Did a hacker really make a plane go sideways?
Last month when a noted cybersecurity researcher tweeted mid-flight about his airplane's technical vulnerabilities, he was detained by the FBI and听found himself at听the center of renewed debate over security risks in commercial airliners.听
Now, newly released documents show听that federal听agents believe听that Chris Roberts of the firm One World Labs didn't just听joke about听in-flight computer flaws. He may have actually听hacked into听a听plane's navigation system and听instructed it to change course听鈥撎齛 shocking claim that would suggest that passengers have the ability to gain access to critical flight control systems.
The FBI investigation into Mr. Roberts' activities are raising serious听questions about the safety and security of software used to operate commercial airplanes. If the FBI claims about Roberts' actions are听correct, experts agree, they听raise troubling听questions about听the security of听avionics systems that control commercial airliners, and about the risk that the actions of a security researcher might pose a threat to public safety.
The allegations regarding Roberts' alleged in-flight hacking are contained in the听听by an FBI special agent days after the FBI escorted Roberts from the United Airlines听flight in Syracuse, N.Y.听The charges leveled in the affidavit were听.
Roberts has consistently denied that he tampered with the April United flight. Now, he听says, the FBI claims and ongoing investigation are the result of听a misunderstanding.
鈥淚t would be nice if the feds got the context right,鈥 Roberts said in a text message to Passcode on Sunday听when asked about the affidavit. Asked if the FBI had misconstrued his message, he said he believed they had 鈥渂adly. not听[sic]听looked at planes in almost 2 years,鈥 he wrote.
Hacking a jet engine at 38,000 feet
For years, Roberts has听been one among a cadre of researchers who have called on听the aviation industry to do more to secure modern software systems on planes. And if the FBI claims are indeed true, they only add more fuel to claims that听federal agencies and the industry haven't done more to close security gaps.
The FBI鈥檚 effort in April to obtain a search warrant听was the culmination听of a series of interviews, stretching back months, between Roberts and FBI agents in both Denver and听Syracuse.听The last of those was the impromptu discussion with FBI agents in Syracuse that was prompted by in-flight messages sent by Roberts through his Twitter account, @sidragon1, while aboard a United flight from Denver to Chicago on听April.听
In those messages, Roberts pointed to weaknesses in the security of systems on board the Boeing 737 he was flying on, including exploitable holes in the in-flight entertainment and avionics systems. Shortly after his arrival in Syracuse, N.Y., Roberts was escorted from a United flight and questioned for more than two hours by local FBI agents.The researcher was released and was not charged with a crime.听But computer equipment in his possession, including an Apple MacBook and iPad and portable storage devices, were seized by the FBI for forensic analysis, prompting the request for a search warrant.
In a sworn affidavit and application for a warrant dated听April 17, FBI Special Agent Mark Hurley asked a judge for permission to search the computers and storage devices and conduct a forensic analysis of them. Among the reasons cited by Agent Hurley were claims by Roberts made during a March interview with FBI agents in Denver that he had, on one occasion, tampered with the Seat Electronic Box (SEB) in the passenger cabin and used it to gain access to the plane鈥檚 in-flight systems and, from there, to the plane鈥檚 avionics systems.
According to Hurley, Roberts told FBI agents in Denver that he had successfully hacked into and issued a 鈥渃limb鈥 command to the Thrust Management Computer aboard an aircraft in flight, resulting in a 鈥渓ateral or sideways movement of the plane during one of these flights.鈥澨
The affidavit also claims that agents found听evidence of tampering with the SEB in the row Roberts was seated in during the flight from Denver to Chicago. The FBI alleged that Roberts听demonstrated听both the intent and means to hack airplanes in flight.听
Aircraft makers Boeing and Airbus have both publicly refuted claims that their planes can be hacked, but also refuse to discuss the details of the security features in place on airplanes.
鈥淎irbus has robust systems and procedures in place for our aircraft and their operations to ensure security against potential cyber attacks,鈥 the company said in a statement to听Passcode. 鈥淲e naturally do not discuss details on our security design and operations in public.鈥
Boeing did not respond to a request for comment in time for publication.
A sudden interest
As previously听reported by Passcode, warnings about the hacking risk to aircraft are nothing new. In public presentations going back more than four years, Roberts and other researchers have demonstrated methods for hacking into onboard computer networks used to operate in-flight entertainment systems.听Roberts, who is based in Denver, claims to have hacked into in flight entertainment systems听by Panasonic and Thales, which are common on commercial aircraft manufactured by Boeing and Airbus,听on a number of occasions in the past four years, though not recently.听
According to Roberts,听the substance of his research听was shared with aircraft makers Boeing and Airbus, as well as the Federal Aviation Administration, but garnered little attention.
