Hacker told F.B.I. he made plane fly sideways after cracking entertainment system



(Screen grab from One World Labs founder and prominent hacker Chris Roberts during an appearance on Fox News)

Jorge Barrera
APTN National News
A well-known U.S. hacker told F.B.I. agents he took momentary control of an airplane’s engines mid-flight by hacking into its inflight entertainment system, according to a document filed in U.S. federal court and obtained by APTN National News.

Roberts, who has been interviewed at least three times by the F.B.I. this year, is under investigation for allegedly hacking into the electronic entertainment systems of airplanes, according to an application for a search warrant to probe seized electronic equipment.

The document shows F.B.I. agents investigating Roberts believe he has the ability to do what he claims: take over flight control systems by hacking the inflight entertainment computer.

Roberts has not yet been charged with any crime. The allegations contained in the search warrant application have not been proven in court.

Roberts is the founder of One World Labs and he is widely viewed as an expert on counter threat cyber security.

F.B.I. agents obtained the search warrant on April 17 to probe a number of electronic items seized from Roberts after he arrived in Syracuse, NY, from Chicago on April 15. Roberts had posted a joke tweet earlier in the day while on a United Airlines flight between Denver and Chicago. The tweet referred to hacking into the airplane’s in-flight entertainment and passenger oxygen mask system.

During two interviews with F.B.I. agents in February and March of this year, Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane’s thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant.

“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” said the affidavit, signed by F.B.I. agent Mike Hurley.

Roberts also told the agents he  hacked into airplane networks and was able “to monitor traffic from the cockpit system.”

According to the search warrant application, Roberts said he hacked into the systems by accessing the in-flight entertainment system using his laptop and an Ethernet cable.

Download (PDF, 819KB)

F.B.I. agents let Roberts go after they seized his equipment and questioned him in Syracuse. The agents then tracked the Denver to Chicago airplane Roberts took before connecting to Syracuse. Roberts sat in seat A3 on the Chicago flight.  The airplane was traced to Philadelphia and F.B.I. agents discovered the boxes in seats A2 and A3 showed evidence of tampering, according to the warrant application document.

The document stated the box under A2 was “damaged” with the outer cover “open approximately” half and inch and “one of the retaining screws was not seated and was exposed.”

Roberts was blocked from boarding a United Airlines flight he had booked to fly him out of Syracuse, Wired magazine has reported.

The F.B.I. said it seized Roberts’ electronic equipment in the interest of public safety because they believe he has the ability to take control of airplane systems.

“We believe Roberts had the ability and the willingness to use the equipment then with him to access or attempt to access the (inflight entertainment system) and possibly the flight control systems on any aircraft equipped with an (inflight entertainment system) and it would endanger the public safety to allow him to leave the Syracuse airport that evening with that equipment,” sates the warrant application.

The items seized from Roberts include a black iPad with a “Death Wish Coffee Co.” sticker, a silver MacBook Pro with “multiple” stickers, three hard drives, six thumb drives and two USB cables.

Shortly after the incident with Roberts, Wired reported that the TSA and the F.B.I. issued a bulletin to airlines to be on the lookout for passengers showing signs they may be trying to hack into an airplane’s Wi-Fi or inflight entertainment system. Wired also reported that the U.S. Government Accountability Office issued a report warning that electronic systems on some planes may be vulnerable to hacking.

Roberts told the F.B.I. that he has discovered vulnerabilities in the inflight entertainment systems of Boeing 737-800, 737-900 and 757-200 aircraft along with Airbus A-320s.

Air Canada flies Airbus A-320 aircraft and WestJet flies Boeing 737-800 aircraft, according to the airlines’ websites.

According to Wired, Roberts has been issuing warnings about vulnerabilities in inflight entertainment systems for years.

jbarrera@aptn.ca

@JorgeBarrera

 

Tags: , , , , , , , , , , ,

  • Tedde

    You don’t turn an airplane by using the engines, an engine can’t “climb” and the term is not used together with engines.

