FBI Investigating Chris Roberts For Hacking Flight WiFi, Taking Control Of Engines

from the how-is-this-possible? dept

I'll be honest: when I wrote about Chris Roberts being detained by the FBI for tweeting about hacking his flight's WiFi, I reacted with a great big eyeroll. On the one hand, security researchers like Roberts look for these vulnerabilities all the time and it's quite helpful when law enforcement and airlines learn about potential avenues for threats. On the other hand, Chris Roberts is quite obviously not Al Qaeda. The whole thing appeared to be a reaction to embarrassment that the vulnerability had been allowed to exist, rather than any belief that Roberts was in any way a threat.

But if Roberts is to be believed, he did something really stupid on previous flights: he used his WiFi hack to manipulate the plane's engines.

During two interviews with F.B.I. agents in February and March of this year, Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane’s thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant.

“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” said the affidavit, signed by F.B.I. agent Mike Hurley.
If true, that would go way beyond identifying exploits, mentioning that you could drop the oxygen masks, or really anything else that deals with in-flight wireless hacks. If the affidavit is to be believed, Roberts dangerously manipulated the flight's equipment, potentially putting everyone aboard at risk. We have only the FBI's word for all of this, of course, but the feds are certainly behaving as though Roberts both said all of this and that he's not simply making fictional claims.
Roberts, who has been interviewed at least three times by the F.B.I. this year, is under investigation for allegedly hacking into the electronic entertainment systems of airplanes, according to an application for a search warrant to probe seized electronic equipment. The document shows F.B.I. agents investigating Roberts believe he has the ability to do what he claims: take over flight control systems by hacking the inflight entertainment computer.

“We believe Roberts had the ability and the willingness to use the equipment then with him to access or attempt to access the (inflight entertainment system) and possibly the flight control systems on any aircraft equipped with an (inflight entertainment system) and it would endanger the public safety to allow him to leave the Syracuse airport that evening with that equipment,” sates the warrant application.
Roberts, for his part, has at least suggested to a Wired reporter that the FBI is twisting his words:
“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” he said. “It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.”
That still doesn't say he didn't do it, though.

As with too many of these stories, the end result is that we have absolutely nobody to root for. To be fair, Roberts has been warning the airlines and the feds about these exploits for years, without any of it generating much attention. His purported stunt has suddenly brought a little light to what is obviously an untenable security risk, which doesn't in any way excuse manipulating an engine mid-flight. That, plainly, is insane, and I don't think it can be argued that it's an action that deserves punishment. On the other hand, Roberts still isn't Al Qaeda and the end result of all of this may be that planes are safer. Intentions matter, after all.

As for the federal government and the airlines: are you kidding me? You're telling me that not only was all of this possible, which is crazy at the outset, but they had been warned about it and had done nothing? Crazy as it sounds, everyone should be thanking the universe that Chris Roberts was the one manning the keyboard on these flights instead of someone with more nefarious intentions. The feds and the airlines should have simply hired Roberts to battle these vulnerabilities rather than letting it get to this point. Instead, we learn this way that it may indeed be possible to get control of a flight through a plane's WiFi. And we learn that law enforcement and the airline's chief strategy to deal with that fact was to pretend it didn't exist.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    GMacGuffin (profile), 18 May 2015 @ 2:25pm

    Did none of these folks learn anything from BSG?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 May 2015 @ 6:19pm

      Battlestar Galactica

      Even if you spelled it out as Battlestar Galactica it would probably only generate blank stares
      The willingness to connect critical infrastructure in ways that makes them susceptible to infection or compromised in other ways is worse in real life than in BSG.

      The security theater introduces security holes such as "golden keys"
      The security theater prevent fixing of security holes by harassing researchers
      The security theater doesn't fix, it fondles
      It serves no function; it is fake, and waste resources



      If the problem have been reported by the researcher for years, who have known it, and for how long? Why are no-one in the security theater arrested?
      Why are the planes not grounded? How large persentage of those aircrafts could be downed; even without those responsible being aboard the planes?

      reply to this | link to this | view in chronology ]

      • icon
        nasch (profile), 19 May 2015 @ 6:41pm

        Re: Battlestar Galactica

        Even if you spelled it out as Battlestar Galactica it would probably only generate blank stares

        It got a funny vote from me.

