MH370 Evidence Points to Sophisticated Hijackers

777 E:E Bay Access
The 777 E/E bay access hatch. Click for video.

 

Newly emerged details concerning Malaysia Airlines flight 370’s electrical system indicate that whoever took over the plane was technically sophisticated, possessing greater knowledge of Boeing 777 avionics than most commercial line pilots. They also suggest that the plane’s captain, Zaharie Ahmad Shah, was not responsible for taking the plane.

The new information comes via Michael Exner, a satellite industry veteran who has been one of the most prominent independent experts investigating the airliner’s disappearance. Several days ago Exner gained access to a major US airline’s professional-grade flight simulator facility, where he was able to run flight profiles accompanied by two veteran 777 pilots. “This is a state-of-the-art 777 simulator, level D, part of one of the most modern training facilities on earth,” Exner says.

A little background. As is well known, approximately forty minutes after its departure from Kuala Lumpur for Beijing, someone turned off all communications between MH370 and the outside world. Around the same time the plane turned sharply to the left and headed back over the Malayan Peninsula. Among the systems that were shut off were satellite communications; the transponder; and two automatic reporting systems, ACARS and ADS-B. The plane went dark just as it entered the space between two air-traffic control zones and was temporarily unmonitored, a sign that whoever planned the diversion wished to avoid detection and was well versed in international air traffic control procedures.

For approximately the next hour, MH370’s progress was visible only to military radar. The plane flew straight and fast between established navigational points, indicating that the aircraft had not suffered mechanical accident. At 18.22 UTC the plane was heading west out into the Indian Ocean when it passed out of range of military radar. At that point, the plane became effectively invisible. Shrouded in night, with approximately six hours’ fuel aboard, the plane could have reached any point within a 3000-mile radius and no one on the ground would have been any wiser. But it did not stay dark. Less than a minute later, MH370’s satellite communications system was switched back on.

Over the span of several minutes, between 18.25 and 18.28, the Satellite Data Unit (SDU) transmitted a flurry of brief electronic messages with Inmarsat satellite 3F-1, which occupies a geosynchronous orbit above the Indian Ocean. In a report issued this June, the Australian Transport Safety Board stated that the signals were “generated as part of a Log-on sequence after the terminal has likely been power cycled.”

Until now, it has not been publicly known how such a power-cycling could have taken place.

At the simulator facility, Exner reports, he was able to confirm “that there is no way to turn off the primary power to the satcom from the cockpit. It is not even described in the flight manuals. The only way to do is to find an obscure circuit breaker in the equipment bay [i.e. the Electronic and Equipment bay, or E/E bay, is the airplane’s main electronic nerve center].” Both of the pilots accompanying him told Exner that “pilots are not trained to know that detail.”

Why the satellite communications system was turned back on is unknown. The system was never used; no outgoing telephone calls were placed, no text messages were sent, and two inbound calls from Malaysia Airlines to the plane went unanswered. Aproximately every hour for the next six hours, however, a geostationary communications satellite sent electronic handshake signals, and the SDU aboard the plane responded, confirming that the system was still active and logged on. Though the signals contained no messages per se, the frequency at which they were sent, and the time it took to send and receive them, have been used to determine the plane’s probable direction of travel.

The fact that the SDU was turned back on provides a window into the circumstances of the hijack. For one thing, since the SDU integrates information from other parts of the plane’s computer system, we know that the plane’s electronics were substantially functional, and perhaps entirely so. Second, the fact that the perpetrator (or perpetrators) knew how to access this compartment and how to toggle the correct switches suggests a high degree of technical sophistication.

Further evidence of the hijacker’s sophistication comes from the fact that they also managed to turn of the ACARS reporting system. This is can be done from the cockpit, but only by those with specialized knowledge. “Disabling it is no simple thing,” Emirates Airline CEO Tim Clark told Der Spiegel recently, “and our pilots are not trained to do so.”

For all its importance, the 777 E/E bay is surprisingly accessible to members of the flying public. The hatch, generally left unlocked, is set in the floor at the front of the first class cabin, near the galley and the lavatories. You can see a video of a pilot accessing the E/E bay inflight here. (In Airbus jets, the hatch is located on the far side of the locked cockpit door.) Once inside, an intruder would have immediate physical access to the computer systems that control communication, navigation, and flight surfaces. A device called a Portable Maintenance Access Terminal allows ground crew to plug into the computer system to test systems and upload software.

The security implications of leaving the plane’s nerve-center freely accessible have not gone unnoticed. Matt Wuillemin, an Australian former 777 pilot, wrote a master’s thesis on the vulnerability in June 2013 and submitted it various industry groups in the hope of spurring action, such as the installation of locks. In his thesis, Wuillemin notes that in addition to the Flight Control Computers, the E/E bay also houses the oxygen cylinders that supply the flight crews’ masks in case of a depressurization event and the controls for the system that locks the flight deck door. “Information is publicly available online describing the cockpit defences and systems located within this compartment,” Wuillemin notes. “This hatch may therefore be accessible inflight to a knowledgeable and malevolent passenger with catastrophic consequences.”

Wuillemin reports that, among others, he sent his thesis to Emirates’ Tim Clark. A vice president for engineering at Emirates responded that the airline did not perceive the hatch to be a security risk, since the area is monitored by cabin crew and surveillance cameras. Wuillemin notes that cabin crew are often called away to duty elsewhere, and that the surveillance cameras are only routinely monitored when someone is seeking entry to the cockpit; he adds:

Emirates considered the possible requirement for crew to access the area should there be a ‘small’ in-flight fire. Research indicated there is no procedure, checklist or protocol (manufacturer, regulator or operator) to support this latter position. In fact, Emirates Operations manuals (at that time) specifically prohibited crew accessing this area in flight. Emirates amended the Operations manual recently and re-phrased the section to ‘enter only in an emergency’.

