When airport security researcher Chris Roberts tweeted about his ability to hack the in-cabin control systems aboard his Boeing 747 flight, he probably wasn’t anticipating the quip would get him detained by the Feds. But some jokes, the FBI doesn’t find very funny.
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)
— Chris Roberts (@Sidragon1) April 15, 2015
The tweet may be rather meaningless to the average Joe, but the US government officials monitoring Roberts’s Twitter account picked up on the reference to the Engine Indicating and Crew Alerting System (EICAS), a critical in-flight control system. Roberts was questioned by FBI agents for four hours Wednesday evening upon arrival in Syracuse, New York. They also confiscated his laptop, iPad, hard drives, and other computer gear for further investigation into potential illicit activities.
The irony here is that Roberts, the founder and Chief Technology Officer of the security research firm One World Labs, has been issuing warnings about the security vulnerabilities of commercial planes for years, and, on the very eve of his alarming tweet, was scheduled to give a talk on said vulnerabilities to an audience of law enforcement officials.
As Roberts told CNN Money, anyone can plug a laptop into a box underneath his or her seat and access critical plane controls, including the engine and cabin lighting. He’s tested the theory out on over a dozen flights, connecting his own computer to the box under his seat and viewing sensitive avionics information including the thrust control and flight management systems.
In an interview with CNN money, Roberts admitted that the cavalier tweet was “probably a little more blunt than I should have been,” but expressed deep frustration that his warnings have fallen on deaf ears. Aieroplane companies, he says, haven’t yet learned the lessons of technology firms like Microsoft about how to properly respond to security vulnerabilities disclosed by researchers.
“It feels like this [airline] industry is going through the same issues,” Roberts told The Security Ledger. “The problem is, if I break an F5 device or a Cisco device, I’m not harming anybody. I screw around with an aeroplane, I’m taking 100 to 400 people out of the sky and you’re not recovering from that.”
Which is to say, maybe we ought to start taking Roberts’s warnings seriously, and sooner rather than later. The FBI can chase down security researchers all it wants, but not everyone who talks about hacking planes is joking around. [ The Security Ledger]