Last month, I told you about a security researcher who was taken off of a United Airlines flight after tweeting a message about hacking into the aircraft's computer systems. Now the FBI claims that the man, Chris Roberts of One World Labs, did a lot more than just tweet a joke about airline hacking.
According to an FBI search warrant, Roberts told the FBI that he had hacked into in-flight entertainment centers on Boeing 737s, 757s and Airbus A-320 aircraft "15 to 20 times." Now this is where the story gets weird. The document also claims that during one of those flights, Roberts tapped into an airliner's computerized engine control systems, and commanded one engine to "climb."
“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in an application for a judge to grant the search warrant.
Here's a little background. If you've ever been in a row boat or a canoe, you probably know that if you paddle on just one side of the boat, it will turn in the opposite direction that you are paddling. To move the boat straight, you must paddle evenly on both sides. The same is true on a twin-engine aircraft. If one engine produces more power than the other, that unbalanced difference will try to make the airplane turn toward the side with the weaker engine.
So if indeed Roberts was able to trick one of the engines to produce more power as if to climb, the result would be what pilots call a "yaw" as the airplane turns. However, the aircraft's autopilot would normally be programmed to follow a specific path and would presumably counter the change in engine power to maintain the intended direction. In fact, pilots are required to frequently practice flying straight with just one engine to be prepared in case one engine fails.
The FBI's search warrant goes on to explain how agents believe Roberts connected to the plane's computers. Apparently, some aircraft have a connection into the in-flight entertainment system under each row of seats.
After removing the cover to the Seat Electronic Box, or SEB, by “wiggling and Squeezing the box,” Roberts told agents he attached a Cat6 ethernet cable, with a modified connector, to the box and to his laptop and then used default IDs and passwords to gain access to the inflight entertainment system. Once on that network, he was able to gain access to other systems on the planes.
Though these connections are supposed to be securely locked away from passenger access, the FBI says its investigation showed that the connection box under Robert's seat showed signs of tampering.
“The outer cover of the box was open approximately 1/2 inch and one of the retaining screws was not seated and was exposed,” FBI Special Agent Hurley wrote in his warrant application.
However, in an interview with WIRED, Roberts' disputes the FBI's conclusion that he tampered with the box under his seat.
“Those boxes are underneath the seats. How many people shove luggage and all sorts of things under there?,” he said. “I’d be interested if they looked at the boxes under all the other seats and if they looked like they had been tampered. How many of them are broken and cracked or have scuff marks? How many of those do the airlines replace because people shove things under there?”
As a security researcher, Roberts and his company, One World Labs, are often hired by companies to find security flaws before the bad guys do. Over the past few years, even before these latest incidents, Roberts had conversations with both aircraft builders and the FBI about the state of airliner cybersecurity. “We had conversations with two main airplane builders as well as with two of the top providers of infotainment systems and it never went anywhere,” he told WIRED last month.
If this incident gets the attention of aircraft builders and airlines, it could prevent something truly horrific from happening if someone with bad intentions were able to use these same hacking techniques. If that's the case, this could turn out well.
However, if it turns out that Roberts did hack into an actual airliner inflight, while carrying dozens or hundreds of innocent lives, then that really is inexcusable. No matter how well intentioned he may be, 30,000 feet is not the place to be experimenting with computer code when lives are in the balance.
As of now Roberts has not been charged with any crime. USA Today did request comment from the FBI, United Airlines and Roberts' company but as of this writing has not received any response.