FBI Alleges Security Researcher Tampered With a Plane's Flight Control Systems
Salo2112 writes with a followup to a story from April in which a security researcher was pulled off a plane by FBI agents seemingly over a tweet referencing a security weakness in one of the plane's systems. At the time, the FBI insisted he had actually tampered with core systems on an earlier flight, and now we have details. The FBI's search warrant application (PDF) alleges that the researcher, Chris Roberts, not only hacked the in-flight entertainment system, but also accessed the Thrust Management Computer and issued a climb command. "He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system." Roberts says the FBI has presented his statements out of their proper context.
Somehow I doubt this actually happened. While I can believe that in theory it might be possible, I just don't see that this guy, a security researcher who from what I understand has a great reputation, would have done this.
More likely the government is trying to save face right now, and since the TSA can't seem to catch any real terrorists, might as well make an example out of someone instead.
have you seen my sig? there are many others like it but none that are the same
No researcher would be so reckless as to actually screw with an airplane's engines mid-flight. The fact that the FBI alleges that he did means that they know damn well they have nothing to go on, but need to paint this guy as a terrorist in order to save themselves looking like idiots for arresting a guy based on a single Twitter message.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
This guy might be a giant dick who tried to crash a plane, and if that's the case we should hold him accountable like any other person who endangers others.
But isn't the real problem here that, if what the FBI describes is true (which I doubt), the FAA allowed -- and is still, today, allowing -- a plane to fly with a passenger entertainment system that can access flight controls? The power train CAN bus in my car has better isolation and security than that.
Of course, if it were possible to take control of a plane like this, the government would immediately ground all those planes until the security flaw could be fixed, right? Funny, haven't heard that they've done that.
Do not under any circumstance EVER talk to law enforcement. It's that simple stupid. I don't care if the cop threatens to tow your car and take your children. STFU. If they have something on you they will do it anyway and if they don't then they're trying to get you to say something for which they can arrest you. Nothing you say will ever help you in a court of law. Law enforcement are TRAINED TO LIE in order to get the responses they're after. "Sir- I'll need to ask you to step out of your car so I can search it". He's not ordering you to step out of your car. He's asking permission to search your car. If you comply he'll testify in court you gave permission for them to search your car. The exact phrasing will never be heard in court as the cop will just summarize it as "I asked for permission to search he responded yes". Had you STFU and only surrendered your name and address and if driving your ID, insurance, and registration you would never have ended up arrested. Yes- cops will "get angry" if you don't "cooperate". They will threaten to arrest you. However these are generally lies to get you to do what they want (allow a search, etc). If you don't "cooperate" they won't actually arrest you 99% of the time because they haven't got anything on you.
As a professional pilot can I say that while I have no insight into what may or may not actually have happened on this flight, the write-up in the article is utter bollocks from a flight dynamics perspective. If the case really rests on such a flimsy explanation of what happened then the FBI need some advice from somebody who knows anything whatsoever about aircraft and flight dynamics.
Am I reading this right? This guy accessed the plane's avionics through the in-flight entertainment system?!? I don't believe it. There's no way that entertainment/wifi/anything-accessible-to-a-passenger could in any way be connected to those critical systems...is there?
I didn't think anyone would ever design the passenger network connected to the control network, but there it is, opens up a can of worms for "missing" flights.
"If any question why we died, Tell them because our fathers lied."
What's your IP?
"If any question why we died, Tell them because our fathers lied."
Any system that connects to the same data network or data ports as the flight control system would be required to be certified at that level. That would make for a very expensive and incredibly boring in flight entertainment system. Fantasy.
The Wired and other headlines at Drudge Report and other places are false. The "Feds" did not say he tampered with anything. They only say that he said that he did. There is no evidence that he did what he said he did.
It's ironic that he had just lost funding for his long-time project to try to prove that flight control systems could be tampered with . . .
C'mon, be nice to the PHP programmer.
Whew, I feel safer already! I'm sure this will prevent anybody from doing anything bad to the flight computer, ever! /sarcasm
...was just looking for a new angle on the Wing Commander franchise.
Did he use Excel to land the aircraft?
ID: the nose did not occur naturally, how would we wear glasses otherwise? (apologies to Voltaire)
It's sad when the FBI makes a statement and I automatically don't believe them.
If he actually did do this, wouldn't the pilot know that something had happened? Maybe it got put down as "turbulence", but I have some doubts here. Also, why would he be so stupid as to experiment on the plane he was sitting in? An "oops" here might be pretty deadly. Then again, there are idiots everywhere...
It's sad when the FBI makes a press release and I automatically don't believe them.
I'm starting to think that Slashdot thinks that people who have no idea what the hell they're doing shouldn't be making airplanes, medical devices, Lexuses, and smart refrigerators.
According to TFA, he didn't accomplish the hack via WiFi. The inflight entertainment screens have a wired connection, and he connected to them by plugging an ethernet cable into that system (supposedly accessible if you take the right cover off the right box under the seat).
I wouldn't have thought that this system is connected to vital systems, but TFA notes that the seat-back satellite phones are connected to this same system, which seems reasonable.
So, maybe it makes sense that everything is connected for historical reasons. When those phones were added, it didn't make sense to isolate them from the rest of the plane's systems -- because they were just phones; what harm could they do? So, maybe the phones just piggybacked off the existing system. When the inflight entertainment stuff was added, maybe they just piggybacked on the phone system, which was itself piggybacking on the important systems. Clearly, if things were designed from scratch, that wouldn't have happened. But I'm sure many /. users are aware what happens when networks evolve more, uh, organically -- especially in penny-pinching corporations.
rilly! sez fbi
Does anyone believe that you can hack the flight control through the shitty onboard entertainment system?
The FBI asks him to describe what he was able to accomplish in his theoretical lab. He does, they cut and paste it into the affidavit leaving out the part that it was in a simulated environment. You should never believe what's in an affidavit, it's designed to get a warrant, or get a DA to prosecute, not to be truthful.
USA Today "FBI: Computer expert briefly made plane fly sideways"
http://www.usatoday.com/story/tech/2015/05/16/chris-roberts-fbi-plane-hack-one-world-labs/27448335/
Seriously... WTF
If his statements are true this is scary!
Should anyone withhold such knowledge from public despite potential personal incrimination?
..."FBI Alleges"
On most passenger aircraft I am familiar with (can't vouch for Airbus aircraft, or some of the newer ones) the only common connection between the various networks on board is the power supply system. Unless the engineers have done something really stupid, the only possibilities I see are:
1. The idgit is lying.
2. The FBI is panicking because they think the idgit is telling the truth.
3. Both.
My avionics experience is a little dated, but I remember EICAS being a "drive the flight data displays" system, and not an "engine control system." Think a tachometer instead of a throttle.
Now, it is possible that he actually did gain read-access to EICAS-like messages, as some of the newer SEBs (2010 and newer?) supposedly compute the "here's where you are" map display based on real-time data instead of a common video signal generated in the entertainment suite. I would assume these newer SEBs get this data via a NMEA-like output stream. But "controlling" the aircraft via this route would be the same level of impossibility as sending command and control signals to a GPS satellite by "transmitting" up the NMEA output connection. Ain't gonna happen.
However, you never know what a "remodeling" company will do to an aircraft's interior. There are some really scary FMO horror stories out there.
He said if he was an attacker he could "access the control computer, ... issue a climb command..." etc. FBI has just taken those quotes out of context to justify its warrant.
In this case he was dumb and was reporting what he thought was a vulnerability to the FBI, and explaining the possible attack scenarios, and the FBI have thought "great! finally we can justify our terrorism budget!" and arrested him.
As to whether there is a cat5e ethernet port that connects to the flight computer under a passenger seat. Why would there be such a thing? The only network there is the inflight entertainment system and those systems have no physical route to the flight controls.
The guy actually said he had never truly tampered with flight control systems EXCEPT in simulator settings. So, no, he never hacked into real planes.
"I decided I could write something better than everything out there in two weeks. And I was right." - Linus Torvalds
Chris Roberts doesn't have the technical skills to pull something like this.
The "Entertainment System" should be completely separate from all other computer and control system.
Department Of Homeland Security Requirement that Control Systems are connected to Entertainment Systems is very Curious in the least!
The "Reason" is obvious.
In order for Department of HomeLand Security to justify its existence is to enable third parties to compromise systems on airborne commercial airliners!
More downed planes and killed passengers aid the Mission of the Department of Homeland Security. Obvious.
The "Security Agent" who did the bidding of the FBI and Department of Homeland Security is just no more than a homeless vagrant doing the bidding of local Police to have some fun and get Congress to give Department of Homeland Security more Billions of US Dollars that it does not deserve.
Ha ha
Also the FBI do NOT permit the audio recording of their interviews EXACTLY so they can lie in court.
http://jonathanturley.org/2013/05/11/why-the-fbi-doesnt-record-interrogations/
"At a time when recording a conversation is as easy as whipping out a cellphone or iPod, the FBI policy on electronic recording of witness interviews is: “agents may not electronically record confessions or interviews, openly or surreptitiously, unless authorized by the SAC or his or her designee.”
Be clear this is just another case of a dumb 'security researcher' thinking he's warning the FBI of a security hole, trying to be helpful, they query him about the sort of scenarios he could do, 'as an attacker'. He stupidly lists the sort of things he thinks he could do, and the FBI man is smiling inside, knowing that he can lie to a jury about the nature of the conversation by selective quoting and get a conviction. That will look nice on his arrest record.
DO NOT TALK TO POLICE EVER.
https://www.youtube.com/watch?v=i8z7NC5sgik
If you want to disclose security vulnerabilities, do it anonymously.
127.0.0.1, come get me!
LEAs are not rational actors. You will get fucked if you assume otherwise. Your hubris can and will be used against you.
The FBI has a track record that makes the Keystone Cops look competent by comparison.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
What if the protection on planes is so bad that a passenger can use the inflight entertainment system to gain virtual access to the controls of the plane?
Suppose you are a security researcher and find this out. What do you do? Tell Boeing! They... do nothing. Tell the airline! They.... do nothing.
It all starts with a belief issue. You hack into the entertainment system, compromise the firewall and see plane-control messages flying around on the network you now have gained access to. This is enough for a sufficiently technical person to be convinced of having gotten too far for comfort. At that point you know you are only one step away from taking control of the airplane.
Tell anybody less technical about it and they will not be convinced that you'd be able to move the plane. For example, with this news today someone already voiced: "he might only THINK he moved the plane" (... while in fact the pilots initiated that maneuver).
So... to prove to the world that there indeed is a dangerous situation, you need to actually make the plane move.
And this is where everybody gets their panties in a knot. Suddenly the guy who reports that the planes are not secure enough is the bad guy and needs to be thrown in jail.
Examples of people reporting security problems and being ignored include: On a Saturday night two men walking their dogs notice that the bank has left a window open. A person can just climb into.. the bank! So Monday morning they walk into the bank, tell them about it, bank says thank you and... nothing happens. Next weekend, window is again left open. So they tell the bank again. And again. After a few times, to prove the point, they decide to climb in, and photograph what access they have once inside the bank. They got into a lot of trouble for that. But since then, the window has been closed.
Personally I have reported security problems in computers without going that extra mile of "making the plane move". In one instance I've reported such a misconfiguration to over 100 system administrators. Two hours later, Saturday afternoon, the first response: "Thanks, fixed". Come Monday morning, one response: "we know, not a security issue, get lost." And all others were "no response". A year later more than 50% of the computers where I reported the configuration error were still vulnerable.
With laws being written in such a way that the "white hats" (*) can be thrown in jail, we create an environment where the white hats are either ignored or thrown in jail. Before you know it, the "white hats" are too afraid to report anything and stop reporting real problems. In that situation, you only find out the problems when a bad guy ends up crashing a plane.
Boeing: invite the guy over to show you the problem. Once that hole has been closed, invite him over, pay his hotel and meals for a week while he hacks at a "fixed" plane on the ground at your facilities. Credit him for making aviation safer.
(Do this, before someone makes it stick that: "Boeing created this system with such bad security that it put passengers at risk.").
(*) the researchers that report the problems they find without causing real harm.
Yup, shut up. Nothing good can come from talking. I'm amazed to see how many prosecutions happen where if the person had just shut up they would have had no evidence.
It's not even possible in theory. There are several reasons for that.
1. The routing of data is hardcoded into the switches and cannot be changed without physically accessing the switch. The routing table not only determines which devices may talk to which devices, but also the direction of the data flow. This means that a monitor device cannot talk to an engine because the monitor is configured only to receive data.
2. But even if they managed to get the monitor device to send data, the switch would recognize this as a device malfunction (because it's not allowed to send) and disable the port it's sending on. This is not due to security against hacking but more due to "a malfunctioning device should not be able to DOS the plane's network".
3. There are actually two networks, sending identical data for redundancy. Now guess what happens if one of the networks sends different data than the other? Right: The offending port / device gets shut down.
4. The network protocol is a modified UDP protocol (no need for TCP) which makes the network deterministic - data delivery is guaranteed within a certain timeframe. Which means, again, that you need specialized hardware to even talk to the network.
5. And even if you managed to take down both switches, there'd still be a manual override in the cockpit which allowed the pilot to steer the plane without the network.
In essence, you need pretty hefty physical access to modify the plane's flight mechanics. Something you will not achieve while the plane is in the air and even very unlikely while the plane is on the ground.
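A toy model of the switch behaviour that points 1 to 3 of the comment above describe, added here as an illustration and not taken from the commenter or from any avionics product. The port names, payloads and class names are hypothetical, and the rules modelled are only those the comment states: a fixed directional allow-list, a port that is shut down when it transmits without permission, and two redundant networks whose frames must agree.

```python
from dataclasses import dataclass, field

# Hypothetical static routing table: directional (sender, receiver) pairs.
# In the comment's description this is fixed in the switch and not
# changeable at run time, so it is modelled as an immutable frozenset.
STATIC_ROUTES = frozenset({
    ("flight_computer", "engine"),
    ("engine", "cabin_display"),  # the display only ever receives
})


@dataclass
class Switch:
    routes: frozenset = STATIC_ROUTES
    disabled: set = field(default_factory=set)

    def forward(self, src, dst, payload):
        """Return (dst, payload) when delivered, None when dropped."""
        if src in self.disabled:
            return None
        if (src, dst) not in self.routes:
            # Point 2: an unauthorised transmit is treated as a device
            # fault and the sending port is shut down (fail closed).
            self.disabled.add(src)
            return None
        return (dst, payload)


@dataclass
class RedundantNetwork:
    a: Switch = field(default_factory=Switch)
    b: Switch = field(default_factory=Switch)

    def send(self, src, dst, payload_a, payload_b=None):
        """Send on both networks; deliver only if both copies agree."""
        if payload_b is None:
            payload_b = payload_a
        out_a = self.a.forward(src, dst, payload_a)
        out_b = self.b.forward(src, dst, payload_b)
        if out_a != out_b:
            # Point 3: the two networks disagree, so the offending
            # sender is shut down on both of them.
            self.a.disabled.add(src)
            self.b.disabled.add(src)
            return None
        return out_a


def demo():
    """Run constructed sample traffic and return each outcome."""
    net = RedundantNetwork()
    r = {}
    r["legit"] = net.send("flight_computer", "engine", b"thrust=82")
    r["display_tx"] = net.send("cabin_display", "engine", b"thrust=100")
    r["display_disabled"] = ("cabin_display" in net.a.disabled
                             and "cabin_display" in net.b.disabled)
    r["mismatch"] = net.send("engine", "cabin_display", b"n1=80", b"n1=99")
    r["after_mismatch"] = net.send("engine", "cabin_display", b"n1=80")
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```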
we always referred to it as a "short circuit between the headphones".
Remember "News for Nerds, Stuff that Matters"? Help make it a reality again! http://soylentnews.org
So the FBI is going after a guy for doing bad things to planes because the flight control system is on the same wireless network as the email and pay per view movies. WHY THE F**K ARE THESE UNSECURED REMOTE CONTROLLABLE TERRORIST BOMBS ALLOWED TO FLY? They should be grounded immediately and not allowed to enter US airspace until they can be proven to have secured their flight controls from anyone outside of the cockpit. Perhaps we should loudly petition the FAA to ground these dangerously unsecured hostage filled terrorist missiles before the stereotypical ISIS computer genius bad guy figures out how to use social media to hack into the inner workings of these potentially lethal death drones and crash them into high profile targets while posting the play by play to Twitter and Facebook.
Of course what will really happen here is that one security expert will be "prosecuted" until he "suicides," while a "Protect Americans While Flying Freedom Act" rushes through congress requiring the TSA to arrest anyone caught with an "Airplane Electronic Control Device" and that those villains shall be sentenced to 500 years in a super max isolation cell, ban all electronic devices from airports and aircraft unless stored without the battery in the stowed luggage where the ever vigilant TSA security mavens can recoup any additional expenses by "securing" those "potentially lethal" iPhones sorry -"Airplane Electronic Control Devices" in the "to be sold on eBay box", but if you agree to a brief background check and a generous donation to the TSA's Frequently Searched Club, you can bypass the whole process and you get a spiffy medallion to wear on your I "Heart" TSA sweat shirt (comes in five colors and in Men's M, L XL, XXL, XXXL, XXXXL, and women's XXS).
Creative Spelling Copyright (2002). May use without Persimmons
First, where is the report the pilot made of a malfunctioning control system, and where are all the passengers that can confirm the sudden yaw?
I don't know if anyone else does.
"Chris Roberts, not only hacked the in-flight entertainment system, but also accessed the Thrust Management Computer and issued a climb command."
Have they considered not connecting the Thrust Management Computer to the In-Flight Entertainment System ?
How the hell are you supposed to fix it?
I remember this same sort of thing about a Boston college student who showed the transit authorities their card system was broken. They called him a hacker and wanted to prosecute him, for showing them their system was broken.
Please genius public official, shoot the messenger!
So when his program crashes the plane literally crashes. :(
Why isn't this security researcher already in jail?
The day after the "shoe bomber" tried to down a plane, we were all removing our shoes at the airport.
If it was actually possible to control critical plane functions via an ethernet jack under the seat, all electronic devices would be prohibited on board until further notice.
You can still get on board with a laptop and ethernet cable, so we know it's not actually possible to do what the guy and FBI seem to be claiming.
The real story is why the US Treasury Department wired a 1 Billion cash transfer to a Swiss Bank account owned by the US Government, which then wired the transfer to the CEO of Boing. A few seconds after the transfer from the Swiss Account cleared, another transfer of 100 million dollars cash from the Boing CEO's bank account occurred and was directed to a bank account owned by Janet Napolitano the Director of Homeland Security at the time.
Why does DHS and TSA demand that Boing ensure that the "entertainment system" on the planes is hackable and connected to flight control systems?
What did Janet Napolitano do for CEO of Boing to give her 100 million dollars from the 1 Billion dollars from the US Treasury?
How many African sex slaves does the CEO of Boing keep in his "summer villas" around the world?
How many African sex slaves does Janet Napolitano keep in her home in California?
Haha, sucker! I just hacked the router at 127.0.0.1 & am flashing the firmware with a custom ROM that I wrote just for you - enjoy never accessing the internet again!
...carrier lost
Ever heard of a guy named Kevin Mitnick? That guy was locked in solitary confinement for years for fear that he would launch nuclear missiles from a prison payphone if released into the general population at the prison complex he was being housed in. This level of ignorance the FBI is showing is nothing new.
Mod parent up for clever sarcasm I think!?