Confusion mounts over FBI claims that researcher 'hacked plane' mid-flight

A prominent security researcher is appears to have compromised in-flight systems to take control of a plane and make it fly sideways whilst on-board, according to an FBI affidavit.

Confusion mounts over FBI claims that researcher 'hacked plane' mid-flight
Confusion mounts over FBI claims that researcher 'hacked plane' mid-flight

One World Labs security guru Chris Roberts caused a commotion last month when he was arrested shortly after tweeting, apparently in jest, that its on-board network could be hacked. His comments came just days after a separate report, from a US watchdog which had consulted Roberts, warned that planes could potentially be destroyed via their on-board Wi-Fi.

However, now it transpires that there is a lot more to that story than first thought. Following on from an interview with Wired magazine where revealed he had caused a plane to climb during a simulated test in a virtual environment, the FBI affidavit – which is based on conversations between Roberts and an FBI agent – claims that the security researcher had briefly compromised an airliner's Thrust Management Computer system to issue a climb command to the engine, temporarily causing the aircraft to briefly change course and fly sideways.

According to the agent, the expert said he had hacked into the network via the in-flight entertainment system whilst on board the Boeing 737/800 flight on an unspecified carrier. The same affidavit reveals that he told FBI he had accessed in-flight networks more than a dozen times between 2011 and 2014.

On this occasion, he is alleged to have hacked into the Seat Electronic Box, which is installed under passenger seats on certain commercial aircraft. He is said to have removed the box's cover by "wiggling and squeezing" before plugging in a modified Cat6 Ethernet cable attached to his laptop. At this point, he used default IDs and passwords to gain access to the in-flight entertainment system and other networks on the planes, which also gave him access to monitor traffic from the cockpit system.

"Sorry it's so generic, but there's a whole five years of stuff that the affidavit incorrectly compressed into one paragraph," tweeted Roberts, who has denied taking control of the aircraft. More recently, the security expert appears to have taken EFF advice, and is thus not commenting to the press.

“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights," FBI Special Agent Mark Hurley wrote in a search warrant application.

Roberts, who was interviewed at various stages during February and March this year, was removed from a flight (Chicago to Syracuse, New York), after it landed at its destination last month, and two of his laptops and USB sticks were confiscated.

Security experts on Twitter expressed their dismay at the news, although most were divided on whether the FBI or Roberts was at fault.

“You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents,” tweeted Yahoo CISO Alex Stamos.

Matthew Green added: "Irony: for FBI to make its case against Chris Roberts, they're going to have to seriously harm confidence in the aviation industry.”

Brian Honan, managing consultant at BH Consulting, added in an email to SCMagazineUK.com: “At the moment there is a lot of confusion and speculation over what actually happened and whether or not the FBI in its allegations understand the technical details of Chris Roberts explained to them. However, if some of the allegations where Chris Roberts allegedly accessed the Inflight Entertainment network on numerous flights then these are serious issues.

“The issue highlights that good security research should be conducted on a system that is owned by the researcher, or in cooperation with the vendor. Accessing systems without permission, particularly live systems that are critical, is irresponsible and should not be condoned. I am sure that in time the exact details of what happened will come to light and hopefully there will be lessons to learn for the information security industry and also for vendors, regulators, and law enforcement.”

Alan Woodward, visiting professor at the University of Surrey, also expressed surprise at the news, especially around the fact that avionics were not air-gapped, and suggested that law enforcement may have taken Roberts' comments “out of context” or “watched too many Die Hard movies.”

He said that he suspects the interviewing officer “doesn't know enough – officers rarely have a deep understanding of tech.” Woodward did question though why planes weren't grounded immediately if Roberts had done what he is accused of, and why he is still yet to be charged.