A renowned cybersecurity expert who is trying to cast light on airplanes’ hacking vulnerabilities once used his knowledge to maneuver a plane from his passenger seat, according to an FBI search warrant application.
Chris Roberts, the founder of cyber security protection consulting company One World Labs, told the Feds he “successfully commanded the system he had accessed to issue the ‘CLB’ or climb command” and turned an aircraft “in a lateral or sideways movement” in February and March conversations with FBI agents about planes’ security weaknesses, says the affidavit, which Canadian outlet APTN News published Friday.
The FBI questioned Roberts again on April 15 after he had posted Tweets bragging sarcastically that he could take over a United Airlines’ plane’s in-flight entertainment system if he wanted to, according to the document.
He had previously told them he actually pulled off that trick about 15 to 20 times between 2011 and 2014 in an effort, he said, to help prevent the nightmare scenario of a terrorist breaking into an airplane’s servers this way and seizing control of a plane’s piloting software.
Agents who later examined the United plane claimed to have found evidence of tampering in one of the aircraft’s seat electronic boxes, which are located in every row of passenger planes. But Roberts, who has spoken out against the electronic boxes as allowing for entry to a plane’s servers and therefore their aviation controls, denied he had hacked his flight from Denver to Chicago, the affidavit says.
The agents asked for authority to conduct full searches of the equipment Roberts was traveling with, including his iPad, MacBook and several external drives, but he hasn’t been detained or charged with any crimes.
Roberts told Wired magazine after the April questioning and seizure of his gadgets that he had simulated hacks of plane’s piloting systems but never tried it on real planes, the publication reported. He didn’t respond directly to the magazine’s queries on the claim that he had used the method to move the airplane.
“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” Roberts told Wired. “It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.”
There was no answer to multiple calls to the FBI’s national press office to ask for verification of the search warrant application that appeared to have been filed on April 17 in the U.S. District Court for the Northern District of New York.
Sorry it’s so generic, but there’s a whole 5 years of stuff that the affidavit incorrectly compressed into 1 paragraph….lots to untangle
— Chris Roberts (@Sidragon1) May 17, 2015
But the issue of cyber safety aboard passenger planes has certainly come to authorities’ attention before. The Wi-Fi networks and Internet capability now common on most flights appear to worsen the threat, a Government Accountability Office report concluded last month.
“According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors,” the report says.
The GAO review credits the Federal Aviation Administration for implementing greater protection of the networks but warns that systems with weaknesses may be susceptible to exploitation. The FBI and the Transportation Security Administration also advised airlines to be on the lookout for hackers late last month.