The fact that someone must have entered the E/E bay during MH370’s disappearance diminishes the likelihood of one of the more popular MH370 theories: that the captain barred himself in the cockpit before absconding with the plane. Even if he locked the copilot on the far side of the door and depressurized the cabin to incapacitate everyone aboard, emergency oxygen masks would have deployed and provided those in the cabin with enough air to prevent Zaharie from leaving the cockpit before the next ACARS message was scheduled to be sent at 17:37, 18 minutes after the flight crew sent its last transmission, “Goodnight, Malaysia 370” at 17:19.

It’s conceivable that Zaharie could have acted in advance by leaving the cockpit, descending into the E/E bay, pulling the circuit breakers on the satcom system and then returning to the cockpit to lock himself in before making the final radio call and diverting the plane to the west, depressurizing the cabin, and waiting until everyone was dead before returning to the E/E bay to turn the SDU back on. But if his goal was to maintain radio silence he could have achieved the same effect much more simply by using cockpit to controls to deselect the SDU without turning it off.

As it happens, Wuillemin’s efforts to draw attention to the potential hazards afforded by unlocked E/E bay hatches proved too little, too late. MH370 went missing just two months after he submitted his work to the Australian government.

319 thoughts on “MH370 Evidence Points to Sophisticated Hijackers”

  1. Victor:
    Thanks. Your clarifications are exactly right. The only real news, if you want to call it news, is that MH370 Journalism has fallen to a new low. It is incomprehensible to me how IBT (http://au.ibtimes.com/articles/572208/20141110/mh370-search-update-lates-news.org#.VGC4-vnF-Sp) and Inquisitr (http://www.inquisitr.com/1599223/malaysia-airlines-flight-370-new-evidence-2/) could screw up the attributions so badly. The people writing these articles are idiots. Any junior high school student would be more accurate.

  2. Victor:
    Thanks. Your clarifications are exactly right. The only real news, if you want to call it news, is that MH370 Journalism has fallen to a new low. It is incomprehensible to me how IBT and Inquisitr could screw up the attributions so badly. The people writing these articles are idiots. Any junior high school student would be more accurate.

  3. Victor:

    I agree with your analysis. However, having read the reporting on other ATSB investigations, it is apparent that “likely” is used for anything that is not 100% certain, however unlikely the alternatives may be. So let’s consider the likelyhood of those alternatives.

  4. @Gysbreght,

    1. Contrary to your statement, there is no evidence for a course change between 18:40 and 19:41. The BFOs at those times are consistent with an unchanged southward course.

    2. Even if ones assumes MRC, the actual altitudes flown by 9M-MRO are unknown, and therefore the speed is unknown. You could assume that the aircraft was always flown at the most efficient altitude, but, again, that is an assumption.

  5. Gysbreght:
    We know that the AES initiated a logon sequence at 1825. It is unknown why the AES had no handshakes or higher level communication between 1707 and 1825. We do know that it could have been the result of any of the following:
    1. Restoration of primary power to the AES, after an interruption of more than 10 seconds (approximate holdup time).
    2. Restoration of IRS data to the AES, via 429 connection, after an interruption for unknown reasons.
    3. Recovery from loss of P channel tracking due to aircraft orientation relative to the satellite and nulls in the antenna pattern.
    4. AES out of tolerance BITE condition (any self-test failure condition that results in suppression of transmissions, such as HPA temperature limit exceeded).
    5. Software bug/failure

    ATSB reported that the logon observations are most consistent with restoration of primary power to the AES. While 2-5 cannot be ignored or taken off the table at this point, I tend to agree with ATSB’s assumption because a) the flight path seems to suggest that the IRS data was available to the AP, b) even if the HGA was stuck in a pattern null, it is believed that there was a backup LGA (omnidirectional) that could have been used, c) there is no evidence for 4 or 5.

    Digging deeper into the Power Cycle explanation, recent blog posts and private discussion suggest two possible human related explanations for the power cycle:
    1. AES power was turned off by a human using the AES CBs in the E bay
    2. AES power was turned off by a human in the cockpit by isolating the entire left side load buss from all available power sources (left main and back-up generators, right main and back-up generators and the APU generator).

    It is certainly possible that something happened to cause the loss of power to the AES that did not involve human action. For example, all CBs are interned to protect the power distribution wiring from overload conditions, due to a short circuit in the wiring or the load itself (AES in this case). Thus, one or more AES related CBs (it is believed there are 3) might have tripped due to excess current. Let me emphasize that by noting this fact, I do not mean to infer that this is what happened. It is just an example to illustrate that there are possible causes that do not require any human in the loop. Thus, even if we knew that the logon was due to a power cycle event, it cannot be certain that a human caused this to happen.

    Much has been said in recent days …all speculation…about the various “human in the E-Bay” scenarios. Some have jumped to the conclusion that there must have been a human in the E-Bay. But for the reasons given above, that conclusion would be premature absent additional information. One certainly cannot conclude there was a human in the E-Bay based solely on the fact that the discrete AES power circuits cannot be turned off from the cockpit.

    This raises the new question: What type of emergency could have taken place that was so bad that the crew might elect to isolate the entire left load buss? Might they have isolated both the left and right load busses from all the sources, and still have been able to operate the plane in the manor observed by radar, using battery power alone? If either scenario happened, what other functionality would be lost? Assuming that the left buss was isolated, what would lead the crew to reconnect the left buss to a power source circa 1822 (which, coincedently, is also the time that the radar data ends)?

