A security researcher who was kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.
Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.
“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in his warrant application (.pdf). “He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”
Hurley filed the search warrant application last month after Roberts was removed from a United Airlines flight from Chicago to Syracuse, New York, because he published a facetious tweet suggesting he might hack into the plane’s network. Upon landing in Syracuse, two FBI agents and two local police officers escorted him from the plane and interrogated him for several hours. They also seized two laptop computers and several hard drives and USB sticks. Although the agents did not have a warrant when they seized the devices, they told Roberts a warrant was pending.
A media outlet in Canada obtained the application for the warrant today and published it online.
The information outlined in the warrant application reveals a far more serious situation than Roberts has previously disclosed.
Roberts had previously told WIRED that he caused a plane to climb during a simulated test on a virtual environment he and a colleague created, but he insisted then that he had not interfered with the operation of a plane while in flight.
He told WIRED that he did access in-flight networks about 15 times during various flights but had not done anything beyond explore the networks and observe data traffic crossing them. According to the FBI affidavit, however, when he mentioned this to agents last February he told them that he also had briefly commandeered a plane during one of those flights.
He told the FBI that the period in which he accessed the in-flight networks more than a dozen times occurred between 2011 and 2014. The affidavit, however, does not indicate exactly which flight he allegedly caused to fly sideways.
He obtained physical access to the networks through the Seat Electronic Box, or SEB. These are installed two to a row, on each side of the aisle under passenger seats, on certain planes. After removing the cover to the SEB by “wiggling and Squeezing the box,” Roberts told agents he attached a Cat6 ethernet cable, with a modified connector, to the box and to his laptop and then used default IDs and passwords to gain access to the inflight entertainment system. Once on that network, he was able to gain access to other systems on the planes.
History of Researching Planes
Roberts began investigating aviation security about six years ago after he and a research colleague got hold of publicly available flight manuals and wiring diagrams for various planes. The documents showed how inflight entertainment systems on some planes were connected to the passenger satellite phone network, which included functions for operating some cabin control systems. These systems were in turn connected to the plane avionics systems. They built a test lab using demo software obtained from infotainment vendors and others in order to explore what they could do to the networks.
In 2010, Roberts gave a presentation about hacking planes and cars at the BSides security conference in Las Vegas. Another presentation followed two years later. He also spoke directly to airplane manufacturers about the problems with their systems. “We had conversations with two main airplane builders as well as with two of the top providers of infotainment systems and it never went anywhere,” he told WIRED last month.
The Tweet Heard Round the World
Roberts never heard from the FBI again after that February visit. His recent troubles began after he sent out a Tweet on April 15 while aboard a United Airlines flight from Denver to Chicago. After news broke about a report from the Government Accountability Office revealing that passenger Wi-Fi networks on some Boeing and Airbus planes could allow an attacker to gain access to avionics systems and commandeer a flight, Roberts published a Tweet that said, “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM,? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone?” He punctuated the tweet with a smiley face.
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ?
— Chris Roberts (@Sidragon1) April 15, 2015
Full article: Feds Say That Banned Researcher Commandeered a Plane (Wired)