FBI Accuses Researcher of Hacking Plane, Seizes Equipment
chicksdaddy writes: The Feds are listening, and they really can't take a joke. That's the apparent moral of security researcher Chris Roberts' legal odyssey on Wednesday, which saw him escorted off a plane in Syracuse by two FBI agents and questioned for four hours over a humorous tweet Roberts posted about his ability to hack into the cabin control systems of the Boeing 737 he was flying. Roberts (aka @sidragon1) joked that he could "start playing with EICAS messages," a reference to the Engine Indicating and Crew Alerting System.
Roberts was traveling to Syracuse to give a presentation. He said local law enforcement and FBI agents boarded the plane on the tarmac and escorted him off. He was questioned for four hours, with officers alleging they had evidence he had tampered with in-flight systems on an earlier leg of his flight from Colorado to Chicago. Roberts said the agents questioned him about his tweet and whether he tampered with the systems on the United flight - something he denies doing. Roberts had been approached earlier by the Denver office of the FBI, which warned him away from further research on airplanes. The FBI was also looking to approach airplane makers Boeing and Airbus and wanted him to rebuild a virtualized environment he built to test airplane vulnerabilities to verify what he was saying.
Roberts refused, and the FBI seized his encrypted laptop and storage devices and has yet to return them, he said. The agents said they wished to do a forensic analysis of his laptop. Roberts said he declined to provide that information and requested a warrant to search his equipment. As of Friday, Roberts said he has not received a warrant.
To anyone who has a shred of fear of flying, the game of "screwing with the pilots for laughs" is not fucking funny.
FTA, "Roberts said he had met with the Denver office of the FBI two months ago and was asked to back off from his research on avionics – a request he said he agreed to."
So he's scaring people and breaking/threatening-to-break his word, and they're being dicks to him. This may not be statutory justice, but it's poetic.
On the irrelevant issue of his research turning up vulnerabilities and the manufacturer's response being "shhhhhh, maybe no one will notice," I'd be completely on his side if he wanted to go on TV and talk about it with the world. I would contribute to his legal defense fund if he was in this for the good fight.
But if his frustration with Boeing and Airbus is going to drive him to be a fear-mongering troll, then any inconvenience caused him by the FBI seems utterly fair.
No local cover here in any of the Syracuse media. Any other time if something happens at the airport, that passes for front page news.
“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”
Looks like he threatened to turn on the Passenger Oxygen Light (as someone with the skill and tools to do it that's not an idle threat). Nothing that would cause a mass panic on a plane or anything like that. I mean you post a public comment like that I would be far more surprised if the FBI didn't forcibly remove you from the plane. The article itself seems very biased as well.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
So when I first read about this I thought who thought in flight WiFi should be piggy backed into avionics. Then I read a guy was actually removed from the flight and now accused of hacking into the avionics. If the FBI has any proof of this occurring, this guy is in big trouble. No matter if he was just trying to prove a security hole or not and had no malice in mind. He still risks being titled committing a serious offense tampering with aircraft avionics. This might have skirted mainstream media, but the FBI probably doesn't care.
At the same time, wouldn't this be a nice opportunity to fix exploits? You have someone willing to show how terrible your security is right there..
do we call assholes "researchers"? This guy is nothing but a grandstanding asshole. You don't make comments like that and you don't do the FUD slinging that he does after getting denied.
Researchers do real work and publish their findings for peer review, not act like a street cred seeking HAx0r trolling for Lulz.
Do not look at laser with remaining good eye.
How the living fuck is something like what this guy is talking about even plausible? Why don't planes have extremely strong security that would make something like this essentially impossible, even for experts in the field?
I have as much sympathy for someone who messes with the FBI as I have for someone who messes with a pack of pit bulls. Yes, the pit bulls shouldn't eat people but....
Some things need to be said...
This guy is showing ignorance of the law. He gave them a reason to believe he did something wrong, and then wants a warrant? First, the warrant will be rubberstamped based upon his comments, but second, they don't need a warrant once that is established.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
He did *NOT* screw with the pilots. He jokes about hacking the aircraft system to his followers who are smart enough to know a joke.
If being nice means not investigating security holes, then yes, he needs to be a dick, at least in some people's eyes. Imagine if the QA in a software company didn't dig too hard for bugs because it upset the programmers?
