Security researcher 'hijacked plane in-flight': questions and (some) answers

Wired articleWhat's all the fuss about?
Well, at the end of last week, Wired published an extraordinary story: "Feds Say That Banned Researcher Commandeered a Plane"

A security researcher kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.

Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.

Haven't I heard of this security researcher before?
Quite possibly.

You might know Chris Roberts from an article Fox News published in March, saying he knew how to "take planes out of the sky" via flaws in in-flight entertainment systems:

Fox News article

"We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems," said Roberts, who discovered susceptibilities in the system passengers use to watch television at their seats and is sharing his findings with the federal government. "Quite simply put, we can theorize on how to turn the engines off at 35,000 feet and not have any of those damn flashing lights go off in the cockpit."

It was the same guy who previously claimed to CNN that he had accessed an alarming amount of information after plugging into SEBs without permission under passenger seats:

"I could see the fuel rebalancing, thrust control system, flight management system, the state of controllers," he said.

If a fellow passenger ever asked what he was doing, Roberts would simply say, "We're enhancing your experience by putting in new systems."

Or maybe you remember when Roberts got himself into a spot of bother last month after making this "joke" tweet, after boarding a plane:

Tweet by Chris Roberts

Surprise surprise, the authorities didn't find that too funny, and Roberts was subsequently ejected from a flight because of it (before it took off, fortunately for him).

So now, Chris Roberts is saying that he actually commandeered a plane in-flight through hacking?
Not quite.

The report by Wired journalist Kim Zetter says that an FBI search warrant claims that the security researcher had confirmed during conversation that he identified vulnerabilities in aircraft in-flight entertainment (IFE) systems that we was keen for airlines to fix.

But, the search warrant continues, Roberts had compromised IFE systems "15 to 20 times" between 2011 and 2014, after connecting his laptop via a modified Cat6 ethernet cable to the Seat Electronic Box (SEB) stored under passenger seats.

Chris RobertsAnd here's the bit where things get really interesting:

"He stated that he successfully commanded the system he had accessed to issue the "CLB" or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights."

Maybe you'll think I'm being pedantic. But Wired isn't saying that Chris Roberts claimed to have hijacked and meddled with a plane's flight. Instead, they're saying that the FBI's search warrant claims that Roberts told them that he had done that.

Which means we need to consider the following possibilities:

  1. Chris Roberts never hacked the plane, but claimed he did to get some attention. And now - oh boy - he's successfully put himself on the FBI's radar.
  2. Chris Roberts never hacked the plane, but the FBI said he had in order to make their search warrant look more meaty.
  3. Chris Roberts told the FBI something, which the FBI took out of context as him saying that he had hacked the plane and forced it to move sideways.
  4. Chris Roberts and the FBI understand each other perfectly, but the media has misunderstood and overinflated what really happened.

Still, even if the full facts aren't yet known, it sounds serious. Interfering with the actual flight... that would be insane, wouldn't it?
Or at least plane stupid.

However, it's worth reading a little further in the search warrant if you're keen to know what might have happened.

If you read the next part of the search warrant, it says:

"Roberts said he used Kali Linux to perform penetration testing of the IFE system. He used the default IDs and passwords to compromise the IFE systems. He also said that he used VBox which is a virtualized environment to build his own version of the airplane network. The virtual environment would replicate airplane network, and that he used virtual machine's on his laptop while compromising the airplane network."

That part of the search warrant at least creates some ambiguity, and could be read as tying in with Roberts' claims to Wired that any meddling with avionics systems took place in simulated systems on a virtual environment, rather than directly to the in-flight plane.

If that were true, Roberts might have accessed the plane's systems and data without permission, but perhaps never sent the real live system any commands to mess with the aircraft's journey.

So, what now?
No doubt some of the hysteria in the mainstream press will continue to bubble away about hackers hijacking aircraft will continue, even though we don't know what actually happened.

Chris Roberts may or may not find himself on the sharp end of some legal action - even if he didn't interfere with a plane's actual flight, unauthorised access to someone else's server is not something that's likely to be taken lightly by an airline.

Roberts' company is reportedly suffering as a result. He told Wired that investors of his company One World Labs have withdrawn funding, and that he has had to lay off "about a dozen employees".

"The board has deemed it a risk. So that was one factor in many that made their decision," he said. "Their decision was not to fund the organization any further."

Meanwhile, United Airlines has started its own bug bounty.

But don't even think about looking for vulnerabilities in its aircraft. Because the airline says that if you conduct any testing on aircraft or aircraft systems then you will be permanently disqualified from the bug bounty, and could face possible criminal action.

Bug Bounty

Stay safe folks.

Tags: , , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , , , , , ,

6 Responses

  1. Jim Hillhouse

    May 17, 2015 at 7:53 pm #

    If Roberts got one of the engines to increase thrust that caused a sideways motion, in aviation parlance, he created a yaw motion due to asymmetrical thrust. At cruising altitude and speed, that can be extremely bad.