  6. @airlandseaman,
    It seems more elaborate and extreme to me, to electrically isolate the entire left bus, and then presumably turn the SDU back on by reconnecting the left bus. But if it’s possible I want to know how the process would be carried out, and what the other repurcussions would be in terms of functionality. So I’m working on that now.
    BTW I very much appreciate the rigor of your approach. There are some who throw up their hands and say, “We don’t know for sure that that’s what happened!” But the point is that something specific did happen, and we can identify all its potential causes, rule out some, rank the rest by likelihood — the point being, identifying clues and figuring out what they mean is not mere speculation, it is the essence of how mysteries are solved.
    Jeff

  7. Caution note:

    If you’re going to play with the media (especially the dumbed-down variety that targets a low-information audience), come armed with a savvy publicist or media consultant. Because they will use you. And then they’ll burn you.

  8. Jeff:

    I agree that isolating the Left Load Buss seems like an extreme case, and frankly, one I was (unconsciously) filtering out as too extreme to explore. But after thinking about it more, and casting the largest net possible, I think it is worth examining the potential reasons for such a human act. If it happened, it must have been a desperate response to a major on-board emergency, like a fire or smoke, or it must have been the deliberate act of some human with nefarious intent and special knowledge of the systems. I don’t see any other braches to this logic tree.

    If someone did start throwing every overhead power distribution switch in sight, just past IGARI, is there any configuration that could explain the loss of all the redundant VHF, transponders, ADS-B, and the AES, all the while continuing to fly the aircraft consistent with the radar track observed (i.e., relatively straight path legs)?

    I have no opinion on the likelyhood of any of these possibilites at this point.

    Mike

  9. @ Dr. Bobby Ulich (post of 10:41 AM):

    1. It depends on how you look at the data. Of course the BFO by itself does not produce a track, but combined with the BTO it does. The BFO only produces the latitudinal component, and says nothing about the longitudinal component of groundspeed.

    2. I did not assume MRC, it’s what the ATSB used in their performance analysis. Yes, the MRC speed varies with altitude. Therefore the analysis was done at FL’s of 400, 350, 300 and 250. Due to variation of MRC speed each altitude produces a different path, identified in figures 2 and 3 of the Update.

  10. @airlandseaman: in addition to the perhaps unintended consequence of generating this week’s episode of “E/E Bay-watch”, I’d thought an INTENDED aim of your sim time was to reduce uncertainty around position of wreckage, assuming [00:19 fuel exhaustion, and no pilot intervention]. My questions:

    1) Re: your tweeted bottom line: “Very close to 7th arc. Always turns. Very steep ending likely.” – HOW close to 7th arc?

    2) You performed various end-flight sensitivity tests (“L 1st, R 1st, 3 min, 10 min, simultaneous, trim, no trim”). But did all sims use a single pre-flame-out speed, altitude, and path, or were you able to vary any of these? Could a different, e.g. altitude conceivably produce a different result?

    3) Re: Nihonmama’s question on why you gave one report to the IG and the ATSB Nov.3, and will (soon?) issue a different one “for public consumption”. I’d hope the latter differs only with regard to context/translations ADDED for dummies like me – not redactions…?

  11. @Bobby Ulich
    >there is no evidence for a course change between 18:40 and 19:41. The BFOs at those times
    >are consistent with an unchanged southward course.

    The required heading changes are small, and the BFOs at those time cannot rule out such changes. That doesn’t mean that a change happened, of course.

    The discussions here of the relative merits of the ‘straight’ courses, red in the October ATSB report, and the green courses that require some loiter/heading/speed change will have reflected similar debates in the Investigation. The red courses (including your and the IG analyses) emphasise simplicity, but at the expensive of poor fits to the BFO data. The green courses (such as the example in the Inmarsat Ashton et al paper) are better fits to the BFOs, but more complex. You may recall a rather plaintive comment in one ATSB update (in September I think) on how the different analyses had diverged in their predictions and, presumably, opened up the debate again.

    The Investigation couldn’t settle the debate, hence the current search along a wide area of the final arc. I don’t think we will resolve it here, either.

  12. Jeff wrote: “identifying clues and figuring out what they mean is not mere speculation, it is the essence of how mysteries are solved.”

    Spot on, Jeff. To (try to) cast Rand’s “bar rules” post in this light: if you bring a fresh, fair, and informed perspective to evidence which has a decent chance of helping crack this mystery, your perspective is keenly welcomed – here, and elsewhere.

    If it is stale and/or biased and/or uninformed, it is not.

    One line of inquiry which I’ve felt has been routinely thrown into “Category 2” (on grounds of assumed “bias”) is where we would place the plane if one (or more) pieces of supplied evidence were DISCARDED. While this may not sit well with pure scientists (especially having so little to go on as it is), it would with detectives, whose first layer of the onion is always to assess credibility of evidence. Agatha Christie made a CAREER out of this tactic.

    I think we’ve seen enough obfuscation, deception, and incongruity with the physical evidence to permit (I would say, DEMAND) scientific inquiry under the alternative assumption that the post-17:21 data – its signal data component, in particular – is not valid.

    I admit it is much harder to solve a mystery when you no longer trust your main source of evidence. However, science tells us: if valid signal data, then DEBRIS, and excuses for not finding it – either on-site in mid-March, or on AU shores since August – (to me) fail to withstand hard scrutiny.

    We MUST keep digging, finding clues, and figuring out what they mean.

    P.S. I did a quick check of media coverage of the ATSB’s “debris drifted west” claim:

    NONE (save Jeff) checked with experts to validate its veracity
    MANY presented the ATSB’s claim as fact, rather than as an attributed claim
    SOME even wrote that debris “drifted west to Indonesia”…

    …so the only thing I find shocking about the reporting on Jeff’s latest article is how shocked some IG members seem to be that it would be bungled. The IG needs to watch and learn from the JIT, who seem to know exactly how to position the bread-crumbs.

