Claims and accusations continue to fly about security researcher Chris Roberts's alleged tampering with airplane flight control systems, with unsealed FBI warrants suggesting that Roberts commandeered a plane briefly and experts questioning the veracity of those assertions.
Roberts, the founder of One World Labs, was detained April 15 in Syracuse, N.Y., when he stepped off a flight from Chicago after tweeting about hacking into the United Airlines plane's systems, including the inflight entertainment system. Several items were seized by the FBI at that time.
Roberts told agents that he'd hacked into airplane systems while in flight 15-20 times from 2011 to 2014, but at first said he had not mucked with flight controls. However, an affidavit signed by FBI agent Mike Hurley noted that Roberts “stated that he successfully commanded the system he had accessed to issue the ‘CLB' or climb command.” As a result, he claimed to have “caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” according to an April 17 search warrant, obtained by APTN National News.
While Dr. Mike Lloyd, CTO at RedSeal, said that among the claims and counter-claims over whether Roberts's actions did impact the plane's flight path, nothing is yet proven. But, said Lloyd in comments emailed to SCMagazine.com, “the whole incident brings focus on the issue of what is called lateral movement – can someone with access to, for example, the in-flight entertainment system of an aircraft use that toe-hold to reach further into the network to do actual harm?”
Noting that aircraft are “much more interconnected now than they used to be” and “connected to the outside world” through satellite-based networks, systems that provide passengers with internet access and other systems, Lloyd said, “As these networks proliferate, they inevitably touch, and any touch point is something an attacker can use. The number of possible weak points multiplies over time.”
That interconnectivity is mimicked in the broader world when “defects in one network can open up access to another,” he said. “Attacks can work upwards like grass through cement, finding weak points and cracking hard defenses.”
Jonathan Sander, strategy & research officer witih STEALTHbits, noted in comments emailed to SCMagazine.com, "Unlike the big heavy door protecting the cockpit from passengers, there is an inviting little portal into critical flight systems under half the seats on many airplanes.”
While an airplane's onboard systems “that run the flight controls would be a great candidate for an air gap to protect them from in-flight entertainment system wired into the cabin,” Roberts's claims show that's not the case. “Now we know for sure it's not behind any kind of gap at all.”
He pointed out as particularly troubling details that Roberts allegedly used “default usernames and passwords built into the inflight systems to access” those systems.
“When you get your new shiny mobile phone, it makes you pick a new password,” said Sander. “Why don't the systems meant to keep airplanes flying straight do that? It's a failure of the basics.”
RedSeal's Lloyd urged organizations to “use technology to monitor technology,” pointing to the “current emphasis in security” on automated testing of defenses” as a way to detect “lateral movement opportunities, so we can isolate the truly critical things – say an aircraft's control network – from the far less important, such as the in-flight movie systems.”
