MH370's Satellite Data Was Vulnerable (Imagining the Impossible, part 2) [S2Ep 53 video]
In part 2 of my 12th anniversary series "Imagining the Impossible," we interrogate Inmarsat's certainty that their data couldn't have been tampered with
Soon after MH370 vanished in 2014, investigators became convinced that there was only one possible explanation: that the plane’s captain, Zaharie Ahmed Shah, had hijacked the plane and carried out an elaborate and technically sophisticated plan to commit mass murder-suicide by flying to a remote stretch of ocean and crashing there.
Underlying their sense of certainty were three core beliefs. In today’s episode we explore the second of those: the idea that the metadata that Inmarsat had received from the plane’s satellite communication system, and which scientists had analyzed to designate a search area, was 100 percent reliable and couldn’t have been tampered with.
But new research finds that the 777 data bus is actually wide open to data tampering. By feeding falsified information into a program called the Doppler Precompensation Algorithm, sophisticated hijackers could create the impression that the plane had traveled south into the remote ocean when it actually flew north to Central Asia.
Let me explain.
As you’ll remember, MH370 went electronically dark 40 minutes into its flight to Beijing, did a 180, flew back over the Malayan Peninsula and was last seen on military radar at 18:22 universal time. Then, three minutes later, its satellite communications system was turned back on, for a reason that no one has ever been able to find a good explanation for.
After being turned on, the plane exchanged seven so-called handshakes or pings over the next six hours. These contained metadata that the satellite company Inmarsat stored on its servers in London.
There were two kinds of metadata that were important for the case. The first kind, called BTO or burst timing offset, was a measure of how far the plane was from the satellite at each of those seven moments. If you plot all the possible places the plane could be at that distance, you get a ring or an arc. Using a technique called Bayesian inference, Australian scientists were able to determine what route the plane most likely took.
Actually, the technique produced two routes, each a mirror image of the other. One goes into the southern ocean, and the other goes north, and ends up in Kazakhstan.
The reason that there are two mirrored routes is that the BTO data is symmetrically ambiguous. For any route you draw that matches the ping rings, there is going to be another one that’s exactly the same but going off in another direction.
This is where the second set of data comes in. It’s called Burst Frequency Offset, or BFO. This is a measure of how much the signal that the satellite receives from the plane is different in frequency from what the system is supposed to operate at.
This is important because if you’re a geosynchronous satellite looking down from 22,000 miles at half the Earth stretched below you, there are going to be billions of devices operating on different parts of the radio spectrum, each of them allocated a very narrow slice of that to operate on so they don’t swamp each other out.
That’s tricky for the Inmarsat satellite, because thanks to a phenomenon called the Doppler effect, when a transmitter and a receiver are moving in relation to one another, that movement affects the frequency at which the signal is received. And a plane is moving at hundreds of miles per hour, so it has the potential to really screw up the frequency that the satellite receives its signal at.
To prevent that from happening, there’s a box on the plane called the Satellite Data Unit, or SDU, that carries out a procedure called Doppler Precompensation. Knowing what the relative velocity is, it changes the frequency it transmits at so that when the satellite gets it, it will be at the correct frequency.
If the system is working properly, then the BFO value should always be zero. But on the night in question, it wasn’t working properly. The satellite was old, past its planned retirement age, and so it wasn’t stationary relative to the earth. It was wobbling in its orbit, and the Doppler precompensation algorithm didn’t account for that extra motion.
As a result, the BFO would have looked different depending on whether the plane was flying south versus north, and this told investigators that the plane went into the ocean, not Kazakhstan.
Now, the way that the SDU knows how much to change the transmission frequency is by calculating where it is relative to the satellite using navigation information generated by a system called the IRS, or inertial reference system.
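A simplified model of the precompensation residual described above, added here as an illustration (it is not Inmarsat's or the investigators' code). It assumes the SDU corrects for a motionless satellite at its nominal position; the satellite longitude, carrier frequency, aircraft positions and speeds are constructed sample values.

```python
import math

C = 299_792_458.0      # speed of light, m/s
F_UPLINK = 1.6466e9    # assumed L-band carrier, Hz (illustrative value)
R_EARTH = 6_371_000.0  # spherical-Earth radius, m
R_GEO = 42_164_000.0   # geosynchronous orbit radius, m
SAT_LON = 64.5         # constructed nominal satellite longitude, deg E

def ecef(lat, lon, radius):
    """Earth-fixed Cartesian position for a latitude/longitude in degrees."""
    la, lo = math.radians(lat), math.radians(lon)
    return (radius * math.cos(la) * math.cos(lo),
            radius * math.cos(la) * math.sin(lo),
            radius * math.sin(la))

def north_velocity(lat, lon, speed):
    """Earth-fixed velocity for motion due north at speed m/s (negative = south)."""
    la, lo = math.radians(lat), math.radians(lon)
    return (-speed * math.sin(la) * math.cos(lo),
            -speed * math.sin(la) * math.sin(lo),
            speed * math.cos(la))

def doppler(pos_a, vel_a, pos_s, vel_s):
    """Doppler shift in Hz at the satellite; positive when the range is closing."""
    los = [a - s for a, s in zip(pos_a, pos_s)]
    rng = math.sqrt(sum(x * x for x in los))
    range_rate = sum((va - vs) * l for va, vs, l in zip(vel_a, vel_s, los)) / rng
    return -F_UPLINK * range_rate / C

def residual_bfo(ac_lat, ac_lon, ac_speed_north, sat_lat, sat_speed_north):
    """Frequency offset left over after the SDU's precompensation, in Hz."""
    pos_a = ecef(ac_lat, ac_lon, R_EARTH + 10_000.0)  # aircraft at 10 km altitude
    vel_a = north_velocity(ac_lat, ac_lon, ac_speed_north)
    # The SDU's model: satellite parked at latitude 0 and not moving.
    assumed = doppler(pos_a, vel_a, ecef(0.0, SAT_LON, R_GEO), (0.0, 0.0, 0.0))
    # What actually happens: satellite displaced from the equator and drifting.
    actual = doppler(pos_a, vel_a, ecef(sat_lat, SAT_LON, R_GEO),
                     north_velocity(sat_lat, SAT_LON, sat_speed_north))
    return actual - assumed

if __name__ == "__main__":
    # Mirrored constructed tracks: 20N flying north, 20S flying south, 230 m/s.
    print("ideal satellite :", residual_bfo(20.0, 95.0, 230.0, 0.0, 0.0))
    print("northbound track:", residual_bfo(20.0, 95.0, 230.0, 1.0, 60.0))
    print("southbound track:", residual_bfo(-20.0, 95.0, -230.0, 1.0, 60.0))
```

With an ideal satellite the residual is zero on either track; once the satellite is off its nominal position and moving, the two mirrored tracks leave residuals of opposite sign, which is the asymmetry that breaks the BTO ambiguity.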
The SDU is located on the back of the aircraft, similar to where a shark’s dorsal fin would be. The IRS is in the electronics bay, which is in the front of the plane under the flight deck.
The two communicate over a data bus called the ARINC 629 bus. It’s kind of like a hardwired internet. It consists of a braided cable that a whole bunch of devices can clamp onto, and any one of them can send signals to any other. In this case, the IRS sends location and speed data to the SDU, which then calculates its relative velocity to the satellite and thence the Doppler precompensation value.
What this means is that if an attacker went up to the front of the business class cabin on flight 370, opened up the hatch to the electronics bay, and went down there, they would have access to the IRS and to the 629 bus that tells the SDU where it is. And because of that, a clever attacker could send signals that effectively lie to the SDU so it sends the signal at the wrong frequency and causes Inmarsat to record a misleading BFO value.
I’m not going to get into every detail right now, but the upshot is that if you’re sophisticated enough to know how this system works, and you can change the data that the IRS sends to the SDU, you can make it look like the plane went one way when it really went the other.
In a 2024 paper called “Air-Bus Hijacking: Silently Taking over Avionics Systems,” Martin Strohmeier and colleagues from the Information Security Lab in Zurich describe the vulnerabilities of the ARINC 429 bus, which is an earlier version of the 629 bus that MH370 used. They describe how it’s possible, by clamping onto the bus, to overwrite signals that one device on the bus is sending to another. Basically, you can falsify any data that you want. They write:
…attackers can not only monitor bus communications, but also actively disrupt them through bit flips, packet injections, and cancellation attacks. This research sheds light on the severe risks of undetected data tampering and packet manipulation, which pose a real threat of catastrophic outcomes.
They add that:
the prioritization of functionality and safety has often led to the neglect of security considerations. This oversight leaves critical systems exposed to sophisticated cyber-physical attacks.
I’d interviewed Martin Strohmeier before for an article for New York magazine, and I reached out to him to see if he’d come on the show. I also wanted to know if the vulnerability that he identified in the 429 bus would also apply to the 629. He wrote:
…our communications people at the DoD are very jittery about something like this for various Switzerland-internal reasons, so unfortunately I have to pass this time. I wouldn’t be able to say much beyond what is in the paper…
Yes, 629 should work similarly, as we allude to in the paper.
I think it would be really interesting to put together a paper that builds on Martin’s research to specifically detail how exactly a spoofing attack on MH370’s Doppler precompensation could be carried out.
Somewhat surprisingly, no one has ever really contested the idea that the BFO value could be spoofed.
Followers of the podcast will know that over the years I’ve had a long-running beef with members of the so-called Independent Group of MH370 experts, who are really reluctant to engage with the idea that MH370 might have been hijacked by someone other than its captain, but even they are on board with the feasibility of a BFO spoof. No less than Victor Iannello himself wrote a very detailed description of how such an attack could be carried out.
And back when MH370 disappeared, scientists at Inmarsat publicly wondered if the data might have been altered. In May of 2014 David Coiley, Inmarsat’s VP Aviation, appeared at an aviation industry conference in California where he said,
We are very confident that this data is correct assuming that there is no way this data has been spoofed in any way.
He then stressed that Inmarsat strongly believed that spoofing did not occur.
The reason that they don’t think that the attack was carried out is that they believe that the work that they did to decipher the Doppler precompensation riddle was so difficult that they couldn’t conceive that someone else might have cooked up this hack in order to deceive them on such a subtle piece of evidence.
It would basically mean that they were dealing with an adversary who is smarter than they are. Mark Dickinson, former Inmarsat VP of satellite operations, expressed his skepticism in the Netflix documentary series “MH370: The Plane That Disappeared”:
The idea that someone predicts that we would analyze this data in this way, when we’d never done it in the past before, doesn’t seem particularly credible at all.
What I actually find really interesting is that he’s not saying that this kind of attack is impossible. He’s saying that he couldn’t believe that someone else could have figured it out before they did.
I find that a very weak argument. Zero day hacks happen all the time. The definition of a zero day hack is that it occurs when an attacker figures out and exploits a vulnerability before the engineers who built a system realize that it’s there.
It is absolutely no defense to imagine that there are no bad guys in the world who are smarter than you are.
A really stunning example of this was the SolarWinds hack, in which Russian state hackers achieved an absolutely devastating penetration of a major American IT management company, effectively turning its own software updates into a Trojan horse. Wired did a great article about it that came out in 2023. This key paragraph describes the process by which investigators realized how the attack had been carried out:
One possibility was that the attackers had stolen the digital certificate… or, more alarmingly, they might have breached SolarWinds’ network and altered the legitimate Orion .dll source code before SolarWinds compiled it—converting the code into software—and signed it. The second scenario seemed so far-fetched that the Mandiant crew didn’t really consider it—until an investigator downloaded an Orion software update from the SolarWinds website. The backdoor was in it. The implications were staggering.
Just to draw a line under it, investigators could have missed figuring out how the attack had worked because it seemed too far-fetched that the attackers could have been that sophisticated.
When they did eventually realize what had happened, they were stunned by the caliber of their adversaries. They were world-class.
Really, it’s a testimony to the quality of the investigators that they had the humility to recognize and acknowledge the quality of their adversaries. It takes a certain amount of intellectual humility to do that.
Contrast that with Mark Dickinson, who says he doesn’t find it plausible that someone could have figured something out before Inmarsat did. I find that naive and frankly a bit sad, because I don’t think a top-caliber institution would allow itself to be lulled into complacency in this way.
What is very apparent right now, in a way that wasn’t apparent in 2014, is that we are living in a world in which a powerful actor is on the world stage, using a wide variety of attacks to try to undermine the free-market democracies of the world.
These attacks have been going on and on, they have been incredibly damaging for the well-being of civilization as a whole, and the reason that more has not been done to stop them is that many of the powerful people who are in a position to stop them simply lack the imagination to understand that the world has entered a new and dangerous phase that does not play by the old rules anymore.
And even when danger is staring them directly in the face they don’t see it because they lack the imagination to understand that it could be possible.



Interesting that the 629 is involved in the investigation. The 629 uses set timing intervals for each device on the bus. Flight has priority. Talking to a satellite is low on the list. Might affect the signal speed through the system.