Trojan-Infected Computer Linked To 2008 Spanair Crash

An anonymous reader writes "Two years ago, Spanair flight JK-5022 crashed shortly after takeoff in Madrid, killing 154 of its 172 passengers and crew. El Pais online newspaper reports that the ground computer responsible for triggering an alarm after three failures are reported in a plane failed to do so. The computer was infected with trojans (Google translation of Spanish original)."

Mission Critical

[Anonymous Coward]

If there ever was a computer that needed to be kept running this was it! WTF - I think some managers need to get investigated.

What operating system was used?

[sa666_666]

Just wondering what operating system those computers used, and how they contracted a virus from the outside network (when they probably shouldn't have been connected at all)??

The pilots were incompetent

[GaryOlson]

At the bottom of the article, it states the computer system did not alarm when the pilots failed to use the flaps properly on takeoff. That pilot should have had his license revoked.

Complimentary 7 point Slashdot troll guide...

[vistapwns]

Here is your complimentary guide to trolling this story: 1. Pretend only windows can get infected with trojans. 2. If you can't do 1. adequately, then pretend Windows is some how easier to infect with trojans than other OSes. 3. Accuse anyone who disagrees with you of being paid off. 4. Make thoughtless absolutists statements like Windows has no security model, and is not a networking OS. 5. Mention chair throwing as proof that MS personnel are unstable, but never mention wife murdering linux developers. 6. Repeat other MS bashers without researching what they're saying. 7. Mention "640k ought to be enough for anyone" as much as possible without giving thought to the brain dead simple idea that MS had nothing to do with the addressable memory limit of the 8086. Following this guide is sure to get you modded up and liked by many other slashdotters, so be sure to follow it closely!

Re:The pilots were incompetent

[Zocalo]

The pilots kind of revoked their own licenses. Permanently. All of the crew perished in the crash.

The thing that bugs me is that flight systems on passenger jets are multiply redundant and their are strict rules about what can and can't be done when there is a system failure. For instance there are usually at least three autopilot systems, and if only one is indicating a fault then the flight crew has to perform all flight operations manually. WTF happened with regulatory control that didn't enforce that this kind of redundancy and human oversight applied to critical systems on the ground as well?

Swiss cheese

[Fzz]

The crash of an airliner these days is rarely due to a single cause. There's a saying in the industry that a crash occurs when the holes in the Swiss cheese happen to line up. This appears to have been the case with this particular crash.

• The direct cause was that the pilots attempted to take off without setting take-off flaps.
• They were rushing because they'd had a technical issue, and returned to the terminal after previously taxiing to the runway and completing the take-off checks. So they accidentally skipped the critical check that the flaps were deployed when they lined up to take off the second time.
• There's a take-off configuration alarm that is supposed to alert the pilots, but it wasn't working.
• It wasn't working because the engineer removed the circuit breaker that powered it, in order to turn off a stuck heater on a pitot tube that was due to a malfunctioning switch.
• This particular fault had been noted on previous flights, so should have flagged a warning on the airline's fault monitoring system.
• The fault monitoring system had a trojan.

Yup, the holes in the cheese certainly lined up that day. None of these, by itself, would have caused the crash.

No Cause and Effect Alleged

[anorlunda]

The Spanish article cited in the summary does not allege any cause-and-effect relationship between the computer, the trojans, and the crash.

Nearly all crash investigations reveal factoids that cause suspicion and which invite people to jump to conclusions. Sometimes, the premature public debate on such issues cause emotional harm to victims, their families and other people involved.

I realize that I'm pissing into the wind to raise this topic. I's human nature to gossip. Slashdot is no different than any other public forum in this regard. It just frustrates me to see this happen again and again.

Re:Shit.

[JamesP]

We run critical stuff on Windows, they don't have access to the Internet. Deal with it.

Well, no. It's you who has to deal with it.

good luck

Re:Shit.

[AlecC]

Except that this was not really a mission critical system - it was a fault logging system in the maintenance department. So far as one can tell from a machine-translated popular article, it was meant to log if a single aircraft had a number of different faults logged close together, because faults at different stations might not otherwise get correlated. As such, it is basically an IT system with response requirements in minutes, not a real time system with fault tolerance requirements. One of the systems which failed might have been a warning system which would have warned the pilots of the mistake which cause the crash.

Re:Shit.

[tibit]

Those mission-critical-designed-for OSes are, unfortunately, likely to be secure by obscurity. Something like vxWorks or QNX is not a big enough target for malware writers or blackhats, but I'm quite sure those platforms are full of holes simply because they are not very exposed. I'd say that linux, perhaps with realtime extensions, would be a somewhat better platform -- it's exposed way more, and most of the holes have been patched.

Re:Shit.

[Ellis D. Tripp]

But if you don't have a network connection (and the machine is physically secured to protect the USB ports and removable media drives), then you don't NEED anti-virus software. Without a means for a virus to get onto the machine, it should be perfectly safe.

Having a live network connection only for the purpose of updating an unnecessary AV package provides a route of infection in itself. Unless the machine needs a network connection for another reason, then it shouldn't be connected to a network.

I maintain several Windows (and DOS) boxes which are used for stand-alone machine controls, and none of them have ever had a problem with virus infections (despite complete lack of AV software), because there is no way for a virus to get onto them. The front panel USB and floppy/CD ports are disabled (physically unplugged inside the machines), and the rear panel USB ports are filled with epoxy glue. If I need to update software, I just open the box, and plug the cables in as needed.