  13. Brock:

    First, apologies to all for the sim report delays. Personal issues sometimes get in the way of the best intensions. I’ll try to answer a few questions now.

    All cases tested resulted in turns starting shortly after the second engine flamed out. Usually, the turns gradually increased in turn rate, often accompanied by phugoid oscillations superimposed on the turns. The phugoids in combination with the turns result in extreme attitudes and airspeeds, including speeds near Mach 1 and descent rates >20,000 ft/min. We did not observe any case where the aircraft continued on the same heading (with or without phugoids). Based on the turn rates observed (2 degrees per second developed in one case I recall), the typical turn radius would be <5NM. But even in the cases where the turn rate was lower for part of the ending flight, the aircraft always turned back at least 180 degrees before augering in (I believe 1-3 360s would be more common).

    In one case tested (left first), the impact came only 03:01 after the APU came on line, and 04:09 after the 2nd engine flameout. Obviously, this requires a steep descent. I note this case because it takes about 02:40 for the AES to begin a logon sequence after the APU comes on line, and we see in the Inmarsat data log evidence something caused the 0019 logon sequence to stop before completion, only seconds after 001937.

    All tests assumed the same arbitrary heading (186), NOAA winds at 38S,89E, altitude (FL350), ECON AP mode (cost index=50). BTW…the speed was down to Mach 0.804 at first engine fuel exhaustion; the ECON algorithm reduces TAS as the weight decreases. But none of these variables would significantly change the post fuel exhaustion general behavior. I have no doubt that turns would begin shortly after fuel exhaustion at any altitude and heading, and phugoid oscillations would be very likely too.

    In addition, we observed that the aircraft usually attempts an auto restart of at least one engine, after the APU comes on. Usually the attempt failed. But in one case (simultaneous flameout case), the left engine restarted for about 2 seconds. When that happened, the aircraft reacted violently. I mean, we felt a huge jerk in the cockpit and observed a lock to lock aileron transient lasting ~1 second. After this, the aircraft went into a very steep spiral and impacted with wings near vertical.

    As to the penultimate question: How close to the 7th ARC ?… I would say, *based on our simulations alone*, within 10-15NM with a high degree of certainty, and probably within 5NM (50% chance). However, when the simulator observations are combined with the Inmarsat BFO observations, the case for impact within 5NM becomes quite compelling. As noted, I shared all this with ATSB and their response was that our sim experience was essentially the same as theirs.

    Finally, let me say….I find it ridiculous…indeed insulting…for anyone to suggest that I intend to make pubic anything less than the exact same truth I reported to ATSB last Monday. What I reported to ATSB was necessarily a brief written summary without all the photos and video I’m trying to incorporate into a detailed report. (If noot for my lack of video editing skill, this would have been finished!) What I report for public consumption, in due course, will be much more detailed, and 100% consistent with what I reported to ATSB.

  14. In the absence of any new information for quite awhile now (beyond Mike’s reports on the simulations), I have lowered my objective from trying to figure what happened to trying to post something as amusing as Brock’s posts.

    While reviewing Wikipedia’s long and fascinating list of aircraft hijackings for anything similar to what Jeff suggests happened to MH370 (in vain), I ran across something suggestive of why the Malaysians may not have scrambled to intercept.

    Ethiopian Airlines 702 was forced to proceed to Geneva on February 17, 2014. According to Wikipedia, the Swiss Air Force did not respond because the incident occurred outside normal office hours, which are 08:00–12:00 and 13:30–17:00. According to a Swiss air force spokesman, “Switzerland cannot intervene because its airbases are closed at night and on the weekend…. It’s a question of budget and staffing.”

    Perhaps the Malaysians are just as practical as the Swiss, but not as candid.

  15. “Perhaps the Malaysians are just as practical as the Swiss, but not as candid.”

    Regarding military RADAR use in the wee morning hours, I would point you to the Reuters piece on March 15th:

    “a defense source said that India did not keep its radar facilities operational at all times because of cost. Asked what the reason was, the source said: “Too expensive.”

    On India’s Andaman Islands, a defense official told reporters he saw nothing unusual or out of place in the lack of permanent radar coverage. The threat in the area, he said, was much lower than on India’s border with Pakistan where sophisticated radars are manned and online continuously.

    At night in particular, he said, “nothing much happens”.

    “We have our radars, we use them, we train with them, but it’s not a place where we have (much) to watch out for,” he said. “My take is that this is a pretty peaceful place.”

    See: http://www.reuters.com/article/2014/03/15/us-malaysia-airlines-defence-idUSBREA2E0JT20140315

  16. @airlandseaman,

    Re “Finally, let me say….I find it ridiculous…indeed insulting…”

    Exactly my take of the unfortunate twitter convo involving JF.

    Apologies for serving as an involuntary conduit for his venom by way of being tagged.

    Cheers,
    Will

  17. @ Brock:

    You knocked it out of the park.

    “…so the only thing I find shocking about the reporting on Jeff’s latest article is how shocked some IG members seem to be that it would be bungled. The IG needs to watch and learn from the JIT, who seem to know exactly how to position the bread-crumbs.”

    It’s all about having a game. And telling a STORY.

    One evening, some months ago, I found myself, along with several others (including Mike Exner) in an extended Twitter conversation about the importance of clear communication and engaging the AUDIENCE.

    Does the even audience CARE?

    The conversation took off because a very exasperated Michael Frodl (who consults to the largest insurers on the planet, who in turn, underwrite the worlds’ airlines/operators) said:

    “Audience is People which is Power & why Twitter has influence! keep us all on board. keep us unwashed masses understanding this – too many buzz words & numbers. Yikes!”

