FBI And United Airlines Shoot The Messenger After Security Researcher Discovers Vulnerabilities In Airplane Computer System
from the that-doesn't-make-me-feel-safer dept
At some point, the corporations and authorities in America are going to have to get over this knee-jerk reaction complex they have in going after citizens kindly pointing out technology and security flaws for them. You see this over and over and over again: someone notices a flaw in a system, points it out publicly instead of exploiting the flaw, and is thoroughly punished for his or her efforts. Often times there is a mealy-mouthed explanation for these punishments, which, chiefly, have to do with security risks in publicizing the flaw even though the ultimate goal should be fixing the exploit to begin with.
The latest version of this has gotten the EFF involved in defending a security intelligence expert who tweeted from aboard a United Airlines flight about his ability to hack into the flight’s WiFi and access some level of the flight’s communications.
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? 🙂 — Chris Roberts (@Sidragon1) April 15, 2015
It may not mean much to you, but he’s talking about getting access to communications systems and even some level of controls within the plane itself. And if that doesn’t scare you, it should. It scared the feds, too, but it didn’t scare them into actually, you know, addressing the security concerns. But it did scare them enough that upon the plane landing Roberts was scooped up by the FBI, questioned for several hours, and had his encrypted computer, tablet, and drives snatched from him. No warrant for any of this, mind you, at least not at the time of this writing. As you can imagine, he’s not pleased. Mostly, though, he’s confused as to why the feds are picking on him at all.
Roberts told FORBES he was disconcerted by the actions of US law enforcement. “Feds have known about issues in planes for years, why are they hot now? I’m a researcher, that’s what I do, I don’t go out to harm or hurt, why pick on researchers? If not us then who will find flaws?”
Which is the entire point. The government should be thanking its lucky stars that a benevolent force such as Chris Roberts was the one who found this exploit, rather than someone who might actually wish to do harm. Tweeting about it may alert more nefarious folks that such an exploit exists, sure, but it also got the attention of the federal government who had damned well better be fixing this tout de suite. As far as anyone interested in actually fixing this exploit should be concerned, mission freaking accomplished. And yet Roberts is targeted, not because he’s an actual threat, but merely for doing what people in his profession do.
And not just at the conclusion of that flight, either, I should add. The harassment continued afterwards.
Roberts was back at the airport on Saturday evening, headed to San Francisco to attend two high-profile security conferences, the RSA Conference, where he is scheduled to present on Thursday, and BSides SF. After Roberts retrieved his boarding pass, made his way through the TSA checkpoint and reached the gate, United corporate security personnel stopped him from boarding the plane. Roberts was told to expect a letter explaining the reasons for not being allowed to travel on United. Thankfully, Roberts was able to book a last-minute flight on another airline and has now landed safely in San Francisco.
Nevertheless, United’s refusal to allow Roberts to fly is both disappointing and confusing. As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed. Indeed, he was headed to RSA speak about security vulnerabilities in a talk called “Security Hopscotch” when attempting to board the United flight.
This should be seen as useful for the public, which now knows somewhat certainly that United Airlines would much rather attempt to achieve security through obscurity rather than seeing experts like Roberts as a boon to their own safety product. Should you need to fly anytime soon, do you really want to board a flight run by a company that has now demonstrated that it tolerates vulnerabilities aboard its flights and also would rather try to put its head in the sand than deal with those vulnerabilities? I sure wouldn’t. Keep in mind, by the way, that United is getting this important information into its own security for free. But rather than be grateful, out come the cross hairs.
It’s enough with this crap already. No amount of embarrassment is justification for harassing a security researcher who happens to be fault-testing technology on high-profile targets. And doing it free of charge, I might add. In the realm of security, Roberts is a helpful force, not a harmful one. It’d be nice if the Feds and United Airlines would behave gratefully, rather than targeting the man.
Filed Under: chris roberts, hacking, in-flight computers, in-flight wifi, obscurity, research, security, shooting the messenger
Companies: united airlines
Comments on “FBI And United Airlines Shoot The Messenger After Security Researcher Discovers Vulnerabilities In Airplane Computer System”
What makes you think that others are not conducting research to mitigate this possible issue? One possibility is such research is actively being pursued by persons/companies who choose to labor in anonymity due to the sensitivity of the issue.
Re: Re:
Oh, I see it now, it’s just like the aliens who are among us to study us being discrete so we all don’t panic…
Yeah, sure…
Re: Re: Re:
And then the cheap ass duck blind the aliens are provided turns out not to have enough redundancy built in and fails killing a few and lets the proto-Vulcans see what the aliens are doing, leading them to do an about face back to the Dark Ages (ST:TNG).
Yeah, this sort of thing was entirely impossible to foresee. The fibbies should be banging their heads on the wall for this and Boeing deserves to be forced to fix it for free. “Important people” should be fired for this cockup.
This article is ridiculous. You don’t make those kinds of jokes in that kind of situation especially when you have the means to actually carry it out.
He didn’t get in trouble for finding a vulnerability. He got in trouble for joking about abusing the vulnerability while on an airplane.
Re: Anonymous Coward
What makes you think that United or Boeing would have paid him one iota of attention if he had contacted them about this ex-post-facto (after the fact)? I agree with Tim G. United should apologize, give him a bug bounty, about 10M frequent flyer miles, and Boeing should hire him to pentest their systems. The TSA and FBI should give him an apology and his gear back – hopefully undamaged. If damaged, they should replace it gratis for him, as well as giving him back the damaged gear so he has a prayer of pulling his data off of the systems.
I used to fly United all the time. Now, I avoid them if at all possible in favor of Southwest.
Re: Re:
So, in your estimation, jokes are dangerous.
What about the whole, the issue exists and people can find it problem?
It seems apparent that the issue was known, but not disclosed. The people with responsibility for correcting the issue should be the ones embarrassed. Yet, the one who is sanctioned is the one who exposes it.
Where are our whistle-blower laws that exempt whistl-blowers from prosecution or even harassment? Oh right, they are tied up in the governments quest for moar power.
Que up the Wizard of Oz scene where the ‘professor’ is behind the curtain pulling levers to ‘create’ the illusion of omnipotence.
That is where you will find ‘just cause’. Ha, ha, ha!
Re: Re: Re:
“So, in your estimation, jokes are dangerous.”
Oh, yes. Jokes, sarcasm, parody and the whole similar lot should be absolutely banned!
Re: Re: Re: Re:
Don’t laugh! I know two peanuts who were assaulted because of a joke.
Re: Re: Re:
The word “que” is Spanish for “what?”; it’s pronounced the same way as “quay”, and rhymes with “say”.
The word you want here is “cue”; it’s pronounced the same way as “queue”, rhymes with “who”, and means either “a signal to do something” or “to signal to do something”.
The word “queue” in its turn means either “a line in which things wait for their turns” or “to put into line to wait for its turn”.
Re: Re: Re: Re:
For slightly less opaque pronunciations:
“que” is pronounced roughly “kway”.
“cue” and “queue” are pronounced roughly “kyoo”.
Re: Re:
The land of the free (from jokes)? Now that’s ridiculous.
Re: Re:
If it wasn’t a joke, they would have learned about it only if they recovered the data recorders after the crash. Maybe not even then.
Re: Re:
It might not have been the most hilarious joke, but let’s review the course of events, shall we?
1. He finds the security loophole. He tweets.
2. Feds notice it. At this point, the only ones who are aware of his actions are him, (on the plane,) and the feds (off the plane.) Unless someone on the plane was actively checking this one guy’s twitter. Feds can also probably tell from the twitter account that he’s a compsecurity researcher.
3. Feds prepare to meet him at the scheduled and intended landing. Of course, if he’s actually doing anything nefarious, the plane won’t be getting there. The entire plot of “we’re going to pick him up, interrogate him, and take all his shit” is predicated on “He’s not going to hijack, sabotage, or otherwise exploit his plane flight.”
4. It lands at his destination, proving that he was not hijacking, sabotaging, hacking, or generally doing anything wrong. He is taken into custody (sans warrant).
Maybe I’m a little too idealistic but this doesn’t seem like a sane, legal, or sensible response.
Re: Re: Re:
The feds failed to find the problem so they must look like they’re doing something useful now that the problem has been discovered by someone else. How else are they supposed to use this opportunity to grandstand?
Re: Re: Re:
from http://arstechnica.com/security/2015/04/19/researcher-who-joked-about-hacking-a-jet-plane-barred-from-united-flight/
I was at a registration-required, but otherwise public, conference Roberts presented at few (3 or 4) years ago, and had an opportunity to speak to him a bit one on one about some of this (I was actually attending the conference for free as part of a deal Infragard had worked with the conference organizers).
This isn’t a new thing, It’s not the first time the airlines and feds have been notified about these problem, and it’s not going to get fixed anytime soon.
Re: Re: Re:
Let’s review the actual course of events as there are differences with how you state them.
