I am no fan of conspiracy theories and I usually dismiss them when it comes to aircraft accidents, or in this case, missing aircraft. However, as we approach the 1 year mark for the MH370 case, no trace of the aircraft has ever surfaced and while we wait for the ongoing search to continue and the lack of new available evidence, perhaps it is time to, reluctantly, take a look at these.

My viewpoint on MH370 is simple: if the aircraft went south, I don’t buy the view that this was a hijack or other forms of hostile takeover. The theory relies too much on damning the Captain who was a known sympathizer of Malaysia’s opposition. The circumstantial evidence were just too convenient. The so-called satcom logon and ping at 1825, in my opinion, invalidates this theory. There is little sense for someone to switch off the satcom and then switch it back on, if someone wants to disappear into the middle of the ocean. This was where I left MH370 last year.

Me, Jeff, TV Cameras, MH370 and “Crypto-Investigations”
GS_n_JW

Both Jeff and I have covered MH370 on camera in 2014 (source: Own documentation)

I didn’t think much of the other conspiracy theories, but then after the Indonesia Air Asia QZ8501 accident, I began to be in contact with the so-called “Independent Group” (IG), a group of independent experts in what I call “crypto-investigators” due to their amount of work on MH370. One of their members was Jeff Wise, who was the expert who often appeared on CNN’s coverage on MH370. Through the lack of evidence in the initial stages of QZ8501, I began to communicate with Jeff Wise and the rest of the IG. It was then that I began to realize the level expertise that did the “crypto-investigation” into MH370, and inevitably, I too joined some of the discussions.

The similarities between me and Jeff is merely the fact that while was largely the remaining expert on MH370 for CNN, I was largely the remaining expert on MH370 for Agence France Presse (AFP), throughout the first month of the debacle. From a global list of 600 aviation expert (to which I rank very far down the list), by the time the satcom issue came out, I was virtually the last guy that can talk about the aircraft satcom and aircraft piloting at the same time, that was available to AFP. This is probably where the mutual respect between me and Jeff came from (which was boosted by our discussions on QZ8501).

While Jeff said he “was on-air up to six times a day as part of its nonstop MH370 coverage” and  he “was spending 18 hours a day doing six minutes of talking”, which went on for a month with some variety  to the “rhythm of perpetual chatter”, I spent about a month doing various interviews and did my “six minutes of talking” on international media and various 45 minute appeances on local media. 9 months later, the situation turned around with QZ8501, where Jeff did what I did for MH370, and I ended up not spending a day without seeing a camera for 3 weeks, and probably became the most Indonesian in the world aside from celebrities and politicans, with a record 5 hours of airtime on a single day feeding the perpetual chatter at one or up to 4 TV stations a day… filling up the “breaking news” during the news-less end of year season. It’s therefore easy to understand why I understand Jeff in a way.

But I can’t deny that I was shocked to see what Jeff wrote on February 23… It seemed that Jeff yielded to the conspiracy theories at his site and the New York Magazine.

B-jbINzIQAA0e0y

Featured montage on Jeff’s article on New York Magazine (source: New York Magazine)

My jaw dropped and , I thought, “Oh no… Jeff lost it!” However, the respect I had for Jeff got me to read the articles.

In true crypto-investigation style, the conspiracy was, while outlandish, set up in a way that shows it had a systematic flow to it. Of all the conspiracies theories I’ve seen appear on MH370, this is the best one so far in my opinion… mainly because Jeff remains skeptical to his own conspiracy theory.

I remember that saturday 14th March 2014 when I was running from the house to Jakarta’s Al-Jazeera studio for a 2 minute appearance regarding MH370 (after some repetitive rescheduling on their part), and immediately after my appearance, I went to Jakarta’s AFP office for my appointment with my friend and journalist there, Angela Dewan (who has since taken up another post elsewhere), where we watched Prime Minister Najib’s announcement that the airplane was detected to be “alive” until around 8:20 am the next day.

Pings

What PM Najib announced on 14th March 2014, the last “Ping Ring”

One question Angela asked in our long conversation that day that I remember to this day, “if the airplane did go north, where would it end up?” Ironically, the destination that immediately came up in my head was, “Baikonur… it’s pretty remote.” However, neither me nor Angela, nor any other journalists that discussed this with me ever thought much of the northern path because if it it did, “how did it get through all that” was my quoted answer regarding that possibility, and that it wasn’t long before the BFO analysis concluded the aircraft went south. The northern path was then buried far down below in my list of priorities.