    I wonder if people get that in addition to all of the invaluable and painstaking number-crunching and analysis that has occurred to date, one of the most profound ways to help the MH370 families and next of kin exert meaningful pressure on the Malaysian authorities (and their co-conspirators) is by ENGAGING the global audience that is avidly following every twist and turn. It doesn’t matter that the lamestream media (24-hour cable and print) are no longer reporting on MH370 daily. There is a massive (and not unsophisticated) audience on the Internet that is following it all.

    But if you want to get AUDIENCE attention, you need to tell a STORY — one that is crisp, clear, and simple. Simple enough for a five-year old to understand. The story should also convey why the audience should care. If the story is relatable, the audience will CARE. And now you’ve got an army — with a cause. An army that can be harnessed to make it unbearable for those seeking to hide the truth. Moreover, when the click-bait media puts out a story (as they did today) that twists and conflates facts with a (not inconceivable) hypothesis, the audience will not be confused — and they’ll ignore the click-bait.

    By way of example, look no further than the long-running (14 years and counting) reality series ‘Survivor’. One of the reasons this show still has significant ratings (and staying power) is because of its highly engaged AUDIENCE. Did you know? There’s a substantial and dedicate contingent of the global Survivor audience that works together (via the Net) to spoil each season by trying to determine the winner and location BEFORE each season airs. They are rabid fans. They also buy the STORY. And they’ve gotten so good as a collective that Mark Burnett, the show’s creator, had to start studying game theory to stay ahead of them. He also ENGAGES with them.

    As Henry Jenkins writes in Culture Convergence (pg. 28): “Survivor spoiling is collective intelligence in practice.”

    That same collective intelligence exists re MH370. Here, on a million other blogs, Twitter, Reddit, Facebook and in other nooks and crannies where nobody’s even looking. That collective intelligence wants a tight, crystal-clear, compelling STORY that they can relate to. They’re not deferential to ‘authority’ (real or imagined), and they ask a lot of questions. As they should. But if they get clear answers and buy your STORY, then they’ll go forth and spread it. They’ll even defend it. Malcolm Gladwell calls them Salespeople and Mavens.

    But if you don’t tell YOUR story, be very assured that someone else will. And when they do, very likely, it won’t be the truth.

  18. @airlandseaman: thanks so much for the update.

    Certainly did not mean to imply you’d redact – much less distort – anything at all. Your choice of words (“for public consumption”) may have had avid groupies – oft stung by what that phrase seems to mean to official investigators – fearing the worst. Without just cause in your case, I heartily agree, for the record.

    Best of luck with post-production. (And with fielding the inevitable onslaught of “huge jerk in the cockpit” jokes…)

  19. The Economist
    Hacking aircraft
    Remote control
    Nov 4th 2014, 12:04 by D.N.

    “IN ONE of his many former lives, Gulliver qualified as a pilot. He therefore exudes an aura of unquestionable confidence when striding into an aircraft cabin, secure in the belief that, if the worst happens and both pilots have the fish, he could take charge of the cockpit and calmly land the plane, Sullenberger-style. Cue the applause.

    At least he did. Nowadays, he is less sure, for two reasons. First, fly-by-wire has become the norm. As the direct link between bicep and control surface has been severed, it has rendered much of Gulliver’s skill obsolete. Second, the technical sophistication of modern aircraft means that pilots are no longer necessarily masters of the plane’s destiny. As Britain’s parliament heard last week, protecting the data links connecting ground and aircraft from cyber hackers is a “conundrum for the future”.

    How realistic is it for computer hackers to interfere with aircraft while they are in the air, a phenomenon known as cyberjacking? It partly depends on terminology. Hijacking and fully controlling an aircraft by remote means borders on the impossible, according to David Stupples of City University in London, a specialist in communications. But interfering with an aircraft’s systems, including inducing a catastrophic failure, in order to extort money is a distinct possibility, he warns.

    There are two ways this could be done, one more likely than the other. The first is a cyber attack from the outside. Passengers increasingly demand internet connectivity for work, games, movies and the like. But drilling holes in fuselages for additional antennae is costly and inefficient. So internet signals are routed through existing communications architecture, such as the Aircraft Communications Addressing and Reporting System (ACARS), which is used for short messages, or the Automatic Dependent Surveillance-Broadcast (ADS-B), an anti-collision system. As these both send and receive information they can, in theory, be targetted. When aircraft become more connected to the wider world they begin to look, electronically at least, like fixed structures. If banks can be hacked, why not aircraft?

    Yet such an attack from outside is unlikely due to the technical challenges of overcoming software architectures that, unlike banks, are currently unfamiliar and largely bespoke. It would be far easier to pay a disgruntled employee to implant malware either directly into the aircraft during a maintenance routine or through the jetway when the aircraft docks to upload the In-Flight Entertainment (IFE) system. (The IFE on the Boeing 787 used to link to the flight control system, but the company have since rectified this, according to Mr Stupples.) Just the threat of activating such a program when a flight is in the air could be enough to trigger a ransom.

    So why hasn’t it happened yet? There are two probable answers. First, the airlines and authorities are aware of the danger and are actively taking steps to address the threat, including designing fall-back systems to revert to basic manual control in the event of an anomaly discovered in the system. Second, the integration of aircraft systems, which increases the chances of finding a way through the entire architecture, is a relatively new development, brought in with the move to fibre optic cabling and data buses.

    But there is another possibility: perhaps it has already happened. Just as smartphones have been disabled with “ransomware” (“send money to this account and you’ll get the code to unlock your phone”) perhaps airline companies have had erroneous messages pop up indicating the malicious potential of an anonymous extorter. If so, would they tell the passengers and watch the share price collapse? Mr Stupples is gloomy: “if it can happen, it will”.”

