FBI claims security researcher took control of a plane mid-flight through its entertainment system

Jos

Jos

Posts: 3,073   +97
Staff

fbi united airlines flight security hacking hackfbi united airlines flight security hacking hack

Security researcher Chris Roberts got into quite a bit of trouble last month after seemingly Tweeting a joke about being able to hack into a plane’s electronic control systems mid-flight. "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ?  Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)," the now infamous tweet read. When the plane landed, Roberts was questioned by FBI agents, who seized his laptop and other electronics.

Apparently Roberts had met with the FBI before to disclose vulnerabilities within the In Flight Entertainment (IFE) systems, which he reportedly accessed 15 to 20 times from 2011 to 2014 through the Seat Electronic Box (SEB) located under seats containing video monitors using modified Ethernet cable. From there he is able to log into the IFE system using default admin usernames and passwords.

He says he never connected his laptop to any SEBs on this particular flight, though FBI agents claim the units under the seats where Roberts had been sitting showed signs of tampering. He has yet to be charged with a crime but the FBI’s ongoing investigation suggests he was able to gain control of other systems beyond in-flight entertainment on the airplane network. 

According to the affidavit for the search warrant application, Roberts told investigators he overwrote code on the airplane's Thrust Management Computer while aboard a flight and successfully commanded the system he had accessed to issue the 'CLB' or climb command. This supposedly caused one of the airplane engines to climb resulting in a sideways movement of the plane.

Roberts has since refuted these claims saying they’re out of context and that the FBI basically condensed a lot of discussions, meetings and notes into a single paragraph. He passed on the opportunity to set the record straight, however.

Other in the security industry have expressed skepticism over Roberts’ and the FBI’s claims in the search warrant, noting that entertainment systems are "isolated from flight and navigation systems”, that it is very unlikely he got physical access to the SEB in several flights without other passengers alerting the flight crew, and that even if he did interfere with flight controls, pilots should have noticed it and an investigation would have ensued.

Just last week United Airlines launched a a bug bounty program that offers people free airline miles in exchange for information about security vulnerabilities. Curiously, the offer is limited to their website and apps, not bugs on onboard Wi-Fi, entertainment systems or avionics.

Permalink to story.

https://www.techspot.com/news/60700-fbi-claims-security-researcher-took-control-plane-mid.html

 
Here's the controversy of our time...

It is the lawful right for anyone to be stupid, since there is no law that states a person isn't allowed to be stupid. And how does it go along with the famous Ignorantia juris non excusat?

If nobody in the entire airline has the intelligence for providing some basic security, how does it make this guy's fault that the plane's security is exposed like this? Shouldn't the FBI go after the airline's license instead for being so ignorant towards security?
 
  • Like
Reactions: treetops and Darth Shiv
I read the method by which the "researcher" says he performed the hack. I think he is delusional as the IFE systems are not physically attached to "any" systems on the airplane. They are "all" on a "non-critical" networks and are not by FAA part 25 rules to be physically connected to any critical systems. Without a physical connection, even attaching to the set box will do nothing but enable one to hack the content servers. These are not connected to the airplane systems. They do receive one-way signals from the Central Management Computer (CMC) to turn on or off under certain circumstances, but the CMC cannot "receive" any communication from the IFE system. The IFE system has to be so benign that the CMC does not know it exists. It is against FAA part-25 rules. If Boeing breaks the rules they lose their PC-700 government approval to build airplanes. This would not happen unless it was changed by an airline who did not follow proper procedures. Anyone who touches an airplane for modification, has to file a Supplemental Type Certificate(STC) that follows the FAA part-25 rules. There can be no “escapement” from the documentation of parts, software design, avionics design, etc. The consequences are too great. An airline would be subject to 3rd party liability if anything happened. If the hacked airplane had crashed, and the STC work revealed an undocumented change, the airline would lose their license to operate, and the insurance companies would have to pay billions.

This so called "Hacker" is all talk, he's just trying to get attention, this whole story is all made up by him.
 
  • Like
Reactions: RebelFlag, Hasbean, stewi0001 and 1 other person
Nitrotoxin said:
This so called "Hacker" is all talk, he's just trying to get attention.
Click to expand...

