infection. What about removable media, removable drives, or other machines on a private network that can connect to either the Internet or removable media? Perimeter defences are part of good security, but they are not the whole of it.

Re:Shit.

[Dunbal]

they don't have access to the Internet.

      Hopefully they don't have access to USB keyrings, flash drives, thumb drives and CD/DVD ROMS that have access to the internet, either...

Re:Shit.

[fuzzyfuzzyfungus]

I'm not sure that banning Windows by name would be of too much use. A quick trip down the router aisle at any computer store will show you more degenerate abuses of embedded linux and VXworks than you care to think about, and I'm told that things don't get better nearly as fast as you would hope as prices rise in other industry segments.

Anyone, though, using Windows in an environment where it could trivially be infected(ie. internet connected or contractors doing flash drive upgrades) really needs to be shown the door, yesterday. I'm also not sure why there would be "a" computer responsible for raising the alarm. Commodity x86 gear is pretty reliable for what you pay; but it isn't that reliable. If the safety of one or more 100 million+ aircraft, and everybody on board, is at stake, why are there not multiple systems, all independently capable of raising the alarm?

Re:Shit.

[Pojut]

If the safety of one or more 100 million+ aircraft, and everybody on board, is at stake, why are there not multiple systems, all independently capable of raising the alarm?

You're talking about an industry who would likely charge passengers for use of the bathroom, if they could get away with it. Why do you think there aren't multiple systems?

Re:Shit.

[JamesP]

We run critical stuff on Windows, they don't have access to the Internet. Deal with it.

Well, no. It's you who has to deal with it.

good luck

Re:Shit.

[Charliemopps]

We had to secure a computer at a company I worked at years ago. The IT department claimed it was secure (they had put Norton AV and firewall on it) I laughed when the owner of the company told me about it. He asked if I could do better. I put the computer in a metal drawer, locked it, drilled a hole in the back for the cables to come out and handed him the key. "There, now it's secure." He thought I was kidding until I pointed out the USB ports and drive bays.

Re:Shit.

[AlecC]

Except that this was not really a mission critical system - it was a fault logging system in the maintenance department. So far as one can tell from a machine-translated popular article, it was meant to log if a single aircraft had a number of different faults logged close together, because faults at different stations might not otherwise get correlated. As such, it is basically an IT system with response requirements in minutes, not a real time system with fault tolerance requirements. One of the systems which failed might have been a warning system which would have warned the pilots of the mistake which cause the crash.

Re:Shit.

[tibit]

Those mission-critical-designed-for OSes are, unfortunately, likely to be secure by obscurity. Something like vxWorks or QNX is not a big enough target for malware writers or blackhats, but I'm quite sure those platforms are full of holes simply because they are not very exposed. I'd say that linux, perhaps with realtime extensions, would be a somewhat better platform -- it's exposed way more, and most of the holes have been patched.

Re:Shit.

[Vectormatic]

i think MS also disclaims any responsability, that should tell you enough about windows' fitness for mission-critical stuff

regardless of law, putting any mission critical system (especially when lives depend on it) on a windows machine should be chargeable with criminal negligance, and in this case, manslaughter

Re:Shit.

[Rob+Riggs]

Did you remove the networkcable too?

No can do, my friend. Anti-virus software is useless without a network connection to keep the virus definitions up to date.

Re:Shit.

[Xiaran]

I worked for many years in the security industry. We had to do this to prevent security guards turning off the machine when they alarmed as it would interrupt their naps. Probably the best story I heard about a secure room was in Australian Defence. A contractor was installing a secure door to make a secure room(where you store your import and documents and hard disks after hours). Once completed a senior military guy comes down and is really impressed by this thick steel door with massive bolts etc. The contractor said its pretty good, but he reckoned he could get inside within 10 seconds. The military guys cannot believe it and bets the guy $100 he cant do it. They lock the door and the contractor then proceeds to go to the side of the secure room and put his foot thru the plaster board panelling, kicking out a large chunk and allowing him to crawl into the room in about 5 seconds.

Re:Shit.

[sjames]

Considering that 154 people died because this system did not issue the warning it was supposed to, I would say it most certainly IS a mission critical system, it just isn't treated as one.

Of course, it sounds like the whole thing was a tragedy of errors. The pilot should have seen that slats and flaps were in the wrong position, the computer in question should have flagged the plane for grounding, the on board computer should have raised the alarm. There should have been maintenance records independent of the computer that should have raised the flag on pre-flight. Not one of those things happened and people died as a result.