So what was interesting in Jeff’s “crazy theory”?

For someone like Jeff to come up with such a theory requires a lot of bravery, and needs to be looked at even for just a little bit, at least to freshen our minds. I emailed him immediately after reading the New York Magazine article, telling him that someone in the past mentioned something similar to his theory. The first sentence in his reply was:

“Thanks very much, it means a lot coming from you.”

This tells me, we’re all just so fed up of being stuck in the black hole of information with no new updates for the last 6 months, and that to fill our time, maybe it’s time to look at some alternatives, as ridiculous as they may be.

The purpose of such exercise is to keep our minds sharp, and our imagination tested, which is very important in this “crypto-investigation”.

JeffsTheory

Premise of Jeff’s theory (source: New York Magazine)

Whilst the BTO (pings) are not doubted whatsoever, the Burst Frequency Offset (BFO) which has long been the source of irrefutable evidence that the aircraft went south after it disappeared from Malaysian military radar coverage, while accurate as far as what Inmarsat received is concerned, can be forged. This is what Jeff’s theory relies upon.

As I read through the New York Magazine article, I thought, “nah, Jeff’s just having fun and pulling our legs on this one.” Either that, or he’d gone bonkers. I mean, the bulldozed patch of land north of the airfield the size of a 777? Come on Jeff, it would be damn hard to tow the aircraft there from the airfield and not knock any buildings or get the plane stuck with a wheel leaving the asphalt. I began to remember the old discussions I had with Angela and found my mind reluctantly yielding to parts of Jeff’s theory. I thought, “If they landed there, they must have flown it elsewhere instead of burying the plane there.”

But to get to Baikonur, the BFO data would have to be faked. But then Jeff started to talk about the 3 ethnic Russians onboard with 2 from from Odessa in Ukraine, and one from Irtkusk. Then my mind started thinking.

1Russian2UkrainiansMH370

The Russian from Irtkutsk and the 2 Russo-Ukrainians from Odessa. (source: Jeff Wise)

Jeff toyed the mind with the following:

Could any of these men, I wondered, be special forces or covert operatives? As I looked at the few pictures available on the internet, they definitely struck me as the sort who might battle Liam Neeson in midair.

At first I was going to chuckle, but then Jeff mentioned where the 2 Ukrainians sat:

MH777SeatMap_MH370

B: Where the Russian from Irtkutsk sat. C & D: Where the 2 Ukrainians sat. (Source: Jeff Wise)

The alarm bells in my head suddenly went off. The 2 Ukrainians sat right under where the Satcom antenna would be , and on the side where the controller boxes would be located (left aisle). As coverage of these 3 people were at the end of his article, I immediately contacted Jeff.

I told Jeff that many of those claiming ruse operations claim that the whole BTO and Aircraft Earth Station (AES, the aircraft’s satcom system) identifiers were faked which is too outlandish in my opinion. Faking the BFO however, was a lot easier.

  • The 3 people all had connections with wood. The Russian has a lumber company while the 2 Ukrainians had a furniture company. Coincidence?
  • The Russian sat near to where the E/E bay would be, but I told Jeff that there was no need for anyone to enter the E/E bay, and definitely not on the initial stages.
  • The 2 Ukrainians sat just under and in front of where the access panels to the Satellite Data Unit would be above the cabin ceiling.

Obviously, Jeff was immediately hooked on this. So a small discussion between me and Jeff ensued.

In 2011, I led the Aerospace and Defence Solutions department at one of the local Inmarsat resellers here in Indonesia. I told him that back then I have heard rumours of 2 Indonesian guys who have managed to remote spoof the Doppler while they worked for Inmarsat during integrity testings of the Inmarsat 3 system. And then in several defence related meetings in 2011, I was also told that the other guys who can spoof the Doppler (remote or through the satcom terminal) are Israelis (using Russian immigrant engineers), the Chinese (using the Israeli expertise) and the Russians too, but obviously my sources didn’t want to go into details. The other interesting thing is that the Israelis do have their own set of satcom engineers dealing with “new innovations” for Inmarsat satcom, through one of the Inmarsat Distribution Partners, so, nothing surprising there if anyone can spoof the BFO… all you need to do is spoof the Doppler

How do you spoof the BFO?