That changed in February and March of this year, when Roberts was called in to the Denver FBI office to discuss his work. The Denver agents delivered a message to him at the time that he characterized as 鈥渘o messing with planes鈥 鈥 a request that Roberts said he honored.
In an interview in April, he also claimed that FBI agents asked for his assistance reproducing the results of his vulnerability research and helping them set up a custom virtualized environment he used to test vulnerabilities in in-flight systems. Their reasons for doing so were not explained, and Roberts claims that he declined both requests, citing his work responsibilities and the FBI鈥檚 unwillingness to grant him immunity from prosecution should he assist them.
Rather than lay low after his meeting, however, Roberts鈥 ended up in the spotlight. He was quoted as an expert in a听March 19听Fox News edition of "听on hacking airplanes in flight. His research was publicly cited again in April following a Government Accountability Office report that warned of the danger of software based hacking of commercial airliners.
And then came the infamous tweets from aboard a plane: "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 鈥淧ASS OXYGEN ON鈥 Anyone ? :)鈥 EICAS refers to the听Engine Indicating and Crew Alerting System, which is a critical in-flight system.
When local law enforcement and FBI agents boarded his plane in Syracuse, Roberts said he wasn't surprised. "I asked them 'So, should I get up and get my bag now?' and they said, 'Yes, Mr. Roberts,'" he recalled in an interview with Passcode in April.听听
Roberts said that he was cooperative during questioning in Syracuse and truthful when asked if he accessed in-flight systems.
鈥淒id you do anything?鈥 he recalled the agents asking. 鈥淎nd I said, 鈥楬ell no. Of course not,' " he said in the interview.
As proof, Roberts claimed to have a receipt from the flight showing he paid for wireless access 鈥渇or a change.鈥
Many questions, few answers
But Roberts' statements and the FBI's actions raise as many questions as they answer. For Roberts, the question is听why the FBI is suddenly focused on years-old research that has long been part of the public record.听
鈥淭his has been a known issue for four or five years, where a bunch of us have been stood up and pounding our chest and saying, 'This has to be fixed,' " Roberts noted. 听鈥淚s there a credible threat? Is something happening? If so, they鈥檙e not going to tell us,鈥 he said.
Roberts isn鈥檛 the only one confused by the series of events surrounding his detention in April and the revelations about his interviews with federal agents.
鈥淚 would like to see a transcript (of the interviews),鈥 said one former federal computer crimes prosecutor, speaking on condition of anonymity. 鈥淚f he did what he said he did, why is he not in jail? And if he didn鈥檛 do it, why is the FBI saying he did?鈥
Within the information security community, also, the story garnered immediate attention with some high-profile figures critical of Roberts and others supportive of him, and skeptical of the claims made in the affidavit. Penetration tests on in-flight entertainment or avionics systems while in flight and without the permission of the airlines or aircraft makers would clearly cross a line, both legally and ethically, many agree.
Yahoo Chief Information Security Officer Alex Stamos said, via his Twitter account, that 鈥淵ou cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents.鈥澨鼴ut Mr. Stamos and others were also critical of statements by aircraft manufacturers such as Boeing, which refuses to discuss the design of their products.
Josh Corman, the chief technology officer at the firm Sonatype, said the media and security industry's focus on Roberts' actions is a distraction. Mr. Corman, who is the founder of IAmTheCavalry.org, a grassroots group focused on issues where computer security intersects public safety and human life, said that the real question was about the safety and reliability of airplane avionics systems.
"The message has been that nothing the customer can do in the passenger cabin can affect the avionics," said Corman. 听However, the FBI affidavit suggests otherwise.听
"So we're getting a mixed message about what can and can't be done," Corman said. "Either planes are not hackable, or they might be...irrespective or regardless of the veracity of [Roberts] claim."
Don Bailey, the founder of Lab Mouse Security, agreed that the facts of what Roberts did are a side issue. The more important issue is that Roberts' actions underscore a shift in the security research world, as experts turn their attention from mere computers to critical technologies that put life and limb at risk.
"We need to mature as an industry and move away from a rogue, maverick style reputation," Mr. Bailey said. "We just can鈥檛 do that anymore. We have to take into account physical safety.
As for Roberts said he'll be keeping quiet when it comes to airline security. 鈥淥ver last 5 years my only interest has been to improve aircraft security...given the current situation I've been advised against saying much,鈥 he tweeted Saturday.听
听
