A few weeks ago on Techlicious, we discussed how a large number of passenger airplanes are vulnerable to hacking through their in-flight entertainment systems. We didn’t have any proof at the time that the plane was vulnerable to hacking. But, a newly discovered FBI search warrant application reveals that security researcher, Chris Roberts was accused of hacking an April 2015 United Airlines flight and at least a dozen more since 2011.
According to the warrant, Roberts physically accessed the plane’s network by attaching a Cat6 Ethernet cable to the Seat Electronics Box located under a seat in each row on the plane. He signed on to the network using default IDs and passwords, and then used the connection to access the plane’s varied electronics systems.
Roberts bragged about using this connection, at one time, to commandeer the plane.
FBI Special Agent Mark Hurley in the warrant application said, “(Roberts) said that he thereby caused one of the airplane engines to climb, resulting in a lateral or sideways movement of the plane during one of these flights.
He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”
On April 15, 2015, Roberts posted a number of messages to Twitter suggesting he was actively accessing a plane’s electronics systems. A warrant was then filed and Roberts was met on the plane and detained by FBI agents. Charges have yet to be filed.
Naturally, Roberts’ alleged actions have drawn a massive amount of criticism from fellow security experts for endangering his fellow passengers. But questions remain as to whether he was really able to hack a plane mid-flight. Plane manufacturer Boeing says that the described hack is impossible, as its entertainment system is “isolated from flight and navigation systems.”
Roberts said much of what he told the FBI has been taken out of context, and that he only ran a simulation of a hack.
Either way, it appears there’s a clear need for airplane manufacturers and operators to improve their computers’ security. It’s incredibly irresponsible to leave these systems accessible by default usernames and passwords. At the same time, it’s even more irresponsible for a security researcher to access plane flight controls without permission during their normal operation.
We only hope that the attention being brought to this issue will lead to more responsible security practices from all involved in the future.
Image credit: CC by Shutterstock.com