I would call it a comedy of errors except that it's hard to call 154 deaths a comedy.

Re:Shit.

[scribblej]

It's odd to me how easily you write off a system that caused the death of ~150 people as "not really ... mission critical."

Re:What operating system was used?

[TheKidWho]

I take it you've never worked with real people before?

Re:What operating system was used?

[mseeger]

Because humans are humans. Possible chain of events: "Hmmm. I want to surf in the internet but have no PC. But wait, there is our maintenance PC. If i install iTunes on it and connect it to my iPhone, i may surf during work. Hurray! I can even download the hot pics of my favorite celebrity to which i received a link from these chinese guy."

Its an MD82

[MichaelSmith]

wiki link

Beyond the translated Spanish article I can't find anything else about this idea of an alerting system being infected with malware. Typically such systems are simple, embedded and not interfaced in ways which could cause them to run software they are not meant to.

This bit from wikipedia is interesting:

The MD-80 Advanced was to incorporate the advanced flight deck of the MD-88, including a choice of reference systems, with an inertial reference system as standard fitting and optional attitude-heading equipment. It was to be equipped with an electronic flight instrument system (EFIS), an optional second flight management system (FMS), light emitting diode (LED) dot matrix electronic engine and system displays. A Honeywell windshear computer and provision for an optional traffic-alert and collision avoidance system (TCAS) were also to be included. A new interior would have a 12% increase in overhead baggage space and stowage compartment lights that come on when the door opens, as well as new video system featuring drop-down LCD monitors above.[4]

link

Apparently this upgrade got dropped in 1991, so the system still in use must be pretty low tech.

Re:Windows?

[WrongSizeGlass]

No, but this computer was running the old version of Flight Simulator.

What?

[miffo.swe]

Who puts Windows on anything even remotely mission critical? If you could blame someone, it should be the person deciding that.

Complimentary 7 point Slashdot troll guide...

[vistapwns]

Here is your complimentary guide to trolling this story: 1. Pretend only windows can get infected with trojans. 2. If you can't do 1. adequately, then pretend Windows is some how easier to infect with trojans than other OSes. 3. Accuse anyone who disagrees with you of being paid off. 4. Make thoughtless absolutists statements like Windows has no security model, and is not a networking OS. 5. Mention chair throwing as proof that MS personnel are unstable, but never mention wife murdering linux developers. 6. Repeat other MS bashers without researching what they're saying. 7. Mention "640k ought to be enough for anyone" as much as possible without giving thought to the brain dead simple idea that MS had nothing to do with the addressable memory limit of the 8086. Following this guide is sure to get you modded up and liked by many other slashdotters, so be sure to follow it closely!

Re:Complimentary 7 point Slashdot troll guide...

[LordLimecat]

Problem with your rebuttal: Whether or not other systems can get trojans, you should NOT be using Windows for anything that needs 100% uptime to guarentee safety of human lives, plain and simple. If the entire system can be locked up and made responsive by userland apps, then it isnt qualified to be responsible for the safety of human lives.

Re:Complimentary 7 point Slashdot troll guide...

[geekoid]

Windows is easier. It's a byproduct of sloppy architecture.

It doesn't mean the others can't be compromised, but it's a fallacy to assume all OS's can be infected with the same level of difficulty.

A result of employee loafing

[hessian]

1970s:

"I'm sorry, our computers are down." (Reality: our employees are playing NET TREK and DUNGEON on a Friday afternoon.)

2000s:

"I'm sorry, our computer has a trojan." (Reality: our employees finally found an "unused" machine to surf porn, got loaded up with Russian malware, and now it's nobody's fault.)

Re:The pilots were incompetent

[Pojut]

From the Wikipedia page (emphasis mine):

"On 17 August 2009, CIAIAC released an interim report on the incident [21]. The interim report confirmed the preliminary report's conclusion that the crash was caused by an attempt to take off with the flaps and slats retracted, which constituted an improper configuration, and noted that safeguards that should have prevented the crash failed to do so. The cockpit recordings revealed that the pilots omitted the "set and check the flap/slat lever and lights" item in the After Start checklist. In the Takeoff Imminent verification checklist the copilot just repeats the flaps and slats correct values without actually checking them, as shown by the physical evidence."

Daayum.

