Crashing an In-Flight Entertainment System

rabblerouzer writes "Hugh Thompson, who was interviewed by Slashdot on the dangers of e-voting, now has a cool blog entry on how he was able to bring down the gaming/movie console on an airplane. He calls it one of the most interesting examples of a software 'abuse case' he has ever seen." Fortunately the IFE system is totally disjoint from the avionics.

Yeah tell me about it ....

[taniwha]

I fly across the pacific a few times every year and they always warn people to take it easy and be patient with the IFE "or it will crash" - which is certainly true - without trying I managed to spend 10 hours staring at a Windows CE "some thing bad happened" dialog box .... couldn't even turn the damn thing off when I wanted to sleep

Re:Err

[inviolet]

Interesting. I went to swissair111.org [swissair111.org] and read up on the incident. They are now reporting that "MICHAIL ITKIS, CEO OF INTERACTIVE FLIGHT TECHNOLOGY CHANGES NAME TO MIKE SNOW". So apparently we need an extra step in the old cliche:

1. Create fly-by-night company to produce in-flight entertainment systems.
2. Rush the product to market prematurely.
3. Organize an IPO.
4. Profit !!
5. Observe the product causing airplanes to crash and burn.
6. Change name and move away.

You can tell it's Linux when it crashes.

[VirtualSquid]

I suspect it might be fairly common for seat-back computers to crash?
I don't know enough about Linux to understand what it said on my screen when it was trying (and failing) to boot back up again:
http://washedashore.com/misc/inflight_error.jpg [washedashore.com]
(This was April 23, 2005, on a flight from Bucuresti Romania to NYC.)
-Ben

Re:There is a NAME for the bug...

[AndroidCat]

And when you compile the code in release, where is your friend now?

Similar Crash

[Roger W Moore]

Several years ago I managed to crash an in flight entertainment system on a united flight completely inadvertently. The system in question required only had a few games for free with the rest costing money to unlock. Since I objected to having to pay for the games I restricted myself to the free games until suddenly in the middle of a game of pong it got more and more sluggish until the screen freezes, goes black and the system reset itself. I went back into pong, cranked up the number of balls to the max allowed (4 IIRC) and noticed that now it would crash within a minute or two.

Playing around (there really was nothing better to do) I found that quickly wiggling the bat around with 4 balls on the screen would crash the system. After about the 4th or 5th crash the system came back up but this time with all the games enabled! After that I was careful not to crash the system but still about 30 minutes from landing it crashed again and came back up with only the free games.

I wondered at the time how such an easily triggered failure could have been overlooked. Unlike the article my crash only affected my screen...but at least there was some beneficial affect!

Re:Err

[iocat]

It sounds good. Too good in fact. In fact, it sounds like BS. It basically reads like an urban myth. Also, given that the max value was 4, its unlikely the field size onscreen would have been big enough to display a 3 digit number. I also can't think of any domestic carrier in 2005 that had a combo touch screen / telephone thingee in the back of every seat. The only one I can think of now is Thai in their Royal Thai section.

Can anyone intuit the airline? Because without an airline name, I call bullshit on this story. I would guess it had to be business class, and probably a foriegn carrier, if the story is to be believed.

Re:Err

[iocat]

Sorry to reply to my own post, but someone down below suggested it may have been a Delta 767. The Song (Delta's low cost brand) airline has the Panasonic eFX IFE which offers what he describes I think in every seat (my bad for not flying Song I guess!). Link here [panasonic.aero]. The story still seems way to slick to me (as a former tester, I would have tried that sequence of events pretty quick), but evidence of an IFE that fits the description makes it inherently more believable.

Re:As a side note...

[slacktide]

I wholeheartedly agree. You may find this picture relevant to your interests, I took it on Dec. 26 2006, onboard a Delta Airlines flight from New York to Seattle.

http://i12.tinypic.com/2j17rc4.jpg [tinypic.com]

The IFE had to be rebooted 3 or 4 times during a 5 hour flight, some people's screens never worked at all. Luckly I caught a snapshot of the offensive software's startup screen.

