U.S. law enforcement officials have no credible evidence that commercial airplane cockpits have been hacked from passengers’ seats, contradicting a man who claims he did just that.
While most airplanes can’t be hacked because flight-control computers are separate from the connections passengers use, newer aircraft have more interconnections, the U.S. Government Accountability Office said an April 14 report. Chris Roberts, founder of security intelligence company One World Labs, claimed to FBI agents that he exploited such interconnections 15 to 20 times, and in at least one instance sent commands to an engine.
Investigators don’t believe that such attempts could be successful, a senior law enforcement official said Monday. The official asked not to be named because an investigation is continuing into Roberts’s claims of tampering, which would be illegal under federal law.
Roberts, while on a United Airlines flight to Chicago on April 15, said via social media that he might “start playing” with a computer system that monitors the engines and other systems. Agents from the Federal Bureau of Investigation detained Roberts after he got off a separate flight the same day in Syracuse, New York, and seized his Apple MacBook Pro, iPad and various external hard drives and USB drives.
During questioning, Roberts bragged about his ability to hack into the seatback entertainment systems in order to access more sensitive avionics systems, according to an affidavit filed April 17 by Special Agent Mark Hurley.
Roberts was already known to the FBI, having had two conversations earlier this year with agents and told them he had plugged into entertainment systems’ electronics located in aircraft seats on 15 to 20 occasions from 2011 through 2014, according to the affidavit.
He told agents that on one flight he was able to access a computer system running the plane’s engines, according to the affidavit. He commanded one of the engines to climb, or to increase thrust. That caused the plane to yaw sideways as a result of the uneven thrust, he said.
He also was able to monitor “traffic from the cockpit system,” according to the affidavit.
Both Boeing Co. and Airbus Group NV, the world’s largest makers of commercial airplanes, have issued statements questioning Roberts’s claims.
Boeing’s entertainment computers receive some data from other aircraft computers, but are isolated from critical aircraft electronics, the company said in a statement. The planes are also designed with backup systems and pilots have the final say over flight controls, the company said.
“Airbus has robust systems and procedures in place for our aircraft and their operations to ensure security against potential cyber attacks,” Mary Anne Greczyn, a spokesman for Toulouse, France-based Airbus, said in an e-mail.
Both companies declined to discuss specifics about security measures.
The FBI said it warned Roberts earlier this year that hacking into airplane electronics was illegal, according to the April 17 affidavit.
“Chris Roberts advised that he understood and he would not access airplane networks,” the document said.
Roberts didn’t respond to an e-mail or phone message left at his company.
The FBI questioned him again on April 15 because he had sent a message via Twitter indicating he was on a United Continental Holdings Inc. plane, a Boeing 737-800, on a flight from Denver to Chicago. He suggested he was considering tampering with a computer system that monitors the engines and other systems.
He continued to Syracuse on another plane. Later that day, an FBI agent examined the initial aircraft he had flown on and found evidence that boxes containing entertainment electronics on his seat and the seat in front of him had been tampered with, according to the FBI.
Hacking into a plane’s critical flight controls is at least theoretically possible on some new models, computer security experts told the GAO.