The BFO is the error of the Doppler correction between the aircraft and the satellite, with the assumption that the satellite was static in orbit, while it is in fact moving in a small elliptical orbit around it’s geo-stationary point. The aircraft feeds it’s position and orientation to the satcom system, so that the Satellite Data Unit (SDU) can determine how much frequency adjustment is needed and where to point the antenna beam.

SatComLogon

A typical SatCom Log-On Page on the FMC. Note the “DOPPLER” entry and frequency correction. (source: Boeing)

I can not discuss this deeper in public but one can replace the data feed from the aircraft system into the SDU. The aircraft’s Inertial Reference System(IRS) data to the SDU through an ARINC feed (standard physical  and software interface), but these can be replaced by an independent Satellite Reference Unit (SRU) which is basically an IRS on an independent box. You can also have SRU or IRS feed ARINC emulators, based on discussions with some satcom systems manufacturers. These emulators can run on a laptop and that’s why my eyes jumped at the 2 Ukrainians sitting under the satcom system.

Take over the aircraft… then switch off the transponders… depower left main AC Bus, or pull the CB in the E/E bay… open the roof panel, take out the ARINC feed to the SDU, connect the spoofer, then repower when you need to. The 10,000ft logon, can be programmed into the SDU as far as I remember, so it doesn’t have to be the Satcom controller in the E/E bay or the FMC to do that.

SatComSystems-ControlStatusInterface

Notice the need for IRS data for position and attitude. (Source: Boeing)

Some SDUs can be programmed to send positions as the aircraft passes certain altitudes (barometric or GPS depending on the desired source through the ARINC feed). A logon or a ping at 10,000ft can be programmed if one wants to, and that you can shut down the system through this emulator if you want. A more complex set up would be to manipulate the Doppler correction from the speed and position from the ARINC feed, then offset it through a processor, into the SDU.

All this is a LOT easier to do than to fake the unit identifier on a separate AES as what other “Fake satcom data” proponents have claimed. Jeff seemed overwhelmed in his reply.

You’re blowing my mind! I had no idea you’d gone down this path indendently — and cleary got further than I did. Can you access the SDU from the ceiling of the passenger cabin? I always figured they fed the faked IRS data from the E/E bay end of the ARINC cable. But it did seem odd to me that the Ukrainians were sitting under the AES.

I told Jeff that I got these information back in 2011 and had absolutely forgotten about them until I read his article about spoofing. It was only when I saw the 2 Ukrainians sitting below it did I remember all this!

During the discussions in great lengths with one of the satcom systems manufacturers about the various set ups, what I discovered was that many people know is the IRS data can be replaced with the SRU, or run it with a doppler correction emulator to replace the ARINC or SRU feed. The SDU has to be located near the High Power Amplifier (HPA) and Low Noise Amplifier (DLNA), so it is usually located above the cabin near the antenna. Can you access these boxes from the cabin? OF COURSE!

SatComComponents-1

SATCOM control rack above the left aisle on the rear 777 cabin. (Source: Boeing)

SatComComponents-2

A typical High Gain Antenna. 9M-MRO has a different set up but at the same location along the aircraft. (Source: Boeing)

I was involved with a project on this for a fleet of A330s that were normally chartered by a head of state, and SatCom security was a concern that was raised by all parties involved, as the set up was to have someone sitting near and below the AES to activate the system and it’s security. So, reverse that, and see the 2 Ukrainians sitting where they sat and…

Of course, the 2 didn’t sit exactly under where the SDU rack would be, but pretty near it. And remember that in such a scenario, to control the cabin you do not need firearms. Scary? Of course! Jeff’s reaction to this was blunt and clear.

Holy crap!

If this is true then what happened?

Assuming that something like this happened, my chain of events still differ from Jeff’s. The timing could be simple. An airband receiver can still receive what the aircraft transmitted on VHF, and you can get the aircraft’s accurate position through portable GPS, like the ones shown below:

GPSonWindow

Two GPS used by a colleague to plot his flights as a passenger (Source: “M.S.” LatLon)

Connect the GPS above to a display unit or a computer, and you can figure out where you’re at in the airspace, which airway you’re at, and therefore with an airband radio, figure out when to prepare and when to pounce at the cockpit during an ATC hand-off. Of course, how to enter the cockpit is a different story altogether and even if I know, I wouldn’t say it here.