    • MJN1957

      If an aircraft engine is not located on the center-line of the aircraft, any change in thrust (e.g., power) that is not accompanied with an matching change in thrust by an engine on the other side of the center-line (e.g., the thrust of both engines increased or decreased in-sync), the aircraft will turn unless other flight controls (the rudder) are utilized to counter the turning force.

      Once an aircraft is trimmed to level flight at a given speed, ANY change in ANY number of flight controls can cause a climb (or a descent, or a turn).

      Increasing engine thrust, which is a form of flight control, will increase the speed of the aircraft, which typically increases lift, which leads to a climb, unless the increased speed/lift is offset by other flight controls (such as the elevator[s]).

      • Andy Branigan

        You’re forgetting the Yaw Damper system. On any modern aircraft it’ll more than compensate for loss or gain of thrust on one engine vs. the other. That’s why McD put an “Engine Out” indicator on their widebodies. The crew might not notice an engine loss on takeoff because the rudder would more than compensate. Even the 777 will climb straight ahead with an engine lost on takeoff. It’s the result of the workload reduction rule that allows for two man cockpits. (okay, two person flight compartments.)

    • Hack Sentinel

      1. Engines can have thrust “modes”, e.g., “climb mode”.

      http://en.wikipedia.org/wiki/Autothrottle

      2. Differential thrust is an awkward way to turn a plane, but can be used to turn. The resulting maneuver could be characterized as flying “sideways” (a little bit).

      http://www.google.com/patents/US6102330
      http://en.wikipedia.org/wiki/Flight_with_disabled_controls#Control_techniques

      Example emergency usage of differential thrust was employed to save many people on UA Flight #232 (note four para, last sentence of this section)…

      http://en.wikipedia.org/wiki/United_Airlines_Flight_232#Chronology_of_the_flight

      • MJN1957

        “Climb Mode” is more about maintaining a given airspeed as the aircraft climbs due to pilot input. Like with any moving object, to move an aircraft further away from the center of the Earth (e.g., ‘climb’) the aircraft has to overcome gravity which will cause the aircraft to slow-down unless power is applied. Auto-throttle ‘climb mode’ just reduces the burden on the pilot(s) by making sure the aircraft maintains a relatively steady speed as it maneuvers, but it is not generally how the aircraft climbs.

        Differential thrust is much like how a ground-pounding tank maneuvers. It stays flat but pivots around the track that is moving slowest – which, coincidentally, is typically the track with the least power applied to it. I THINK the proper term is that it ‘skews’, but it sure does feel like it is flying sideways.

  • Tedde

    However, increasing engine thrust could result in a sideslip – a small lateral movement, but that would not be called “CLB” or climb. Controlling one engine, (depending on if he is sidestepping the FADEC) could result in serious harm to the engine (or not).

  • dravo1

    My worry is someone activating an engine thrust reverser while in flight. Horrific consequences.

    • Andy Branigan

      Unless you’re in a DC-8 the reversers are interlocked to prevent deployment off the ground unless there’s a mechanical failure.

    • Scott Hanson

      This is just another Y2K panic story. It only sounds believable to people that know less about airliners than clueless reporters and editors. These are the same reporters and editors that report the miracle curative powers of coffee, or something else, and then report the opposite next week.

  • john mcginnis

    I think the FBI and FAA are looking at this wrong. I agree Roberts was tampering, just to get that out of the way. The FBI/FAA should be turning their gaze on the airline manufacturers. No aircraft should be that exposed to tampering nor should the entertainment system be on the same information bus as flight controls.

    Rather one should these days look at an aircraft like a typical data center run by Google or Facebook. The same physical, electronic and personnel procedures learned in 20+ years of IT security should be applied to aircraft system information design. And due caution would suggest that every passenger is a potential hacker.

  • cloud_buster

    Obviously the FBI agents had to say they believed he had the ability to do what he says in order to get the authority to seize his equipment, but I don’t think they really know, and I’d wager he can’t — that he’s a deluded crank. Boeing and Airbus can’t comment one way or another, because to issue any public statement, confirmation or denial, would be to make dangerous intelligence public. Even if it is not possible to access the flight control computers through the in-flight entertainment system, confirming that allows potential hackers to stop wasting time on that avenue of penetration — a win for hackers.

