Malaysia Airlines Flight MH 370 may have been hacked in the world’s first “cyber-hijack,” claims a British anti-terrorism expert.
Former Home Office scientific adviser Sally Leivesley said that hijackers may have changed the plane’s speed, direction, and altitude via radio signals to the plane’s flight management system, reported the Sydney Morning Herald.
The plane could have then been crashed or landed, Leivesley continued, according to the Herald, which cited the Sunday Express newspaper in London.
Leivesley’s theory is one of many as to what happened to the missing plane, which had 239 people on board. It hasn’t been seen or heard from since March 8 when it was flying from Kuala Lumpur to Beijing.
Malaysian officials said over the weekend that the plane’s disappearance was a deliberate act, and police started searching the homes of the jet’s pilot and co-pilot.
Leivesley said that she believes malicious codes could have overcome the plane’s security.
“This is a very early version of what I would call a smart plane, a fly-by-wire aircraft controlled by electronic signals,” she said. “There appears to be an element of planning from someone with a very sophisticated systems engineering understanding,” she added.
Leivesley continued: “It is looking more and more likely that the control of some systems was taken over in a deceptive manner, either manually, so someone sitting in a seat overriding the autopilot, or via a remote device turning off or overwhelming the systems.
“A mobile phone could have been used to do so or a USB stick. When the plane is air-side, you can insert a set of commands and codes that may initiate, on signal, a set of processes.”
Leivesley told the paper that she was notified of this kind of hacking threat last year while at a conference. “What we are finding now is that it is possible with a mobile phone to initiate a signal to a preset piece of malicious software, or malware, in the computer that initiates a whole set of instructions,’’ she said.
“It is possible for hackers — be they part of organised crime or with government backgrounds — to get into the main computer network of the plane through the inflight, onboard entertainment system,” she continued.
In 2013, at the Hack in the Box conference, security researcher Hugo Teso went on stage and took out his phone. He accessed an app, Planesploit, that he coded himself, which he said could affect a plane’s navigation systems.
Teso, who is a researcher, said that he could theoretically change a plane’s route and make it crash with the app. He reportedly did a demonstration on stage to show that systems on board planes are vulnerable.
But U.S. air regulators said that his app wasn’t possible.
“The hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware. The described technique cannot engage or control the aircraft’s autopilot system using the FMS or prevent a pilot from overriding the autopilot. Therefore, a hacker cannot obtain ‘full control of an aircraft’ as the technology consultant has claimed,” the FAA said, according to Net-Security.
And the European Aviation Safety Agency (EASA) downplayed Teso’s findings, saying that embedded software has a “robustness that is not present on ground-based simulation software.”
Rockwell Collins wrote a commentary for Forbes that said, “Today’s certified avionics systems are designed and built with high levels of redundancy and security,” adding that Teso’s research “involves testing with virtual aircraft in a lab environment, which is not analogous to certified aircraft and systems operating in regulated airspace.”
Trend Micro, a security company, said in October 2013 that “vulnerabilities” have been “discovered in global vessel tracking systems.”
“Trend Micro researchers have discovered that flaws in the [Automatic Identification System]AIS vessel tracking system can allow attackers to hijack communications of existing vessels, create fake vessels, trigger false SOS or collision alerts and even permanently disable AIS tracking on any vessel,” the firm wrote.
The AIS is a “a mandatory vessel tracking system for all commercial (non-fishing) ships over 300 metric tons, as well as passenger ships (regardless of size and weight). AIS works by acquiring GPS coordinates and exchanging a vessel’s position, course and information with nearby ships and offshore installations. It is currently installed in around 400,000 vessels.”
AIS, it says, is but one example of “a mandatory vessel tracking system for all commercial (non-fishing) ships over 300 metric tons, as well as passenger ships (regardless of size and weight). AIS works by acquiring GPS coordinates and exchanging a vessel’s position, course and information with nearby ships and offshore installations. It is currently installed in around 400,000 vessels.”