Re:Shit.

[Twillerror]

I'm not sure about Norton, but Symantec AV has gone beyond simple virus stuff for a while now.

Using Symantec we didn't block USB entirely, but it is possible. It did block the standard USB type attacks though. When USB drives where plugged in the system logged all activity including files and sent them up to the central server.

Better than a drawer would have been a nice server rack...of course physical security is important. Someone could steal the drive and modify it and then put it back in. But I would think if the machine auto locked and users didn't have root/administrator access it would harder for these types of attacks.

Also, if your USB cable is coming out the back couldn't someone hijack that?

The new firewalls block incoming worms versus just blocking ips and ports like a traditional firewall.

But at the end of the day most of these attacks happen because of lack of a firewall and not patching the machines. For devices like the article it should be tested regularly, monitored, and even rebuilt from time to time for good measure...lifes are at stake.

I wish MS's firewall would be smart enough to block all traffic unless from servers. Does Joe and Janes machines at work really ever need to talk to one another. In fact I'd block traffic from the same subnet most of the time in a business setting.

Re:Windows?

[Z00L00K]

In any case the malware author could be charged with 154 cases of second degree murder. Or will it be mass murder?

It would be interesting to see that in court.

Re:Windows?

[halowolf]

And I would dearly love to see it in court. However I would imagine it would fit more under manslaughter rather than common law type murder, as I would imagine the trojan writer wasn't out to kill people. Though I would imagine you could argue malice is involved in writing trojans. I'm not a lawyer so don't take notice of anything I say. Though going by the poorly translated article there was more going on then just the trojans, the trojan computer may of been more of a contributing factor rather than the primary reason for the crash, due to reasons stated in the article.

Re:Shit.

[Jeremy Erwin]

See, this is why government oversight is so expensive. Regulations have to written for morons and swindlers. Here's the US Government standard.

1) Class A Vaults.

(a) Reinforced Concrete. The wall, floor, and ceiling will be a minimum thickness of eight inches of reinforced concrete. The concrete mixture will have a comprehensive strength rating of a least 3,000 psi. Reinforcement will be accomplished with steel reinforcing rods, a minimum of 5/8 inches in diameter, positioned centrally and spaced horizontally and vertically 6 inches on center; rods will be tied or welded at the intersections. The reinforcing is to be anchored into the ceiling and floor to a minimum depth of one-half the thickness of the adjoining member.

(b) Modular. Modular panel wall, floor, and ceiling components, manufactured of intrusion-resistant material, intended for assembly at the place of use, and capable of being disassembled and relocated meeting Underwriters Laboratories, Inc. (UL) standards are approved for vault construction.

(c) Steel-lined. Vaults may be constructed of steel alloy-type, such as U.S. Steel T-1, having characteristics of high-yield tensile strength or normal structural steel with a minimum thickness of 1/4 inch. The metal plates are to be continuously welded to load-bearing steel members of a thickness equal to that of the plates. If the load-bearing steel members are being placed in a continuous floor and ceiling of reinforced concrete, they must be firmly affixed to a depth of one-half the thickness of the floor and ceiling. If the floor and/or ceiling construction are less than six inches of reinforced concrete, a steel liner is to be constructed the same as the walls to form the floor and ceiling of the vault. Seams where the steel plates meet horizontally and vertically are to be continuously welded together.

(2) Class B Vaults.

(a) Monolithic Concrete. The wall, floor, and ceiling will be a minimum thickness of four inches of monolithic concrete.

(b) Masonry Units. The wall will be brick, concrete block, or other masonry units not less than eight inches thick. The wall will extend to the underside of the roof slab above (from the true floor to the true ceiling). Hollow masonry units shall be the vertical-cell type (load bearing) filled with concrete and metal reinforcement bars. The floor and ceiling must be of a thickness determined by structural requirements, but not less than four inches of monolithic concrete construction.

(3) Class C Vaults. The floor and ceiling must be of a thickness determined by structural requirements, but not less than four inches of monolithic concrete construction. Walls must be not less than eight inches thick concrete block or hollow-clay tile or other masonry units. The wall will extend to the underside of the roof slab above (from the true floor to the true ceiling).

source [usgs.gov]

Re:Mission Critical

[DougF]

Hate to rain on the IT parade here, but the investigation revealed that the aircrew had the aircraft on "in-flight" mode, leading to erroneous indications (forcing the first abort), and then excluding the no flaps/no slats pre-takeoff configuration error warning. The crew also called for the flaps/slats settings to be proper without actually checking them. In effect, they were able to defeat three separate safety measures to prevent exactly this kind of mishap from happening.

It does not appear that an infection of the mainframe maintenance computer is anything more than a side note in this particular mishap. It may, however, be something for airline maintenance personnel to be aware of to prevent future incidents.

The real question is why the aircrew are allowed to override a weight-on-wheels (WOW) sensor, when that is primary used for troubleshooting by ground crews. Putting the aircraft into "flight" mode while on the ground requires special attention to actions/procedures (as in when a USAF F-4 shot up a maintenance truck when the WOW switch was in override and the weapons crew performed an ops check on the gun system--ops check good, BTW).