“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)”
ArsTechnica reports a researcher who specializes in the security of commercial airplanes was barred from a United Airlines flight Saturday, three days after he tweeted a poorly advised joke mid-flight about hacking a key communications system of the plane he was in.
Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane’s engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft’s functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)” FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.
In related information, the Homeland Security Digital Library writes about an April GAO report titled “FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen.”
The report on Air Traffic Control exposes flaws in newer airliners that could lead to hacks and system failures. The implementation of the Next Generation Air Transportation System (NextGen) seeks to replace the “decades old, point to point, hardwired information systems, that share information only within their limited, wired configuration.” The Federal Aviation Administration (FAA) shift to NextGen is a “modernization effort […] to transform the nation’s ground based Air Traffic Control (ATC) system into a satellite based Internet Protocol (IP) system” to increase efficiency. However, the changes present cyber security challenges in three areas: 1) protecting ATC information systems, 2) protecting aircraft avionics used to operate and guide aircraft, and 3) clarifying cyber security roles and responsibilities among multiple FAA offices.
The Electronic Frontier Foundation (EFF) is representing Chris Roberts to help get his Twitter equipment returned. The EFF wrote:
…United’s refusal to allow Roberts to fly is both disappointing and confusing. As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed. Indeed, he was headed to RSA to speak about security vulnerabilities in a talk called “Security Hopscotch” when attempting to board the United flight.
EFF has long been concerned that knee-jerk responses to legitimate researchers pointing out security flaws can create a chilling effect in the infosec community. EFF’s Coders’ Rights Project is intended to provide counseling and legal representation to individuals facing legal threats, which is why we’re glad to represent Chris Roberts. However, we’d also like to see companies recognize that researchers who identify problems with their products in order to have them fixed are their allies. It would avoid a whole lot of trouble for researchers and make us all more secure.