FBI claims infosec bod made airplane FLY SIDEWAYS
Airlines sceptical commercial planes can be ‘hacked’.
Security researcher, Chris Roberts, told FBI agents that he’d hijacked an aircraft’s thrust management computer and briefly altered its course. The claim was made by Chris Roberts, the founder of the cybersecurity firm One World Labs, who was escorted from a United Airlines flight last month after sending in-air tweets bragging that he could deploy the oxygen masks.A security researcher for airline vulnerabilities told the FBI he hacked into controls while on board a flight and made the aircraft climb and briefly fly sideways, Wired reported, citing an application for a search warrant filed by an FBI agent.A renowned cybersecurity expert who is trying to cast light on airplanes’ hacking vulnerabilities once used his knowledge to maneuver a plane from his passenger seat, according to an FBI search warrant application.
Photo: Fox News Figures in the Australian aviation industry are sceptical whether it is possible to ‘hack in’ to the cockpit of a plane, after an American man allegedly told the Federal Bureau of Investigation (FBI) he had taken control of a plane’s engines with his laptop. The allegation that Mr Roberts said he had affected the actual performance the plane was made in an FBI affidavit applying for a warrant to search his computer, iPad and other electronic items that were confiscated by investigators after the tweeting incident. The tweet, since deleted, was apparently in jest and saw Roberts suggest he could tap into the aircraft’s crew alert system and cause passenger oxygen masks to drop. He used the software to monitor traffic from the cockpit system.” Roberts attempted to board a United flight from Colorado to San Francisco to speak at a major security conference in April but was stopped by the airline’s corporate security at the gate.
According to a warrant application obtained by Wired, Mr Roberts claimed he had hacked the in-flight entertainment systems on 15 to 20 flights between 2011 and 2014. “[Roberts] stated that he thereby caused one of the aeroplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI agent Mark Hurley wrote. He’d been removed from an earlier United flight by the FBI after landing in Syracuse, New York, and was questioned for four hours after jokingly suggesting on Twitter he could get the oxygen masks on the plane to deploy.
Roberts was able to gain access to the access to the in-flight system after prying open the electronics box under his seat before connecting his laptop via an Ethernet cable. “You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents,” wrote Alex Stamos, chief information security officer of Yahoo. “That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” he said. “It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.” The information in the warrant application demonstrates a “far more serious situation than Roberts has previously disclosed,” Wired reported, adding that Roberts earlier mentioned the ability to control a plane during a simulated test in a digital environment — but not while on a commercial airline. But despite Roberts’ assurances his only motivation in researching vulnerabilities in aircrafts was to improve security, Australian aviators have doubts the “hack” he detailed to the FBI works. United Airlines has launched a program that provides rewards to people who report security flaws in their apps, websites and portal but have strictly outlawed any testing on their aircraft systems. The Civil Aviation Safety Authority, a government agency which oversees the safety of Australian aircraft, said the prospect of remotely controlling a plane was “unrealistic”. “These are issues that would be addressed by the manufacturers of the aircraft – Boeing and Airbus – in conjunction with the aviation regulators that first certified the aircraft – the FAA and EASA.” Steve Jackson, Qantas Group head of security, facilitation and resilience, said the airline had “extremely stringent” measures in places that were “more than enough” to stop someone hacking in. “The Qantas Group has extremely stringent security measures in place which are continually reviewed as part of normal business practice – these are measures that are more than enough to mitigate any attempt at remote interference with aircraft systems. “The Qantas Group complies with, and in many cases exceeds, all regulatory requirements and manufacturers’ recommendations when it comes to the safety and security of our fleet.” Budget airline Tigerair Australia does not have in-flight entertainment equipment, so the airline would not comment on the hacking specifically, but said they also had high standards of security. “Tigerair Australia has strict and comprehensive procedures in place to ensure the highest levels of safety and security in-flight are maintained at all times,” a spokeswoman said.
The agents asked for authority to conduct full searches of the equipment Roberts was traveling with, including his iPad, MacBook and several external drives, but he hasn’t been detained or charged with any crimes. Washington: Penn State University, which develops sensitive technology for the US Navy, said on Fridaythat Chinese hackers have been sifting through the computers of its engineering school for more than two years. Roberts told Wired magazine after the April questioning and seizure of his gadgets that he had simulated hacks of plane’s piloting systems but never tried it on real planes, the publication reported. He told WIRED that he did access in-flight networks about 15 times during various flights but had not done anything beyond explore the networks and observe data traffic crossing them.
The Wi-Fi networks and Internet capability now common on most flights appear to worsen the threat, a Government Accountability Office report concluded last month. “According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” the report says. The GAO review credits the Federal Aviation Administration for implementing greater protection of the networks but warns that systems with weaknesses may be susceptible to exploitation. US engineering schools – Massachusetts Institute of Technology, the California Institute of Technology, Berkeley, Carnegie Mellon, and Johns Hopkins – have been among the top targets of Chinese hacking and other intelligence operations for many years. These forays have been for both commercial and defence purposes, and universities have struggled to secure their computers against these advanced attacks. In addition to online activities, the Chinese have sent legions of graduate students to US schools and have tried to recruit students, faculty members and others at both universities and government research facilities, several recent law-enforcement investigations show. “There is an active threat and it is against not just Penn State but against many different organisations across the world, including higher education institutions,” said Nick Bennett, a senior manager at Mandiant, a security division of FireEye Inc., which aided the university in the investigation.
The documents showed how inflight entertainment systems one some planes were connected to the passenger satellite phone network, which included functions for operating some cabin control systems. We watched the packets and data going across the network to see where it was going.” Eventually, Roberts and his research partner determined that it would take a convoluted set of hacks to seriously subvert an avionics system, but they believed it could be done. He insisted to WIRED last month, however, that they did not “mess around with that except on simulation systems.” In simulations, for example, Roberts said they were able to turn the engine controls from cruise to climb, “which definitely had the desired effect on the system—the plane sped up and the nose of the airplane went up.” Roberts never heard from the FBI again after that February visit. Roberts responded with, “There IS a distinct possibility that the course of action laid out above would land me in an orange suite [sic] rather quickly :)” When an employee with United Airlines’ Cyber Security Intelligence Department became aware of the tweet, he contacted the FBI and told agents that Roberts would be on a second flight going from Chicago to Syracuse. When an FBI agent later examined that Denver-to-Chicago plane after it landed in another city the same day, he found that the SEBs under the seats where Roberts had been sitting “showed signs of tampering,” according to the affidavit.
He advised them, however, that he was carrying thumb drives containing malware to compromise networks—malware that he told them was “nasty.” Also on his laptop were schematics for the wiring systems of a number of airplane models. How many people shove luggage and all sorts of things under there?,” he said. “I’d be interested if they looked at the boxes under all the other seats and if they looked like they had been tampered.
Share this article:
Other articles of the category "Fly":
Google may be planning major changes to its photo ...
Google Acquires Photo, Video Editing Specialist Fl...
Google Acquires Photo, Video Editing Specialist Fl...
Google Photos gets stronger with acquisition of Fl...
Fly Labs Joins Google, Photos To Get Video Editing...
Google acquires Fly Labs to build video editing to...
Google Acquires Fly Labs To Bring Photo Editing To...
Google acquires Fly Labs, a photo and video editin...