Agreed... WIRED had an article a couple months ago about the state of the flight systems on airlines. They're old, like really, really old. Without knowing anything else about them, I'd guess the in-flight entertainment system could talk to the flight systems as well as your iPhone could tell your Betamax to rewind a video tape.
Fear makes for great news though,...
 
I had a hard time reading the article and putting everything together, was it just me? (Might be that english is not my native language, but still took me a couple of reads before understanding it straight).
 
From there he is able to log into the IFE system using default admin usernames and passwords.

^^^Well there's your first problem. Anyone who would ever consider themselves in the "IT Field" should NEVER leave ANY device using those credentials. It's literally one of the first things I change when configuring a device.
 
Psychologically unstable pilots and Islamic terrorists are threats to aircraft and their passengers. A hacker with a chip on his shoulder is an annoyance.
 
  • Like
Reactions: cliffordcooley
"From there he is able to log into the IFE system using default admin usernames and passwords."
Wow
 
davislane1 said:
Psychologically unstable pilots and Islamic terrorists are threats to aircraft and their passengers. A hacker with a chip on his shoulder is an annoyance.
Click to expand...

Please do tell me more on how many of those have taken down commercial aircrafts in the last couple decades
 
  • Like
Reactions: Hasbean
Kibaruk said:
Please do tell me more on how many of those have taken down commercial aircrafts in the last couple decades
Click to expand...

Disgruntled pilots who have crashed commercial aircraft into mountains or other terrain: 5
Islamic terrorists who have highjacked and/or downed commercial aircraft (by instance): 13+
Number of aircraft crashed and/or highjacked by nefarious hackers: 0

It doesn't take a statistician to look at the numbers and conclude that depression and Islamic terrorism are demonstrably greater threats to airline passengers globally than any hacker.
 
  • Like
Reactions: RebelFlag
Kibaruk said:
davislane1 said:
Psychologically unstable pilots and Islamic terrorists are threats to aircraft and their passengers. A hacker with a chip on his shoulder is an annoyance.
Click to expand...

Please do tell me more on how many of those have taken down commercial aircrafts in the last couple decades
Click to expand...
A psychologically unstable pilot nosedived a plane in Europe THIS year and 9/11 was NOT over two decades ago.
 
Tanstar said:
A psychologically unstable pilot nosedived a plane in Europe THIS year and 9/11 was NOT over two decades ago.
Click to expand...

My point being... this happened once, and according to Davislane 5 times over the last 20 years and everyone is making such a huge deal out of it. Of course it's terrible but... you get it.
 
davislane1 said:
It doesn't take a statistician to look at the numbers and conclude that depression and Islamic terrorism are demonstrably greater threats to airline passengers globally than any hacker.
Click to expand...
How many hackers does it take to make a terrorist? Wait a minute you mean there is actually a difference? Simply because a hacker chooses to do other terrorist activities, than taking over airliners.
 
cliffordcooley said:
davislane1 said:
It doesn't take a statistician to look at the numbers and conclude that depression and Islamic terrorism are demonstrably greater threats to airline passengers globally than any hacker.
Click to expand...
How many hackers does it take to make a terrorist? Wait a minute you mean there is actually a difference? Simply because a hacker chooses to do other terrorist activities, than taking over airliners.
Click to expand...

Terrorist -n- the use of violence and threats to intimidate or coerce, especially for political purposes.
Hacker -n- a person who uses computers to gain unauthorized access to data

There is a huge difference between a hacker and a terrorist. Hackers normally not being into murder, and civil unrest for the most part. Most hackers are motivated by money, even when they try and pretend they are motivated by ideals. Most terrorists are motivated solely by their ideals.
 
You must log in or register to reply here.

Similar threads

Shawn Knight
Commercial cargo plane successfully completes crewless flight
Replies
8
Views
318
toooooot
T
E
Stratolaunch achieves first powered flight of hypersonic test vehicle
Replies
2
Views
141
Uncle Al
Uncle Al
E
Another day, another FBI takedown of routers infected by malware
Replies
7
Views
215
p51d007
p51d007

Latest posts

Back