FBI: Security researcher admitted to hacking planes 15 to 20 times while in-flight

Security researcher Chris Roberts allegedly did much more than shoot off a joking tweet about hacking a commercial airliner; according to the FBI, Roberts hacked a plane while it was in-flight and caused it to “climb.”

The FBI claimed it had probable cause for a search warrant as Roberts’ devices were believed to contain “evidence, fruits, and instrumentalities” of violations of Title 18, U.S. Code 1030. In a search warrant application (pdf) first published by APTN National News, FBI Special Agent Mark Hurley wrote that Roberts “exploited vulnerabilities with IFE [In Flight Entertainment] systems on aircraft while in flight” about 15 to 20 times between 2011 and 2014.

The affidavit claims that Roberts compromised Thales and Panasonic IFE systems which had “video monitors installed in the passenger seatbacks,” as well as Seat Electronic Boxes (SEB) installed under passenger seats. The FBI said he removed the SEB cover, plugged in an Ethernet cable and hacked the in-flight entertainment system. There are two SEBs installed per row; according to the FBI, the SEBs near where Roberts was sitting allegedly “showed signs of tampering” or were “damaged.”

Regarding those accusations, Roberts said, “Those boxes are underneath the seats. How many people shove luggage and all sorts of things under there? I’d be interested if they looked at the boxes under all the other seats and if they looked like they had been tampered. How many of them are broken and cracked or have scuff marks? How many of those do the airlines replace because people shove things under there?”

The warrant application also states:

He then connected to other systems on the airplane network after he exploited/gained access to, or “hacked” the system. He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or “hacking” the airplane’s networks. He used the software to monitor traffic from the cockpit system.

FBI Agent Hurley noted that the affidavit for a search warrant did not include “each and every fact known to me concerning this investigation.” In the rundown under “electronic storage and forensic analysis,” Hurley wrote that after “examining forensic evidence in its proper context,” an expert can “draw conclusions about how electronic devices were used, the purpose of their use, who used them and when.”

Was Roberts’ statement taken out of context enough to be inaccurate?

Although some security researchers and pen testers have blasted Roberts for hacking a plane filled with innocent people while it was mid-flight, Roberts maintains that his damning statement was not taken in proper context. The FBI had talked to him a couple times in February as well as in April after he tweeted:

Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? 🙂

— Chris Roberts (@Sidragon1) April 15, 2015

Roberts told Wired, “The federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.”

While “not arguing hacking airplanes mid-flight is a good idea,” Errata Security’s Robert Graham believes:

It’s almost certain that the FBI’s account of events is not accurate. The technical details are garbled in the affidavit. The FBI is notorious for hearing what they want to hear from a subject, which is why for years their policy has been to forbid recording devices during interrogations. If they need Roberts to have said “I hacked a plane” in order to get a search warrant, then that’s what their notes will say. It’s like cops who will yank the collar of a drug sniffing dog in order to “trigger” on drugs so that they have an excuse to search the car.

United Airlines bug bounty program

The entire incident may have pushed United Airlines to launch a bug bounty program, inviting researchers to report flaws in its websites, apps,and online portals. The airline will award 1 million air miles for discovering an eligible remote execution flaw, 250,000 for finding issues like authentication bypass, brute force, timing attacks or PII leakage, and 50,000 for cross-site scripting, request forgery flaws or third-party bugs that affect United. However, hunting for “bugs on onboard Wi-Fi, entertainment systems or avionics” is among the United’s list of “do not attempt” to hack rules; violating the “do not attempt” list could result in a criminal investigation.