1) Roberts, and others, have done research on this issue in the last 5 years.
2) In previous flights Roberts has taken he has attached his laptop to the Ethernet port available under his seat and monitored all the packets that travel across this network. Even though this is the In Flight Entertainment system (IFE), he has seen packets that are for command and control and sensor information for the planes avionics control. This confirmed the network traffic is not strictly partitioned but the airlines claim such traffic is one way. That is there is a gateway to the IFE system which doesn’t allow any packet to be sent from the IFE. He has never attempted to inject his own packets into the network. He did not do any monitoring on this particular flight.
3). During a twitter conversation discussing what he does with an acquaintance he sends the joke tweet. This tweet refers to the type of plane and makes no mention of the airline or flight number.
4). Roberts was asked by the FBI a couple of months previously to back off on his research and back off on publicizing any potential vulnerabilities. This was a blanket request to stop talking, even generally, about the possible vulnerabilities. Last month, he was interviewed on Fox News where he discussed the general security risk in interconnecting the IFE and avionics networks.
5) 3 hours after he makes the tweet from the airplane, they land at their destination in Syracuse. The FBI is already waiting for him and escort him from his seat. I have to conclude the FBI was monitoring his twitter account as a result of him not kowtowing to their desire that he shut up.
6). Roberts was questioned for 2 hours. He was not taken into custody. His electronics were confiscated except for his cell phone.
Re: Re: Re: Re:
1) Where are the white papers documenting this? Have they been peer reviewed?
2) The IFE receives some telemetry data from the FMC via a unidirectional data bus e.g. ARINC’s 429 (http://en.wikipedia.org/wiki/Avionics_Full-Duplex_Switched_Ethernet). If he has indeed “seen” command/control packets, again, publish this so it can be peer reviewed.
4) Is there documented evidence of such an interaction with the FBI, or are you taking Mr Roberts’ word for it?
Re: Why not?
Re: Re:
Yes he did. Except…that’s not illegal.
Re: Re:
What makes you think the badguys haven’t already found it and were about to use it to commit mass murder? It sounds to me like it was pretty easy to do, like something a curious kid could have done. Somebody could have already been offering to sell this on the black market. Now that it’s out, the idea’s (hopefully) worthless and he may have just saved thousands of lives for free.
They should design laws...
… So that while unauthorised access to a system is illegal, it should also be legal for the equivalent of “Whistleblowers” to be entitled to disclose the nature of these vulnerabilities. Further more, it should be illegal to not fix it within a certain time period depending on the severity.
Re: They should design laws...
Design laws?
That’s a joke, right?
Re: Re: They should design laws...
Well it’s probably not what he meant, but I’d feel safer having engineers write laws rather than lawyers and their ilk.
Re: They should design laws...
Unauthorized access? What unauthorized access?
If I put out a sign that says “Free access to the premises” in front of my house, then forget to close (let alone lock) the front door, it’s not unauthorized access for someone to walk inside.
Yeah, common sense might say that of course I don;t really want people inside my house. But that’s not what my sign said.
Re: They should design laws...
No time limit for fixing required. Put the airplane on a no-fly list.
Lets not blow the illusion of security, SHHHHHH.
Re: Re:
“Lets not blow the illusion of security, SHHHHHH.”
Airports and the airline industry are ground zero for security theater.
Re: Re:
Sorry for being a grammar Nazi but let’s not confuse lets with let’s
They might have to investigate the hack. If he accidentally breached the system I hope they don’t shoot the messenger.
On WiFi at all?
My reaction was “Why is anything related to aircraft safety or control on WiFi at all?”. That sort of stuff should be running on a hardwired network where getting access wouldn’t be a trivial job or, if it absolutely must be broadcast, on a securely-encrypted network on a band not usable by common consumer electronics. This isn’t just a vulnerability in the system, it’s a fatal flaw in the very foundation of the system itself: as long as it exists the system can’t be adequately secured.
Re: On WiFi at all?
Exactly.
The much talked about, never yet seen massive cyber attack on infrastructure the NSA and FBI are constantly blathering about would first require that they connect vital systems to the internet — and only an idiot or a traitor would do that.
If vital systems that need to be secure are connected via WiFi, that’s just ASKING to be hacked. They’re just lucky the first member of the general public to notice is a white hat, not a black hat.
Re: On WiFi at all?
I agree that something like this should not have to be transmitted wirelessly or else a simple signal jammer could prevent it from operating (even if it’s encrypted). However, I’m not so sure it’s clear that the signal needs to be broadcasted. Do the oxygen mask deployment units deploy upon receiving a certain signal? Can that signal be jammed? Heck, even normal interference may interfere with deployment (just look how difficult it could be for you to open your garage door with a remote control, cell phone calls and Wifi are not always reliable, etc…). This instance could have been a case where a wired network can simply be accessed from the wireless router kinda like how you can set up a wireless router to make the wired network accessible through the wireless network. But I agree that a wired network responsible for anything critical should not be physically attached to any wireless network.
Re: On WiFi at all?
The Wi-FI part is an assumption by the Wall St. Journal writer. In fact, Roberts connected directly to the IFE network via an Ethernet port beneath his, and everyone’s, seat. This network is interconnected with the network used for avionics. I am not at all sure a WI-FI network has the same sort of interconnection. The networks are partitioned but the crux of the issue is if such partitioning is secure enough or should an air-gap be used between the networks.
Dunno why they don't teach this (explicitly) in school...
Thou Shalt Not Embarrass The Authorities
Re: Dunno why they don't teach this (explicitly) in school...
Some people don’t realize how easy it is to become the authorities. Seriously, the USC and the treaties are full of fun little things people can use back.
Re: Dunno why they don't teach this (explicitly) in school...
Because teaching this in schools WOULD embarrass the Authorities.
Re: Dunno why they don't teach this (explicitly) in school...
Because they are NOT the “authorities” per se, they SERVE the public. Admittedly they are working really hard to become the “authorities”, rulers.
It would help if you would no longer give them that title, and remind them that they do work for us overall and that WE do have the constitutional remedies for their corruptness – admittedly (again) it would help if more people would actually bother to learn the US Constitution, and their own state Constitution as they ARE the contracts that they are REQUIRED to follow and work under.
Re: Re: Dunno why they don't teach this (explicitly) in school...
Fine, so add a qualifier: Thou shalt not embarrass anyone who has been given enough authority to fuck with you.
Re: Dunno why they don't teach this (explicitly) in school...
It would be infringing on Cartman’s IP.
Maybe the flaws are being intentionally put in in. Much like the fake terrorism plots the FBi keep creating just so they can bust them.
Bad for business if the FBI were exposed putting peoples lives in danger just so they can look good.
Arrested the wrong person?
Perhaps the authorities arrested the wrong person. He publicily admitted to being able to hack into the avionics systems. Shouldn’t the authorities be more interested in those who made no public declaration but hacked in anyway?
seems to me in this and other cases i’ve read about that the company (in this case) already knew about the issue and left it as it was for two reasons. first they knew it would cost money to fix the issue and up to that point, they had saved money. second, the feds knew about the issue and didn’t want it fixed because it gave them a way into the system and perhaps into the equipment passengers were using whilst on the flight. now the exploit has been found, they have to act this way to make out that neither the airline or the feds knew about it. in their supposed ‘ignorance’ they now have an excuse to screw up the life of one of the very people they actually rely on for finding exploits. however, if they can frighten off those who work with this stuff 24/7 when it is found by an ‘undesirable’ and the result is catastrophic, it gives the feds at least a reason to go back to Congress demanding more surveillance measures, more spying, more funding, and less privacy for citizens. sounds like a plan to me and as there would be no feds caught in any aftermath, only airline staff and passengers, the feds just sit back and wait!
Re:
So passengers can currently hack into the onboard controls of the aircraft, and your theory is that “research is actively being pursued”? This is a catastrophic security defect which exists in the moment, not some theoretical curiosity suitable for a 4-year study.
A simpler and more logical explanation is that whoever’s job it was to keep aircraft communications secure is embarrassed at the public knowledge of their incompetence, and quite pleased to deflect blame toward the good samaritan who revealed it.
Re: Re:
He hacked into the WiFi, getting into the firewalled flight control system is quite a bit more difficult-unless he knows about the backdoors installed by the CIA and NSA.
Re: Re: Re:
And if he knows about them, how long do you think it will be before others learn about it?
Re: Re: Re:
“He hacked into the WiFi, getting into the firewalled flight control system is quite a bit more difficult-unless he knows about the backdoors installed by the CIA and NSA.”
But those backdoors are vital for national security! It they’re closed then we’re all doomed!
Re: Re: Re: Re:
And they are very likely in every product made by Boeing. I’d suggest you make all your future commercial flights on aircraft made by a Canadian, Brazilian or European aviation company.