        The willingness to connect critical infrastructure in ways that makes them susceptible to infection or compromised in other ways is worse in real life than in BSG.

        Although in real life it can't result in the destruction of the human race.

        reply to this | link to this | view in chronology ]

  • icon
    Spike (profile), 18 May 2015 @ 3:21pm

    If you can't test commands to see if you are controlling such a vulnerable system, your words are as good as hot air. Also any captain/first officer should have caught on about such a supposed glitch in the matrix (engine) and reported it on record. It appears the FBI has nothing on him but his past notes on this subject and is taking things out of context.

    Also, how would you research on real aircraft legitimately? What special position would you have to be in to spend hours researching vulnerabilities on production aircraft? One job thats extremely hard to get given all the clearances required. Despite that, the FAA should be hiring this guy rather than allowing the FBI to attempt to destroy him.

    reply to this | link to this | view in chronology ]

    • icon
      doughless (profile), 18 May 2015 @ 6:20pm

      Re:

      Another thing the feds seem to be ignoring (maybe they're not, but it doesn't sound promising), is that because Roberts exposed that he could control a real aircraft means that he potentially saved real lives. That definitely outweighs the risk he took, especially because he already tried to go through the proper channels. If he had simply given up, and any terrorists had found this vulnerability, this entire news story would instead be about how planes were smashed into buildings again.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 May 2015 @ 3:22pm

    I'm reserving my judgement.

    The only easily belivable element of the story right now is that statements were taken out of context and amplified by fear mongering media. The rest is speculation. Let's see where the investigation will go.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 May 2015 @ 1:23am

      Re:

      Why? The FBI is not above lying under oath in a court of law. Or Congress. So why should we take their word? The FBI cannot be trusted at all.

      reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 18 May 2015 @ 3:26pm

    From bad to worse

    The idea that he may or may not have taken control of the engines of a plane mid-flight? That's bad.

    The idea that that's even possible? That is so much worse.

    Forget investigating him, they should be going after whatever morons programmed that system such that that was possible, and the airline execs for ignoring the warnings about such a massive vulnerability.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 May 2015 @ 3:32pm

      Re: From bad to worse

      Come now, shooting the messenger is the best way of dealing with warnings about problems, and action is only needed after a disaster due to the problem occurs.
      /s

      reply to this | link to this | view in chronology ]

    • icon
      JMT (profile), 18 May 2015 @ 6:26pm

      Re: From bad to worse

      The claim is that he did it via the entertainment system, which just adds another whole level of insanity.

      At this point I'm simply not inclined to believe this actually happened until an airline or aircraft manufacturer confirms it through their own testing. It just seems so crazy that it's even possible, and that the FBI are simply taking his word for it.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 May 2015 @ 6:50am

      Re: From bad to worse

      It's not the programmer that put the entertainment system on the same network as the flight control system.
      This is like the old discussion on why critical control systems (at nuclear power plants, etc) are connected to the internet.

      reply to this | link to this | view in chronology ]

      • icon
        nasch (profile), 19 May 2015 @ 9:31am

        Re: Re: From bad to worse

        It's not the programmer that put the entertainment system on the same network as the flight control system.

        Indeed, if there is any physical connection at all between those systems, or any way to control flight systems wirelessly by any means, that is a disaster waiting to happen. I hope that part of the story is incorrect.

        reply to this | link to this | view in chronology ]

  • icon
    Spike (profile), 18 May 2015 @ 3:28pm

    It would be extremely embarrassing for the entire industry if such security vulnerabilities indeed exist, but rather than work with the guy they would rather muzzle him. What happens when the wrong person figures it out as a best kept secret?

    reply to this | link to this | view in chronology ]

  • identicon
    That One Other Not So Random Guy, 18 May 2015 @ 3:29pm

    His actions are moot

    "Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane’s thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant."
    -
    No one sees a problem with an "entertainment system" having access to flight and system controls? How stupid can you get.

    reply to this | link to this | view in chronology ]

  • icon
    DB (profile), 18 May 2015 @ 3:47pm

    It is not credible that the engine and navigation control systems are networked to the in flight entertainment.

