Breach Response , Cybersecurity , Data Breach

Questions Over Plane Hacking Report

Did FBI Conflate Virtual Hacks With Actual Exploits?
Questions Over Plane Hacking Report

Did information security expert Chris Roberts exploit vulnerabilities in airplanes' onboard entertainment systems more than a dozen times in recent years, allowing him - in at least one case - to access a plane's thrust management computer and cause it to climb?

See Also: How to Identify and Mitigate Threats on Your Network by Using a CASB

That's a critical question being asked by information security experts following the release of an FBI search warrant application, which says that in February and March, Roberts - a researcher with One World Labs - told FBI agents "that he had been able to and did use special equipment in his possession to 'hack' into the IFE [in-flight entertainment] systems on aircraft previously and had claimed that he had connected to other systems on the aircraft network."

But Roberts - who has not been arrested or charged with any crime - has tweeted that the FBI "incorrectly compressed" his research, which he has been conducting to help eliminate vulnerabilities in aircraft systems. "There's a whole five years of stuff that the affidavit incorrectly compressed into 1 paragraph ... lots to untangle," he wrote on Twitter.

Roberts added in another tweet: "Over last five years my only interest has been to improve aircraft security ... given the current situation I've been advised against saying much." Roberts did not immediately respond to a related request for comment. In an interview with Wired, however, he said that he had caused a plane to climb when running a simulation - in a testing environment He contended that key information contained in the FBI's search warrant had been taken out of context.

An FBI spokeswoman declined to comment on related questions.

The FBI's search warrant says Roberts told agents that he had found vulnerabilities in the IFE systems on Boeing 737-800, 737-900 and 757-200 airplanes, as well as the Airbus A-320, and exploited them up to 20 times between 2011 and the middle of 2014. "Chris Roberts furnished the information because he would like the vulnerabilities to be fixed," and noted that he'd been able to access the IFE systems - built by Thales and Panasonic - in part because they used a default username and password, according to the FBI.

The FBI's application for a search warrant, dated April 17, notes that the bureau seized "digital evidence in possession of Chris Roberts" on April 15, after he flew from Denver to Chicago, and then on to Syracuse, on the grounds that "it would endanger public safety to allow him to leave the Syracuse airport that evening with that equipment." Seized items included an iPad Air and a Macbook Pro that Roberts said he had used to run a Vbox virtual environment that he built to emulate the airplane network. Also seized were multiple thumb drives that contained virtual machines as well as what Roberts - a professional information security researcher - described as "nasty" malware that he was studying.

FBI Warning

According to the FBI's search warrant, an agent had previously advised Roberts that "accessing airplane networks without authorization is a violation of federal statute," and noted that Roberts reported that he understood, and said that "he would not access airplane networks." Roberts in February noted via Twitter that the FBI had given him "two very civilized but direct warnings in the last week to not mess with certain things means I'll be modifying a few upcoming talks."

But the FBI's search warrant says the April 17 seizure was prompted in part by this tweet from Roberts suggesting that he might "start playing" with systems aboard the airplane he was traveling on, including the Engine Indication Crew Alerting System that relays engine information to pilots:

The FBI's search warrant notes that PASS OXYGEN ON "may refer to the passenger oxygen masks on the aircraft," and that ICE might be a reference to integrated communications equipment used by pilots.

After the FBI seized Roberts' items, the Department of Homeland Security issued a related alert on April 20. It said that the FBI and Transportation Safety Administration "are currently analyzing claims in recent media reports, which included statements that critical in-flight networks on commercial aircraft may be vulnerable to remote intrusion." But it noted that "at this time, the FBI and TSA have no information to support these claims."

Roberts could not be immediately reached for comment. Last month, attorneys at privacy rights group Electronic Frontier Foundation said in a statement that they are attempting to get the FBI to return his devices, as well as to overturn a ban that United Airlines placed on the researcher after he made the above tweet in April. Hanni Fakhoury, an EFF staff attorney, tells Information Security Media Group that while his organization is continuing to assist Roberts, the researcher's lead attorneys now hail from the law firm of Keker and Van Nest; he otherwise declined to comment. Keker and Van Nest did not immediately respond to a request for comment.

Were Hacks Real?

Several security experts are questioning whether the FBI's search warrant accidentally conflates tests run by Robert on the Vbox virtual system that he built with actual exploits of live airplane systems. For example, Surrey University computer science professor Alan Woodward, told the BBC that he found it "difficult to believe" that a hacker had managed to plug an Ethernet cable into the box underneath the seat, access the IFE, and then pivot to avionics systems and eavesdrop on pilots' radio chatter with airport controllers, as alleged in the FBI's search warrant.

"Flight systems are typically kept physically separate, as are any safety critical systems," he said. "I can imagine only that someone has misunderstood something in the conversation between the researcher and the FBI, someone is exaggerating to make a point, or, it is actually possible and the aircraft manufacturers have some urgent work to do."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network