It's not illegal to be a dick and often quite necessary. He should not have to watch his words for fear some moron FBI agent might be reading.
“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”
His mistake is obvious. He used a smiley face instead of a winky face.
systemd is Roko's Basilisk.
Roberts has been demonstrating vulnerabilities in the avionics systems used on modern airplanes for the past five years, warning that modern planes have converged critical systems and non-critical systems such as in-flight entertainment and wi-fi in ways that create serious security and safety risks.
He isn’t alone. Ruben Santamarta, a Principal Security Consultant for the firm IOActive, demonstrated at the 2014 Black Hat Briefings how satellite based communications devices (SatCom) used to provide Internet access to planes in flight could be used to gain access to cockpit based avionics equipment. Brad “RenderMan” Haines has also demonstrated methods for moving from in-flight entertainment systems to critical control systems aboard planes.
If plane manufacturers are putting in-flight entertainment systems on the same network that a plane's control systems are on, then Roberts is doing the public a great service by exposing this horrible security debacle.
This is how U.S gov, its agencies, and Americans in general, assert themselves and try to make themselves and everything they do seem utterly important - by blowing up every little thing as much as possible.
Stupid government method. Hide head in sand...
If there's a hole in planes' systems, it must be found, reported and fixed ASAP. I'm sure train companies will thank the government after a few planes have been dropped by terrorists by means of hacking...
> HE claimed he was able to hack the plane. That would be a potentially very serious public safety issue. It is only right that they question him and search his equipment to see if that is true.
I hereby claim that I have hands, therefore I am able to stab someone. Should I be detained and my property seized because I am ABLE to commit a crime? 50/50 chance you have the skills and equipment to be a hooker. Therefore you should be treated as a hooker?
Knowing quite a bit about crew management, if this clown would have messed with the system as he pondered he could have crashed the plane. FBI for once were right to remove this clown from the plane. I can only imagine how an overworked crew would have responded if they were alerted to Oxygen systems being enabled; chances are they would have begun to exchange messages with control to descend with the suspicion of insipid cabin decompression. Combine that with nerves getting rattled and you could easily ignite piloting errors that cascade into a disaster. A 737 and older non-fly by wire designs are not the best planes to troll the crew on; it could be very costly. In any case, if he were a real researcher he would have disclosed it to the manufacturer with a SOLUTION; and then disclosed non-specifics to the AIRLINE flying community. He could have even marketed the solution to companies and entered into entrepreneurship WHILE helping us increase safety (in which he would have well deserved riches). But, in the end I guess Lulz are worth more to him. Toss him in the brig for a little while.
Maybe they should be hiring him to help consult on how to secure the systems instead of trying to intimidate him and silence the truth?
FBI warned him to stay away from research on airplanes and to rebuild virtual lab & demonstrate discovered vulnerabilities at the same time?
Police don't find humor in life threatening situations.
Maybe they should be hiring him to help consult on how to secure the systems instead of trying to intimidate him and silence the truth?
The 1970s called, they want their common sense back.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
of what Bruce Schneier would call "security theater".
How much closer to being in a prison do we need to be before we figure out we're in prison?
What kind of idiot would do any kind of testing on a system on which people's lives depended in f'ing production? Calling this guy a researcher is a stretch.
Putting a smiley face after shouting fire in a crowded theater doesn't excuse the behavior, the same as the following tweets wouldn't be excused by Mr. Roberts:
Shall we burn Chris Roberts' house down while he's away at convention? :) :)
Shall we abduct Chris Roberts' mother and stick a 16 inch dildo up her anus?
The tweet didn't suggest he was threatening to do anything. Posing a question is not the same thing as a threat. You can post a question for any number of reasons and in this case it was obvious what the reason was. He posed the question of should he do something horrifically dangerous. He never implied in the tweet he intended to do so. Anybody who understands English should realize (that isn't a prude or has some other prerogative) the guy was making a point and not making a threat. Being able to do something and actually doing it are two different things. If you can't distinguish between the two you have no business being in the law enforcement arena. He clearly was making a point that there were dangers not being addressed and that there are people capable (ie him) of doing bad stuff (not that he has suggested he would, and nothing has indicated he was psychologically unsound, so thus clearly not even a danger).