After taking over the aircraft, the perpetrators had around 1 hour to set up the spoof. Assuming that we’re talking about a Russian backed heist, one can easily get “training” on the Satcom set up of a 777 in Russia (Aeroflot and Transaero operate 777s with fitted with the Inmarsat-3 system), and heck, even I could get some of the above information. First thing’s first, you need to switch off the satcom, and there are 2 ways of doing this.

Alternative 1: Get into the E/E Bay, or the main avionics bay below the front galley (which others have exposed the easy access as a security threat), and pull the circuit breaker on the right panel.

SatComPowerInterface

777 Satcom power schematics (Source: Boeing)

Alternative 2: Remove power from the Left Main AC Bus, and kill the TCAS, and most of the cabin lighting, in addition to removing power from the Satcom system. This can be done by isolating the Left Main Bus Tie and switching off the Left Generator.

BUAC_370

777 Backup AC Electrical System and how it can deactivate the Satcom. (Source: Boeing)

After power has been removed from the Satcom system, the dirty deed could continue. Take out the feed cable, run it through a processor before re-feeding into the SDU; or, replace the whole feed with a processed feed using an SRU and a GPS, through a laptop. Either of these methods will enable you to provide various Doppler corrections in order to spoof the BFO data. One other way is just to run it through a frequency override made by let’s say the laptop, and allow the IRS feed to provide the position data.

Of course, take out the wiring etc, and then put it back on again with the hacked layout will take time. Whether 1 hour is enough or not, that’s the unknown, but if successful, one can log off and log on again at will, which can create the different log on hand shakes what has so far baffled us as to “Why?”

Wiring aside, is Satcom that vulnerable?

We rely more and more on high bandwidth satcom, and the Inmarsat system is the prevalent one out there. One can say that the idea of someone breaking into the overhead panels and fiddle with the satcom control boxes, is just ridiculous, but have a look at this set up at another Malaysian registered aircraft… you don’t need to open up cabin ceilings with this one!

UnsecuredInstallation

Anyone who thinks this set up is secure from manipulation needs to have his/her head checked!

Conclusions

Many will ask what’s the point if this article because it is obvious that I write this not to make people believe in conspiracy theories, and I also doubt that Jeff wrote his to get people to believe his conspiracy theory. However, what Jeff and I wrote, should raise some alarm bells with regards to safety and security.

Anyone who’s convinced that the 777-sized bulldozed ground at Baikonur is the burial place of MH370 should get their heads checked. If the aircraft did land there, it would have just been refuelled, and the satcom deactivated, and remained off as the aircraft took off again into real oblivion with the purpose of the spoof done, that is to misguide people elsewhere (like the southern Indian Ocean). But, do I think the airplane went north? No, not really. Both Jeff and I believe that the search on the southern Indian Ocean need to continue.

Due to MH370, ICAO is now considering making aircraft tracking via satcom as mandatory. Many are proponents of getting the tracking done by existing on-board satcom systems. However, I personally think that such a method is no additional means of security as we can see in this article that the current set up is nowhere near secure. The SDU and HPAs are where they are because they physically NEED to be close to the antenna to ensure good quality signals.

Mandatory tracking should be done through a less expensive system that can be applied universally, that is separate from the passenger satcom systems and/or cannot be tampered with in flight. The current set up installed on many aircraft as shown, isn’t tamper proof. The last thing we need is for someone to be able to tamper with the tracking portion by accessing the physical boxes of the satcom controls and spoofing or hacking into the Satellite Data Unit, or even, destroying it, as gaining access to them is pretty easy.

Current Inmarsat-4 (Swift Broadband) antennas have their own embedded GPS that can be used for tracking by taking the data and transmitting it through as customer payload, or through the non-payload data packets. The latter would be more secure, so far, for those who wants to not add anymore hardware onto aircraft installed with these systems.

This article is to raise alarms beyond flight safety and security, but also touches on data security of on-board air-to-ground data communications used by the passenger. Those in the industry should know what I mean and why details aren’t divulged in this article… it would be just too damned tempting to be abused by the bad guys, but the current set up can easily result in abuses of privacy and mining of personal data.

The fact is, security wise, on-board internet security is still poor. We had a provider of on-board internet spoofing SSL security certificates recently, which can compromise private data such as access passwords and e-banking security. Wanting to use these systems as is for safety purposes, can and probably will open up a can of worms.

As this article shows, from the crypto-investigation “hobby” of me, Jeff and many others, sleuthing through technical details, evidence, etc, can, when combined with a little imagination and analytical thinking, expose various risks we didn’t see before (even if it stared us right in the face).