And, about those backdoors, I’ve come to the conclusion that the NSA, CIA and FBI have collectively sold their souls to the PLA’s elite cyberwarfare group, Unit 61398.
Re: Re: Re:
“He hacked into WiFi…” what does that even mean? Did he get an IP address from the plane’s wifi? Isn’t that what its supposed to do? Did he port scan? Did he sniff packets? Other than tweet, I can’t figure out what this guy actually did.
Re: Re: Re: Re:
Based on what he tweeted, he had access to the network that the plane uses to distribute commands to systems outside of the cockpit. Such as the one that controls the oxygen masks that drop from the ceiling during an in-flight emergency.
The fact that that is even POSSIBLE for someone sitting in the passenger area is terrifying — the sort of security flaw that should result in every plane using that network system being grounded instantly and permanently until it is fixed.
Re: Re: Re:2 Re:
THe problem is its likely a plane that was never built to grant consumers Wi-Fi that now does so. And they didn’t install an entire new, dedicated system that doesnt touch the flight ops in the plane. So now we have this problem.
Re: Re: Re:3 Re:
This also explains why it took them so long to allow passengers to access onboard WiFi, because somebody in the know knew it could be a disastrous thing to do because they just blindly assumed it would be done via the existing system that’s handling critical flight operations processes.
When I first heard of this, I was astounded that they were doing all of this on just the one system. One pizza box server for each would have been the smart way to go. How could they justify not doing that way?
Re: Re: Re:4 Re:
i am shure this was a totally split system from start.
no engineer would ever wire public wifi with ANYTHING ELSE of the airplane
(unless he and nobody he knows is ever going to fly)…
but then it went through “the manegerial revolution” you know, the happy MBA yes men,
and one had the brilliant idea to save cost wiring it all together…
Re: Re: Re:5 Re:
he probably got a big bonus for his brilliant idea
(another porsche)
Re: Re: Re:5 Split System
Way back when I worked for a large Canadian airline company the flight controls were all multiply redundant and firewalled to the nether regions.
Back then Boeing made one of the safest planes ever.They don’t now….
Things change, the bean counters and not the flight crew or engineers have the last say these days, Boeing makes crappy, unsafe planes, it’s suicidal to book a flight on Japan’s national air carrier, the TSA and HLS consider it their duty to rob us blind and as botw mentions corners have been cut by the air carriers and manufacturers.
It’s a nasty world we live in.
Bill the f*ckers...
This man should bill the airline for services provided. Make it a substantial bill, too.
the article doesn't get it
its not about going after andmaking it not known to the public or keeping you safe
IT’S ABOUT CONTROLLING YOU
it is why hackers do not share no more
it is why you will never know how vulnerable you are until you piss them off
yup thats it in a nut shell and for the record your fbi are a bunch a fucking criminals in suits
Re: the article doesn't get it
Exactly!
Key note:
He didn’t actually point out any flaw that could be exploited. He made a joke about potentially using a flaw that may or may not actually exist. There is a BIG difference there. Also if such a flaw does actually exist it begs a question similar to the one concerning the vulnerability of power grid facilities connected to the Internet. Why the hell would the flight control systems be connected to the on board WiFi in the first place? It doesn’t take an expert to see why that is a really dumb idea that would be really easy to fix.
#22 I’m sort of astounded no one else seams to have caught that. Seamed obvious to me. No known flaw here- just the potential due to the stupid design.
Re: Re:
He was talking about dropping the oxygen masks, which apparently IS a known flaw that can be done currently.
It seems like the feds are more intrested in keeping these things flawed.
Sympathize with the feds on this one
I can understand why Roberts was detained. Looking at that tweet alone, it seems like a threat. He wasn’t merely informing the manufacturer or the FAA that there was a vulnerability — his tweet, which was sent to nobody in particular, could easily be interpreted as implying that he intended to muck with the plane’s internal systems.
Yes, he had a smiley face to suggest sarcasm. Or maybe instead of sarcasm he meant Smithers-like glee? C’mon. Roberts’ statement was a clear provocation.
Furthermore, Roberts is quoted as saying, “I’m a researcher, that’s what I do.” That tweet sure doesn’t sound like it came from a researcher. Sounds more like it came from an unprofessional smart-ass.
I also believe it’s irresponsible and unprofessional (though not criminal) to publicize these types of serious security problems before they’re fixed.
The authorities were entirely justified in detaining Roberts after the flight, to determine whether he really intended to act on the vague threat, to properly determine his identity, and to make sure that if there was a vulnerability, he would reveal it so that it could be formally reported.
Imagine if someone joked that they found bomb-making materials on-board an aircraft, and no law enforcement bothered to follow up. Would you have been okay with that?
Re: Sympathize with the feds on this one
He spent five years trying to get the airlines to fix the vulnerability. He even met with the FBI and tried to explain it to them, then the GAO finally published a warning.
If you read the article at http://www.wired.com/2015/04/twitter-plane-chris-roberts-security-reasearch-cold-war/ you’ll perhaps see the errors in your post.
I don’t understand how asking if he should turn on the passenger oxygen system (or maybe just the warning light equals finding bomb making materials on an aircraft.
Re: Re: Sympathize with the feds on this one
He spent a lot of time trying to point out that there were vulnerabilities that needed to be addressed and was summarily ignored. There is no evidence here of any actual vulnerability that he was able to exploit had he wanted to. There is a joke tweet about being able to do something that he may or may not have been able to actually do at the time along with his background and an apparent demonstration of knowledge of some of the underlying systems that suggests the capability with nothing concrete to back up any of that conjecture up.
Re: Re: Re: Sympathize with the feds on this one
Read the link. He ABSOLUTELY can do it and has been trying to get them to fix it for 5 years.
Re: Re: Re:2 Sympathize with the feds on this one
I read the Wired article about it long before this post came out. I’m not saying that he couldn’t. I’m saying that nothing in this particular story says that he was able to at that moment. Yes he has claimed there are vulnerabilities in the past and that those claims were not responded to appropriately. No where did he point to a particular flaw that he could use to do what he joked about in that tweet. He didn’t have to be able to, to make a joke about it. Reading too much into the story gives undue power to those who use FUD to manipulate people. Don’t do that.
Re: Re: Re: Sympathize with the feds on this one
I believe he claimed that he could break into various systems if he wanted to, though perhaps with significant effort.
But that’s beside the point. You arrived at this conclusion after reading articles about it, and knowing that, in retrospect, this was intended as a joke. At the time, did the Feds what his intention was? Maybe he found a new attack vector. Maybe he was angry and intended to do something after having been ignored for 5 years.
Ask yourself this: if he HAD done something nefarious (say, on his next flight), and it was discovered that the Feds knew about his “threat” but chose not to act based on an assumption that he was just kidding, would you have been okay with that?
Re: Re: Re:2 Sympathize with the feds on this one
There’s a difference between talking to him about a potentially threatening tweet and detaining him and swiping his stuff. Also, why would there be a next flight if he intends to crash a plane? Furthermore, why would he even give warning? Your hypothetical situation is just that, hypothetical.
Re: Re: Re:2 Sympathize with the feds on this one
Really? His history is well documented and would obviously be known to them. Here’s a tip, people who exploit security flaws to exact carnage don’t spend extensive amounts of time trying to get their targets to fix the flaws that they would exploit beforehand.
Re: Re: Sympathize with the feds on this one
OK, I read the article you posted, but don’t see any errors in my post.
You are confusing two issues here. As far as the reaction to Robert’s tweet goes, it’s irrelevant whether he spent years trying to get them to fix such vulnerabilities. Even assuming in the relatively short duration of this flight that authorities had enough time to understand and confirm who Roberts was and all the history behind his efforts, his tweet was still provocative. And for all authorities knew, he was a guy who was disgruntled from the lack of response to his revelations and decided to ratchet things up a notch.
But again, his history doesn’t matter…just because the flaws were disclosed does not, years later, authorize him to threaten to exploit them. The lack of action on the airline’s part is inexcusable for sure, but immaterial to whether it was proper to detain Roberts.
And you’re picking and choosing from his tweet. He also threatened/joked about the engine/crew alerting system, and communications system. What he did was claim to have the ability to affect important airplane systems that are supposed to be off-limits to passengers, and that is why it’s on a par with finding bomb-making materials. In fact, if he could control avionics, he could not only destroy the aircraft, but ground-based targets as well.
Try to separate your justified disdain for the way Roberts’ research has been treated from his irresponsibly provocative tweet.
BTW, I’m not passing judgment on whether they should have confiscated his equipment, or whether United should have prevented him from flying. Just on detaining and questioning him.
Re: Re: Re: Sympathize with the feds on this one
Dear Reasonable Coward. My first question to you is:-
How long have you worked in any technical field where stupidity on the part of management leads to situations like this?
My second question is :-
If you have worked in a technical field for any length of time (
Re: Re: Re: Sympathize with the feds on this one
And here we have the full authoritarian mind set on display, take action against someone at the slightest sign of dissent.
