Fact check: malware did not bring down a passenger jet

I've been reading breathless and shocking headlines for several days now alleging that "malware brought down a Spanish jet" in a fatal 2008 crash. It's yet another case study in how the Internet echo chamber works to take a single report and distort it beyond recognition. No, malware didn't cause that crash. Here's what really happened.
Written by Ed Bott, Senior Contributing Editor

I've been reading breathless and shocking "reports" for several days now explaining that "malware brought down a Spanish jet." And once again we have a case study in how the Internet echo chamber works to take a single report and distort it beyond recognition. I've now read articles from more than 20 online publications repeating this story. Not a single one has done even a shred of research beyond simply quoting a bad translation of the original Spanish-language report.

The reality? Yes, the crash of Spanair flight 5022 at Madrid-Barajas Airport in August 2008 was a tragedy, with the entire crew and 154 passengers losing their lives. But malware did not bring down that plane. The actual cause of this crash has been extensively documented in official reports from the Spanish Civil Aviation Accident and Incident Investigation Commission (CIAIAC). Their website contains a preliminary report published shortly after the accident, an Interim Report released last year at roughly this time, and a Progress Note published just last week. The official English translation of the most recent report does not mention viruses or malware. The actual cause is far more prosaic: the pilots missed a crucial item on their checklist and took off with the flaps in the wrong position:

The investigation has determined that the takeoff was attempted while in an inappropriate and unapproved configuration, since the flaps and slats were fully retracted. The system outfitted on the airplane to warn of an inadequate takeoff configuration (TOWS) also failed to activate.

Was there a problem with the computer on the plane? Not according to the CIAIAC:

[T]he information stored on the computers for the enhanced ground proximity warning system (EGWPS), the advanced flight management (AFMC), central air data (CADC), digital flight guidance (DFGC) and the optical inertial reference units (IRU) has been extracted. The results from the analysis of the data recovered from the ground proximity warning system computer are available and consistent with the data found on the flight data recorder (DFDR) and from the two air data computers, which indicate that both units were functioning normally on the previous flights and at the time of the accident.

In fact, as airline-safety experts noted, the aircraft in question, a McDonnell Douglas DC-9-82 (MD-82), is not computerized (its design dates back to 1979 and the last delivery was in 1997). The exact same type of aircraft was involved in the eerily similar fatal crash of Northwest Airlines Flight 255 in Detroit in 1987. The investigators in that crash concluded that the cause was pilot error.

So where did these alarming reports of malware-infested computers come from? The original article, from Spain's El País newspaper, opens with this paragraph:

El ordenador central de la compañía Spanair en el que se anotaban las averías de los aviones estaba contaminado con programas informáticos maliciosos cuando se produjo, hace hoy dos años, el accidente del vuelo JK 5022. La computadora, situada en la sede de la aerolínea en Palma de Mallorca, emite una señal de alarma en el monitor cuando registra tres problemas técnicos similares en el mismo aparato.

My Spanish is rusty, but it's good enough to get the gist of the report: A computer at the airline's maintenance headquarters in Palma de Mallorca was infected with some sort of malware  ("troyanos," or Trojans) at the time of the accident. That same computer is used to record incident reports submitted by mechanics and is programmed to raise an alarm if the same problem occurs three times on the same aircraft. [Update: As a commenter with avionics test experience notes, this "alarm" is probably not a flashing light or a ringing bell. It's more likely a pop-up dialog box or an e-mail alert.]

On the day of the crash, the plane returned to the gate after the crew noticed a problem. The mechanics at the airport identified the issue and cleared the plane for takeoff. They apparently didn't know that this was the third report of a similar problem in a two-day period. But even if the headquarters office had maintained its PC perfectly, the plane would still have taken off. The mechanics were still entering their report at the time of the crash, and as a May 2010 report in the same newspaper noted, the headquarters office had a custom of entering data 24 hours after it was received. None of those three incidents were recorded on the allegedly infected PC until after the plane had crashed.

There's no doubt that this accident was a tragedy. It might even have been preventable. But the cause was not a piece of malware on a PC hundreds of miles away. Reports from air safety investigators are written in circumspect language, reflecting the fact that they are the work of engineers and potential expert witnesses in civil and criminal actions. In this case, it's easy to read between the lines of last week's Progress Note, in which the investigators note that they are continuing to analyze "the operator's maintenance structure and organization … specifically, the procedures described in the company's manuals [and] the degree of compliance by maintenance personnel."

In fact, two mechanics who checked the plane before take-off and Spanair's head of maintenance at Barajas were hauled before a judge on manslaughter charges, according to a 2008 BBC report. The fact that a PC used for such a critical function might have been susceptible to infection suggests that the entire maintenance operation was lax and poorly run. In other words, the malware, if it existed, was one symptom among many of a much larger management problem at an unprofitable airline.

Meanwhile, the publications that teased readers with inflammatory headlines need to go back to journalism school. "Malware Contributed to Plane Crash" and "Trojan blamed for Spanish air crash" are simply not accurate. The most disgusting one of all the headlines I read was "Murder by malware: Can computer viruses kill?" The editor and author of that post should hang their heads in shame.

Editorial standards