    If a large enough yaw were created, and it doesn't take much, lateral forces against the vertical stabilizer will be created that either (best case) damages it or (worst case) disengages it; see American Airlines 587 as to what happens when an airliner looses its vertical stabilizer.

    At cruising altitude and speed, the vertical stabilizer actually has to be actively controlled to maintain straight flight. If you were sitting in the cockpit of most airliners, you'd see the rudder pedals move as the aircraft's control system moved the vertical stabilizer. Without that active input, you as a passenger would feel a slight side-to-side motion that would be uncomfortable but not deadly.

    Without the vertical stabilizer, those little yaws would quickly grow to the point where the lateral (sideways) force of the airflow against aircraft's fuselage and wings would exceed their design limits and…well, everyone dies.

    If Roberts is telling the truth, first he's stupid for admitting what he did and worse his hack put everyone in that plane at risk of dying.

  2. Coyote

    May 18, 2015 at 3:49 am #

    "Maybe you'll think I'm being pedantic."

    And as programmers we both know that being pedantic is a good thing. Because there is no room for error and errors arise from disregarding minute details (of course there's other sources – can't really help that – of errors but those are irrelevant at this time). While to the untrained some errors might seem harmless there is still the fact that an error is an error. Then consider off by ones that have at best inaccurate results and at it gets worse when you consider stability and security problems (for example). But let's dismiss programming analogies because it is only an analogy (giving a good reason for pedantic) and an analogy many won't understand (the other possibility is I tend to speak/write Gobbledegook): to take an article written by supposed statements (or alterations/misinterpretations/exaggerations of, possibly without context) as reason enough for a warrant is rather rash (although unsurprising). Still, his joke is hardly a joke (and disconcerting?) to those flying on that plane (or perhaps anyone who steps foot on jets/planes/etc.), I am sure, and it is very stupid to do (yet so many people do joke about these things even in the places that the joke would take place). If nothing else he's guilty of foolishness (especially if he's admitting to actually doing what was claimed). However, if they were to pay attention (there goes pedantry again!) to something else he said, specifically THIS from the statement:

    "He also said that he used VBox which is a virtualized environment to build his own version of the airplane network."

    … they would understand that virtual networks is like virtual reality – it isn't real. That he used VirtualBox (VBox is short for and VBox itself is a component of VirtualBox! – this is basic stuff!) and this is somehow proof (or that they ignore the fact he used VirtualBox) that he did it on a live system/network is absurd, a lie (and/or defamation), it defies logic (even for government officials) and ignores the reality that virtualisation isn't real. There's a reason fantasy based games have virtual worlds and not real life worlds (as much as I sometimes wish elves, hobbits, goblins, trolls, faeries, magic, etc., were real, they are not, and admittedly that is best for all of us). The key word is virtual. I may be mad but at least I am generally logical and understand the difference between fantasy (and virtual) compared to reality (where possible, of course…).

    "Or at least plane stupid."
    Love it. Needed it too.

  3. Matt Harwood

    May 18, 2015 at 8:35 am #

    There are so many issues I have with this story.

    Firstly, what is a "climb command"? I assume they mean engine thrust.

    Secondly, I find it very hard to believe Boeing engineers would design the system so badly as to allow access to critical flight controls from the entertainment system. Even laymen could think of that as a priority throughout the design process, surely?

    Thirdly, thrust in one engine would risk a huge lateral spin. So no one noticed this? The pilots just ignored it somehow?

    And what sane, non-suicidal researcher would submit the command even if this is indeed possible on a live flight?

    I don't buy it for a second. Either someone's lying or someone has misunderstood.

  4. Protective Intelligence

    May 18, 2015 at 1:35 pm #

    I'm with Kevin Mitnick on this one – Roberts is full of BS. There's no conceivable way I can think of that would allow you access to the FMS via the IFE.

    Roberts strikes me as the kind of man who has started to believe his own hype. He may well have accessed the IFE (which is not too difficult to do), but his claims of controlling the aircraft are fantasy at best. Had he really changed the thrust setting on one of the engines whilst at cruising altitude, the results would likely have been disastrous. When a Thrust Reverser accidentally deployed on one of the engines on a Lauda Air flight in 1991, the pilots only had about three or four seconds to identify and correct the situation before the aircraft entered an unrecoverable spin.

  5. Dave Cockayne

    May 18, 2015 at 2:36 pm #

    If you look closely at what Roberts has said, there are two separate things going on.

    He has hacked into live flights via the IFE and penetrated far enough to sniff packets to control systems.

    Separately in simulations (not live flights) he has managed to control the engines.

    The man has two GRRCON talks on youtube from 2011/2012 explaining this stuff and both Boeing and the FBI have known for years what he has done.

  6. Dan

    May 18, 2015 at 9:03 pm #

    A cynic might claim that Roberts plan was to later claim that 'mysterious figures' were really responsible for the crash of Germanwings 9525 and proceed to make a good living off of yet another preposterous conspiracy theory.

    Hold on, thats actually pretty good!

Leave a Reply