Re: Sympathize with the feds on this one
For someone in the “know” this is the difference between a hacker and a cracker! Of course he quips about a flaw… this is a super easy fix and huge oversight by United…. very embarrassing and incompetent for them I’m sure! His discovery is a somewhat jab in the eye of a fellow cyber security individual saying “pull your head out” ergo the quip! To demonize him for this is ridiculous… if he had kept it quiet, how long should United have to be allowed to fix this flaw….Years? Now that the flaw is in the daylight, they have to fix it immediately. Therefore having to hire a REAL cyber security professional not an in-house software/hardware stooge. Cyber security is it’s own house in the computer world now.. people should stop treating it as an after thought. Thats’ exactly why the world has the problems it has now! Wake up!
Re: Re: Sympathize with the feds on this one
How long it takes United to fix a flaw is not relevant to whether a threatening message should be ignored. Wake up!
For example, it’s well-known and trivially obvious that you could circumvent the TSA’s volume-of-liquid limitations by splitting them into multiple containers, and/or via multiple passengers. That bug has never been fixed. So does that make it okay to tweet something about combining liquids to create, say, a smoke bomb on the plane?
I didn’t think so.
Re: Re: Re: Sympathize with the feds on this one
What freaking threat? If anything, from the additional history, it shows a level of self-control well above the norm.
Re: Sympathize with the feds on this one
I know right? Fuck the first amendment, this guy could possibly have been hinting at maybe messing with something!!!
Re: Re: Sympathize with the feds on this one
You have a few too qualifiers in there. The guy was hinting at messing with something.
You are being influenced by the after-the-fact knowledge that Roberts didn’t actually intend to do anything underhanded.
Re: Re: Re: Sympathize with the feds on this one
I am influenced by the before-the-fact knowledge that he was traveling to present this info at a BSides conference. The info would’ve been public either way. But also, the at-the-fact knowledge was that his tweet didn’t contain enough info to actually inform anyone of how to go any kind of exploit.
There was no security gain in the Feds having confiscated his equipment, though the deluge of Feds that have been commenting on this topic on Schneier’s blog and on here does make for some interesting conversion, albeit, it comes off a bit like shilling when there’s no back-and-forth with productive dialogue.
Re: Re: Re: Sympathize with the feds on this one
I’m moreso influenced by the at-the-fact knowledge that his tweet was obviously phrased jokingly and contained no threat other than to toggle the entertainment system’s on/off state. An act which would not have caused anyone to panic.
How about an alternative argument:
Intimidating security researchers will ensure less security research is done in the future by onlooking researchers or prospective researchers. If law enforcement is more comfortable in a world where a 747 could be hacked and taken over/taken down by a terrorist than they are in a world where a security researcher can jokingly bait them, then I’d say there’s either mixed up priorities or a severe lack of foresight.
Re: Sympathize with the feds on this one
I also believe it’s irresponsible and unprofessional (though not criminal) to publicize these types of serious security problems before they’re fixed.
It could sensibly construed as facilitating the nefarious intentions of enemies already determined to use our own technology against us. So, it should be criminal to aid the enemy in this manner. Make it well known to everyone also.
Re: Re: Sympathize with the feds on this one
Several decades ago when Americans were together on patriotism there might have been a HOTLINE Number you could call to report such discoveries before they fell into the wrong hands, but now everyone is suspect. And that is our Freedom being flushed down the drain.
Re: Sympathize with the feds on this one
Beggars cannot be choosers. You have no ground to stand on saying the security researchers should be “more professional”. Hell, I say that the Feds need a sense of humor.
Also, he was going to present his findings at a BSides conference. With much more specificity. Information that’d be public. In a venue that many more security-minded people would’ve been paying attention to as opposed to a TWITTER ACCOUNT.
Re: Sympathize with the feds on this one
What a load of dog faeces.
If a serious problem like this has been reported and no visible action has taken place within days or weeks, then the responsible and professional thing to do is publicise the flaw. It is a matter of public safety not company reputation that should take the front line.
If it means that that particular airline and any other airline which has the same flaw suffers major economic damage due to their lack of movement on such a flaw, then so be it. To put profits before safety is a common attitude amongst many companies (both large and small).
It is far better that such flaws are widely publicised than hidden. Sure, the wrong people may get a early insight to an exploitable flaw. But the reality is that the wrong people already know about and are already exploiting the flaw.
Re: Sympathize with the feds on this one
So, did the FBI immediately contact the plane and insist they put it on the ground tout suite? No, they just sat around and waited for it to land leaving how many potential lives in jeopardy, in the air and on the ground.
This is a fibbie, United, and Boeing cockup, and they should all be extremely grateful and seriously embarassed for their actions.
Re: Re: Sympathize with the feds on this one
The bottom line is that there is no good reason to cut the FBI, their compatriots, United and the makers of the systems they are using any slack. They know about the weaknesses, backdoors and whatever other shit is making their systems vulnerable, have known about it for years and done nothing about it. It’s time to ground United’s fleet and make an example. Let the other airlines learn from this.
Re: Re: Sympathize with the feds on this one
Reading some of the reactions to this story, it feels oddly reminiscent of Tony Blair beating himself up for that boneheaded mistake of enacting FOI legislation. $DEITY forbid that we get to learn about the authorities falling down on the job. Wouldn’t it obviously be better for everybody if we just stick our fingers in our ears and sing “La la la …”?
Re: Re: Re: Sympathize with the feds on this one
Let me get this straight. You are against a defense against zombie hordes attacking innocent hamlets and letting that innocent populace know what defenses are available?
The real story here is ...
… that is has apparently been known for a while that any passenger equipped with a tablet and information available on the internet can play pilot on UNITED planes, and both UNITED and FBI have decided that it is ok to continue flying UNITED planes with this security hole.
4 types
People can be divided into 4 groups on computer security:
1. White hats who try find flaws and alert the appropriate people about them so the flaws can be fixed (Roberts). This is relatively small group because of the skills needed to find the flaws.
2. The security aware who try keep up with the field but lack the deep technical knowledge to routinely find flaws. The is not a particularly large group but an important because they often provide a link to educate others about best practices. Readers of Techdirt and similar blogs are in this group.
3. The average user who does not keep up with most security issues and may not understand their implications. They are heavily reliant on their technically aware friends and family members for advice, training, and support. This by far the largest group of users. Often they confuse the white hats with the black hats, especially by the technical illiterates in the criminal injustice system.
4. The black hats who use flaws to harm others usually financially but occasionally in other ways. Many black hats are script kiddies who do not have the technical skill to find the flaws. They are reliant on more skill black hats to find them and determine how to exploit. This is a very small but dangerous group.
Re: 4 types
6. Political Hats who don’t know shit about anything including but not limited to so called cyber security, so they just make shit up or regurgitate what has been feed to them from their overlords, the Corporate Hats.
7. Media Hats whose talking heads anoint your idiot boxes daily with slanted garbage feed to their teleprompter by corporate editors.
Re: Re: 4 types
Re: Re: Re: 4 types
I missed a few.
Re: Re: Re: 4 types
you mean like the FBI creating fake terrorism plots just so they can justify what they do to bust them?
that was considered a crackpot theory before the evidence proving it came out
maybe you should add number point for the people who have to eat their words after ridiculing those tin foil hats
Re: 4 types
You left out a bit for the first type.
1. White hats who try find flaws and alert the appropriate people about them so the flaws can be fixed (Roberts). This is relatively small group because of the skills needed to find the flaws, and the fact that so many companies have made it clear that exposing a flaw in their product and/or service will not result in it being fixed, but the company doing everything they can to crush the one who found the flaw.
Re: Re: 4 types
Better to be a black hat then. Gather together a group of nefariously minded code monkeys, call the group something evil like PAP and threaten to shut down the airlines unless they pay you. It almost worked for those GOP idiots that went after Sony.
Re:
It’s more likely that this issue, by being worked on in secrecy, cannot be secure. Because the methods are opaque.
Having openness actually increases security, provided that competent people are applying the recommended fixes.
Know the truth
The reason why many of these flaws exist is that the government plans to exploit them for some nefarious, serious purpose, such as a false flag attack in which they pretend to be agents of some other country or tewworist organization. To borrow tech terminology, they want to spoof a physical attack and blame it on scapegoats, to achieve some police state goal.
So, did he get into the airplane, scan for vulnerabilities, and find some? Or was this just a tweet with enough jargon to make it seem that way?
The way this story is being reported you’d think he was just a few well adjusted packets away from dropping the oxygen masks. Which if true, in-flight tweets seem a poorly chosen method of disclosure. Or perhaps it was meant as a publicity stunt, in which case, mission accomplished.
Tin foil hat time:
What is achieved by systematically attacking security researchers? Less security research. Which, given that we know the NSA compromises everything, is in the government’s best interests. Even if the Snowden leaks hadn’t occurred, is it plausible that these programs could remain secret forever with substantial security research? Doubtful, so to make sure that doesn’t happen the feds go after anyone approaching the discovery.