  • http://thevailspot.blogspot.com/ Rich Vail

    The real question here is:

    WHY ARE THESE SYSTEMS INTERCONNECTED IN THE 1ST PLACE? There is no reason that the “entertainment” system should be connected to the flight controls at all. This is at the very least aject stupidity…

    • Andy Branigan

      Rich, they aren’t. Relax

  • Andy Branigan

    I’d be very interested in the FDC readouts. There’s no interface between the IFE and FCC’s or the FMC or FMF in any plane I’ve ever heard of. I just love acromyms and abbreviations. They make wannabes sound so knowledgeable, don’t you agree?

  • Robin Munn

    “According to Wired, Roberts has been issuing warnings about vulnerabilities in inflight entertainment systems for years.” (Emphasis mine).

    So after warning them for years, “Hey, someone malicious could take control of an aircraft this way,” he goes ahead and takes control “momentarily”, just to prove it can be done. But because he isn’t malicious and doesn’t want to crash the plane, he stops immediately, and he tries to tell the FBI exactly what the problem is and which plane models are vulnerable.

    What should happen: the FBI and the airlines thank him for pointing out a flaw in the aircraft’s electronic systems, and ask him for all the details on how he did it so that they can work with the airlines to fix the problem. What actually happened: the FBI treats him as a terrorist, siezing his equipment as if it was evidence in a criminal prosecution.

    The FBI’s “shoot the messenger” response here is simply ridiculous.

    • concerndcitizen

      They should be paying this honest person a reward, if it can be shown that he was able to break in (doubtful). If it was my airline, i’d set up a grounded aircraft and have a hackathon with free first class round trip tickets when they find the vulns.

    • Mork Fromork

      If Roberts has been “issuing warnings about vulnerabilities in inflight entertainment systems for years” then one might say he is extremely inafective at what he does. Is it that his earnings are falling on deaf ears or that he doesn’t posess the savvy and the diplomacy to actually “be heard”?

  • Mork Fromork

    First, he is a “script kiddy”. He uses tools downloaded off of the web rather than orchestrating and creating his own tools like real “prominent hackers”. Anyone with these hacker tools and enough time on their hands can do the same thing.
    I’m on the fence about whether he is actually trying to make planes more secure or trying to bring fame and fortune to himself. If it had taken him this many years then he is going about it the wrong way. Do you really have to risk the lives of people on a plane to prove that the plain has a flaw??? That’s just stupid and criminaly negligent. He is not a trained airline pilot. Adding thrust and monkeying around with the plane is a huge risk?

    Second, what is the risk? The risk is that someone will take over the plain and kill lots of people. Guess what, he is going to be the jackass that is accidentally going to do it! Except, he isn’t accidentaly doing it. He is purposely messing with the plains.

    Some will say he is trying to bring awareness. I think he is obsessed with focking with the planes to potentially disastrous outcome so that he can make a name for himself! What he ought to do, from one Brit to another, is spend countless long hours organizing nationwide protests outside airline headquarters and lobbying to get action! Physicaly breaking parts of the plain and then digitally breaking into the planes systems are not the answer; evidenced by the numerous interviews with law enforcement and the many years he has been “trying” to brig attention to these problems with no action whatsoever.

  • Tom Brusehaver

    The IFE and FMS are not connected on the 737, a320 or 757, they are too old. IFE was added after the airframes were certified. There is no reason to hook the flight management system of these aircraft to any IP network. The engine management system talks to the ground over other radios (inmarsat arinc etc). IFE talks to the ground using GOGO Row44 or something else.

    It is unlikely but maybe a newer airframe might have a common network.

    This guy is wishing for attention.

  • AD_Rtr_OS

    For decades, the PTB have discounted warnings about the security vulnerabilities of myriad systems, until those issuing those warnings actually break into something utilizing the exact route that they posted warnings about.
    Then, they end up with a fat consulting contract showing the “experts” how to harden their perimeters.
    This doesn’t seem all that dissimilar.