United Airlines: All started with a tweet. By Dan Tynan
On an United Airlines Flight 1474 from Denver to Chicago in April last year, security researcher Chris Roberts made an ill-advised joke. He twittered about hacking into a commercial jetliner’s satellite communications and engine alert systems.
Roberts is a well-known figure in white-hat (the good guys) hacking circles who has been issuing warnings about faulty airline security since 2009. He was interviewed twice by the FBI earlier this year.
When Roberts landed in Syracuse, N.Y., his final destination, he was met at the airport by FBI officials, who this time detained him for four hours. Having confiscated nearly all of the electronics he was carrying. Three days ago, a Canadian news service obtained a copy of the search warrant filed by the FBI for Roberts’s gear.
According to the warrant, Roberts allegedly told FBI agents back in February that during an earlier flight he used an in-flight entertainment system to gain access to the United Airlines airplane’s navigational controls. And “thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights.”
Roberts has not been charged, although his equipment is still in the FBI’s control. But the story has raised a host of difficult questions, the most compelling one being:
Question to United Airlines: „So can an airplane’s internal network be hacked?“
The answer is, yes, it most likely can. Whether it can be done using the method described by Roberts is another matter.
Security experts differ as to whether hacking a plane’s in-flight entertainment system. But as Roberts claims to have done this between 15 and 20 times over the last four years, would allow an attacker to gain access to more critical systems such as navigation and communications.
Not surprisingly, United Airlines denies any threat. In an email statement provided to Yahoo Tech, an airline spokesperson wrote, “We will continue to cooperate with the FBI on its investigation. Our internal review with our aircraft manufacturer partners makes us confident that these claims are unfounded.”
When asked by Yahoo Tech whether hacking a plane’s avionics controls via its in-flight entertainment system was possible, internationally known security technologist Bruce Schneier says it requires more research. But he added that “it seems like a possibility.”
Then he left to catch a plane.
How could this happen?
On most older planes, the network that passengers use for in-flight entertainment or Wi-Fi access is separate from the avionics networks airline crew members use for controlling the plane. That’s not the case with newer aircraft like the Boeing 787 Dreamliner or the Airbus A350 and A380. In 2008, the Federal Aviation Administration warned aircraft makers about the potential dangers of using a single network for both passengers and crew.
However, Roberts appears to have discovered similar vulnerabilities in older craft. According to the FBI warrant, Roberts said he pried open the Seat Electronic Box beneath the seat in front of him on a Boeing 737-800. Then he plugged in a network cable from his laptop, and accessed the in-flight entertainment system using default passwords. From there, he claims to have been able to access more critical systems on the plane’s network.
„We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems,” Roberts told FoxNews last March.“Quite simply put, we can theorize on how to turn the engines off at 35,000 feet and not have any of those damn flashing lights go off in the cockpit.”
Does the government know about this?
Last month, the Government Accountability Office (GAO) issued a report chastising the FAA for failing to address potential weaknesses in airplane cybersecurity. In particular systems that connect to the Internet and “can potentially provide unauthorized remote access to aircraft avionics systems.”
According to the GAO report, one third of avionic communication systems connect to the Internet, a figure that’s expected to reach as high as 60 percent in five years.
It was that report, in part, that inspired Roberts’s dangerous tweet.
Has anyone else identified potentially deadly flaws in aircraft security?
In April 2014, a Madrid-based security firm, IOActive, published a report on the security of satellite communications systems used by airlines, as well the military, heavy industry, and the media. It uncovered critical errors that could allow remote attackers to intercept ground-to-plane communications, block them, or take control of the plane’s SATCOM device.
“I discovered a backdoor that allowed me to gain privileged access to the Satellite Data Unit. Its the most important piece of SATCOM (Satellite communications) equipment on aircraft,” Ruben Santamarta, principal security consultant for IOActive, told Fox News last March. “These vulnerabilities allowed unauthenticated users to hack into the SATCOM equipment. It is easily accessible through Wi-Fi or in-flight entertainment networks.”
However, IOActive performed its research by analyzing firmware on the ground. But not by attempting to gain access in midflight. It also offered to help manufacturers of SATCOM systems fix these issues. Only one of five companies accepted its offer.
Anyone else knows about this United Airlines incident?
At the Def Con security conference in July 2012, researcher Brad “RenderMan” Haines demonstrated how anyone with the right equipment could intercept air traffic control data. Also jamming the signal, or provide false location information to pilots. (The FAA disputes his claims.) Again, though, this was from the ground, not in the air.
However, Haines says such an attack could be launched even more easily inside a plane. He also adds that he hopes the controversy surrounding Roberts‘ actions leads to more transparency about cybersecurity in aircraft.
“Let all the various researchers test their work on an actual plane in a transparent manner.” Haines says. “If nothing can be proven, then the industry can point to this independent test as proof. If anything can be proven, the industry can say they fixed it and thereby made things safer for the public.“
„It’s better for everyone to work with us rather than against us. Remember, hackers are part of the flying public too. We are at risk as well.”
Did Roberts really hack that United Airlines airplane’s nav system, or was he just bragging?
That is the question. In an interview with Wired’s Kim Zetter last week, Roberts avoided directly answering it, saying instead that the FBI’s charges were presented out of context.
“It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.” He said.
The answer to that question might be found on one of the laptops or hard drives the FBI seized from Roberts last month. But that’s only if they are able to compel him to hand over the encryption keys that Roberts says he used to keep his data private.
How did United Airlines know to alert the FBI?
One of the creepiest aspects of this whole situation — besides the notion of a passenger flying an airplane from a seat in coach — is how United Airlines knew who Roberts was and which flight he was on.
According to the FBI warrant, United Airlines cybersecurity alerted the feds to Roberts’s jest about hacking the plane. However, his tweet did not mention United Airlines or the flight number.
Roberts is well known in avionics security circles, as well as to federal authorities. It seems likely someone on UA’s cybersecurity team was keeping a close eye on Roberts’s online activities, and looked up his passenger name record after seeing the tweet.
As Schneier wrote in his Schneier on Security blog, “There’s some serious surveillance going on.”
United Airlines United Airlines United Airlines United Airlines