That would reveal a vague what and how things have been compromised, so they have to go after everyone of necessity.
Horribly, horribly misleading headline
He did not find a flaw, he simply strung together some aerospace acronyms to make it sound like it meant something.
Take, for example, the simple fact that the 737 DOES NOT have an EICAS. There is no such thing as a “PASS OXYGEN ON” message on that airplane.
It is 100% joke and I will leave it to others to argue about whether or not that is wrong.
Re: Horribly, horribly misleading headline
All commercial aircraft either have the US designed EICAS or the European ECAM systems installed.
And if you look at the B737’s very hefty technical manual you will discover that the passenger O2 system can be activated by sending a test message over EICAS. You’ll also discover that the system can be remotely activated if you have the proper codes and can broadcast them on the correct frequency.
Re: Re: Horribly, horribly misleading headline
BTW the manual, in its entirety is online, searchable and gives detailed instructions on how to do this.
Highly Efficient to Squash the Proficient
It is quicker and cheaper to kidnap, trash, and sever the discoverer’s capabilities spreading further analysis of high level systems security vulnerabilities by scaring the B’jesus out of these people, isolating them, and beating them with a rubber hose until they all agree to go to work for the good guys!
Re: Highly Efficient to Squash the Proficient
Who are the good guys? That seems like something the bad guys would do.
Re:
What makes you think they are ?
Re: Re:
“What makes you think they are ?”
Because apologists are always all knowing.
This is by far the worst airlines in business today. They totally ruined our vacation to cancun by screwing our tickets both ways. Use to use them for one of my events in steamboat? Not anymore there goes 5000 tickets!
Re:
What makes you think up these ridiculous scenarios depicting the lazy assed industry as good guys diligently working for your betterment?
um
Just curious about how the cops etc found out about the tweet.
Re: um
He likely said the right keywords to flag the Fed system using Twitter’s API.
Re: um
if he had been trying to warn the feds and this airline for 5 years about their security flaws. Could the feds have been illegally spying on him to see what he did. Since he had dangerous knowledge that they refused to act on.
Re: Re: um
And now they can chalk up another terrorist plot stopped via their spy on everyone program.
There is absolutely no benifit for them to fix the error.
This is from their point of view of course:
If someone used this vulnerability in the system, it would have to be spread on the internet that this is the way they did it. If not, it would be kept quiet so as to not encourage others to do it as well and/or to cause panic.
The crash would most likely be blamed on the plane or the pilot. Behind the curtain, agencies would get more money and power for fighting terrorists and United would get money to fix the flaw and beef up security even more and at the same time probably collect the insurance on the plane.
To be cynical, one could believe that the reason these flaws are ignored is that they simply didn’t care because it would only end up making profit in the end, even if the flaws were misused.
They should design laws...
Ever heard of whistleblower laws?
Funny how they never seem to be applied to anything except ‘unauthorized’ leaks by people in power…
Calm down
“Box-IFE-ICE-SATCOM,EICAS messages, PASS OXYGEN ON”
These hosts are there because:
1) ‘Box-IFE-ICE-SATCOM’ is the central hub of the Inflight Entertainment (IFE) system, which includes a SATCOM terminal.
1) the EICAS is a read only message window in the cockpit, think of it as the debug output of the plane. Should the IFE overheat or otherwise fail a message would be displayed to the pilots. Why? Because fires in IFE systems have damaged airplanes and in at least one case caused a crash (Google ‘SwissAir Flight 111’).
2) ‘PAS-OX-0N’ is a device that sends a signal to the IFE that causes the IFE to shut down. The IFE can’t cause the passenger oxygen masks to drop.
While no hack is possible in this network, joking about anything to do with aircraft safety is not a smart thing to twitter. The first amendment doesn’t mean that other people can’t consider your speech when deciding to trust you.
Nothing to see here, move along.
Re: Calm down
Can you post the exact pages of the manual? I’d like to check your information.
that's nice
bad reporting. and totally ignoring the truth or any facts. merely spewing Chris’ view of things and leaving out his actions etc to garner sympathy leaves me sick to my stomach.
Bottom line is this
If there was a person who…
a) Showed that an avionics system could be hacked
b) Had the skills to actually perform the hack
c) Publicly implied that he might start hacking
d) Subsequently started hacking in-flight avionics, causing big problems
…and it was discovered that the authorities didn’t bother investigating after (c), there would be a huge hue and cry about how incompetent law enforcement was in this case, ignoring a potential threat like this.
Some of you obviously aren’t able to eliminate the ‘hindsight’ factor. You know that (d) didn’t occur, so you can’t imagine why he was hassled.
For those of you who think whatever Roberts might have done would have been harmless, how the heck would you have known that (esp. without hindsight)? If the oxygen masks were deployed, how do you know that panic wouldn’t have ensued, or that someone wouldn’t have had a heart attack? How could you know that Roberts wouldn’t make a mistake and inadvertently affect a critical system during his first live real-time intrusion? How could you know whether the hack would cause the flight to be diverted, causing great expense and potential hardship on the passengers? How could you know whether Roberts intended to affect only non-critical systems, since his tweet left the door open to just about anything? How could you know that Roberts hadn’t slipped a cog and decided to end it all to make a point after years of frustration?
The bottom line is you couldn’t know any of these things without the benefit of hindsight.
You don’t joke about hijacking or bombing in an airport, and it’s fine for authorities to detain you to determine whether it was a joke or not. Do you think authorities should assume all such comments to be frivolous and never investigate them?
The TSA, FBI, Police, Prosecutors, et al., are guilty of many transgressions. There are countless examples of their overreach, ineptitude, stupidity, and callous disregard for civil liberties. But detaining Roberts after that tweet was one of many examples of them doing something right.
If you want to complain about United’s inaction, that’s a separate beef.
But if you want to complain about bad behavior by law enforcement, there are too many better examples of it out there than criticizing the questioning of someone who wrote something as ambiguously provocative as that tweet.
Re: Bottom line is this
“The bottom line is you couldn’t know any of these things without the benefit of hindsight.”
Hindsight like, “Oh, the plane made it safely to the airport on time, now we can arrest him and take his stuff”?
Re: Bottom line is this
Roberts said he eventually tested out the theory himself 15 to 20 times on actual flights. He’d pull out his laptop, connect it to the box underneath his seat, and view sensitive data from the avionics control systems.
“I could see the fuel rebalancing, thrust control system, flight management system, the state of controllers,” he said.
He told CNN he has been hacking planes loaded with passengers. That’s why he was kicked off United.
Fbi, cia, nsa,homeland security
What good is a vulnrability, if EVERYone knows about it
Sick
Hindsight
‘Hindsight like, “Oh, the plane made it safely to the airport on time, now we can arrest him and take his stuff”?’
First, you’re off-base on a few things. He wasn’t arrested. And I wasn’t commenting on the FBI “taking his stuff” (if you read my initial comment above). I was only talking about the FBI questioning him.
Re hindsight: The plane landing safely didn’t prove that Roberts had not tried, intended to, or did not actually break into the avionics, or that he didn’t discover a new method of doing so (a vulnerability which should be reported), or that he was not a threat to hack an upcoming flight, or that he didn’t alter something that would affect subsequent flights on that plane. Or that it was actually Roberts who sent the tweet. For example.
And if he had succeeded in breaking into the system, I would certainly hope there would be consequences. I don’t want even well-intentioned passengers fiddling with these systems in any way. Heck, I’m an IT guy and we’d take action against anyone poking around in our network in violation of our policy, even if we are just a public library and lives aren’t exactly on the line.
I don’t want the FBI to take a potential threat and look for every possible reason to ignore it. They’ve gotten rightly slammed for failing to connect the dots on other occasions. Roberts’ tweet was a pretty big dot.
Sounds like you’d have preferred the FBI to say, “Yeah, we’re assuming that the tweet is from that security researcher guy Chris Roberts…he’s always breaking into the control systems and whining about their hackability; he’s probably just blowing off steam and trying to get people worked up about it. Let’s not make a big deal out of this. We could go talk to him about it, but let’s just assume the best case.”
Re: Hindsight
Relying on passengers, well intentioned or not, not fiddling with these systems is a security failure, they should not be able to fiddle withe the systems full stop. When such security problems exist, one hopes that well intentioned people bring it the attention of the authorities, and one also hopes that the authorities will fix the problem., and not as in this case ignore it until at least it is made public.
A reasonable question for Reasonable Coward
What public safety laws has United broken in not dealing with this known problem? Why has the FBI not made a big hoohaa about the deliberate incompetency of United in not fixing this public safety problem? Why did they not just ignore the messenger and deal immediately with the message and those responsible for continuing to allow the public safety problem to exist?
