The next time you’re flying and the passenger next to you is on his computer, he/she may be enjoying the in-flight entertainment, or he may be piloting the aircraft. That is exactly what Chris Roberts, a renowned cyber-security expert, was allegedly able to accomplish by hacking the airplane’s network. These actions were reportedly disclosed by Roberts in an interview with the F.B.I. – APTN News initially discovered the details attached to a search warrant application that had been publicly filed by the F.B.I.
According to the report, Chris Roberts has hacked the in-flight entertainment network on airplanes between 15 and 20 times between 2011 and 2014. This instance marks the first documented instance of anyone being able to control the plane via the network. Roberts accomplished this by tapping into the airplane’s network by connecting an Ethernet cable to the electronic box under the passenger seat. According to the affidavit:
He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,
Roberts has not been charged with a crime as of yet, however, he has been banned from United Airlines. This was the result of a previous incident. Roberts was stopped and searched by the TSA after he tweeted that he could take control of the aircraft’s systems and cause the oxygen masks to deploy. The TSA confiscated the electronic equipment which he had on his person: an iPad, Macbook Pro, 3 Hard-drives, 6 Thumb Drives, and 2 USB cables as reported by APTN. Roberts has since clarified that his tweet was not a display of intent, but a cry of frustration over the poor security measures instated in airplane networks.
However, it appears there is quite a bit more to the story than the documents allude to. Roberts has clarified that his statements were taken out of context and that the interview with the FBI encompassed a conversation that covered five years of history. Roberts had previously stated in an interview with Wired that he had never directly hacked and piloted an airplane in an actual flight situation, only within simulations.
Sorry it’s so generic, but there’s a whole 5 years of stuff that the affidavit incorrectly compressed into 1 paragraph….lots to untangle
— Chris Roberts (@Sidragon1) May 17, 2015
However, the damage has been done. Many other security experts in the industry have scorned Roberts for his “security research” on airplanes with live passengers. As initially reported by Bustle, Yahoo’s Chief Information Security Officer spoke out about Robert’s actions on Twitter:
You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents
— Alex Stamos (@alexstamos) May 16, 2015
However, not everyone is pointing the finger at Roberts. Herbert Dixon, Washington D.C.’s superior court judge (also known as the technology judge) took to Twitter to pose the question as to whether the Airline should be investigated:
— Herbert Dixon (@Jhbdixon) May 17, 2015
This poses an age-old question, “At what point do we hold organizations accountable for security vulnerabilities?” Considering that Roberts has been able to hack at least 15 aircraft networks over the course of 4 years undetected is disconcerting at best and does not bode well for airline security. While Robert’s actions of hacking live airplanes are irresponsible, the action identifies a serious flaw within Airline security. If this information were to get into the hands of a malicious terrorist, actions far more severe than spontaneous oxygen masks could unfold. Hopefully this will act as a trigger for Airlines to improve upon their in-flight cyber-security practices.
What are your thoughts? Did Roberts do us a favor by identifying a severe security flaw? Or were his actions irresponsible? Let us know in the comments below.