Re:Err

[Mycroft_VIII]

Nope, IQ is not a linear measurement (usually).
There are quite a few IQ tests and they are usually structured so that the majority of people fall right around 100 with a max possible score of 200.
    IIRC, over 80% of all people fall in the 10 point range around 100 (or maybe it was with 10 points of 100).
      A 150+ on most tests is in the upper 2% of the population.

Mycroft

Re:There is a NAME for the bug...

[Danny Rathjens]

Right there with him if he is a game developer apparently. :) I boot out of linux into windows once in a blue moon to play a game and have been quite surprised to see code that millions of dollars went into developing like WoW or FFXI throwing assertion errors. Apparently they compile release builds with assertions enabled nowadays!

Re:Avionics programmers

[Voice of Meson]

Interesting stuff this critical code. When I started out as a grad at a large Aerospace company we were given shiploads of Flight Control Computer code to unit test for a new(ish) fighter aircraft. Most of the stuff we worked with was what you have described as 'Level A' code but I didn't really understand what it all meant at the time.

Anyway, the level of testing required was very, very high. I say that even though we were grads working on it, because it was not our choice what to test and what to leave, and they were done multiple times with different people, the the branches, lines run etc compared. It was the lowest level of the software tests and everything was in modules about 30 lines long that needed 100% coverage, every logical combination tested out etc. Plus the languages they used (ADA95, fortran(77?) and assembly) were cut down to remove anything too untestable. I think 'while' loops were out because, as opposed to 'for's, there is a chance of a infinite loop. That sort of stuff. Would be a nightmare to code in.

In not sure how other FCC's usually are, but interestingly this one had 4 CPU's with a fifth 'controlling' one or something and basically each calculation would be performed on all 4 then the results correlated and the majority answer taken. I guess to protect it from a freakish glitch or maybe some deliberate interferance? Not sure, but surely accurate.

Fly-By-Wire - It's not just the software that crashes.

Re:Err

[Anonymous Coward]

in the U.S., no foriegn carrier is allowed to make any flight that starts and ends in this country.

disjoint...

[Ixthus2001]

Fortunately the IFE system is totally disjoint from the avionics.

I was at a presentation (about nine years ago, now) where someone from the aviation industry was showing us the future (or the future as he hoped) of aircraft systems - in particular a new bus that was being used for communication around the aircraft. And yes, the in-flight-entertainment used the same bus as the avionics. It was being actively presented as a positive feature. Sadly, I don't remember the details.

Re:Err

[Registered Coward v2]

SwissAir 111 went down because the in-flight entertainment & gambling system had been rushed into service, and due to its design overheated and burned down the plane in-flight. This was its design: a separate computer for each seat. The computers (presumably single cards) were located in the ceiling near the front of the passenger compartment. So were the avionics wires. The entertainment/gambling devices overheated, caught fire and the plane crashed near Nova Scotia.

Yes, the wiring insulation burned and brought down the plane. A friend's wife was on that plane, so I have an interest beyond the technical.

Another interesting event was the crash of an Airbus flight control system, resulting in an inflight rebooting message; the pilots flew on in manual.

Greed. SwissAir is no more.

Yes, but it was due to them overpaying their employees and not controlling other expenses as well - a problem many European state run airlines have. Look at Alitalia for example - they could lease planes with crews for less than it costs to fly their own. Europe's carriers are heading towards teh same consolidation and liquidation taht US ones have expereineced and only a handful will survive. I think BA Lufthansa and Air France will probably be the last standing.

Re:Avionics programmers

[unts]

From the mighty Wikipedia [wikipedia.org]:

The hardware of a typical autopilot is a set of five 80386 CPUs, each on its own printed circuit board. The 80386 is an inexpensive, well-tested design that can implement a true virtual computer. New versions are being implemented that are radiation-resistant and hardened for aerospace use, but this aged computer design is intentionally favored because it is inexpensive and its reliability and software behavior are well-characterized.

If it ain't broke...

Re:Go look up "fortune" or something

[radtea]

There is no reasonable scenario which would ever put the IFE system in a position to affect the avionics

You are committing the logical fallacy of "Argumentum ad Stultum": argument from stupidity.

Arguments that commit this fallacy have the form:

It would be stupid to do X
No one would ever do anything stupid
------------
Therefore no one would ever do X

The second premise is so obviously false it hardly needs mention.

