Establishing Digital Trust: Don't Sacrifice Security for Convenience
The FBI recently accused security researcher Chris Roberts of hacking into a United Airlines airplane in flight via its in-flight entertainment (IFE) system, causing the plane to temporarily fly in a "lateral or sideways movement," The Register reports.
On April 15, 2015, FBI agents detained Roberts and confiscated a MacBook Pro, an iPad Air, eight thumb drives and three portable hard drives after he exited a United flight in Syracuse, New York.
In an application for a search warrant filed on April 17, 2015, FBI special agent Mark S. Hurley requested permission to search the 13 devices taken from Roberts on April 15.
According to Hurley's statement, the FBI interviewed Roberts on February 13 and March 5, 2015 regarding vulnerabilities he'd found in IFE systems on Boeing 737-800, 737-900, 757-200, and Airbus A320 aircraft. Roberts disclosed the information, Hurley noted, "because he would like the vulnerabilities to be fixed."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
During the interviews, Hurley stated, Roberts said he had exploited the vulnerabilities "while in flight," and had done so "approximately 15 to 20 times during the time period 2011 through 2014."
In order to do so, Hurley noted, Roberts claimed to have accessed the IFE system by connecting an Ethernet cable to the Seat Electronic Box (SEB) under the seat in front of him.
"He then connected to other systems on the airplane network after he exploited/gained access to, or 'hacked' the IFE system," Hurley wrote. "He stated that he then overwrote code on the airplane's Thrust Management Computer while aboard a flight.
"He stated that he successfully commanded the system he had accessed to issue the 'CLB' or climb command," Hurley added. "He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights."
According to Hurley's statement, FBI special agents told Roberts in February 2015 "that accessing airplane networks without authorization is a violation of federal statue, and that Roberts may be prosecuted for obtaining access to airplane networks or scanning airplane networks."
Then, while on a United flight on April 15, 2015, Roberts tweeted, "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone ? :)"
After Roberts exited the aircraft on April 15, an FBI special agent inspected the SEBs under Roberts' seat and the seat in front of him and found that they "showed signs of tampering." The FBI then confiscated the 13 devices he had with him at the time.
"Over last 5 years my only interest has been to improve aircraft security...given the current situation I've been advised against saying much," Roberts tweeted recently.
Tripwire director of IT security and risk strategy Tim Erlin told eSecurity Planet by email that it's crucial to examine how aircraft cyber security is being managed. "Whether Chris Roberts is a criminal or not is secondary to the safety of passengers," he said. "As a consumer and a member of the information security community, I’d like to know what is being done to address the vulnerabilities that have been disclosed."
And RedSeal CTO Dr. Mike Lloyd said the implications of Roberts' story reach far beyond aircraft cyber security. "We rely more and more on networks that we cannot easily see or understand," he said. "Defects in one network can open up access to another -- attacks can work upwards like grass through cement, finding weak points and cracking hard defenses. What all defenders need to learn to do is to use technology to monitor technology -- human effort and good will are not enough, as our networks grow larger than we can understand."
"According to FAA and experts we interviewed, modern communciations technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems," the GAO report [PDF] stated.