This guy who fancies himself an "aviation hacking expert" goes around the country giving lectures on all sorts of things he sees as "risks" in all sorts of things just got himself in trouble by saying stupid things at the wrong time. It's like a security expert who gave talks about preventing Hijacking was talking about his presentation as he goes through the TSA checkpoint or with the flight attendant. Somebody took exception to the topic being discussed because of the context (he was actually ON an airplane at the time) and in the abundance of caution he was detained and questioned. I'll bet he never attempted any hacking, much less validated any of his perceived risks, most likely he made some inane statement like "I could hack into this plane and cause .... to happen" which got the attention of the flight crew who called the FBI who stops him as he gets off the plane.
But NOW this guy has a PR angle to play. And why not? Here is some self proclaimed "expert hacker" who has even been questioned by the FBI about possible hacking attempts and had his electronic devices taken in the process while he was on his way to give a talk on the very subject. Play that up, get more speaking gigs by playing up your qualifications.
This guy has nearly zero credibility with me. He's never really tested any of his theories on real equipment, doesn't work for anybody who would have access to the actual design specifications. Never worked for Boeing, Airbus or any avionics manufacturer. Has never demonstrated any successful attack and to my knowledge hasn't even attempted to hack anything. About all he has are a series of power point presentations that outline a lot of perceived risks he's come up with, but never verified, yet now he's the subject of international news? I sure hope he wasn't stupid enough to actually have tried his theories out on an actual commercial flight because the FBI is going to make an example of him if he did.
This guy's angle is all about milking the PR now. He's hit the short term jackpot and will be the featured speaker at "aviation security" conferences and I hope he makes some money. He's going to need it to pay the lawyers. However, IMHO, he's a nut job with power point skills and very little actual knowledge. He's just some lucky nut with a big mouth who fancies himself an expert on some issue that happens to be the news story of the day.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
....is a royal fucktard...
i would cheer him on.
I recently discovered that my old arcnet card has a vulnerability that allows me to hack the planet Mars. I plan on crashing it into the planet Vulcan. (Damn those pointy eared freaks).
I also plan on hacking the Atlantic Ocean and renaming it to the Great Eastern Ocean. This hack is so powerful that even paper maps will spontaneously change to reflect the update.
1. His laptop. (It may be returned in 20 years after a lengthy legal process involving hundreds of thousands of dollars.)
2. The ability to ever fly aboard an aircraft ever again without major interference from the TSA. His name has promptly been placed on watchlists.
3. The ability to pass between national borders without being hassled. His name will be on the appropriate lists and he will be treated like an ISIS commander at every checkpoint he ever finds himself passing through.
4. The illusion that the federal government feels a need to follow any law.
This is how I imagined it went down:
Him: "You need a warrant to search my laptop"
Government goon: "No, we don't. However since it would otherwise bring about negative PR, we have sent a notice to our favorite judge with the appropriate verbiage we'd like on the document and it will arrive in a day or two. Meanwhile we will search your laptop, your personal belongings, your home and your entire internet presence. We'll go ahead and place your entire family and circle of friends on the 'high threat' list in our domestic surveillance programs. I can have charges drawn up against you for everything from traffic tickets to pedophilia if you don't give me your laptop's whole disk encryption password."
Does this mean Star Citizen is delayed even further?
Up front, let me say this guy does have a point. Avionics systems were never designed to be secure, since the technology for unauthorized users to access them didn't exist when they were developed. If you're an Airbus designer building the A320's core messaging bus back in the late 80s, do you assume people are going to have wireless network access and phones with the power of laptops in their pockets? Of course, you do now...but not back in the 80s. And once an aircraft system gets certified, changing it is an extremely drawn out process, hence the inertia. If you want another example, look at magstripe credit cards -- another system where, when it was invented, magnetic readers/encoders were "magical devices" that only huge companies could afford, so therefore there was no encryption.
Now, that said, there are way better methods for getting the word out on stuff like this. I'm assuming he already went to the vendors on this, but if he acted anything like what he displayed here, they may have just ignored him as a crackpot. If the guy doesn't have a lot of emotional intelligence, it can significantly impact his credibility in the eyes of the "normal" population. That seems to be a problem with a lot of the security types -- they're obviously very intelligent and spend vast amounts of time digging around in the internals of the systems they're hacking. When it comes time to communicate this knowledge to others, they can do so in ways that might get them lumped into the "nerd living in Mom's basement" camp, deserved or not. Threatening to demonstrate your latest find in a live environment would certainly not be my first choice. Imagine if he had turned on the passenger oxygen warning -- air crews don't go back and check whether a warning like that is legit or not. Pilots follow checklists, and I would imagine the first thing they do is descend very quickly to a safe altitude just in case the cabin actually did depressurize!!