Your attitude (like so many others in the “authority” vein) is that the message is so bad that the messenger has to be shot to protect those above.
You completely miss the point of the entire scenario – the problem was allowed to continue long after it should have been fixed. The FBI should have been beating the doors down to United first and foremost without even having to speak to Chris Roberts.
Re: A reasonable question for Reasonable Coward
I’d also want to be talking to the FAA about this. Did they know this situation exists? Why did they allow this system to even get into the air? They’re supposed to be certifying stuff like this for commercial airlines.
Re: Re: A reasonable question for Reasonable Coward
Excellent additional points.
Your response Reasonable Coward?
Re: Re: Re: A reasonable question for Reasonable Coward
As expected, not a peep out of him when challenged to give a reasoned response to reasonable questions.
I wonder if he is a lackey from the FBI PR group or from the airline PR group?
Opportunistic reporting
I work in the aviation industry. To note, and to his credit, Chris Roberts struck a goldmine in terms of media attention when he tweeted his “joke”. In my opinion, this was an opportunistic attempt to garner attention to himself and his company prior to the RSA conference. And the media hungrily gobbled up the nonsense, only to shove it down the collective throats of an even hungrier public.
Many very highly qualified people of a given airplane manufacturer’s team, the IFE provider’s team and the airline’s team work tirelessly to eliminate security issues. I’d venture they are multiple orders of magnitude better qualified than Mr. Roberts and other commentators in the matters of avionics, flight management computers and in-flight entertainment systems.
Yet, the uninformed media and consumers of the media don’t want to know this because a) it is not fun b) it does not scare anyone and c) it takes a minimum degree of intellect to comprehend.
Keep calm, and move on. Nothing to see here, and more importantly, there’s no money to be made here…
Re: Opportunistic reporting
One thing you have overlooked, kiddo, is that for all the expertise available in these men and women, they can and do quite often overlook the obvious.
I’ve done it, so have many of my colleagues and so have many we have worked with. Specialists can very easily get blind sided by the obvious. My process is to give inexpert people opportunity to use said systems and watch carefully. It is amazing what you then pick up.
I have, at various times, made suggestions to colleagues far more expert in their field than I about things I see as obvious and have many times had these same colleagues figuratively palm their faces at missing the obvious. It then becomes a simple matter for them to fix, but they first have to see the problem.
That is reality.
Re: Re: Opportunistic reporting
Ok “kiddo”. Except that these are people who engineer aircraft that safely transport 2.4 billion air travelers every year. I wonder if you have done what you said you did to this scale, and to these exacting standards. I know I haven’t, so I am not attacking you personally. This is an industry for adults who apply critical thinking at all times because this industry is completely driven by in-flight and on-board safety. To say that their expertise far surpasses these Sunday market experts would be a gross understatement.
This is what I believe is the problem here. We have a security industry that has failed everyone miserably. Sony, Target, Anthem, Home Depot etc. – the list goes on forever, and it is MY data and YOUR data that has been lost as a consequence of lousy products offered by the industry and the lousy implementation of the lousy products by those who acquire them. If the security industry did its job well, would we have seen all these breaches last year? Probably not. Instead, what does the industry do? It has a conference in San Francisco claiming that security Armageddon is nigh and all hell will break loose if corporations don’t spend even more money on buying even more lousy products.
Where am I going with this seemingly ranting statement? The aviation industry (i.e. the engineering, safety and security of the aircraft and on-board systems) has been optimized over the years by many experts in their respective fields. Opening the kimono to the Sunday market cowboys such as Chris Roberts will have as much impact on further improving the security of the on-board systems as the proverbial fly on an elephant’s rear end.
You can count on the fact that airplane manufacturers and on-board systems manufacturers are constantly optimizing their products for efficiency, safety and security. Not because they are kind souls, but because not doing so gravely threatens their commercial interests.
In my opinion, the real experts in any field are the quiet ones. They don’t tweet, they don’t speak at massive commercial conferences, their passion is their work and the goal is to 100% optimize what they do.
Please, please, see this entire episode for what it really is – an unabashed way to exploit fears to further one’s own commercial agenda.
Re: Re: Re: Opportunistic reporting
It doesn’t matter what industry (aviation, space, rail, automotive, power, pharmaceutical, medical technology, etc.) that uses highly skilled people and are supposed to be working to highly exacting standards, there are still blind spots that arise. We know this because there are major fixes that occur across all industries that are seen after the machines, systems, drugs, etc. are deployed.
This is just a fact of life. Not everyone is careful and this can be due to outside influences (including accountants, management, government regulation, banking, etc.).
It doesn’t even matter if the specific manufacturers are continually optimising their systems for efficiency, safety and security. Obvious things can and do get missed. In the above example, the problem itself can be a third party piece of hardware/software that allows the entire system down. The eventual interactions within any complex system can and does give rise to avenues that allow security to be bypassed. All it takes is for a belief that someone else has done the complete required testing and that that testing has covered all the interactions between all the systems in question. Even a change in standards can give rise to an opening up of a system.
The most difficult job to do completely is that of testing a system in every possible way. This requires a specific set of skills that are quite rare and are rarely found in highly technical people. When you find such people, they are literally worth their weight in gold but are not considered very important by management.
I have seen (in action) highly competent technical experts that have missed the obvious. Simply because they know that something should not be done a specific way and hence have not expected the suppliers, users or others to have failed in that manner.
Only if they are given the freedom to do this. Too often, it is the commercial interests of the organisation that dictate that this doesn’t happen. Deadlines, cost, etc have caused more problems for engineering excellence than incompetency in the design and development staff. It, at times, takes the squeaky wheels raising enough noise to stop the deployment of a sub-standard system.
The fact that so many systems today use computers of all sorts with the associated hardware just increases the likelihood that different interactions will give rise to “obvious” points of attack.
In my early days, I worked on systems where we found severe system limitations which only manifested itself after we started testing a completely different sub-system. In hindsight, assumptions had been made were not correct (though our testing had confirmed these assumptions). We didn’t even have to raise our access levels above the lowest levels to bring about the problem. The experts had made an assumption that nobody even in their most warped mind would ever do what we did in our testing. From our point of view, it was the most obvious way to do our testing (we were young and naive way back then).
The point is that blind spots do arise and are a fact of life and obvious things can be missed.
Yes, the commercial agenda of the FBI and the airlines.
Re: Re: Re:2 Opportunistic reporting
You make all valid points. Except the commercial agenda of the FBI – don’t see how they can be in a commercial business, unless for greater budget appropriations.
The airlines and the airplane manufacturers? Certainly – they are in business to make money. Do they do it safely? The record pretty much speaks for itself.
Re: Re: Re:3 Opportunistic reporting
All government organisations are commercial ventures – in this case, such actions by the FBI ensure the available cash is increased. They get to spend more on their business.
Re: Re: Re:4 Opportunistic reporting
Fixed your error for you
All American Government Organizations are commercial ventures.
Re: Re: Re:5 Opportunistic reporting
Ladies and Gentlemen,
I thank you for reading and responding to my posts. I do not believe there is any merit in discussing this matter further because subjectivity has overtaken the conversation (including my submissions).
Regardless, while I am thrilled to see so much concern on aircraft system’s security, I am equally disappointed that you find it so hard to hold the security industry and researchers accountable for their abysmal failures over the recent few years. Certainly, there is enough blame to go around when it comes to data breaches, but to ignore the elephant in the room is simply bad form and further shames this industry segment.
Again, thanks. I can only hope that something good will come out of this episode and the good guys’ voices across the spectrum are not drained out by armchair cowboys and backbenchers with no expertise in these matters.
Good luck!
Re: Re: Re: Opportunistic reporting
You are conflating security researchers with the security industry. Security researchers are more academic in nature and discover attack vectors or vulnerabilities that have not yet been discovered. Researching vulnerabilities isn’t the same as selling a product.
The idea is to have the good guys find 0-days and get the vendor to patch them before the bad guys can weaponize them.
Re: Re: Re:2 Opportunistic reporting
Wait a second. Conflating security researchers with the security industry? Well, Mr. Robers does work for One World Labs, doesn’t he – https://oneworldlabs.com/team/ ? They are one and the same. The industry keeps the researchers going and the researchers keep the industry going. A vicious circle, and ample examples exist in this industry and others. Apologies, but I just don’t see the difference. Money motivates them and drives them. That simply is not a good motivator.
They are a business, and their goal is to make money. If they were doing this out of the kindness of their hearts and because their pure motivation was to make aviation safe, they’d be academics, and their approach to this issue would be vastly different.
Re: Re: Re: Opportunistic reporting
“We have a security industry that has failed everyone miserably. Sony, Target, Anthem, Home Depot etc.”