    Airbus is known to use an Avionics version of Ethernet: http://en.wikipedia.org/wiki/Avionics_Full-Duplex_Switched_Etherneth

    The networks might be electrically connected. But the configuration and routing between sections is fixed. It's pretty much a static VPN configuration, which only lets subsystems communicate with designated peers. This is part of the bandwidth control and fault isolation as much as for security.

    Much like the story that typing a certain sequence of numbers into an ATM will dispense free cash, it's not physically impossible. But it's an extraordinary claim that requires simultaneous investigation and skepticism.

    reply to this | link to this | view in chronology ]

    • identicon
      Jake, 18 May 2015 @ 5:18pm

      Re:

      What I suspect is happening is that some instrument readings are being transmitted to the airline's headquarters, and it's using the same downlink as the in-flight entertainment system because the hardware to give an airliner Internet access is neither small nor cheap.

      Quite possibly some deep packet-inspection could let you see those instrument readings for yourself if you really wanted to, because why would anyone bother encrypting it?

      As for the part about taking control of the engines, well, frankly I suspect either Chris Roberts or the FBI spokesperson was indluging in a bit of hyperbole there.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 May 2015 @ 5:18pm

      Re:

      And VPNs have never been breached, so...

      Oh wait: they have.

      If the avionics aren't air-gapped from entertainment, then there's a way. It's only a question of what that way is. My money's on a leftover debugging/installation code that someone forgot to turn off in a production software build.

      But we're not going to find out. He's going to tracked down, arrested, and Schwartzed by aggressive federal prosecutors -- in order to ensure his future silence and to deter everyone else from independently investigating aircraft security. The airlines will deny it all, the feds will back them, and everyone will pretend that it never happened, that it wasn't possible for it to happen, that it never could happen...

      reply to this | link to this | view in chronology ]

      • icon
        Richard (profile), 19 May 2015 @ 3:16am

        Re: Re:

        If the avionics aren't air-gapped from entertainment, then there's a way.

        There's also a way for the entertainment system DRM to crash the plane- after all the content companies freaked out when it was suggested that they should allow an exemption to DRM anti-circumvention laws for safety reasons.

        reply to this | link to this | view in chronology ]

  • identicon
    RR, 18 May 2015 @ 3:48pm

    sources?

    Did he say those things or did the FBI say he said those things? This is the last place I expected to be so trusting of the government. Other articles are saying he hacked into a flight simulator. That he built himself.

    To me, it's just s bunch of people cranking the hype machine up to full speed. For the sake of hype.

    reply to this | link to this | view in chronology ]

    • icon
      Mike Masnick (profile), 18 May 2015 @ 3:52pm

      Re: sources?

      Did he say those things or did the FBI say he said those things? This is the last place I expected to be so trusting of the government. Other articles are saying he hacked into a flight simulator. That he built himself.


      We expressed skepticism for the FBI's story in the piece -- but note that it's important to know more before deciding what really happened here. I think, frankly, that we expressed a lot more skepticism of this story that most of the media reporting elsewhere did.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 May 2015 @ 4:52pm

    > But if Roberts is to be believed, he did something really stupid on previous flights: he used his WiFi hack to manipulate the plane's engines.

    > He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command.

    Hmm... stupid... to manipulate a plane's engines while in the air - and in the plane. ... Unless, of course he's studied his Agrippa, which he has.

