Don't Punish the Plane Hacker
Bringing down a plane carrying hundreds of passengers doesn't require a suicidal pilot, a missile or a terrorist bomb. Now, someone has claimed to demonstrate that it could be done by hacking into the airliner's entertainment system. If true, this would have scary implications not just for air travel but for the entire Internet of Everything concept, as well as for society's attitude to hackers who track down such vulnerabilities.
The amazing case of Chris Roberts, a cybersecurity expert with One World Labs, is laid out in a search warrant application by the Federal Bureau of Investigation, which sought permission to seize his MacBook Pro "w/multiple stickers," his iPad and a number of external storage devices. Here's what he told the FBI he once did on a flight:
After removing the cover of the Seat Electronic Box that was installed under the passenger seat in front of his seat, he would use a Cat6 ethernet cable with a modified connector to connect his laptop computer to the in-flight entertainment system while in flight. He then connected to other systems on the airplane network after he exploited/gained access to, or "hacked" the IFE system. He stated that he then overwrote code on the airplane's Thrust Management Computer while aboard a flight. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or "hacking" the airplane's networks. He used the software to monitor traffic from the cockpit system.
Bloomberg News threw some cold water on these claims Monday, citing investigators who said there was no credible evidence that Roberts had hacked commercial airline cockpits.
Roberts came to the attention of the FBI because he liked to post tweets about hacking planes. The bureau warned him in February that such actions were illegal, but Roberts persisted, and on April 15, he tweeted,
He's been covering his run-in with the authorities, too, so we know the search warrant produced results:
Recently, however, Roberts has been told -- presumably by lawyers and the agents on his case -- to keep his mouth shut about the details:
So I guess I won't be able to figure out how to "compromise/exploit or 'hack'" the next flight I'm on and make it go sideways. That doesn't mean, however, that somebody else won't. At worst, Roberts appears to be a benign hacker who is just a little too fond of playing with his "toys." He wasn't afraid of getting caught because his ultimate goal wasn't glory (he has fewer than 7,000 Twitter followers) but to prove to airlines they didn't take network security seriously enough. Next time, however, someone with far more evil intent could exploit a vulnerability.
Even if Roberts actually made a plane fly sideways -- an incredibly foolhardy thing to do, and probably a crime (he claims the FBI took his statements out of context), it's in the interests of authorities and aircraft builders to find out what he knows, and maybe even let him continue his experiments. I'd be surprised if the manufacturers weren't already thinking about removing those electronic boxes under the seats or shutting off in-flight entertainment systems until they can be secured. And there's almost certainly a vulnerability no one has found yet. Eventually, someone will.
Various half-measures have been suggested, such as a "full disclosure policy" for security researchers that would require them to pass on all discovered vulnerabilities in the software they've hacked (and expect a response within five days). That won't solve the problem, if only because some of the people looking for security flaws aren't researchers. Hacking is a business, and there's a market for vulnerabilities, though I shudder to think who the buyers might be for the aeronautical variety.
We need to think hard about the benefits of a fully connected world. The Internet of Everything is a $19 trillion opportunity with major implications for future economic growth.
In some cases, as in equipping factories and warehouses with networked devices, the efficiency improvements may outweigh the security risks and justify serious investment in combating them. But there are areas -- such as energy grids, traffic management systems and defense -- where the risks of over-reliance on networked devices may be too grave because a single breach can do irreparable damage.
Then there are applications that are simply unnecessary. These include connected teddy bears that, if hacked, can be used to monitor your home, as well as Internet-capable faucets that can be turned on remotely, causing flooding in your home. In-flight connectivity and entertainment fall into this category. Anyone can watch a video on a phone, tablet or laptop, so why should airplane makers endanger passengers by providing that service?
The Internet of Everything imposes important choices on consumers and, ultimately, on regulators. It's time for legislators, tech companies and cybersecurity professionals to begin figuring which applications of network technology are acceptable. Input from companies such as One World Labs should be part of that discussion. It certainly isn't the fault of researchers that vulnerabilities exist, and it shouldn't be held against them that they sometimes fail to announce their findings in the most tactful way. Roberts's scrutiny by the FBI and the withdrawal of funding from his company by investors aren't the right responses: They discourage further disclosures that could ultimately save lives.
(Adds investigators' doubts about hacker's claims in fourth paragraph.)
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.
To contact the author on this story:
Leonid Bershidsky at firstname.lastname@example.org
To contact the editor on this story:
Max Berley at email@example.com