MIAMI — It happens every year: conveniently prior to a major information security conference, a researcher claims to be able to hack a plane and the general media demonstrates its negligence in covering aviation. (Headline: “FBI: Computer expert briefly made plane fly sideways”.) This year, it was the turn of network researcher Chris Roberts, who claimed he was able to access a variety of systems by connecting a Cat 6 Ethernet cable to inflight entertainment seat electronic boxes (SEB) from both Thales and Panasonic Avionics on board United Airlines Boeing 737 and Airbus A320 aircraft.
According to an FBI warrant, which was used to confiscate a variety of devices and drives from Roberts, he claimed to have “exploited vulnerabilities with IFE systems on aircraft while in flight. He last exploited an IFE system during the middle of 2014. Each of the compromises occurred on airplanes equipped with IFE systems with video monitors installed in the passenger seatbacks”, and “to exploit/gain access to, or ‘hack’ the IFE system after he would get physical access to the IFE system through the Seat Electronic Box (SEB) installed under the passenger seat on airplanes. He said he was able to remove the cover for the SEB under the seat in front of him by wiggling and squeezing the box”.
Continues the FBI, paraphrasing Roberts’ claims, “After removing the cover to the SEB that was installed under the passenger seat in front of his seat, he would use a Cat6 ethernet cable with a modified connector to connect his laptop computer to the IFE system while in flight. He then connected to other systems on the airplane network after he exploited/gained access to, or ‘hacked’ the IFE system. He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”
On two separate occasions in February 2015, “Special Agents with the FBI in Denver advised Chris Roberts that accessing airplane networks without authorization is a violation of federal statute, and that Roberts may be prosecuted for obtaining access to airplane networks or scanning airplane networks. Chris Roberts advised that he understood he would not access airplane networks.”
Shortly after, the FBI obtained a warrant and confiscated a laptop, iPad, hard drives and thumb drives from Roberts. United banned Roberts from its aircraft, but a month later the airline issued a bug bounty program for its websites and apps — though, notably, the “bugs that are not eligible for submission” category includes “bugs on onboard Wi-Fi, entertainment systems or avionics”. Testing on aircraft or aircraft systems will lead to “permanent disqualification from the bug bounty program and possible criminal and/or legal investigation,” United states.
It’s good to see an airline taking a public interest in tech-industry-style penetration testing by the security research community, but United is only offering frequent flyer miles for bugs — not actual money. As the top comment on the Y Combinator Hacker News forum story covering the piece says, “paid in United miles? Not really an incentive there.”
For the top bugs involving remote code execution, United is offering a million miles, while Google offers US$20,000 for bugs affecting its top products. Facebook has no maximum limit, but paid out $1.3m to 321 researchers worldwide last year, with the top five bug reporters receiving a total of $256,750. (Yes, it would probably be possible to get more than $20,000 of value from a million United miles for a knowledgeable miles-and-points hunter or a points booking service, mainly by booking first class travel on airlines that are not United, but the fact remains that there is already a standard currency in use: money.)
Somewhat tellingly, neither Panasonic Avionics nor Thales, cited by the FBI as the reported route to Roberts’ ability to access flight systems, would appear to offer a publicised bug bounty program.
Now, it’s important to take the FBI’s warrant reporting of Roberts’ claims in context. There are a number of points in the search warrant application that should raise eyebrows, not least that a Special Agent with the FBI, who notionally has either a working knowledge of consumer technology or access to specialists with that expertise, would call an iPad an “I-PAD”. And Roberts is not the first white hat who claims to be able to penetrate an aircraft.
Yet whatever the facts of this case — and let me be the first to say that I am firmly skeptical of the story being as dramatic as is being made out — there are real questions that need to be answered, and not just to the satisfaction of airlines.
The reaction to Germanwings flight 9525 reminded us that passengers (and human beings in general) are not entirely rational about dread risks, the high-consequence, low-probability occurrences that represent most incidents in commercial aviation. Airlines need to satisfy their customers (and their regulators) that they are taking every practicable step to ensure their safety.
Incidents like the recent FAA Airworthiness Directive concerning the Boeing 787 Dreamliner’s onboard electrical systems requiring a restart every 248 days thanks to what appears to be an entirely predictable integer overflow — issued “to prevent loss of all AC electrical power, which could result in loss of control of the airplane” — do not smack of adequate testing and cross-industry competence.
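The 248-day figure is consistent with a signed 32-bit counter incremented every 10 ms (2^31 ticks of 10 ms is 248.55 days). The following is an added illustration, not code from the article or the directive, and the 10 ms tick and 32-bit signed counter are assumptions: it shows how such a counter wraps, how a naive deadline comparison silently fails at the wrap, and how a wrap-safe comparison (or, better, a wider counter) avoids the failure.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (not stated in the AD): the uptime counter is a signed 32-bit
 * value that advances once every 10 ms. 2^31 such ticks is 248.55 days,
 * which matches the 248-day restart interval in the directive. */
#define TICK_MS 10u

/* Advance a 32-bit tick counter, letting it wrap in unsigned arithmetic and
 * reinterpreting the result as signed (two's complement assumed). */
int32_t advance(int32_t ticks, uint32_t delta) {
    return (int32_t)((uint32_t)ticks + delta);
}

/* Days elapsed before a signed 32-bit counter of TICK_MS ticks wraps. */
double days_until_wrap(void) {
    return (2147483648.0 * TICK_MS) / (1000.0 * 86400.0);   /* ~248.55 */
}

/* Naive deadline test: once 'now' wraps to a negative value, a deadline set
 * before the wrap is never seen as reached. */
int naive_deadline_reached(int32_t now, int32_t deadline) {
    return now >= deadline;
}

/* Wrap-safe deadline test: subtract as unsigned, then reinterpret as signed.
 * Correct as long as the two values are within 2^31 ticks of each other. */
int safe_deadline_reached(int32_t now, int32_t deadline) {
    return (int32_t)((uint32_t)now - (uint32_t)deadline) >= 0;
}

int main(void) {
    int32_t start    = INT32_MAX - 150;      /* 1.5 s before the wrap */
    int32_t deadline = advance(start, 100);  /* due 1 s later, before the wrap */
    int32_t now      = advance(start, 200);  /* 2 s later: counter has wrapped */
    printf("counter wraps after %.2f days\n", days_until_wrap());
    printf("now=%d deadline=%d naive=%d safe=%d\n", now, deadline,
           naive_deadline_reached(now, deadline),
           safe_deadline_reached(now, deadline));
    return 0;
}
```

A 64-bit tick counter pushes the wrap out by billions of years, which is why wrap-safe arithmetic or a wider counter is the usual fix rather than a scheduled restart.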
Regulators, airlines, airframers and IFE manufacturers need to take this seriously, consider whether their in-house staff have the correct set of skills, offer real-money bug bounties for their actual products, and provide access to their systems in order to provide assurance that the increasingly electronic aviation industry remains the safest way to travel.