    If he knows enough to issue a specific command, I would wager he knew enough to be able to cancel it on command as well.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 May 2015 @ 6:05pm

      Re:

      Hmm... stupid... to manipulate a plane's engines while in the air - and in the plane. ... Unless, of course he's studied his Agrippa, which he has.
      Either way, very stupid to admit to it. Flight recorder data isn't retained forever, so it's unlikely the authorities could prove anything if he kept quiet.

      reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 19 May 2015 @ 9:33am

      Re:

      If he knows enough to issue a specific command, I would wager he knew enough to be able to cancel it on command as well.

      That assumes he had some kind of accurate simulator to practice on. Otherwise he was experimenting as he went.

      reply to this | link to this | view in chronology ]

  • icon
    Nate (profile), 18 May 2015 @ 5:18pm

    This doesn't pass the sniff test.

    For one, I don't believe you can get from the in-flight entertainment system to the avionics. That is such a dumb idea that I have trouble accepting it.

    But even if you could, do they really expect us to believe that this penetration wasn't identified and then backtracked to the entertainment system?

    A simple crosscheck of the passenger manifests of a couple of the hacked flights would have turned up this guy's name. A Google search would have revealed his occupation.

    And no one ever thought to do that basic investigation?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 18 May 2015 @ 11:03pm

      Re:

      For one, I don't believe you can get from the in-flight entertainment system to the avionics. That is such a dumb idea that I have trouble accepting it.

      Management can ignore the advice of their engineers, and order them to do dumb things so as to cut costs and increase profits.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 May 2015 @ 9:36am

      Re:

      The event has to be detected before investigation can begin. It seems like he confessed as opposed to being sniffed out.

      Also, the article states he did this over Wi-Fi, but my understanding was he manipulated the transceiver boxes used for the in-seat infotainment (you know, the little TV screens that show where you are and give the the option to watch several shitty video streams) underneath the seats he was in. I doubt Wi-Fi is actually connected to anything but a radio for offloading the traffic from the plane.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 May 2015 @ 5:25pm

    Really, we just believe him?

    While I agree that this article is showing more scepticism than most (or maybe all) similar articles, promoting the thought that that he should be hired when all he has done is make unsubstantiated claims is kind of over the top. Particularly when you haven't had input from independent aviation experts. You are lending him credibility that he hasn't proven.

    There may be evidence that he tampered with some under seat IFE boxes which would be worth investigating and everything else is misunderstood / exaggerated for effect by one side or the other.

    reply to this | link to this | view in chronology ]

  • icon
    Kaemaril (profile), 18 May 2015 @ 6:00pm

    I can't help feeling that if there were any evidence to show that he had done this - or even could do this - in real life, he'd already have been deposited in a nice secure cell while some prosecutor somewhere spent a few months pouring through his or her law books trying to sum up every single thing he could possibly be charged with and seeing if they could get the maximum possible sentence to get into triple figures ...

    On the other hand, as he's saying he was taken 'out of context', I wouldn't be at all surprised if he'd had a nice rambling conversation with some FBI agents during those interviews, mentioned what he thought the dangers might be, how interference could be technically possible, remarked how he might have had some initial successes in simulation etc ...

    And then the FBI drew up an affadavit using the scariest-sounding bits they could find - with 'in simulation' omitted - to get a worried judge to sign off on things.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 May 2015 @ 7:27pm

    what kind of idiotic design decisions lead to the flight entertainment system being connected to the flight/engine control systems?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 May 2015 @ 12:30am

    expose the governmental and or corporate misdeeds and you find yourself targeted by the whole corrupt system.

    God bless police state America, or along those lines.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 May 2015 @ 1:35am

    they just want to Guantanamo him.
    either they misplace his words or they will torture him to say it.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 May 2015 @ 4:04am

    Something smells fishy

    “He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” said the affidavit, signed by F.B.I. agent Mike Hurley.

    ..."he thereby caused one of the airplane engines to climb"... what.

    The engines have no "climb" command, it's only increase or decrease thrust. Increasing thrust to the engines can be used to make the airplane climb, so it might be just the FBI confusing the terminology, but I doubt that the "increase thrust" command would be called "CLB". And a true "climb" command to the autopilot would increase the thrust of both engines, not just one.