Is it the ‘security industry’ that has failed miserably here or is it Sony that has failed to hire the required security experts, pay them appropriately, and follow their recommendations because they’re either too cheap or don’t want to be inconvenienced by security to do so. Saying that one company failed at security is different than saying it’s a ‘failed industry’. The industry doesn’t owe this one company free security fixes to their insecure network just because Sony did things that any security expert would tell you shouldn’t be done either out of convenience or out of their unwillingness to pay an expert. Security costs money. It causes inconvenience as well (ie: the need to type in passwords). If a company is cheap and lazy that’s their own faults.
Re: Re: Re: Opportunistic reporting
“We have a security industry that has failed everyone miserably. Sony, Target, Anthem, Home Depot etc. – the list goes on forever”
Those are not examples of failure by “the security industry”. Those are failures by the companies that were breached. Unless you are asserting that the security industry has the power to force others to engage in good security practices…
Re: Re: Re:2 Opportunistic reporting
John, may I suggest that your assertion is half valid? There is no doubt that responsibility is jointly owned by those purchasing the security apparatus and services and by those companies touting the same.
Companies that suffer data breaches or create serious security concerns for anyone due to lax governance/security/standards should be held accountable to the highest standard. Equally, security companies need to be held accountable and responsible for producing lousy products. Unfortunately, nothing makes a company produce a better product than the threat of significant monetary losses, and this statement works both ways i.e. the security products consumer and the security products producer.
Not recognizing this as a problem is akin to the proverbial ostrich with its head buried in the sand.
Re: Opportunistic reporting
Get better security researchers, Mr. “I work in the aviation industry”
Your researchers felt it safe to allow passengers not only logical access to one of the plane’s control systems, physical access to much more sensitive information with much more catastrophic possibilities were it exploited.
It’s people like you, the “nothing to see here folks, move along” ones that sicken me. People like you ensure we live in a more dangerous tomorrow filled with fear mongering, security theatre, and most importantly, LACK OF ACTUAL SECURITY.
Re: Re: Opportunistic reporting
Zero value comment. “People like you”? What a nasty statement. I am advocating and always have advocated continually improved safety and security standards. Just not by under qualified and glorified security researchers, who incidentally, have failed the public in the last decade.
You, sir, are prone to hyperbole. Please drink a glass of water and relax.
Re: Opportunistic reporting
“I’d venture they are multiple orders of magnitude better qualified than Mr. Roberts and other commentators in the matters of avionics, flight management computers and in-flight entertainment systems.”
Perhaps so, but what Mr. Roberts was talking about was security, which is something that he is qualified to discuss.
Re: Re: Opportunistic reporting
I don’t want to attack Mr. Roberts. After all, he has to make a living. However, I’d really like to understand (as should you) how he and his compatriots in the security industry fared over the last five years when we were subject to a huge number of data breaches. Some examples are Sony, Anthem, Target, Home Depot. So how did the industry fare, and how did these security consultants do?
Note that I am less inclined about protecting the aviation industry. I’m just more curious about the credentials of these security researchers and security companies, who really have failed and failed miserably at protecting personal and corporate assets. Bottom line is that I don’t believe a word they say because nothing they say is not under the umbrella of commercial interests.
Re: Re: Re: Opportunistic reporting
Security is a massive field and it’s silly to disregard the work of security researchers in general because they haven’t solved Internet security.
It’s also important to note that many security researchers or prospective security researchers have been intimidated away from the field due to heavy-handed and capricious enforcement of existing computer crime laws by prosecutors that have track records of driving their targets to suicide.
Re: Re: Re:2 Opportunistic reporting
It is even sillier to tweet that he could release the oxygen masks, or do you suppose that is construed to be good humor? What would your reaction have been had you been sitting next to him or behind him with your family, and you had no idea who he was and/or what he was capable of?
Please don’t get me wrong, but I have little to no faith in the security industry and/or these commercial security researchers. The various mega breaches in 2014 are ample evidence that whatever the industry and these researchers are doing is simply not working.
Social media seems to have given people the leave to commit incredible acts of narcissistic stupidity – look at me, I’m so awesome, I can do this to a commercial airplane (which, in fact, he couldn’t).
Legitimate research has its roots in academia. I support it and salute it. The term seems to be loosely used by commercial interests – they will not research any bloody thing unless it has clear financial benefit attached to it.
To be clear, if MIT, Georgia Tech, UoW Madison, UC Berkeley, CalTech etc. came out and conducted an academic study of the security within a commercial aircraft environment and reported it so the faults, if any, could be addressed, the world would welcome it.
I’m not a government or airline or airplane manufacturer lackey. It’s just that I’ve been in the tech industry for 26 years now, and I have the experience to see through red herrings.
Re: Re: Re:3 Opportunistic reporting
Except he didn’t threaten to drop the oxygen masks. Quoting from an earlier post:
“2) ‘PAS-OX-0N’ is a device that sends a signal to the IFE that causes the IFE to shut down. The IFE can’t cause the passenger oxygen masks to drop.”
Yes, his tweet included the word oxygen, which easily could have been an autocorrect insertion.
My reaction sitting next to him would have been a non-reaction, as he tweeted his edgy joke and it’s ridiculous to assume I’d even know the Twitter handle of a random stranger.
Assuming I did see his tweet if I were on the same flight, I’d likely assume it was an inside joke as I didn’t even know what EICAS was before all this. I’d provably eyeball things to make sure nothing odd happened, but I wouldn’t panic.
You keep referring to him as a commercial researcher. If that was true, he’d be seeking remuneration for his disclosure, not going from conference to conference to on his findings.
Regarding social media and narcissism, I fail to see how his tweet was narcissistic. For someone to make a joke to bait observers in-the-know into a reaction is more so a function of his profession and his personality.
Regarding research and legitimacy, it’s unreasonable to assume all brilliant minds that want to research must only do so within a societal institution. Brilliant minds are to be cherished, not given financial and bureaucratic barriers too stymie public-interest work.
I’m confused as to why this research would’ve been more palettable to you were the researcher doing so on behalf of a university as opposed to doing so on behalf of himself, but in the public interest.
Re: Re: Re:4 Opportunistic reporting
“I’m confused as to why this research would’ve been more palettable to you were the researcher doing so on behalf of a university as opposed to doing so on behalf of himself, but in the public interest.”
And how do you suppose that a tweet about releasing oxygen masks on an airplane full of passengers is in public interest. If Mr Roberts were not so narcissistic (judging by his subsequent media dabbling), I’d think he was stark raving mad.
I have intense respect for academics because their quests are dedicated to learning and solving. That is undisputable.
Money brings a different dimension into play – includes greatly vaulted traits such as lying, cheating, truthiness, and of course, tweeting about how much power you have over a hapless Boeing aircraft.
In order for me to be convinced that Mr Roberts is simply not an opportunist, he need to publish his findings in a technical paper that experts can peer review. Until that happens, well, you know.
Re: Re: Re:4 Opportunistic reporting
His tweet:
“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”
Are you seriously stating that his tweet suffered an autocorrect incident? If so, I have only this to offer: https://www.youtube.com/watch?v=BvJF0j-RLxk
Re: Re: Re:3 Opportunistic reporting
You’re missing the point of the problem here. It’s not necessarily that the security folk don’t know what they’re doing. It’s that companies resent having to spend money on them. They want to buy politicians and gulfstream jets and lawyers. They don’t want to hire us smelly geeks who can’t even speak English considering the mumbo jumbo we babble on about. Sony has been hacked numerous times over the years because they despise “wasting” money on IT.
In your average corporation, IT is considered a cost center, as in a drain on the bottom line. How is something that enables the business to reduce costs and increase sales via connectivity and computerized efficiencies a drain on the business? They’d rather spend it on marketing and advertising, jet setting around the world getting face time with stakeholders and partners, while we run from problem to problem applying bandaid fixes to what we can of it before we have to run off to fix the next imminent disaster; lather, rinse, repeat.
They think we went through all that Y2K stuff as a scam, ’cause once 2000 rolled around, no disaster! Well, yeah, we fixed all that broken stuff, or at least all we could find of it! They don’t believe us and still resent that we somehow pulled a fast one and got away with something sneaky and underhanded.
Yet we’re just a bunch of too expensive, prima donnas, smelly, socially inept geeks who can’t even converse with normal people.
Re: Re: Re:4 Opportunistic reporting
I’m a geek, though I’ve lost that odor problem a while back. I’m afraid you are correct, though. Many companies will balk at the thought of spending money on systems’ security and the engineering talent to keep things sane.
However, I find it rather hard to digest that the two largest engineering manufactures of commercial aircraft, who also happen to engineer and build military aircraft would turn away from security. If anything, their ranks almost all the way to the top are replete with smelly lovable geeks.
Re: Re: Opportunistic reporting
John – I neglected to address your primary remark on my statement. Mr.Roberts was indeed talking about security.
My statement below intrinsically implies that systems and data security is part and parcel of the engineering effort of these systems. Judging by his public statements, I’d venture that Mr. Roberts does not have keen knowledge of aircraft systems. Again, no disrespect intended to him. I am only stating what I believe to be a fact, and in this case, would love to be proven wrong.