Nothing to do with the plane

[Kupfernigk]

This is an aggregating computer at SpanAir HQ which is supposed to record aircraft alerts and notify when too many of them happen too close together. Its only connection with the on-board computer is that somehow it receives the alerts from it. Its OS is unstated. It is not a mission-critical system, it is a decision-support system. Even so, someone looks to have been careless.

Whoever modded up the above post - you've missed the point. There may have been a fault in the on-board management system - or human error failing to heed a warning - but nothing in TFA suggests that malware was in any way involved on the flight deck.

So, when...

[Titan1080]

Does the 'War on Trojanists', begin? But seriously, someone wrote that virus. That means that someone, somewhere (probably Estonia), is guilty of killing 154 people.

Re:The pilots were incompetent

[Zocalo]

The pilots kind of revoked their own licenses. Permanently. All of the crew perished in the crash.

The thing that bugs me is that flight systems on passenger jets are multiply redundant and their are strict rules about what can and can't be done when there is a system failure. For instance there are usually at least three autopilot systems, and if only one is indicating a fault then the flight crew has to perform all flight operations manually. WTF happened with regulatory control that didn't enforce that this kind of redundancy and human oversight applied to critical systems on the ground as well?

Summary needs a bit of clarification

[ptbarnett]

The infected computer was one being used by mechanics to enter maintenance log entries. According to the article, an alert is supposed to be raised if three failures in the same part or subsystem occurred. If I understand the broken English correctly, they would have taken the plane out of service had the maintenance log entry been completed before the plane attempted to take off.

But, the problem that was supposed to be logged was reportedly an overheated pitot tube. That was not the cause of the crash: the report says that the pilots did not set the flaps correctly and a warning alarm did not go off. This was not related to the problem with the computer being used by mechanics.

The article appears to be trying to link two independent events: a separate problem with the plane and an error by the pilots. Or maybe it's just the broken English translation.

Re:Summary needs a bit of clarification

Spanish is my mother tongue, so maybe I can shed more light after reading the original article:

The procedures of Spanair are to log incidences right away whenever they are detected. Three accumulated incidences and the plane is grounded.

Two incidences had been found the day before the crash. One incidence was detected on the same day of the crash.

However, the technicians did not enter the incidences into the system right away, because the system was too slow (assumedly due to the malware)

The system did not trigger any alarm on the same day because the incidences had not been entered by the technicians. The plane was deemed airworthy, and then the accident happened due to the multiple causes described elsewhere.

Re:Summary needs a bit of clarification

[Registered+Coward+v2]

The infected computer was one being used by mechanics to enter maintenance log entries. According to the article, an alert is supposed to be raised if three failures in the same part or subsystem occurred. If I understand the broken English correctly, they would have taken the plane out of service had the maintenance log entry been completed before the plane attempted to take off.

But, the problem that was supposed to be logged was reportedly an overheated pitot tube. That was not the cause of the crash: the report says that the pilots did not set the flaps correctly and a warning alarm did not go off. This was not related to the problem with the computer being used by mechanics.

The article appears to be trying to link two independent events: a separate problem with the plane and an error by the pilots. Or maybe it's just the broken English translation.

Very true - the accident appears to have been the result of a series of crew errors that lead to an improper takeoff condition:

From Wikipedia: On 17 August 2009, CIAIAC released an interim report on the incident [21]. The interim report confirmed the preliminary report's conclusion that the crash was caused by an attempt to take off with the flaps and slats retracted, which constituted an improper configuration, and noted that safeguards that should have prevented the crash failed to do so. The cockpit recordings revealed that the pilots omitted the "set and check the flap/slat lever and lights" item in the After Start checklist. In the Takeoff Imminent verification checklist the copilot just repeats the flaps and slats correct values without actually checking them, as shown by the physical evidence. All three safety barriers provided to avoid the takeoff in an inappropriate configuration were defeated: the configuration checklist, the confirm and verify checklist, and aircraft warning system (TOWS).

Had they not made a series of compounding errors the flight probably would have been uneventful; it appears the deactivated systems was not related to the crash. It may be that some other systems were improperly set - ground vs flight mode - which caused problems and may have contributed to the accident; but none are related to the maintenance computer. Should the plane have been grounded due to an early problem? Maybe; but that may not have prevented the errors that lead to the crash.

We'll never know what the pilots were thinking; but having aborted one takeoff they may have assumed, intentionally or not, that they systems were set for takeoff and did a cursory check as a result; I've seen that happen in other industries where checklists are used. You interrupt the expected course of actions and people simply pick up where they left off, without assuring the systems were properly set for operation.