    The most probable explanation is that, since the FBI agent didn't understand what he was told, he mixed together several concepts in his mind. Which puts the reliability of his affidavit into question.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 May 2015 @ 9:41am

      Re: Something smells fishy

      People don't understand modern airplanes, that's all. Not terribly surprising. It is similar to when the FBI talks about.. well pretty much anything that isn't related to orchestrating a terror attack so they can put a stop to it or violating the Constitutional and natural rights of the american people.

      The autopilot could be put in a climb mode, or perhaps a mode setting in the digital flight director. TOGO power could have been selected in the engine as well. This nonsense about flying sideways (in proper terms an aircraft with an engine on one side producing more thrust than the engine on the opposite side of the craft would cause yaw due to differential thrust)

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 May 2015 @ 10:01am

      Re: Something smells fishy

      Now that I think about it, you're right.

      If he actually manipulated an engine in-flight he should be charged with recklessly endangering safety, no matter how good his intentions were. But yeah, something seems wrong with this explanation.

      I suppose it's possible that when the "climb" command is issued, the command is passed to several components and they react appropriately. So the engines get the "climb" command and they increase thrust, the wing gets the "climb" command and it changes its shape, etc. So if you send the command to only one engine instead of all the components, it alone increases thrust. This seems like an odd way of doing things, though. Why wouldn't all that be processed centrally? There's no reason for the engine to know anything except how much thrust to produce.

      It's much more likely that the FBI agent did not understand what he was being told. Too bad they don't record the conversations so we could know for sure.

      reply to this | link to this | view in chronology ]

  • icon
    scatman (profile), 19 May 2015 @ 6:09am

    "everyone should be thanking the universe"?? Why not just thank feces...it's just as pointless. Silly Timothy, when will you learn? Jesus Christ loves you the most.

    Anywho...we won't have safe air travel until all travelers, on all airlines worldwide, are forced by international law to fly buck naked.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 May 2015 @ 7:51am

    wtf?
    Planes do not fly sideways.

    reply to this | link to this | view in chronology ]

  • icon
    aldestrawk (profile), 19 May 2015 @ 5:20pm

    IFE network is connected to the Avionics networks

    After reading the comments, I see there is some skepticism here about the fact that, on more modern aircraft, the IFE network shares the same network cabling as the avionics network(s). It is true. This was done to save weight despite the fact that you can no longer use the best security, which is a air-gapped networks. The aircraft manufacturers, such as Boeing, claim that the security they have in place in sufficient. They claim that even if a passenger laptop is connected to the IFE, no packets can be injected into the avionics networks. They probably have a network switch which is set to filter out any packets coming from the boxes under the passenger seats. What they probably really mean is that no conversations can be initiated from the seats as a lot of common protocols, including those used for the IFE, involve packets sent from these seats. Such a system can be secure, but I would be very nervous about proclaiming this set up to actually be secure. One of the possible vulnerabilities are commands to the network switches themselves to change the filtering.

    Not only is there common cabling between the networks, but the manufacturers have moved away from a proprietary protocol stack and are using TCP/IP on top of a modified Ethernet protocol. This allows someone, with a little knowledge, to connect their laptop to the box underneath the seat. [Please note, Timothy Geigner, that this does not involve the WI-FI network] Undoubtedly, the FAA, and the aircraft manufacturers, have put some effort into assuring passengers can't affect any of the avionics controls or sensors. The question is, have they done enough? Since the industry is also relying on security through obscurity by keeping the details secret, it makes it hard for independent researchers to confirm this.

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 19 May 2015 @ 5:49pm

      Re: IFE network is connected to the Avionics networks

      This was done to save weight despite the fact that you can no longer use the best security, which is a air-gapped networks.

      So it will probably take hundreds of deaths to get them to air-gap the two systems. Hopefully the security is good enough that it doesn't come to that.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.