"I mean you post a public comment like that I would be far more surprised if the FBI didn't forcibly remove you from the plane."
So now we've become accustomed to the fact that the FBI is listening to everything we say.
Here we go again. Instead of offering him a job to help the airline industry make planes safer they tell him to stop his research? Wow! Way to Go!
The someone saying that the "expert hacker" has "zero credibility with me" and "He's never really tested any of his theories on real equipment" gives me the creepy crawlies. How the hell would he know what the "expert hacker" has done and has not? What are you some kind of FBI spin doctor? PR is right! How about we make passengers board planes gagged and handcuffed? Would that work for you? Forums and anywhere comments can be posted and seen are perfect for the FBI to run a PR war and they are damn good at it.
Syracuse is, as the crow flies, within 100 miles of the Canadian border. His equipment belongs to the US government now.
This is the exact equivalent of a bomb joke when on a plane. This guy is an idiot. Did he think his tweets were private?
....are "allowed" to cyberjack any Boeing (or other commercial airliner) jet!
Syracuse? What were the FBI doing in Sicily?
Some people are just arrogant pricks.
Disallow in flight Wi-Fi. Problem solved.
We've flown for years without it, never had an issue. Try reading or something. . . . it works. . lol
You know the companies aren't going to disclose any security vulnerabilities since it would cost them to ground the planes. Many times you'll get ignored when trying to bring an important issue to light. This is because Profit > Safety. Only when Fines / Lawsuits > Profit do recalls happen and problems get fixed.
If you can't get the owners of the Airlines to fix their problem, a better way to make it happen is to get folks with more authority involved. Hence: The FBI.
NOW, the issue will get the microscope and spotlight treatment. NOW, if a vulnerability does exist, the Airlines WILL get it fixed or their planes will get grounded for them. Maybe they'll actually start taking folks seriously from now on. . . . but I doubt it.
It looks like this researcher was trying to hold two CORPORATIONS accountable in a country where CORPORATIONS ARE PEOPLE my friend...
Silly researcher... :-)
...is because there is a century of the best engineering behind them, with levels of failure and fault identification and mitigation that most people would find obsessive and arcane. Throw in a Swiss cheese like WiFi access and you have a serious disruption and a non-trivial influence that I for one, as an engineer designing aircraft safety systems, do not particularly want to see. It's nice that I can read my Kindle during take-off. That's enough.
"Our opponent is an alien starship packed with atomic bombs," I said. "we have a protractor"
I'm confused. He didn't yell fire in a theatre.
If he did, would they take his lighter/matches away?
I think the FBI is wrong. I'd much rather have someone working to hack these systems in the open than someone doing it in secret and testing it out on a real aircraft.
That's just me.
We need to repeal all the anti-thought laws.
For the good and simple reason that you've redefined "hacker" to mean "bogeyman", and those are dicks. Then again, so are you.
if he is right, air safety demands that the airlines and feds should want to know.
I think they should put him on a plane on the ground and ask him to drop the o2 masks.
He should have a lawyer make sure that it is an approved white hat act.
If the feds want to throw a carrot, they can offer to not go after him for any attempted inflight hacking in exchange for the public service.
That should give him sufficient incentive to do it if he can.
This, likely with an nda, should be the state's first desired outcome in this.
If he can, planes should not have any more wifi until it is sorted out.
If he can't, that's good too.
Either way, the case against him for doing something dumb on a real flight should not change.
That's about crying fire in a theater, not about setting a fire.
Same case if he can or can't.
"officers alleging they had evidence he had tampered with in-flight systems on an earlier leg of his flight from Colorado to Chicago"
This I think is much more interesting than the tweet. (And not just because practically everything is more interesting than a tweet (including literal tweets from birds).)
Joking about tampering with an aircraft should not be taken lightly, though I'm leaning a bit to calling the FBI's response an over-reaction.