    Now, a Twitter convo. To wit:

    “The B777 has loadable software for the AFDC (autopilot), intended for upgrades”

    “Airplane systems that can be modified…without physically modifying or replacing HARDWARE components”

    https://twitter.com/FarmQBoy/status/477491782763413504

  20. Is there a public record naming passengers in the first class area near the hatch? I can only find the manifest listing names in alphabetical order

  21. Brock:

    Thanks.
    Before something else gets unintentionally started (“huge jerk in the cockpit” jokes”), be advised, the term “jerk” is a formal engineering term referring to the first derivative of acceleration, second derivative of velocity, third derivative of position.
    http://en.wikipedia.org/wiki/Jerk_(physics)
    Jerk is exactly what we felt. It was like we hit a wall.

  22. @Nihonmama: thanks. You’re right: can’t just FIND the truth; must also SELL it (into stiff headwinds of competing “brands”).

    @Bruce: I think your post supported your objectives at BOTH altitudes.

  23. @Richard Cole,

    I agree completely. The only thing that will settle (most of) the debate on the course is locating the wreckage.

  24. @Gysbreght,

    You said:

    “Of course the BFO by itself does not produce a track, but combined with the BTO it does.”

    Not so. There are an infinite number of track solutions with no other constraints or assumptions.

  25. Up to 18:22, everyone agrees that the plane was flying on 2 engines at or just above a typical operating speed for FL350. Likewise, just about everyone has assumed that the plane was flying on 2 engines up until just before the 7th ring. However, what if, after the turn South, it were flying on just one engine? The speed would be lower and the autopilot system might not have maintained a straight trajectory – just the conditions needed to end up on the 7th ring at a lower latitude. Perhaps such a scenario might be ruled out by endurance considerations, but I haven’t seen it discussed before. (If it has, could someone point out where?)

    The reason to pursue such a scenario is that a “curvy track” (as richardc10 calls it) at a relatively low velocity seems to be what is necessary to fit the BTO and BFO data simultaneously.

    Just a thought

  26. Great article Jeff. I like it because it reduces culpability on the part of Captain Zaharie. But I think we all had a general consensus that Captain Zaharie is/was the most technically savvy person on this flight. This now opens up the educational backgrounds and technical training possibilities of all the passengers again, who were supposedly “cleared.” Who would have had the knowledge of the avionics in the EE bay and who would not have wanted that flight to reach Beijing? If the sophisticated hijackers secured passage by becoming stowaways and were not on the passenger manifest then the ground crew investigations and the video footage of KLIA on March 7 and March 8 become very important I would imagine.

    If there were sophisticated hijackers I see it as an explanation of why there was no landing in the vicinity of several airports (with the exception of Victor’s Banda Aceh second plane scenario) when again a general consensus by us has “intentional diversion at IGARI, with intended destination Malaysia.” It seems doubtful that the hijackers just having left Malaysia would want to land there again. Apparently they felt safe enough crossing Malaysia transponderless though.

    Was there a struggle or battle of wits between the cockpit and the EE bay resulting in a struggle rendering no one capable of flying the plane and it turning south soon after that unanswered sat phone call at 18:40? I still think the experts need to find what caused the supposed “power interruption” to the sdu in the first place sometime around 17:21. Connecting that and the reboot of it about an hour later I still think holds a big clue in it, and this coming from someone, as far as any of this goes, who is only the daughter of an avionics/aerospace engineer with Bendix/Honeywell who has since passed on.

    If a switch can “deselect” the sdu from the cockpit was it ever determined if MAS flights to China switch over to a different satcom link and power off or deselect the sdu in some way?????

  27. sk999:

    If the aircraft was flying on AP at FL350, and lost one engine, there would be no change in the track. The TAS would start slowing down, while maintaining the altitude, until the TAS reached 225kts. That takes about 10-15 minutes. At that point, the TAS would be held by traing altitude for airspeed. Once it was down to about 24,000 feet, the airplane would be able to maintain the airspeed and altitude (225/24K). We observed this in the simulator last week.

  28. sk999:

    I should have noted that 225 IAS/24,000 alt would be the single engine performance with near empty fuel tanks. If heavier, the number would change some, but the same basic principles hold. Note that the single engine fuel consupmtion goes up considerably because the system pushes the thrust up to the max.

  29. @sk99: A low speed, curved path @ 225 knots TAS does not fit the BFO data, according my calculations. Do you have an example that you can show us?

  30. Matty: there’s a pay wall; are you now doing CRM marketing for The Austalian? It would be great if you could post full-text excerpts.

    Cheryl: if it was a hijacking and the intended destination was not Malaysia, where to then? My thinking is that the relative silence of the Yanks is the result of: a. A cloaked effort to apprehend the perps (.20); or b. US intelligence is satisfied that the loss of MH370 is not a threat to the US (.80). From here, it would appear that there is even a rather lackadaisical approach on the part of the US concerning how the loss impacts the security of global civil aviation; again, they appear somewhat satisfied and are not doggedly pursuing a resolution of the inherent security breach. This further indicates that the US is quite privy to ‘something’ that has satisfied their security concerns, while such a something would need be wholly intrinsic to Malaysia (as the intended destination for the hijacked flight).

    Unless there is some larger ‘terror plot’ hermetically sealed in a yet larger, multi-lateral, covert investigation, then the pall of silence surrounding what is known about the flight can likely be attributed to the authority that Malaysia maintains under international convention (Chicago, Article 13, I believe). Nobody is pushing the Malaysian authorities to do much of anything; this should tell us a little about the aforementioned ‘something.’

