A United Airlines Boeing 737-800 was at cruising altitude on the Chicago to Syracuse corridor last Wednesday when news broke of a government report describing potential security holes in Boeing and Airbus planes. The report, from the Government Accountability Office, noted that security issues with passenger Wi-Fi networks on several models of aircraft could allow hackers to access critical avionics systems and hijack the flight controls.
This wasn’t news to passenger Chris Roberts, a respected cybersecurity professional with One World Labs who has, since 2009, extensively researched the security of airline systems. He was on the United flight’s Wi-Fi network following tweets about the report and decided to join the discussion.
“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM,? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone?,” he wrote in a tweet, punctuating it with a smiley face.
The tweet was a joke laced with sarcasm. Roberts is a veteran of the vulnerability disclosure wars, having tried for years to get Boeing and Airbus to heed warnings about security issues with their passenger communications systems. His tweet about the Engine Indicator Crew Alert System, or EICAS, was a reference to research he’d done years ago on vulnerabilities in inflight infotainment networks, vulnerabilities that could allow an attacker to access cabin controls and deploy a plane’s oxygen masks.
It was the wrong message to send.
The Feds were waiting when Roberts landed in Syracuse. As passengers stood in the aisle to deplane, a flight attendant instructed everyone to take their seats. Two Syracuse police officers and two FBI agents boarded the plane. Before they even looked at him, Roberts knew they were after him. “Shall I get my luggage?,” he asked. He spent the next four hours in an airport conference room on the business end of an interrogation. Before he left, agents seized his company-issued laptop, backup disks and other electronics without a warrant. When Roberts attempted to board another United flight to San Francisco days later, he was barred by the airline and had to book a flight with Southwest. Roberts has since retained a lawyer from the Electronic Frontier Foundation, who is interested to know under what authority the FBI seized his electronics. U.S. border agents can seize electronics at entry points as someone comes into the country, but seizing them without a warrant from someone taking a wholly domestic flight is a different matter.
The Twitterverse has been divided on the actions of Roberts and the Feds. Some say Roberts should have known better than to tweet his joke from a plane. It’s common knowledge that a joke about bombing or hijacking a plane can earn you a back-room consult with the Feds. But others say the government overreacted in this case. And some people are disturbed at how closely the government appeared to be monitoring social media that it saw his tweet so quickly and had a greeting party waiting for him when he arrived. They also say his treatment is a sign that his criticism hit home with the airline.
The circumstances around Roberts’s case are not black and white, though. United Airlines apparently told the Feds there was evidence of tampering under the seat where Roberts sat, seemingly implying that he had connected his laptop to the network connection points beneath his seat. Roberts told WIRED he did nothing to United’s network on that flight but has on 20 to 30 occasions explored the aircraft networks and configurations on other flights while a passenger, going beyond what some researchers might deem wise in the interest of research. (More detailed discussion of these tactics below.)
Roberts’s recent experience has invoked a heated debate in the security community, stemming from a longstanding Cold War between security researchers and the industries whose faults they expose.
The Cold War in Security Research
Years ago, a prominent hacker/researcher who went by the name Rain Forest Puppy crafted a “full disclosure” policy for publishing information about security holes. It became something of an industry standard for bug hunters. It came during a heady time in computer research when bug hunters were regularly threatened with prosecution or lawsuits for reverse-engineering software or exploring web sites to uncover security flaws. Often, researchers would disclose the vulnerability to a software maker or web site owner, only to be ignored or, worse, served with a stern letter accusing them of illegally hacking or reverse-engineering the software or system. Many researchers therefore opted for a more provocative route: they found that going directly to the public made the embarrassed vendor more likely to fix the hole and leave the researcher alone. Researchers increasingly began marching to the media or hacker conferences like DefCon and HOPE to expose the problems they found, while vendors fumed.
Puppy proffered a truce of sorts. In his full disclosure manifesto, he proposed that researchers should reveal vulnerabilities to vendors before publishing them, but vendors would be required to respond within five business days or the researcher would go public. The vendor didn’t have to fix the vulnerability within that time; it could negotiate a reasonable timeframe for doing so. But if a vendor didn’t at least acknowledge the bug report and respond politely, the researcher would be free to tell the public.
Many thought this was a reasonable and responsible compromise. This was in the days before bug bounty programs when vendors were still getting free research from security pros volunteering their skills to improve products and security. In exchange, researchers hoped for public acknowledgement and thanks, and a boost to their resumes. It didn’t work out this way, however. Instead, the history of computer security became littered with researchers put through the ringer over what they considered to be Good Samaritan acts.
The Cisco Surprise
One of the most egregious and famous examples of full-disclosure failure occurred in 2005 between a researcher named Mike Lynn and Cisco. Lynn, who worked for Internet Security Systems in Atlanta, uncovered a serious security hole in Cisco’s IOS, the operating system underpinning thousands of Cisco routers worldwide, some of them critical to the internet backbone. After disclosing the finding to Cisco, Lynn prepared a presentation to discuss it at the Black Hat security conference in Las Vegas. But then Cisco and Lynn’s employer swooped in with a last-minute injunction to stop him—even though Cisco and his employer had approved his talk before he submitted it to the conference for consideration. Conference organizers had to scramble to delete Lynn’s slides from 2,000 conference CD-ROMs and rip 20 pages from the printed program.