But *evidence* of an earlier crime is something else.
Unless the FBI just made that part up....
This guy is most likely a fraud. Why else would he refuse the opportunity to work with Boeing to fix a problem that he claims to be able to exploit but has never actually been done before?
Looking at his twitter profile and his "resume" on the company website... He has never done an-y-thing but gather credentials and bitch. There is nothing the least bit interesting that he has actually done. Certainly nothing to warrant all the attention he gets himself. Just a loudmouth with no skillz.
My career has landed me in the security industry for the last 5 years and I've noticed it is chock full of gas bags like this dude. They grab some encryption packages that someone else wrote, get some certifications, and suddenly they are an expert. And they get paid very well to bullshit their way around the country. Meanwhile the real experts keep their mouths shut, find problems, and hopefully help fix them.
We baited the hook, showed the worm to the fish, and casted and casted and casted. We kept putting the hook with the worm in front of the fish and he wouldn't bite. We asked him to jump into the net for us, and he refused. We asked him to create incriminating evidence so that we could seize what he had created at our request, and he wouldn't do that either. It's like 'Here, take this packet of drugs, put them in your pocket so we can catch you with drugs in your pocket!' and dammit, he just kept saying no. So then we had to shoot him. If the FBI is concerned about the vulnerability of aircraft in-flight systems, then they should (collectively) study, take a course, read a book, get some smarts, and then find any vulnerability for themselves. It always amazes me how stupid people with guns want smart people to do their bidding for them. If you think he is smart, hire him. As for "he had a laptop, so..." is rubbish. You can't interfere with a flight control system with a laptop. You need a medium to connect the laptop to the flight control system. If the laptop is connected to a radio system, then perhaps, but aircraft radio systems don't connect to the flight control system. Radios are used for radios. If you think the electrical part of the flight control system is misbehaving, you can disable it (in the cockpit) and fly by the air/hydraulic system (aircraft manufacturers are *REAL* pedantic about making sure that one seat in the cockpit is all electric, and the other is all hydraulic/pneumatic, and the systems are as isolated as completely as possible). It's intentionally redundant so that if one side craps out, the other side is still good to keep going. Now there is also the 'fear and too much tv' side of things.
Cops and suits who are short on smarts and see too much TV don't know any of that, and once the fear-monster boogeyman takes over, they shoot and shoot and shoot, and then learn a little tiny bit, (and sometimes justify their shooting by knowing the tiniest bit), then have more knowledge shoved onto them (knowledge they refuse to admit or acknowledge because they have already shot), and then realize that they were idiots for shooting. Too late.
See subject: Well, @ least WE are FINALLY having great weather here, eh?
* :)
(Didn't know of any other /.'ers from here, so, you're apparently the 1st I ever met...)
APK
P.S.=> I saw you have some experience w/ Delphi too via your post history, so hey: YOU can't be "all that bad", & being a fellow 'Syracusan' too? You're fine by me... apk
Not quite the same. He tweeted in a language completely unintelligible to regular twitter followers, understandable only to friends that already knew him and his gripes about certain alleged vulnerabilities. To make it comparable, he would have to announce it to his fellow passengers and to the crew, in a language that they would understand.
But he was mistaken because there were followers that were not his intended audience, and who knew just enough of the lingo to go and ask him questions.
There is no substitute for common sense. Especially, no body of rules will do.
If this guy did know anything about airplane systems, he would know that the 737-800 does not have EICAS. All the other current Boeing commercial aircraft do, but the 737 does not.
It's pretty damn funny running through an airport terminal yelling "bomb" too. Maybe he should try that next time... for science.
Roberts breached the 'Yelling "Fire!" in a crowded theatre test'. Only in his case it was a plane instead of a theatre
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
They are counting international airports as "the border" now, for purposes of this law. Pretty much anywhere in the US with a population over 40K is within 100 mi of an "international border", under this interpretation. So, the police can seize your belongings, and search your house, vehicle, person, etc. with impunity unless you live in the middle of BF Montana.
You have no rights. If folks started protesting in large numbers, it would become immediately clear when the police start using the 10s of thousands of bayonets* for crowd control that they acquired from the military along with all those tanks and other heavy combat gear.
* google it. NPR (among others) reported US police depts. getting 10s of thousands of bayonets.
Wonder what he used.