Background: MH370's Unusual Cybersecurity Vulnerability
A detailed explanation of how the flight could have been hacked.
1. INTRODUCTION
On March 8, 2014, a Boeing 777 operating as Malaysian Airlines Flight 370 diverted from its planned route from Kuala Lumpur to Beijing several seconds after leaving Malaysia’s air traffic control sector. The plane went electronically dark and flew west. Then, after leaving the coverage area of Malaysia’s military radar, the plane’s satellite communications system was turned back on. During the next six hours this system exchanged seven sets of automated signals with an Inmarsat satellite in geosynchronous orbit above the Indian Ocean. These signals contained no navigational data, and the satcom system was designed to remove Doppler shift from transmissions that might give a clue as to the plane’s motion. But because the system was not working perfectly, some clues about the plane’s motion remained embedded in the signal, and investigators were later able to tease them out sufficiently to generate a probability heat map of the plane’s end point in the southern Indian Ocean. Yet after searchers scoured an area of the seabed comprising more than 99 percent of the calculated probability distribution, they found no trace of the plane’s wreckage.
This absence suggests that one or more of the investigators’ Bayesian priors were incorrect. One such prior might have been the assumption that the data had been generated through the normal functioning of the equipment aboard the plane. An alternative possibility is that sophisticated hijackers tampered with the equipment to produce signals intended to mislead investigators. The purpose of this paper is to examine whether this scenario is conceptually possible: whether MH370 possessed a vulnerability which would have allowed such an attack to be carried out.
2. BACKGROUND
As the world’s economy has become ever more dependent on information technology, cybersecurity has become an increasingly urgent concern. State and non-state actors are constantly testing the infrastructure of potential adversaries for cybersecurity vulnerabilities. One important infrastructure sector of the modern economy is civil aviation. Airlines have long been targeted by cyber attacks, and while the known targets so far have been ground operations, there is no reason to assume that this trend will continue, especially since in recent years international flights have been targeted by state actors using non-hacking measures. For instance, in 2021 a Ryanair flight from Greece to Lithuania was forced down while transiting Belarus airspace so that a regime critic on board could be arrested. It is far from inconceivable that someone might use hacking to target an airliner. Note that in 2011 Iran allegedly used GPS spoofing to take over control of a US drone and land it within its own territory.
The satellite communications system aboard MH370 was equipped with an MCS-6000 Satellite Data Unit manufactured by Honeywell. Like any SDU, the MCS-6000 uses a technique called Doppler precompensation to change the frequency at which it transmits its signal to a geosynchronous satellite overhead. SDUs do this to ensure that the relative motion of the airplane and satellite doesn’t shift the frequency of the received signal beyond the limits of the designated frequency band. There are two approaches used to accomplish this. The first, utilized by SDUs manufactured by Rockwell Collins, measures incoming signals from the satellite, compares them to the expected frequency, and applies the difference to outgoing transmissions.
The second approach is used by SDUs manufactured by Honeywell and involves calculating the necessary frequency change from navigational data. To do this, the SDU must know the location and velocity of the plane on which it is located, and the location and velocity of the satellite with which it is communicating. According to the User Manual for the successor to the MCS-6000, the MCS-7000, “The SDU system table memory contains the location of all satellites. When a GES is selected, the SDU uses this location information and aircraft positional information (through an ARINC 429 interface) from the IRS to compute the position of the satellite relative to the aircraft.”
When the system is working perfectly, it fully compensates for the plane’s relative motion and as a result the satellite receives the plane’s transmissions at exactly the right frequency. During MH370’s final flight, however, the system was not working perfectly. The satellite over the Indian Ocean, named 3F-1, had been launched 18 years before with an anticipated service life of 13 years and was now low on the fuel that it required to maintain its orbit. Instead of maintaining its position directly over the equator, it was wandering 1.65 degrees above and below it.
In anticipation that such a situation might arise, the designers of the MCS-6000 had incorporated a parameter in its firmware called “satellite inclination” that could take this drift into account and cancel it out via the Doppler precompensation algorithm. But at the time that MH370 disappeared Inmarsat had not updated this value for 3F-1; it remained set to “0,” the value for a satellite whose orbit had not degraded. Thus, the relative motion between the plane and the satellite that was caused by the satellite’s wobble was incorrectly compensated for.
As part of its ongoing efforts to ensure that transmissions operate within their designated frequency band, Inmarsat routinely records a measurement of the accuracy of the transmissions made on its network, a value it calls “burst frequency offset,” or BFO. In the case of MH370, the faulty Doppler precompensation process had left clues about the plane’s location and motion embedded in the BFO data recorded during the flight.
3. DEFINING A SEABED SEARCH AREA
Forty minutes after takeoff on March 8, 2014, MH370’s satcom was turned off. Approximately one hour later it reconnected with the Inmarsat network. In analysing the event, the ATSB concluded that the satcom had not been disconnected from the Inmarsat network by being switched off from the control panel in the cockpit, but as the result of a power interruption. “A log-on request in the middle of a flight is not common and can occur for only a few reasons,” the agency wrote in a June 2014 report. “These include a power interruption to the aircraft satellite data unit (SDU), a software failure, loss of critical systems providing input to the SDU or a loss of the link due to aircraft attitude. An analysis was performed which determined that the characteristics and timing of the logon requests were best matched as resulting from power interruption to the SDU.”
The two possible ways a person aboard a 777 can effect this power interruption are 1) by going into the electronics bay and pulling three circuit breakers located on the left-hand wall, or 2) by isolating the aircraft’s entire left AC bus, which can be done by flipping breakers on the overhead panel. Neither procedure is part of normal operating procedure, nor is either called for by any emergency checklist.
Around the same time as the satcom was turned off, the ADS-B and transponder were also switched off, and no further radio transmissions of any kind were made by the plane. Electronically dark, the plane was seen on Malaysian military radar as it made a U-turn, flew back over the Malay Peninsula and up the Strait of Malacca toward the Andaman Sea, where at 18:22 universal time it left its final primary radar return as it left the radar’s coverage zone.
Three minutes later, MH370’s Satellite Data Unit made a logon request via satellite 3F-1. For the next six hours, the aircraft exchanged a total of seven sets of transmissions, most of them consisting of hourly automated check-ins initiated by the Inmarsat network to verify that MH370 wished to remain logged on. No transmissions were initiated by the plane, and two incoming satellite telephone calls went unanswered.
During these six hours, the plane didn’t pass through any further areas of radar coverage, nor was it seen by eyewitnesses on the ground, satellite reconnaissance, or observed in any other way. The only evidence that it was still flying were these seven pings.
At the time, Malaysia Airlines subscribed to the least expensive version of Inmarsat’s service, called Classic Aero, which did not embed GPS location data in satcom transmissions. Inmarsat’s high-end service, Swift Broadband, did offer this feature, but it cost more and Malaysia Airlines had decided not to purchase it.
In the absence of embedded GPS data, Inmarsat scientists were left to tease out what information they could from the metadata they had logged. In addition to the BFO, the company had saved the Burst Timing Offset, or BTO. This is a measure of the time elapsed between each of the satellite’s transmissions and the plane’s corresponding reply. Because light travels at a finite speed, and the SDU’s electronics require a known amount of time to generate a response, it’s possible to derive from the BTO value the distance between the plane and the satellite. The set of all the points on the earth’s surface which lie at that precise distance from the satellite makes a ring.
Samuel Davey and his colleagues at the Defence Science and Technology Group, Australia, were able to use the principles of Bayesian inference to derive from those pings the route that the plane most likely flew. The endpoint of this route presumably lay quite close to the final resting place of the airplane. However, there was a complication. Due to the directional ambiguity of the BTO data, every route created in this way has a mirror-image route lying in the opposite direction. One route lay to the south, with an endpoint in the remote Indian Ocean; the other lay to the north, with an endpoint in central Kazakhstan. It was impossible, based on the BTO data alone, to tell which was the route traveled and which was the mirror image.
The BFO data was the tool that broke the symmetry. Because the Doppler precompensation algorithm did not take the satellite’s wobble into account, when the satellite was moving north (for instance) it would have a larger Doppler shift relative to a plane heading south than it would to a plane heading north. And vice versa. In this way, Inmarsat scientist Chris Ashton and his colleagues were able to determine that the plane must have been traveling south, and must have ended its flight in the southern Indian Ocean.
Using the BTO data, Davey and his colleagues were able to generate a probability heat map of where the plane might have gone in the southern Indian Ocean. Using it, the Australian Transport Safety Bureau (ATSB) defined a search area of 60,000 square kilometers that incorporated approximately 97 percent of the probability function.
Yet when this area was searched, no wreckage was found. The area was expanded to a total of 120,000 square kilometers, and yet again, no wreckage was found. In November 2016, a panel of experts convened in Canberra to take stock. Reviewing the evidence, “They agreed that the methodology and effectiveness of the underwater search meant that if an area had been searched, there was little to no chance that any aircraft debris had been missed,” the ATSB reported. “The experts concluded that, once the then-current search area was completed, an additional area of approximately 25,000 square kilometers had the highest probability of containing the wreckage of the aircraft. The experts stated that, if this area were to be searched, prospective areas for locating the aircraft wreckage, based on all the analysis to date, would be exhausted.”
In 2018, a private company called Ocean Infinity stepped forward and offered to recommence the search using a new generation of underwater drones. They searched the 25,000 sq km area specified by the ATSB and far beyond, to a total of 112,000 square kilometres. No trace of MH370 was found there, either.
The ATSB has never offered an official explanation for why the seabed search was unsuccessful. It is possible that the plane simply flew in a statistically implausible way — for example, by making changes in speed and direction that just happened to create ping rings that matched straight-and-fast flight — but such an eventuality must be seen as extremely unlikely, having been assigned a probability of less than 1 percent before the search commenced.
Given the unlikelihood of such eventualities, it’s worth casting a wider net than originally thought necessary, and considering ideas that might otherwise have been judged unlikely. In the final section, we will consider just such a concept: the idea that MH370’s Inmarsat data could have been tampered with to create the false impression that the plane went south. This would explain the absence of the wreckage from the seabed and also resolve some other puzzles.
4. THE VULNERABILITY
The Honeywell MCS-6000 Satellite Data Unit aboard MH370 was located in the ceiling of the passenger cabin.
In the front of the unit is a PDL port.
In normal operation, this port is used by maintenance personnel to install firmware updates. According to the MCS-7000 User Manual, “The SDU also maintains a bootstrap system table containing a default set of satellite and GES identifying information. This information includes satellite Psid-channel frequencies, satellite location and associated GES IDs, plus satellite inclination [emphasis mine] and right ascension, spot beam support, and GES Psmc-channel frequencies that are set to zero… The bootstrap system table is loaded into the SDU as an inseparable part of the upload of executable software. The SDU defaults to the bootstrap system table in the absence of a stored system table, or upon execution of a factory settings restart. The default data for a satellite is used until that satellite is first accessed, where a complete update of the data for that satellite takes place.”
This implies that if the SDU is using a stored system table that is not the default system table, it will not be overwritten when the unit logs on with a satellite. Thus an agent aboard the plane could plug into the PDL port of the SDU and change the satellite inclination parameter before logging back onto the network. An opportunity to carry out such an operation presented itself during the time the SDU was switched off prior to 18:25.
According to calculations performed by Independent Group member Victor Iannello, “If an individual obtained unauthorized access to the non-volatile memory of the SATCOM, the value of the inclination used by the frequency correction algorithm could be changed from 0 to 3.3°, or about twice the true inclination of the satellite. With this change, the BFO signature of a northern path that satisfied the BTO data would resemble the BFO signature of a southern path that satisfied the BTO data.” In other words, a flight to Kazakhstan would create BFO values similar to those actually logged by Inmarsat in March of 2014.
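To check the symmetry claim in the quoted calculation, here is a simplified Doppler-residual model, added for this article and not taken from Inmarsat, Honeywell or the Independent Group. The carrier frequency, satellite longitude and aircraft test positions are constructed assumptions, and the real BFO also carries path-independent terms (downlink Doppler, oscillator bias) that the model omits.

```python
import math

# Constants assumed for this illustration (not values from the article)
C = 299_792_458.0             # speed of light, m/s
F_UPLINK = 1.6465e9           # assumed L-band aircraft-to-satellite carrier, Hz
R_EARTH, ALT = 6_371_000.0, 10_000.0  # Earth radius and cruise altitude, m
R_GEO = 42_164_000.0          # geostationary orbit radius, m
OMEGA = 2 * math.pi / 86_164  # Earth rotation rate, rad/s (one sidereal day)
SAT_LON = math.radians(64.5)  # assumed sub-satellite longitude over the Indian Ocean

def ecef(lat, lon, r):
    """Earth-centred position for lat/lon in radians at radius r (metres)."""
    return (r * math.cos(lat) * math.cos(lon), r * math.cos(lat) * math.sin(lon), r * math.sin(lat))

def north_unit(lat, lon):
    """Local due-north direction at (lat, lon): d(position)/d(lat), normalised."""
    return (-math.sin(lat) * math.cos(lon), -math.sin(lat) * math.sin(lon), math.cos(lat))

def east_unit(lat, lon):
    return (-math.sin(lon), math.cos(lon), 0.0)

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def sat_state(incl_deg, t):
    """Position and velocity of a geostationary satellite whose orbit has decayed to
    inclination incl_deg: the sub-satellite latitude swings as incl*sin(omega*t) once per
    sidereal day, so it drifts north-south.  incl_deg=0 is the fixed satellite a stale table assumes."""
    incl = math.radians(incl_deg)
    lat, lat_rate = incl * math.sin(OMEGA * t), incl * OMEGA * math.cos(OMEGA * t)
    vel = tuple(R_GEO * lat_rate * n for n in north_unit(lat, SAT_LON))
    return ecef(lat, SAT_LON, R_GEO), vel

def bfo_residual(ac_lat, ac_lon, speed, heading, true_incl, table_incl, t=0.0):
    """Frequency error (Hz) left in an uplink burst after Doppler precompensation.
    The SDU knows the aircraft velocity exactly (IRS feed) but models the satellite's
    motion from the inclination in its system table.  It transmits at F*(1 - model_rate/c)
    and the satellite receives that shifted by (1 + true_rate/c), so to first order the
    residual is F*(true_rate - model_rate)/c.  The aircraft's own velocity cancels; only the
    satellite-velocity error projected onto the line of sight survives, and that flips sign
    for a plane north versus south of the satellite."""
    lat, lon, h = map(math.radians, (ac_lat, ac_lon, heading))
    ac_pos = ecef(lat, lon, R_EARTH + ALT)
    v_ac = tuple(speed * (math.cos(h) * n + math.sin(h) * e)
                 for n, e in zip(north_unit(lat, lon), east_unit(lat, lon)))
    sat_pos, v_true = sat_state(true_incl, t)
    _, v_model = sat_state(table_incl, t)  # what the SDU's table says the satellite does
    los = tuple(s - a for s, a in zip(sat_pos, ac_pos))
    u = tuple(x / math.sqrt(dot(los, los)) for x in los)  # true line of sight (table
    true_rate = dot(tuple(a - s for a, s in zip(v_ac, v_true)), u)   # position error is 2nd order)
    model_rate = dot(tuple(a - s for a, s in zip(v_ac, v_model)), u)
    return F_UPLINK * (true_rate - model_rate) / C

def compare_paths(true_incl=1.65, lat=30.0, lon=90.0, speed=240.0):
    """Residuals for a southbound plane at -lat and a northbound one at +lat, with the
    stale table value 0 and with a table value of twice the true inclination.
    Positions are constructed test points, not MH370 data."""
    return {"south_table0": bfo_residual(-lat, lon, speed, 180, true_incl, 0.0),
            "north_table0": bfo_residual(lat, lon, speed, 0, true_incl, 0.0),
            "north_table2x": bfo_residual(lat, lon, speed, 0, true_incl, 2 * true_incl)}
```

With the table at 0 the two mirror paths give residuals of equal size and opposite sign, which is exactly what lets the BFO break the BTO symmetry; with the table at twice the true inclination the northern path reproduces the southern path's residual.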
It should be noted that only a small proportion of commercial airline flights would be vulnerable to the exploit suggested here. Such an attack could only be carried out against planes 1) equipped with the Honeywell SDU, rather than Rockwell Collins; 2) using Inmarsat’s Classic Aero service, rather than Swift Broadband; 3) flying a route whose entire length was under a single Inmarsat satellite that was low on thruster fuel. MH370, notably, met all these criteria.
If the identified vulnerability were exploited in order to abscond with an aircraft, the incident would necessarily possess certain characteristics: 1) the plane would be seen to have left the Inmarsat network and then logged on again; 2) the plane would otherwise be electronically dark in order to provide no contradictory evidence; 3) the plane’s true route and mirror route would both have to lie outside the detection range of any primary radar system; 4) the plane’s true route and mirror route would have to lie on a north-south axis, so that the BFO error could provide a distinguishing signal. Again, MH370 met all these criteria.
It’s worth noting that this scenario would explain some aspects of the case that are otherwise puzzling, including the reboot of the SDU, the lack of identifiable motive on the part of MH370’s captain, the absence of wreckage in the seabed search area, and the fact that none of the pieces of debris later retrieved from the western Indian Ocean exhibited biofouling consistent with drift from the predicted ocean impact site.
To be sure, there are objections that could be raised about the likelihood of this scenario. For instance, if the plane flew north, why was it not detected by the air defence radar of any of the countries under its path? One possible answer is that none of these countries was in a state of heightened military tension along the route, and so did not require round-the-clock radar surveillance. India’s radar in the Andaman Sea region, for instance, was not turned on that night. “We operate on an ‘as required’ basis,” the chief of staff of India’s Andamans and Nicobar Command told Reuters.
Another objection that could be raised is that the attack described is so arcane that it would be impossible for any attacker to conceive of. Internally, this is the attitude that Inmarsat appears to have taken when considering the possibility that their data might have been spoofed. In a conversation in 2014 with this author and journalist Miles O’Brien, Inmarsat's vice president of satellite operations Mark Dickinson said: “Whoever did that would have to have six months’ worth of knowledge of what would happen, in essence to know how the data would be used, and there’s nothing to show that evidence at all as far as I’m aware.”
However, it is dangerous to impose an imagined upper limit on the cleverness and resourcefulness of one’s adversaries. What’s more, a stratagem that seems arcane in a general context might seem more obvious to those well versed in a technical subspecialty. Doppler spoofing is a time-tested technique in electronic warfare, for instance. And the idea that decaying satellite orbits can affect transmission frequencies is implicit in the fact that SDUs are designed to incorporate inclination and right ascension values in the precompensation algorithm. Thus, what seems like an obscure exploit to a layperson would not seem so obscure to experienced engineers in either the electronic warfare or satcom industries.
For many years it was widely accepted that the authorities charged with finding MH370 had the situation well in hand. Their assumptions and conclusions alike were clear and reasonable. Their failure to find the plane indicates that they were either unlucky or that one or more of their assumptions were erroneous. It is dangerous to ascribe one’s failures to bad luck, if in doing so one misses the opportunity to address correctable shortcomings.
The point of the present exercise has not been to prove that the vulnerability was exploited, but to demonstrate that it may well have existed. As hacking of civilian infrastructure becomes increasingly widespread, a maximalist attitude to vulnerabilities must be adopted. Rather than assuming they don’t exist, we must assume they do unless proven otherwise, and be prepared for the possibility that adversaries may attempt to exploit them in ways that we can’t anticipate, and for motives that we don’t understand.
I think they were planning on exchanging the passengers for their money but when the plane landed they found out the passengers had succumbed to oxygen deprivation and they had to quickly hide the evidence. And that’s how the 3 hijackers survived.
I still think the motive for MH370 was the money Russians lost through 1MDB, Malaysia’s development bank.
2/7/24 Reuters
The Justice Department announced today that it has repatriated an additional $452 million in misappropriated 1Malaysia Development Berhad (1MDB) funds to the people of Malaysia, bringing the total returned to over $1.2 billion.
Malaysian and U.S. investigators estimate $4.5 billion were stolen from 1MDB, implicating former Malaysian Prime Minister Najib Razak, Goldman Sachs (GS.N) staff and high-level officials elsewhere.