FBI Investigating Chris Roberts For Hacking Flight WiFi, Taking Control Of Engines
from the how-is-this-possible? dept
I'll be honest: when I wrote about Chris Roberts being detained by the FBI for tweeting about hacking his flight's WiFi, I reacted with a great big eyeroll. On the one hand, security researchers like Roberts look for these vulnerabilities all the time and it's quite helpful when law enforcement and airlines learn about potential avenues for threats. On the other hand, Chris Roberts is quite obviously not Al Qaeda. The whole thing appeared to be a reaction to embarrassment that the vulnerability had been allowed to exist, rather than any belief that Roberts was in any way a threat.
But if Roberts is to be believed, he did something really stupid on previous flights: he used his WiFi hack to manipulate the plane's engines.
During two interviews with F.B.I. agents in February and March of this year, Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane’s thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant.If true, that would go way beyond identifying exploits, mentioning that you could drop the oxygen masks, or really anything else that deals with in-flight wireless hacks. If the affidavit is to be believed, Roberts dangerously manipulated the flight's equipment, potentially putting everyone aboard at risk. We have only the FBI's word for all of this, of course, but the feds are certainly behaving as though Roberts both said all of this and that he's not simply making fictional claims.
“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” said the affidavit, signed by F.B.I. agent Mike Hurley.
Roberts, who has been interviewed at least three times by the F.B.I. this year, is under investigation for allegedly hacking into the electronic entertainment systems of airplanes, according to an application for a search warrant to probe seized electronic equipment. The document shows F.B.I. agents investigating Roberts believe he has the ability to do what he claims: take over flight control systems by hacking the inflight entertainment computer.Roberts, for his part, has at least suggested to a Wired reporter that the FBI is twisting his words:
“We believe Roberts had the ability and the willingness to use the equipment then with him to access or attempt to access the (inflight entertainment system) and possibly the flight control systems on any aircraft equipped with an (inflight entertainment system) and it would endanger the public safety to allow him to leave the Syracuse airport that evening with that equipment,” sates the warrant application.
“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” he said. “It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.”That still doesn't say he didn't do it, though.
As with too many of these stories, the end result is that we have absolutely nobody to root for. To be fair, Roberts has been warning the airlines and the feds about these exploits for years, without any of it generating much attention. His purported stunt has suddenly brought a little light to what is obviously an untenable security risk, which doesn't in any way excuse manipulating an engine mid-flight. That, plainly, is insane, and I don't think it can be argued that it's an action that deserves punishment. On the other hand, Roberts still isn't Al Qaeda and the end result of all of this may be that planes are safer. Intentions matter, after all.
As for the federal government and the airlines: are you kidding me? You're telling me that not only was all of this possible, which is crazy at the outset, but they had been warned about it and had done nothing? Crazy as it sounds, everyone should be thanking the universe that Chris Roberts was the one manning the keyboard on these flights instead of someone with more nefarious intentions. The feds and the airlines should have simply hired Roberts to battle these vulnerabilities rather than letting it get to this point. Instead, we learn this way that it may indeed be possible to get control of a flight through a plane's WiFi. And we learn that law enforcement and the airline's chief strategy to deal with that fact was to pretend it didn't exist.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: chris roberts, fbi, flights, hacking, wifi
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Battlestar Galactica
The willingness to connect critical infrastructure in ways that makes them susceptible to infection or compromised in other ways is worse in real life than in BSG.
The security theater introduces security holes such as "golden keys"
The security theater prevent fixing of security holes by harassing researchers
The security theater doesn't fix, it fondles
It serves no function; it is fake, and waste resources
If the problem have been reported by the researcher for years, who have known it, and for how long? Why are no-one in the security theater arrested?
Why are the planes not grounded? How large persentage of those aircrafts could be downed; even without those responsible being aboard the planes?
[ link to this | view in chronology ]
Re: Battlestar Galactica
It got a funny vote from me.
The willingness to connect critical infrastructure in ways that makes them susceptible to infection or compromised in other ways is worse in real life than in BSG.
Although in real life it can't result in the destruction of the human race.
