Well, at the end of last week, Wired published an extraordinary story: “Feds Say That Banned Researcher Commandeered a Plane”
A security researcher kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.
Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.
Haven’t I heard of this security researcher before?
You might know Chris Roberts from an article Fox News published in March, saying he knew how to “take planes out of the sky” via flaws in in-flight entertainment systems:
“We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems,” said Roberts, who discovered susceptibilities in the system passengers use to watch television at their seats and is sharing his findings with the federal government. “Quite simply put, we can theorize on how to turn the engines off at 35,000 feet and not have any of those damn flashing lights go off in the cockpit.”
It was the same guy who previously claimed to CNN that he had accessed an alarming amount of information after plugging, without permission, into the SEBs under passenger seats:
“I could see the fuel rebalancing, thrust control system, flight management system, the state of controllers,” he said.
If a fellow passenger ever asked what he was doing, Roberts would simply say, “We’re enhancing your experience by putting in new systems.”
Or maybe you remember when Roberts got himself into a spot of bother last month after making this “joke” tweet, after boarding a plane:
Surprise surprise, the authorities didn’t find that too funny, and Roberts was subsequently ejected from a flight because of it (before it took off, fortunately for him).
So now, Chris Roberts is saying that he actually commandeered a plane in-flight through hacking?
The report by Wired journalist Kim Zetter says that an FBI search warrant claims that the security researcher had confirmed during conversation that he identified vulnerabilities in aircraft in-flight entertainment (IFE) systems that he was keen for airlines to fix.
But, the search warrant continues, Roberts had compromised IFE systems “15 to 20 times” between 2011 and 2014, after connecting his laptop via a modified Cat6 ethernet cable to the Seat Electronic Box (SEB) stored under passenger seats.
“He stated that he successfully commanded the system he had accessed to issue the “CLB” or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights.”
Maybe you’ll think I’m being pedantic. But Wired isn’t saying that Chris Roberts claimed to have hijacked and meddled with a plane’s flight. Instead, they’re saying that the FBI’s search warrant claims that Roberts told them that he had done that.
Which means we need to consider the following possibilities:
- Chris Roberts never hacked the plane, but claimed he did to get some attention. And now – oh boy – he’s successfully put himself on the FBI’s radar.
- Chris Roberts never hacked the plane, but the FBI said he had in order to make their search warrant look more meaty.
- Chris Roberts told the FBI something, which the FBI took out of context as him saying that he had hacked the plane and forced it to move sideways.
- Chris Roberts and the FBI understand each other perfectly, but the media has misunderstood and overinflated what really happened.
Still, even if the full facts aren’t yet known, it sounds serious. Interfering with the actual flight… that would be insane, wouldn’t it?
Or at least plane stupid.
However, it’s worth reading a little further in the search warrant if you’re keen to know what might have happened.
If you read the next part of the search warrant, it says:
“Roberts said he used Kali Linux to perform penetration testing of the IFE system. He used the default IDs and passwords to compromise the IFE systems. He also said that he used VBox which is a virtualized environment to build his own version of the airplane network. The virtual environment would replicate airplane network, and that he used virtual machine’s on his laptop while compromising the airplane network.”
That part of the search warrant at least creates some ambiguity, and could be read as tying in with Roberts’ claims to Wired that any meddling with avionics systems took place in simulated systems on a virtual environment, rather than directly to the in-flight plane.
If that were true, Roberts might have accessed the plane’s systems and data without permission, but perhaps never sent the real live system any commands to mess with the aircraft’s journey.
So, what now?
No doubt some of the hysteria in the mainstream press about hackers hijacking aircraft will continue to bubble away, even though we don’t know what actually happened.
Chris Roberts may or may not find himself on the sharp end of some legal action – even if he didn’t interfere with a plane’s actual flight, unauthorised access to someone else’s server is not something that’s likely to be taken lightly by an airline.
Roberts’ company is reportedly suffering as a result. He told Wired that investors of his company One World Labs have withdrawn funding, and that he has had to lay off “about a dozen employees”.
“The board has deemed it a risk. So that was one factor in many that made their decision,” he said. “Their decision was not to fund the organization any further.”
Meanwhile, United Airlines has started its own bug bounty.
But don’t even think about looking for vulnerabilities in its aircraft. Because the airline says that if you conduct any testing on aircraft or aircraft systems then you will be permanently disqualified from the bug bounty, and could face possible criminal action.
Stay safe, folks.