    The Yanks have already traded the ‘pass’ that they have provided Malaysia in exchange for securing its cooperation (and permission for US involvement) in domestic counter-terrorism operations. Yep, the US is a primary supporter of the Malaysian regime, and then for a host of additional reasons.

  31. Just for accuracy: At FL240 ISA + 10 225 kt IAS is 330 kt TAS, but that still does not fit the BFO.

    Single engine fuel mileage is not necessarily worse than all engine at the same altitude, sometimes even better.

  32. @ airlandseaman:

    ” At that point, the TAS would be held by tra(d)ing altitude for airspeed. (…) We observed this in the simulator last week.”

    Do you remember the autopilot modes?

  33. Families’ fury over claims MH370 to be declared lost
    THE AUSTRALIAN NOVEMBER 11, 2014 9:34AM
    Print
    Save for later
    Steve Creedy

    Aviation Editor
    Sydney
    https://plus.google.com/107158623429005505864
    Fury over claims MH370 declared lost
    The search zone for flight MH370 has changed a number of times. Source: Supplied
    MALAYSIA Airlines and search authorities looking for MH370 have moved to hose down speculation the missing Boeing 777 could be declared officially lost by the end of the year.

    Victims’ families were angered after MAS commercial director Hugh Dunleavy told The New Zealand Herald that the Australian and Malaysian governments were working together on a date to formally announce the loss of MH370 and that was likely to be set by the end of the year.

    Dr Dunleavy said there was no final date but the recording of an official loss meant the airline could work with the next of kin on the full compensation payments.

    He said the Montreal Convention set the ceiling on compensation at around $US175,000 although passengers could take legal action for more.

    Responding to concern from victims’ families, Malaysia Airlines said overnight that Dr Dunleavy’s statements were a personal opinion only and that responsibility for search and recovery “remained with Australia’s Joint Agency Coordination Centre (JACC).’’

    The JACC today acknowledged concerns expressed by the next of kin and that the statements by Dr Dunleavy about a statement of loss were “greatly disturbing for the families and loved ones of the passengers and crew on board MH370”.

    “We note that overnight Malaysia Airlines has issued a statement advising that Mr Dunleavy’s comments were a personal opinion only, and also highlights that the company is not involved in any way in the search activities,’’ it said.

    “Under international convention the Malaysian Government carries overall responsibility for the search and any declarations in relation to MH370.

    “Australia continues to lead the search for MH370 on behalf of Malaysia and remains committed to providing all necessary assistance in the search for the aircraft. We owe this to the families of those on board MH370.’’

    The airline’s statement said it hoped for a closure to the tragedy and it shared the pain and anguish of families in having to deal and come to terms the situation.

    “As such we have assured them that locating the aircraft and recovering the flight data recorders remain the key priority,’’ it said. “Every party involved in this complex operation is as determined as the families and Malaysia Airlines to find answers to our many questions.

    “With regard to the level of compensation available pursuant to the Montreal Convention, or similar applicable legal regime, the airline has made it very clear that payments are determined by law to take account of proven passenger and family circumstances and will be assessed accordingly.

    “Malaysia Airlines and its insurers remain steadfast to ensure that fair and reasonable compensation is paid to the families of all MH370 passengers in accordance with the law when the families are ready to discuss the issue.’’

  34. Dr. Bobby Ulich posted November 10, 2014 at 6:43 PM :
    “There are an infinite number of track solutions with no other constraints or assumptions.”

    True, but if the turn south occurred between 18:27 and 18:39 all solutions are very close to each other.

  35. >True, but if the turn south occurred between 18:27 and 18:39
    >all solutions are very close to each other.

    That’s one of the constraints applied in the October ATSB report and I (personally) wouldn’t call the full width of the green and red distributions ‘close to each other’. Are you saying they are close, or referring to some other analysis?

    As a general point, any reference to numbers of solutions is not useful, the relevant parameter is range of latitudes (or longitudes) on the 7th arc. ATSB started this trend in their reports.

  36. @ Richard Cole

    I believe we are discussing ‘data optimized’ paths. The green distribution is the result of ‘errors’ attributed to BFO and FFB. Without those assumed errors the paths corresponding to the recorded BFO’s would be close.

  37. Does any of the BFO data support the flyby observed by the Maldives residents ? It could be the sharp turn away from due south that was observed.

  38. Well, it’s the BTO data that really resoundingly rules out the Maldives. You really shouldn’t talk about “Maldives” and “MH370” together in polite company.

  39. @Gysbregth: Thank you for correcting me. I meant 225 knots IAS, not TAS. I agree that at 24,000 ft, KIAS=225 corresponds to about KTAS=330. I have looked at curved paths between 275 and 325 knots TAS and have not found one that matches the BFO data.

  40. Here’s one possible way distance to 7th arc could be simulated in Excel:

    Cell A1: =GAMMA.INV(RAND(),2,2)+1
    Cell B1: =ABS(SIN(RAND()*2*PI())*A1)

    Copy down as many times as you like to simulate (1 trial per row). I did 10,000.

    Col A is simulated turn radius. My choice of radius ~ Gamma(2,2)+1 miles is arbitrary – I sought only to capture airlandseaman’s comments re: min/avg/max radii. Average = 5 miles; no material probability under 1.5 miles, or over 15.

    Col B is simulated distance from 7th arc. The formula does two steps at once: computes a uniformly distributed random angle (direction from 7th arc crossing to impact point, in radians), and then uses trig to convert this into distance from 7th arc.

    The assumption that all radii remain constant over time (within each trial) is of course a gross simplification – suspect radii would tend to decrease during descent. Adding this assumption would logically tend to DECREASE the average distance from the 7th arc. However, I think leaving this OUT adds a measure of prudence to my conclusions.

