Did a hacker really make a plane go sideways?
A FBI affidavit in a case involving security researcher Chris Roberts claims that he took over the navigation system of an airliner. But if those claims are indeed true, they raise troubling questions about the state of airline security.
Last month when a noted cybersecurity researcher tweeted mid-flight about his airplane's technical vulnerabilities, he was detained by the FBI and found himself at the center of renewed debate over security risks in commercial airliners.
Now, newly released documents show that federal agents believe that Chris Roberts of the firm One World Labs didn't just joke about in-flight computer flaws. He may have actually hacked into a plane's navigation system and instructed it to change course – a shocking claim that would suggest that passengers have the ability to gain access to critical flight control systems.
The FBI investigation into Mr. Roberts' activities are raising serious questions about the safety and security of software used to operate commercial airplanes. If the FBI claims about Roberts' actions are correct, experts agree, they raise troubling questions about the security of avionics systems that control commercial airliners, and about the risk that the actions of a security researcher might pose a threat to public safety.
The allegations regarding Roberts' alleged in-flight hacking are contained in the text of an affidavit filed by an FBI special agent days after the FBI escorted Roberts from the United Airlines flight in Syracuse, N.Y. The charges leveled in the affidavit were first reported by the Canadian web site APTN.com on Friday.
Roberts has consistently denied that he tampered with the April United flight. Now, he says, the FBI claims and ongoing investigation are the result of a misunderstanding.
“It would be nice if the feds got the context right,” Roberts said in a text message to Passcode on Sunday when asked about the affidavit. Asked if the FBI had misconstrued his message, he said he believed they had “badly. not [sic] looked at planes in almost 2 years,” he wrote.
Hacking a jet engine at 38,000 feet
For years, Roberts has been one among a cadre of researchers who have called on the aviation industry to do more to secure modern software systems on planes. And if the FBI claims are indeed true, they only add more fuel to claims that federal agencies and the industry haven't done more to close security gaps.
The FBI’s effort in April to obtain a search warrant was the culmination of a series of interviews, stretching back months, between Roberts and FBI agents in both Denver and Syracuse. The last of those was the impromptu discussion with FBI agents in Syracuse that was prompted by in-flight messages sent by Roberts through his Twitter account, @sidragon1, while aboard a United flight from Denver to Chicago on April.
In those messages, Roberts pointed to weaknesses in the security of systems on board the Boeing 737 he was flying on, including exploitable holes in the in-flight entertainment and avionics systems. Shortly after his arrival in Syracuse, N.Y., Roberts was escorted from a United flight and questioned for more than two hours by local FBI agents.The researcher was released and was not charged with a crime. But computer equipment in his possession, including an Apple MacBook and iPad and portable storage devices, were seized by the FBI for forensic analysis, prompting the request for a search warrant.
In a sworn affidavit and application for a warrant dated April 17, FBI Special Agent Mark Hurley asked a judge for permission to search the computers and storage devices and conduct a forensic analysis of them. Among the reasons cited by Agent Hurley were claims by Roberts made during a March interview with FBI agents in Denver that he had, on one occasion, tampered with the Seat Electronic Box (SEB) in the passenger cabin and used it to gain access to the plane’s in-flight systems and, from there, to the plane’s avionics systems.
According to Hurley, Roberts told FBI agents in Denver that he had successfully hacked into and issued a “climb” command to the Thrust Management Computer aboard an aircraft in flight, resulting in a “lateral or sideways movement of the plane during one of these flights.”
The affidavit also claims that agents found evidence of tampering with the SEB in the row Roberts was seated in during the flight from Denver to Chicago. The FBI alleged that Roberts demonstrated both the intent and means to hack airplanes in flight.
Aircraft makers Boeing and Airbus have both publicly refuted claims that their planes can be hacked, but also refuse to discuss the details of the security features in place on airplanes.
“Airbus has robust systems and procedures in place for our aircraft and their operations to ensure security against potential cyber attacks,” the company said in a statement to Passcode. “We naturally do not discuss details on our security design and operations in public.”
Boeing did not respond to a request for comment in time for publication.
A sudden interest
As previously reported by Passcode, warnings about the hacking risk to aircraft are nothing new. In public presentations going back more than four years, Roberts and other researchers have demonstrated methods for hacking into onboard computer networks used to operate in-flight entertainment systems. Roberts, who is based in Denver, claims to have hacked into in flight entertainment systems by Panasonic and Thales, which are common on commercial aircraft manufactured by Boeing and Airbus, on a number of occasions in the past four years, though not recently.
