Bringing down a plane carrying hundreds of passengers doesn’t require a suicidal pilot, a missile or a terrorist bomb. Apparently, a guy with a computer may be able to pull it off by hacking into the airliner’s entertainment system. This has scary implications not just for air travel but for the entire Internet of Everything concept, as well as for society’s attitude to hackers who track down such vulnerabilities.
The amazing case of Chris Roberts, a cybersecurity expert with One World Labs, is laid out in a search warrant application by the FBI, which seeks permission to seize his MacBook Pro “w/multiple stickers,” his iPad and a number of external storage devices. Here’s what he told the FBI he once did on a flight:
“After removing the cover of the Seat Electronic Box that was installed under the passenger seat in front of his seat, he would use a Cat6 ethernet cable with a modified connector to connect his laptop computer to the in-flight entertainment system while in flight. He then connected to other systems on the airplane network after he exploited/gained access to, or ‘hacked’ the IFE system. He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he thereby caused one of the airpline engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”
Roberts liked to post tweets about hacking planes, which is why the FBI took an interest in his research. The bureau warned him in February that his actions were illegal, but Roberts was so hooked he couldn’t stop.
He’s been covering his run-in with the authorities, too, so we know the search warrant produced results: “Also found my attack tools, 0-Days and other toys, so only thing back I’d like (if @FBIDenver is listening) are the photos of my daughter …”
Recently, however, Roberts has been told — presumably by lawyers and agents on his case — to keep his mouth shut about the details: “Over last 5 years my only interest has been to improve aircraft security … given the current situation I’ve been advised against saying much.”
So I guess I won’t be able to figure out how to “compromise/exploit or ‘hack’ ” the next flight I’m on and make it go sideways. That doesn’t mean, however, that somebody else won’t. Roberts is a benign hacker who is just a little too fond of playing with his “toys.” He wasn’t afraid of getting caught because his ultimate goal wasn’t glory (he has fewer than 7,000 Twitter followers) but to prove to airlines they don’t take network security seriously enough. Next time, however, someone with far more evil intent could exploit the same vulnerabilities.
Even if Roberts actually made a plane fly sideways — an incredibly foolhardy thing to do, and probably a crime (he claims his words to the FBI were taken out of context), it’s in the interests of authorities and aircraft builders to find out what he knows, and maybe even let him continue his experiments. I’d be surprised if the manufacturers aren’t already thinking about removing those electronic boxes under the seats or shutting off in-flight entertainment systems until they can be secured. And there’s almost certainly another vulnerability no one has found yet. Eventually, someone will.
Various half-measures have been suggested, such as a “full disclosure policy” for security researchers that would require them to pass on all discovered vulnerabilities in the software they’ve hacked (and expect a response within five days). That won’t solve the problem, if only because some of the people looking for security flaws aren’t researchers. Hacking is a business, and there’s a market for vulnerabilities, though I shudder to think who the buyers might be for the aeronautical variety.
We need to think hard about the benefits of a fully connected world. The Internet of Everything is a $19 trillion opportunity with major implications for future economic growth.
In some cases, as in equipping factories and warehouses with networked devices, the efficiency improvements may outweigh the security risks and justify serious investment in combating them. But there are areas — such as energy grids, traffic management systems and defense — where the risks of over-reliance on networked devices may well be too grave because a single breach can do irreparable damage.
Then there are applications that are simply unnecessary because the benefit they provide is disproportionately small compared with the dangers. These include connected teddy bears that, if hacked, can be used to monitor your home, as well as Internet-capable faucets that can be turned on remotely, causing flooding in your home. In-flight connectivity and entertainment fall into this category. Anyone can watch a video on a phone, tablet or laptop, so why should airplane makers endanger passengers by providing that service?
The Internet of Everything imposes important choices on consumers and, ultimately, on regulators. It’s time for legislators, tech companies and cybersecurity professionals to begin figuring which applications of network technology are acceptable.
Input from companies such as One World Labs should be part of that discussion. It certainly isn’t their fault that vulnerabilities exist, and it shouldn’t be held against researchers that they sometimes fail to announce their findings in the most tactful way. Roberts’ scrutiny by the FBI and the withdrawal of funding from his company by investors aren’t the right responses: They discourage further disclosures that could ultimately save lives.