So, simply because there is no reasonable scenario that would put the IFE system in a position of affecting the avionics does not mean there is no probable scenario in which this could occur. It requires good engineering, good management and yes, good luck, to ensure independence. Every engineer knows that we must try to eliminate luck from the process and must never, ever rely on it, but also that it will always be a factor.

One obvious way in which the IFE could affect the avionics is via coupled grounds. Grounding in aircraft is never simple, and maintaining fully independent power supplies has been a challenge for IFE and avionics engineers. IIRC the 777 was delayed for a while due to the need to do some redesign on the power systems to ensure independence was retained. In any system so complex there will always be an element of luck, despite the engineer's best efforts.

Re:Yeah tell me about it ....

[chrisjwray]

I flew to Crete (Heraklion) from Gatwick in 2002, while we didn't have IFE's on the seatbacks there was a camera in the nosegear which came on the TV monitors on takeoff and landing. This is the only flight Ive ever been on with this feature but it was _very_ cool.

Answers to your questions

[Okian Warrior]

Test *software*, if it is used, is software that exists outside of the avionics software in question. It does not need to be rigorously tested, only "qualified" (FAA term). Qualification means that someone goes over the code in a cursory manner and checks each logical case the software tests for, and verifies correct operation.

For example, a coverage analysis tool would have a qualification test report that shows the system works for an if-statement, a for-loop, a while-loop, and so on. Similarly, the compiler is qualified by showing that it generates correct code for an if-statement, a for-loop, &c.

In practice, there is usually very little external test software that can be used effectively. Exceptions exist, but largely much of the avionics software components don't port to another system for testing very well. (As opposed to testing the *entire unit* by having some sort of simulator computer which generates synthesized inputs, which works very well.) (Fly-by-wire calculation engines being one of the exceptions.)

In the case of ASSERT's and other constructs which continuously check the code inside the unit, they are considered to be part of the avionics software and thus must undergo the same level of criticality testing as the rest of the code.

As an example from projects I have worked on, in a level-A project each separate ASSERT statement was tested for both cases (pass/fail) and verified to be working. In a level-C project the ASSERT macro was analyzed and shown to generate correct code, and then a handful of the simple-clause ASSERT's were rigorously tested, and from this all the rest of the simple ASSERT's were deemed OK. (and complex clause ASSERT's were rewritten to use simple clauses, and the one remaining complex ASSERT was tested rigorously).

Are you sure?

[Anonymous Coward]

> No offense, but I don't think avionics are your run of the mill programmers.

I was an intern, back in college, and I wrote code to test the avionics hardware. The code was ugly, and it was in some form of VB (I'm repeating myself, I know).

Granted, I don't think I did anything wrong--if anything, knowing that it was for something important made me want to code as best I could, but I was still just some random college student who was chosen primarily for having BASIC on his resume (the wrong form of BASIC, but learning VB isn't exactly difficult, I think that even monkeys could be trained to use it and they may have written it to begin with).

Oh, and this was with respect to the actual avionics, not some IFE (they didn't have those back then). Yeah, that means reading & writing things like pitch, roll and yaw. I believe that the avionics even communicated over some form of Ethernet? Although it would, of course, be isolated from anything the passengers are supposed to have access to.

Re:Err

[Anonymous Coward]

Sorry to throw you off your high horse, but the system described is in use on various airlines around the world. I flew executive class on Air France from Sâo Paulo (Brazil) to Paris (France) last November, and they had a system exactly like the one described. Yes, they even had Tetris, but I didn't get to play it (I had my Nintendo DS and lots of games with me). The plane was an Airbus. I took some pictures inside the plane that show the IFE described.

http://www.caetano.eng.br/rigues/galerias/Seoul/sl ides/DSC03202.html [caetano.eng.br] - These are the back-seat screens. Touch sensitive, probably passive LCD (terrible viewing angle).

http://www.caetano.eng.br/rigues/galerias/Seoul/sl ides/DSC03206.html [caetano.eng.br] - This is the controller on the armrest. Note the directional and four action buttons on a SNES-like configuration (plus L & R on the back, not visible). And surely there is a fone (with a tiny LCD screen and keypad) on the back of the controller.