[ link to this | view in chronology ]
Also, how would you research on real aircraft legitimately? What special position would you have to be in to spend hours researching vulnerabilities on production aircraft? One job thats extremely hard to get given all the clearances required. Despite that, the FAA should be hiring this guy rather than allowing the FBI to attempt to destroy him.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
The only easily belivable element of the story right now is that statements were taken out of context and amplified by fear mongering media. The rest is speculation. Let's see where the investigation will go.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
From bad to worse
The idea that that's even possible? That is so much worse.
Forget investigating him, they should be going after whatever morons programmed that system such that that was possible, and the airline execs for ignoring the warnings about such a massive vulnerability.
[ link to this | view in chronology ]
Re: From bad to worse
/s
[ link to this | view in chronology ]
Re: Re: From bad to worse
Right, guys?
[ link to this | view in chronology ]
Re: From bad to worse
At this point I'm simply not inclined to believe this actually happened until an airline or aircraft manufacturer confirms it through their own testing. It just seems so crazy that it's even possible, and that the FBI are simply taking his word for it.
[ link to this | view in chronology ]
Re: From bad to worse
This is like the old discussion on why critical control systems (at nuclear power plants, etc) are connected to the internet.
[ link to this | view in chronology ]
Re: Re: From bad to worse
Indeed, if there is any physical connection at all between those systems, or any way to control flight systems wirelessly by any means, that is a disaster waiting to happen. I hope that part of the story is incorrect.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
His actions are moot
-
No one sees a problem with an "entertainment system" having access to flight and system controls? How stupid can you get.
[ link to this | view in chronology ]
Re: His actions are moot
[ link to this | view in chronology ]
Airbus is known to use an Avionics version of Ethernet: http://en.wikipedia.org/wiki/Avionics_Full-Duplex_Switched_Etherneth
The networks might be electrically connected. But the configuration and routing between sections is fixed. It's pretty much a static VPN configuration, which only lets subsystems communicate with designated peers. This is part of the bandwidth control and fault isolation as much as for security.
Much like the story that typing a certain sequence of numbers into an ATM will dispense free cash, it's not physically impossible. But it's an extraordinary claim that requires simultaneous investigation and skepticism.
[ link to this | view in chronology ]
Re:
Quite possibly some deep packet-inspection could let you see those instrument readings for yourself if you really wanted to, because why would anyone bother encrypting it?
As for the part about taking control of the engines, well, frankly I suspect either Chris Roberts or the FBI spokesperson was indluging in a bit of hyperbole there.
[ link to this | view in chronology ]
Re:
Oh wait: they have.
If the avionics aren't air-gapped from entertainment, then there's a way. It's only a question of what that way is. My money's on a leftover debugging/installation code that someone forgot to turn off in a production software build.
But we're not going to find out. He's going to tracked down, arrested, and Schwartzed by aggressive federal prosecutors -- in order to ensure his future silence and to deter everyone else from independently investigating aircraft security. The airlines will deny it all, the feds will back them, and everyone will pretend that it never happened, that it wasn't possible for it to happen, that it never could happen...
[ link to this | view in chronology ]
Re: Re:
There's also a way for the entertainment system DRM to crash the plane- after all the content companies freaked out when it was suggested that they should allow an exemption to DRM anti-circumvention laws for safety reasons.
[ link to this | view in chronology ]
sources?
To me, it's just s bunch of people cranking the hype machine up to full speed. For the sake of hype.
[ link to this | view in chronology ]
Re: sources?
We expressed skepticism for the FBI's story in the piece -- but note that it's important to know more before deciding what really happened here. I think, frankly, that we expressed a lot more skepticism of this story that most of the media reporting elsewhere did.
[ link to this | view in chronology ]
> He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command.
Hmm... stupid... to manipulate a plane's engines while in the air - and in the plane. ... Unless, of course he's studied his Agrippa, which he has.
If he knows enough to issue a specific command, I would wager he knew enough to be able to cancel it on command as well.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
That assumes he had some kind of accurate simulator to practice on. Otherwise he was experimenting as he went.
[ link to this | view in chronology ]
For one, I don't believe you can get from the in-flight entertainment system to the avionics. That is such a dumb idea that I have trouble accepting it.