    Which are:

    Searching 1st 2 miles on each side of 7th arc covers 39% of probability density.
    Searching 1st 5 miles on each side of 7th arc covers 82% of probability density.

    The main reason these are so high is because, even if turn radius is very large, there is still a decent chance of impact close to the arc, if impact ANGLE is anywhere near either 180 or 360 degrees.

    Mike Chillit, who tracks & tweets search progress, reports pass spacing for Go Phoenix/Fugro Discovery of 1.0/1.25 miles respectively. When the pass they’re on is complete (4/3), they’ll have searched roughly 2 miles on either side.

    This is a first draft analysis, so likely littered with naïve errors. Peer review warmly welcomed.

  41. Rand:

    “the US is quite privy to ‘something’ that has satisfied their security concerns, while such a something would need be wholly intrinsic to Malaysia (as the intended destination for the hijacked flight).”

    How do we know that the intended destination was Malaysia?

    Again, I ask – what if the “get” was the aircraft itself – to be used later?

    If so, that would be a compelling reason for perps not to claim ‘credit’ for MH370.

    It would also fit with your 20% scenario (read: US and other looking for the perps and/or the plane), which, in turn, could explain why:

    “Nobody is pushing the Malaysian authorities to do much of anything; this should tell us a little about the aforementioned ‘something.’”

    If what happened to MH370 is wholly intrinsic to Malaysia (and it may be) then what cui bono for other countries that would have to play along with the US? Let’s surmise that ‘Five Eyes’ is at least part of the answer.

    So unless there’s a person of conscience in that mix (and I wouldn’t attempt to assign a likelihood), we should watch for (possible) leakage elsewhere.

  42. Mike asks, “What type of emergency could have taken place that was so bad that the crew might elect to isolate the entire left load buss?”

    My reading indicates that 70% of all 777 fires are electrical, and that it is difficult to determine the source or nature of “Smoke/Fire/Fumes” (SFF) if it is not immediately obvious. I have also read of the frustrations flight crews have experienced in trying to go through multiple pages of SFF checklists in emergencies.

    The Boeing SFF checklist gives as Step 7, “If possible, remove power from the affected equipment by switch or circuit breaker on the flight deck or in the cabin.”

    I suspect these circumstances have lead to shutting down more power than necessary in dealing with SFF fires of non-obvious origin. In the case of Pan American Clipper Flight 160, a Boeing 707 (1973):

    “0931 CVR recorded PIC comment that smoke was suddenly getting worse and advising crew, “Shut down everything you don’t need.” Crew had (mistakenly) executed emergency procedures for “Electrical Smoke and Fire”, F/E previously had depowered normal Electrical Buses — but smoke continued. So after the Capt’s order at 0931, the F/E complied with the Checklist by further depowering the Essential Bus (by selecting External Power position with the Essential Power Switch).”

    Similar errors apparently were made on Saudia 163 (L1011, 1980) and Air Canada 797 (DC9, 1983).

    If, as it seems, it were possible for MH370 to aviate and navigate with “the entire left load buss isolated”, might it not have been a rationale or at least understandable decision to shut down as much as possible in one fell swoop, and concentrate on landing, regardless of how bad the emergency was?

  43. @Bruce Lamon: Assuming there was an emergency onboard that required an immediate landing, what is your theory as to why the plane passed all the suitable airports in Malaysia and flew by waypoint above the Malacca Strait? And if the SATCOM was shut down by isolating the left bus via the overhead panel in the cockpit, why wasn’t the (redundant right) VHF radio used to communicate?

    Victor

  44. One possiblility why they didn’t land in emergency term could be they lost control of the aircraft and / or the emergency killed the pilots.

  45. airlandseaman and VictorI – thanks for your repsonses. The minimum speed needed to get a decent fit to the BFO is about 400 knots ground speed, which is more than what a single engine can put out. Squash that theory.

    A web search shows that the question about what speed can be achieved with one engine gets asked a lot, but publicly available data are scant. Curiously, some ETOPs maps showing 1 hr and 2 hr radii imply that one could achieve over 400 knots on a single engine, so there is some disconnect, unless those distances include a “Gimli glider” style of flying.

  46. Malaysia drafted an MoU covering it and Australia in the event that wreckage, black boxes, or other from MH370 are found. But the MoU details will NOT be made public.

    Apparently, the MoU is “in accordance with” the ICAO ruling giving Malaysia and Australia jurisdiction.
    http://t.co/OB0CMt5mLr

    Just asked @liowtionglai (Malaysia’s Minister Of Transport) this:

    “if MoU ‘in accordance with ICAO’, is no public disclosure of MoU details mandatory, or discretionary?”

    [hat tip @@dizzyoz1]

  47. Victor, you’ve pinpointed one of the reasons I’ve been mistrustful of the unreleased primary radar data (as I know you have), and have tended to rely more on, e.g., the Kota Bharu eyewitness accounts. I like (what I think is) Bobby’s theory that the MH370 flight path after 17:21 basically reflects flying over airports with the intent of landing if possible, but at the same time, the primary radar seems to rule out any significant drop in altitude (because of the speed hit).

    I guess the short answer is, I have no theory. I recall reading somewhere that with the fly-by-wire/autopilot regime there can be an issue of regaining manual control so as to attempt a landing. I still think it’s reasonably possible MH370 did come in low to attempt to land at least at Kota Bharu.

    I also have no answer for why if only the left bus were shut down the redundant VHF on the right bus wasn’t used to communicate. I have read of a number of disasters where the stresses of the emergency clouded the judgment of the flight crew. But I don’t feel I understand well enough how the cockpit controls and the electrical and communications systems work to offer any useful explanation.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.