Debunking MS-804 crash as a Terrorist Attack

Terrorism Jun 10, 2016

When one decides to write a blog, it's probably a good idea to have a topic that you want to write about in advance since you know, that's what blogging is.. I on the other hand started doing this just to play around with build a website so that I can have email and since then, things have changed drastically. I have a website that's probably been over designed, no email and a blog.

So for my first post lets take a look at something that I despise. It's a word. It's Terrorism. It's used all the time, the world over by law makers the world over to justify overly powerful bills, militaries, intelligence agencies and law enforcement for larger budgets and by pundits on the media we consume to basically spread fear rather than report. Most of those statements are what some may call opinion and that's fine and they will probably result in other blog posts. But I'm going to take issue with one of those groups today the intelligence agencies of the world.

In the wake of the attack there were unconfirmed statements from an unknown sources inside French Intelligence, the Greek Military & the Egyptian Security Services (I'm lacking a source, but regardless I can also debunk media speculation) that the that the attack on Egypt Air MS-804 was terror attack. And ohh boy did that statement add petrol to a fire in the media. So how do I, a random guy in who doesn't work in intelligence some how know this? Simple, I have my own intelligence that is drastically different from their intelligence.

The AV Herald, a great resource for all things aviation crash related, managed to get hold of the ACARS messages that were sent by the plane and they are as follows;

00:29Z 2200 AUTO FLT FCU 2 FAULT
00:29Z 2700 F/CTL SEC 3 FAULT
no further ACARS messages were received.

Now that is Grade A Gibberish to anyone who doesn't understand how to read ACARS messages. But luckily we have reddit for that! And /u/Jackal___ delivered with this gem, an Airbus Accident Information Transmission that outlines what the ACARS messages mean.

So what we can tell from the AIT is that at 0026 2 cockpit temperature sensors in the right hand side of the cockpit failed and also a toilet smoke sensor detected smoke. At 0027 we know a smoke sensor detected smoke in the Avionics Bay. 0028 another temperature sensor failed in the cockpit. Finally at 0029 we know that computers in the Avionics Bay failed before no other messages were received.

So how do I know that it wasn't a terrorist attack. Well that's pretty simple. The ACARS messages are standard computer logs and they are time series logs. This means that the first log is the first event to happen. So knowing that if we reexamine the logs again in a simpler format;

1. 00:26Z 3044 ANTI ICE R WINDOW
4. 00:27Z 2600 AVIONICS SMOKE
5. 00:28Z 561100 R FIXED WINDOW SENSOR
6. 00:29Z 2200 AUTO FLT FCU 2 FAULT
7. 00:29Z 2700 F/CTL SEC 3 FAULT
no further ACARS messages were received.

Doing this we can see that the first sensor to fail was a cockpit temperature sensor, then another and then the toilet smoke sensor detected smoke and all this happened in the 60 seconds that makes up 0026. So flat out we can see that it simply can't be fire in the toilet. The fire had to start in the cockpit.

Ok, so how do I know a pilot didn't start the fire? Well that's also pretty simple. In the wake of Germanwings Flight 9525 the Two Man Rule was made law in Europe. Now Egypt isn't in Europe but because of Egypt Air flight 990 in 1999 when it's believed that the crash was caused deliberately by a pilot and made law in the USA, Egypt Air instigated the Two Man Rule. So one of the pilots managed to subdue the other, and noiselessly at that and then started a fire in the cockpit, seems unlikely since anyone who's ever been in a fight or flight situation knows you have a tendency to freak out just a little and yell or scream.

So what caused the fire?! Wouldn't that be the first Airbus A320 to EVER have an on board component fire?! Yes, yet it would. But the cockpit is filled with something that can catch fire and fast and generate a lot heat and smoke, Lithium Polymer batteries. They are used when the plane is on the ground, with the engines off and with no generator attached to keep systems running.

So if we examine what we know and apply some critical thinking, what we know as a fact is that the fire started sometime around 0026 in the right hand side of the cockpit causing two temperature sensors to fail. After this we know there was smoke detected in a toilet, most likely one close to the cockpit. At 0027 we know that there was smoke detected in the Avionics bay. At 0028 we know another right hand side cockpit temperature sensor failed. Finally at 0029 we know 2 computers in the Avionics bay failed before transmission ceased. We know the flight went down around 0033 so the SDU must have failed or been damaged since there are no further messages.

But that's not really satisfying is it? What would Mythbusters do? Try and loosely recreate the myth for fun! So how would I get through Airport secure and start a fire on a plane? Pretty simple actually, Airport Security is largely a farce and it's very easy to make explosives after airport security. Evan Booth's Terminal Cornucopia is probably the best example of this but there is also a lot of really great security bloggers and researchers that cover the issue as well as some pilots too.

So how would I start a fire after airport security? Simple. Buy a bottle of water, some kind of device to hold the water, a Swiss Army Knife/Screwdriver/Tweezers/Scissors, any electronic device at all that has a battery and lastly some Hydrogen Peroxide contact lens cleaner. If you combine them, in the magic order you can start a fire and spread it very quickly. If you're really good, and can make it burn quick and clean, there's a small chance you can do it without smoke. Then all you have to do is break down the cockpit door and throw the burning mixture all over the place.


Paddy Kerley

DFCS at TU Dublin's Cyber Program and talk giver TU Dublin Hacker Soc. Mostly talks about Cyberwarfare, NatSec, Infosec, Big Safari, Arms Control, North Korea, OSINT and stuff that goes boom

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.