But even if you could, do they really expect us to believe that this penetration wasn't identified and then backtracked to the entertainment system?
A simple crosscheck of the passenger manifests of a couple of the hacked flights would have turned up this guy's name. A Google search would have revealed his occupation.
And no one ever thought to do that basic investigation?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
Also, the article states he did this over Wi-Fi, but my understanding was he manipulated the transceiver boxes used for the in-seat infotainment (you know, the little TV screens that show where you are and give the the option to watch several shitty video streams) underneath the seats he was in. I doubt Wi-Fi is actually connected to anything but a radio for offloading the traffic from the plane.
[ link to this | view in chronology ]
Really, we just believe him?
There may be evidence that he tampered with some under seat IFE boxes which would be worth investigating and everything else is misunderstood / exaggerated for effect by one side or the other.
[ link to this | view in chronology ]
On the other hand, as he's saying he was taken 'out of context', I wouldn't be at all surprised if he'd had a nice rambling conversation with some FBI agents during those interviews, mentioned what he thought the dangers might be, how interference could be technically possible, remarked how he might have had some initial successes in simulation etc ...
And then the FBI drew up an affadavit using the scariest-sounding bits they could find - with 'in simulation' omitted - to get a worried judge to sign off on things.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
God bless police state America, or along those lines.
[ link to this | view in chronology ]
either they misplace his words or they will torture him to say it.
[ link to this | view in chronology ]
Something smells fishy
..."he thereby caused one of the airplane engines to climb"... what.
The engines have no "climb" command, it's only increase or decrease thrust. Increasing thrust to the engines can be used to make the airplane climb, so it might be just the FBI confusing the terminology, but I doubt that the "increase thrust" command would be called "CLB". And a true "climb" command to the autopilot would increase the thrust of both engines, not just one.
The most probable explanation is that, since the FBI agent didn't understand what he was told, he mixed together several concepts in his mind. Which puts the reliability of his affidavit into question.
[ link to this | view in chronology ]
Re: Something smells fishy
The autopilot could be put in a climb mode, or perhaps a mode setting in the digital flight director. TOGO power could have been selected in the engine as well. This nonsense about flying sideways (in proper terms an aircraft with an engine on one side producing more thrust than the engine on the opposite side of the craft would cause yaw due to differential thrust)
[ link to this | view in chronology ]
Re: Something smells fishy
If he actually manipulated an engine in-flight he should be charged with recklessly endangering safety, no matter how good his intentions were. But yeah, something seems wrong with this explanation.
I suppose it's possible that when the "climb" command is issued, the command is passed to several components and they react appropriately. So the engines get the "climb" command and they increase thrust, the wing gets the "climb" command and it changes its shape, etc. So if you send the command to only one engine instead of all the components, it alone increases thrust. This seems like an odd way of doing things, though. Why wouldn't all that be processed centrally? There's no reason for the engine to know anything except how much thrust to produce.
It's much more likely that the FBI agent did not understand what he was being told. Too bad they don't record the conversations so we could know for sure.
[ link to this | view in chronology ]
Anywho...we won't have safe air travel until all travelers, on all airlines worldwide, are forced by international law to fly buck naked.
[ link to this | view in chronology ]
Planes do not fly sideways.
[ link to this | view in chronology ]
IFE network is connected to the Avionics networks
Not only is there common cabling between the networks, but the manufacturers have moved away from a proprietary protocol stack and are using TCP/IP on top of a modified Ethernet protocol. This allows someone, with a little knowledge, to connect their laptop to the box underneath the seat. [Please note, Timothy Geigner, that this does not involve the WI-FI network] Undoubtedly, the FAA, and the aircraft manufacturers, have put some effort into assuring passengers can't affect any of the avionics controls or sensors. The question is, have they done enough? Since the industry is also relying on security through obscurity by keeping the details secret, it makes it hard for independent researchers to confirm this.
[ link to this | view in chronology ]
Re: IFE network is connected to the Avionics networks
So it will probably take hundreds of deaths to get them to air-gap the two systems. Hopefully the security is good enough that it doesn't come to that.
[ link to this | view in chronology ]
Re: Re: IFE network is connected to the Avionics networks
[ link to this | view in chronology ]