Re:What operating system was used?

[LordLimecat]

Its STILL not a high-availabilty OS, and should not be treated as such. Windows can be great for normal business use when properly set up, but it isnt designed for mission critical stuff-- if your graphical shell can bring down the OS, its probably not a good candidate for that kind of thing.

Swiss cheese

[Fzz]

The crash of an airliner these days is rarely due to a single cause. There's a saying in the industry that a crash occurs when the holes in the Swiss cheese happen to line up. This appears to have been the case with this particular crash.

• The direct cause was that the pilots attempted to take off without setting take-off flaps.
• They were rushing because they'd had a technical issue, and returned to the terminal after previously taxiing to the runway and completing the take-off checks. So they accidentally skipped the critical check that the flaps were deployed when they lined up to take off the second time.
• There's a take-off configuration alarm that is supposed to alert the pilots, but it wasn't working.
• It wasn't working because the engineer removed the circuit breaker that powered it, in order to turn off a stuck heater on a pitot tube that was due to a malfunctioning switch.
• This particular fault had been noted on previous flights, so should have flagged a warning on the airline's fault monitoring system.
• The fault monitoring system had a trojan.

Yup, the holes in the cheese certainly lined up that day. None of these, by itself, would have caused the crash.

Re:Swiss cheese

[Kitten+Killer]

Instead of indicting everyone under the sun, let's do something to fix it instead of tossing people in jail. Many people contributed a little, like Murder on the Orient Express. In the end, the ultimate responsibility rested on the Pilot-in-Command who paid the price for his mistakes. Let's learn from it instead.

1. Revise procedures so that the PNF (Pilot-Not-Flying) visually confirms the flap & slats indicator instead of just reading it to the PF (Pilot Flying)

2. Design future systems such that the take-off config warning isn't on the same circuit breaker as the Total-Air-Temp sensor. (I'm a recreational pilot, not an engineer, so I don't know if there's a valid reason for them to be on the same circuit.) Also, have an EICAS warning when the take-off-config alarm is disabled.

3. Have the engineers remind the pilots / placard the cockpit to remind them that the take-off-config alarm is disabled.

4. Flapless take-off attempts leading to accidents are not a new thing to airplanes. Further training seems to be required, especially as the small aircraft we all initially learn in will take off without flaps.

Re:Windows?

[Z00L00K]

In any case the malware author could be charged with 154 cases of second degree murder. Or will it be mass murder?

It would be interesting to see that in court.

Just need a super cable

[Ripit]

Pop one of these AKDL1's on it, and the machine is immune to trojans.

Re:Windows?

[halowolf]

And I would dearly love to see it in court. However I would imagine it would fit more under manslaughter rather than common law type murder, as I would imagine the trojan writer wasn't out to kill people. Though I would imagine you could argue malice is involved in writing trojans. I'm not a lawyer so don't take notice of anything I say. Though going by the poorly translated article there was more going on then just the trojans, the trojan computer may of been more of a contributing factor rather than the primary reason for the crash, due to reasons stated in the article.

Re:Mission Critical

[DougF]

Hate to rain on the IT parade here, but the investigation revealed that the aircrew had the aircraft on "in-flight" mode, leading to erroneous indications (forcing the first abort), and then excluding the no flaps/no slats pre-takeoff configuration error warning. The crew also called for the flaps/slats settings to be proper without actually checking them. In effect, they were able to defeat three separate safety measures to prevent exactly this kind of mishap from happening.

It does not appear that an infection of the mainframe maintenance computer is anything more than a side note in this particular mishap. It may, however, be something for airline maintenance personnel to be aware of to prevent future incidents.

The real question is why the aircrew are allowed to override a weight-on-wheels (WOW) sensor, when that is primary used for troubleshooting by ground crews. Putting the aircraft into "flight" mode while on the ground requires special attention to actions/procedures (as in when a USAF F-4 shot up a maintenance truck when the WOW switch was in override and the weapons crew performed an ops check on the gun system--ops check good, BTW).

Re:Mission Critical

[tuxgeek]

A computer controlling in-flight operations infected with trojans translates to a computer running MS windows. Why the fuck would anyone even think of this? This is like building a suspension bridge using legos and 6 year olds doing the assembly.

So when I fly, is my life really dependent on a tinker toy OS? That's fucked up! Someone should be beaten to death for this idea.