According to Roberts, the substance of his research was shared with aircraft makers Boeing and Airbus, as well as the Federal Aviation Administration, but garnered little attention.
That changed in February and March of this year, when Roberts was called in to the Denver FBI office to discuss his work. The Denver agents delivered a message to him at the time that he characterized as “no messing with planes” – a request that Roberts said he honored.
In an interview in April, he also claimed that FBI agents asked for his assistance reproducing the results of his vulnerability research and helping them set up a custom virtualized environment he used to test vulnerabilities in in-flight systems. Their reasons for doing so were not explained, and Roberts claims that he declined both requests, citing his work responsibilities and the FBI’s unwillingness to grant him immunity from prosecution should he assist them.
Rather than lay low after his meeting, however, Roberts’ ended up in the spotlight. He was quoted as an expert in a March 19 Fox News edition of "On the Record with Greta Van Susteren" on hacking airplanes in flight. His research was publicly cited again in April following a Government Accountability Office report that warned of the danger of software based hacking of commercial airliners.
And then came the infamous tweets from aboard a plane: "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)” EICAS refers to the Engine Indicating and Crew Alerting System, which is a critical in-flight system.
When local law enforcement and FBI agents boarded his plane in Syracuse, Roberts said he wasn't surprised. "I asked them 'So, should I get up and get my bag now?' and they said, 'Yes, Mr. Roberts,'" he recalled in an interview with Passcode in April.
Roberts said that he was cooperative during questioning in Syracuse and truthful when asked if he accessed in-flight systems.
“Did you do anything?” he recalled the agents asking. “And I said, ‘Hell no. Of course not,' " he said in the interview.
As proof, Roberts claimed to have a receipt from the flight showing he paid for wireless access “for a change.”
Many questions, few answers
But Roberts' statements and the FBI's actions raise as many questions as they answer. For Roberts, the question is why the FBI is suddenly focused on years-old research that has long been part of the public record.
“This has been a known issue for four or five years, where a bunch of us have been stood up and pounding our chest and saying, 'This has to be fixed,' " Roberts noted. “Is there a credible threat? Is something happening? If so, they’re not going to tell us,” he said.
Roberts isn’t the only one confused by the series of events surrounding his detention in April and the revelations about his interviews with federal agents.
“I would like to see a transcript (of the interviews),” said one former federal computer crimes prosecutor, speaking on condition of anonymity. “If he did what he said he did, why is he not in jail? And if he didn’t do it, why is the FBI saying he did?”
Within the information security community, also, the story garnered immediate attention with some high-profile figures critical of Roberts and others supportive of him, and skeptical of the claims made in the affidavit. Penetration tests on in-flight entertainment or avionics systems while in flight and without the permission of the airlines or aircraft makers would clearly cross a line, both legally and ethically, many agree.
Yahoo Chief Information Security Officer Alex Stamos said, via his Twitter account, that “You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents.” But Mr. Stamos and others were also critical of statements by aircraft manufacturers such as Boeing, which refuses to discuss the design of their products.
Josh Corman, the chief technology officer at the firm Sonatype, said the media and security industry's focus on Roberts' actions is a distraction. Mr. Corman, who is the founder of IAmTheCavalry.org, a grassroots group focused on issues where computer security intersects public safety and human life, said that the real question was about the safety and reliability of airplane avionics systems.
"The message has been that nothing the customer can do in the passenger cabin can affect the avionics," said Corman. However, the FBI affidavit suggests otherwise.
"So we're getting a mixed message about what can and can't be done," Corman said. "Either planes are not hackable, or they might be...irrespective or regardless of the veracity of [Roberts] claim."
Don Bailey, the founder of Lab Mouse Security, agreed that the facts of what Roberts did are a side issue. The more important issue is that Roberts' actions underscore a shift in the security research world, as experts turn their attention from mere computers to critical technologies that put life and limb at risk.
"We need to mature as an industry and move away from a rogue, maverick style reputation," Mr. Bailey said. "We just can’t do that anymore. We have to take into account physical safety.
As for Roberts said he'll be keeping quiet when it comes to airline security. “Over last 5 years my only interest has been to improve aircraft security...given the current situation I've been advised against saying much,” he tweeted Saturday.