Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Software Bug Triggered Airplane Dive Emergency

When an airplane system monitoring Airbus jet's altitude and position output incorrect data, flight computers failed to compensate.

Investigators have released their final report into a 2008 Qantas flight QF72 from Singapore to Perth, Australia, in which 110 people were injured after a computer component failed. Interestingly, investigators have now found that a programming error was partly to blame for the incident.

Here's what happened: On October 7, 2008, aircraft-monitoring systems in the Airbus A330-303--flying at 37,000 feet--failed, causing the autopilot to automatically disconnect. But pilots were still at the mercy of a flight computer that was receiving incorrect data.

Roughly two minutes after the failure of the computer component, the flight computer initiated two deep dives, the first for 20 seconds, the second for 16 seconds. Each dive slammed passengers into ceilings and walls. Dozens of alarms, most of them false, also began sounding in the cockpit. Luckily, pilots were able to switch to fully manual controls and execute an emergency landing at a nearby Australian military base.

[ Software bugs can cause serious problems. See Iran Hacked GPS Signals To Capture U.S. Drone. ]

After the incident, investigators quickly traced the problem to a failure involving one of the plane's three Northrop Grumman LTN-101 air data inertial reference units (ADIRUs), which measure the airplane's altitude, position, as well as angle of attack--meaning the degree to which the plane's nose is up or down.

But according to the final report on the incident from the Australian Transport Safety Bureau (ATSB), released Monday, the problem wasn't just a faulty ADIRU, but also a programming error involving the flight computers. In particular, the airplane software wasn't written to handle an event in which an ADIRU began outputting erroneous data at regular intervals.

Notably, the flight computers averaged the angle of attack data from two of the ADIRUs to compute the airplane's true angle of attack. If the data from the two ADIRUs significantly differed, however, then the flight computers discarded the values and used the one they'd computed 1.2 seconds prior. But investigators said that the algorithm couldn't handle an episode in which an ADIRU began feeding erroneous information at 1.2-second intervals. That led to the flight computers computing an incorrect angle-of-attack reading, causing it to execute the two dives, one of which subjected passengers to forces of 0.8 G.

To be sure, it was an extremely unlikely failure scenario, and while dangerous, investigators said it was very unlikely that the failure would have caused the plane to crash. All told, in over 28 million hours of flight time involving A330 and A340 aircraft, investigators said that there have been only three known cases of the aircraft systems failing in this manner and causing flight computers to incorrectly adjust the plane's angle of attack (AOA). Interestingly, one of those other failures involved an ADIRU in the same aircraft.

Investigators said that Airbus "subsequently redesigned the AOA algorithm to prevent the same type of accident from occurring again."

Another issue identified by investigators was that "at least 60 of the aircraft's passengers were seated without their seat belts fastened at the time of the first pitch-down." Notably, those passengers were injured with greater frequency--and severity--than passengers who had been wearing their seatbelts.

IT's spending as much as ever on disaster recovery, despite advances in virtualization and cloud techniques. It's time to break free. Download our Disaster Recovery Disaster supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
12/22/2011 | 10:30:15 PM
re: Software Bug Triggered Airplane Dive Emergency
Scary. Is it known what caused the initial failure of the ADIRU?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...