Lynn was livid. There already were signs that Chinese hackers might have found the vulnerability and were perhaps taking steps to exploit it. But there was little he could do against the court injunction. He was also facing the prospect of an FBI probe until he reached a settlement with Cisco and Internet Security Systems. He agreed, among other things, to erase all of his research materials about the vulnerability, to keep secret all details of the attack, and to refrain from distributing copies of his presentation.
In 2008 a group of MIT students preparing a talk at the DefCon hacker conference had a similar experience. They’d discovered vulnerabilities in the Massachusetts mass transit payment systems that would allow someone to get free rides. A week before their talk they met with the Massachusetts Bay Transportation Authority to discuss the issue and address the authority’s concerns that going public could teach others how to defraud the system. The students assured the authority that they would withhold key information from their presentation. They left the meeting believing the authority’s concerns were resolved, only to learn two days before their presentation that the MBTA had obtained a temporary restraining order barring them from discussing the vulnerabilities. A judge later dismissed the gag order, ruling it an unconstitutional prior restraint of speech, but the damage was done. Their DefCon talk never occurred, and security researchers were left feeling burned and yet again silenced.
And this is the struggle at the heart of Roberts’s story: Though his tweet may have been ill-advised, it was borne out of years of frustration from being ignored by the airlines.
Calling All Airlines
Roberts began investigating aviation security about six years ago after he and a research colleague, whom he prefers not to name given the FBI’s reaction to his tweet, got ahold of publicly available flight manuals and wiring diagrams. The documents showed how inflight entertainment systems were connected to the passenger satellite phone network, which to their surprise included functions for operating some cabin control systems. These systems were in turn connected to the plane avionics systems. They built a test lab using demo software obtained from infotainment vendors and others. “Planes are happy to tell you who they use for suppliers and suppliers give you demos and downloads,” Roberts explained.
In 2010, Roberts gave a presentation about hacking planes and cars at the BSides security conference in Las Vegas. Another presentation followed two years later. He also spoke directly to airplane manufacturers about the problems with their systems. “We had conversations with two main airplane builders as well as with two of the top providers of infotainment systems and it never went anywhere,” he told WIRED.
About four months ago, the FBI in Denver, where Rogers is based, requested a meeting. They discussed his research for an hour, and returned a couple weeks later for a discussion that lasted several more hours. They wanted to know what was possible and what exactly he and his colleague had done. Roberts disclosed that they had sniffed the data traffic on more than a dozen flights after connecting their laptops to the infotainment networks.
“We researched further than that,” he told WIRED. “We were within the fuel balancing system and the thrust control system. We watched the packets and data going across the network to see where it was going.”
Eventually, Roberts and his research partner determined that it would take a convoluted set of hacks to seriously subvert an avionics system, but they believed it could be done. He insisted, however, that they did not “mess around with that except on simulation systems.” In simulations, for example, Roberts says they were able to turn the engine controls from cruise to climb, “which definitely had the desired effect on the system—the plane sped up and the nose of the airplane went up.”
He thinks the first meeting with the FBI in Denver months ago was about making a case against him. When the agents returned for their second visit, however, they seemed more interested in helping get the problems fixed. But they said they needed evidence to convince Boeing and Airbus the problems were real. Roberts said the research was old and he’d have to recreate it. But he wanted immunity first. The agents left, after advising him to drop his aviation research, and he never heard from them again.
Then last month Fox News did a story about his work on airplane security. The Government Accountability Office followed that with its own report last week after lawmakers asked it to look into the issue of airplane security. Roberts thinks his tweet was simply too much for Boeing and the FBI to take in the wake of so much attention being brought to airplane vulnerabilities.
“I tweeted out something in jest with a smiley face, and I’m guessing that was probably the final straw for at least one area of the federal authorities,” he says.
Where things go now remains unclear. Roberts is awaiting a letter from United Airlines explaining exactly why he was barred from his flight to San Francisco. The Electronic Frontier Foundation is awaiting an explanation from the FBI about which authority it was using to justify seizing Roberts’s electronic gear without a warrant.
Kurt Opsahl, deputy executive director and general counsel for EFF and Roberts’s representative, says the FBI’s move is puzzling.
“[Roberts] was not talking about bombing a plane,” he says. “This was in no way intended as a threat or as an intent to actually do anything to the plane. It was a commentary on the security of the plane.” A commentary Roberts had spent years trying to get people to hear.
Opsahl says it’s in the interest of companies like United and Boeing to work with researchers not fight them. “Whether a company should be treating a security researcher who has identified potential flaws and vulns as an ally or as someone to be arrested from a plane?” he asks. “The allied approach is going to make us all more secure.”