“I’d venture they are multiple orders of magnitude better qualified than Mr. Roberts and other commentators in the matters of avionics, flight management computers and in-flight entertainment systems.”
Re: Re: Re: Opportunistic reporting
I’m sure there are, but it still doesn’t mean that they won’t miss the obvious attack vectors. See previous post above.
Re: Re: Re:2 Opportunistic reporting
I’d like to suggest that your statement is an obviousity.
Re: Re: Re:3 Opportunistic reporting
As it was intended.
Re: Re: Re: Opportunistic reporting
“I’d venture they are multiple orders of magnitude better qualified than Mr. Roberts and other commentators in the matters of avionics, flight management computers and in-flight entertainment systems.”
They were apparently not qualified enough to catch this vulnerability but Mr. Roberts was. Your subjective opinion about how unqualified he is in opposed to the ‘experts’ being paid to secure everything is irrelevant to this discussion. He was qualified enough to find said vulnerability and that’s all that matters here.
Re: Re: Re:2 Opportunistic reporting
And the vulnerability was what? And the evidence is where? In a tweet? Honestly, I have not seen a paper published by Mr. Roberts that details the vulnerability and how to reproduce it. If you have, please be so kind as to publish a URL for my perusal.
am I the only one?
If I understood correctly due to this flaw it would be totally possible to orchestrate
an accident EXACTLY like the German Wings in the French alps?:
-open/ lock doors
-spoof altitude information…
you can think I am sick, but this is the first thing that came to my mind…
please confirm with Chris Roberts,
-Do I need to sit in the plane to do the hack? or just plant a software in any passengers laptop…
(you can remote control a patsy/bot right?)
Re:
Yeah garbage. It is criminal that the aircraft can take off with such a vulnerability (if a researcher tweeted “there’s something wrong with the fuel line DON’T TAKE OFF” he would be a hero).
This is a fairly typical situation, when people in positions of authority are confronted with how much they DON’T know their usual response is to get aggressive and act poorly. In my experience most organisations arent prepared for cyber and they arent happy when its bought to their attention.
The researcher should have known this, I would NEVER attack a client network (or even discuss it) without my get out of jail free card but having said that I’ve pen tested planes in flight and not been on one with a vulnerability, if i was I would yell about it just like he did.
Re: Re:
“arent prepared for cyber”
You should be shot for using that annoying buzzword.
Re: Re: Re:
Ignoring the use of the horrible “cyber-” prefix, what does “prepared for cyber” even mean?
Come on people, use some common sense. Sure, TSA is a joke, but everyone knows not to tell the screener that you could easily get a bomb on board if you wanted to. Everyone knows what would happen if you did that. If you don’t think that, next time you fly, tell the screener that you could put a high explosive gel in your luggage and they would never stop it and see what happens.
Alex Baldwin got thrown off a plane for tweeting how bad the service was on a plane, tweeting that you could hack into the planes system? Yeah, not a good idea, at least if you want to continue on the plane. I don’t have a problem with his tweet, but his execution leaves much to be desired. Waiting till he was off the plane and issuing the same tweet would have been just as effective, and he wouldn’t have been delayed.
I admire what he did, but would you really expect any other reaction?
Re: Re:
Common sense is in short supply these days.
I wouldn’t dare say that TSA is a joke, I’m too busy making sure necessary body parts, keys, cash etc are still on my person after they get finished groping me.
FYI Alec Baldwin is an idiot, a rich, overly coddled idiot but still and idiot despite the fact that some of his movies are actually watchable.
And the whitehat computer genius, if he was truly a genius he would have spoofed the tweet so it appeared to come from Ted Cruz’s Twitter account.
Nice work United Airlines! Not all publicity is good.
Well I agree with the Feds he didn’t have to tweet that information he could have CHOOSE NOT TO PUT THAT COMMENT ON SOCIAL MEDIA he wanted the attention or you don’t post it for others to see. Good for the Feds and airlines for taking precaution better to be concerned then not at all. That researcher should no better anyways. I will fly American still and we should be thankful that they are trying to protect innocent passengers it may have been a false scare but what the researcher did was raise a red flag which requires action to insure safety! This is really ridiculous !!!!
Re: Re:
The only ones it scared were the Feds. Doesn’t matter that the info was ALREADY PUBLIC and that the researcher was going to present on related research findings on a BSides conference. Nope. A tweet is somehow worse than a recorded presentation that’s uploaded to YouTube or technical instruction manuals freely readable online.
Re: Re: Re:
Tweets get a lot more notice from the general public and spread over a wider network than do the contents of a potentially dry and boring conference presentation.
His initial tweet was;
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? 🙂
And 100 tweets later we get;
hey homies dis white muthafucka say his schmoooove ass can blow up a plane wit just a cold-ass lil beeper
And every gangbanger in East LA is looking to make his bones by taking out a United Airlines 737.
Almost makes me wish Volvo made commercial aircraft.
Do you not understand what Internet trolling is? No one speaks like that seriously that thinks of hacking as anything other than black magic.
It doesn't work that way
The 737-800 does not have EICAS and does not use an ethernet/wifi connection for any of its flight systems. The only ethernet/wifi network onboard is the in flight entertainment/in flight internet. So, to people questioning why the flight critical systems/warning lights/etc. are connected to the wifi, they aren’t which is one of the reasons his statement is complete nonsense. Most of the “digital” connections on a 737-800 are ARINC 429 which is a completely different kind of interface from Ethernet. The “researcher” found the in flight entertainment interface, didn’t understand what he was seeing, and made a stupid comment that demonstrated that fact. It would be equivalent to finding your cable modem on your local network (with a label like “Modem-Comcast-1234”) and tweeting about how you’re going to hack the ECU of your neighbor’s car parked across the street.
Re: It doesn't work that way
He never said he could access the critical systems over WiFi. He said he could access critical system data through a physical connection to a “box” located near his seat on other flights. He said this on the air on CNN.
Chris Roberts: Credibility? Shattered! - Security UNprofessional!
The shocking thing here is a so-called security expert not first contacting Boeing and UAL with a Security Vulnerability Report and allowing them time-to-fix before going public! Multi-billion-dollar corporations that manufacture or integrate computing devices (Boeing – avionics, UAL – passenger wifi) have procedures for handling device vulnerabilities such as this one. They prioritize and resolve them quickly and quietly to avoid 0-day attacks. Every white-hat hacker knows this, so why doesn’t Chris Roberts? A “security industry expert” would not do something as reckless as making a public announcement of a newly discovered vulnerability (but a black-hat hacker would). His actions are as hostile as anyone else providing specific procedures to terrorists on how to bring down an airplane. The FBI investigating this guy’s motives is clearly in the flying public’s best interest. Now, and until he is proven to NOT have ties to terrorism, I would not fly if he was a passenger. So United placing him on a no-fly list is also in the public’s best interest. Kudos to FBI & UAL!
Clarification
Guys,
I find it really amazing that so many people are so panicked about this.
Having worked in aviation DTE (Developmental Test), OTE (Operational Test), and Avionics Systems Design for nearly 20 years, I call bullshit on this guy.
I have worked on and co-developed some of the protocols used in ARINC based Ethernet before it was even standardized under ARINC.
To me there is no reason for Boeing, Airbus or any of the other companies to respond to this shill. He is seriously full of shit. Sorry guys but no way you are gaining flight control or any other control of an operational aircraft system. PERHAPS, one could should down the In-Flight Entertainment system but that is about it and all that would do is tick off fellow passengers.
The guy doesn’t even understand how the messaging protocols work. Just because a signal (message) is sent to and read by the IFE doesn’t mean the IFE can send a message back.
I’m being deliberately vague as to why this is simply not possible, but I suppose one can google up on Avionics bus communication protocols/messages and be able to figure it out quickly.
Even if you were highly knowledgeable and were able to tap into the some part of the avionics buss, mux, communications, chances are you will corrupt the channel (and it would thus be shut down) before you could even communicate with a device on the bus/network.
Last thing I feel that should be stressed…if you are worried about the physical security of an airplane you shouldn’t fly. And to replace firmware on a plane someone will need physical access to the avionics bays/areas.
Seriously, there are so many better, cheaper, faster ways to do something nefarious or destructive to a plane if someone who wishes to do ill has unfettered access to it. No reason to even hack the firmware.
I still fly so that should tell you something. However if I was flying with this guy…I would have reported him as he is an ass.
There is seriously nothing to see here aside from the guy being an idiot. I don’t wish any ill will towards the guy but I think he doesn’t have a clue. BUT if we should ever be at the same conference together I will take him to task!
Re: Clarification
AE-One – well stated. People just don’t want to hear the facts because they are usually not fun/scary and there’s no money to be made. Mr Roberts concocted a story and has provided zero peer reviewable evidence to back up his claims.