Hacker’s Tweet [Passenger Planes Can Be Hacked] Reignites Ugly Battle Over Security Holes; ‘Shooting The Messenger’ Rather Than Addressing The Substance Of What He Discovered
Kim Zetter, writing on WIRED.com on April 21, 2015, discusses the fallout and ramifications of the recently reported incident in which a network security researcher exposed a vulnerability in U.S. passenger airline Wi-Fi that could potentially allow a terrorist, or someone else up to no good, to commandeer and take over the airplane. In the wake of the deliberate crash of the Germanwings airliner into the Swiss Alps, this disclosure struck a raw nerve with United Airlines, the airline the researcher was flying with at the time, and ultimately resulted in his detention by the FBI and in United banning him for life from ever flying with the airline again. If the researcher is correct, the airline should be thanking him. Instead, it would seem to be a classic case of “shooting the messenger.” Or, as the saying goes, “No Good Deed Goes Unpunished.”
“A United Airlines Boeing 737-800 was at cruising altitude on the Chicago to Syracuse corridor last Wednesday,” Ms. Zetter writes, “when news broke of a government report describing potential security holes in Boeing and Airbus [passenger] planes. The report, from the Government Accountability Office (GAO), noted that security issues with passenger Wi-Fi networks, on several models of aircraft, could allow hackers to access critical avionics systems and hijack the flight controls.”
“This wasn’t news to passenger Chris Roberts, a respected cybersecurity professional with OneWorldLabs, who has, since 2009, extensively researched the security of airline systems. He was on the United flight’s Wi-Fi network, following tweets about the report, and decided to join the discussion.”
“‘Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone? :)’ he wrote in a tweet, punctuating it with a smiley face,” Ms. Zetter wrote. “The tweet was a joke, laced with sarcasm,” Ms. Zetter notes. “Roberts is a veteran of the vulnerability disclosure wars, having tried for years to get Boeing and Airbus to heed warnings about security issues with their passenger communications systems. His tweet about the ‘Engine Indicator Crew Alert System,’ or EICAS, was a reference to research he’d done years ago on vulnerabilities in inflight infotainment networks, vulnerabilities that could allow an attacker to access cabin controls and deploy a plane’s oxygen masks.”
“It was the wrong message to send,” Ms. Zetter writes.
“The Feds were waiting when Roberts landed in Syracuse,” she wrote. “As passengers stood in the aisle to deplane, a flight attendant instructed everyone to take their seats. Two Syracuse police officers and two FBI agents boarded the plane. Before they even looked at him, Roberts knew they were after him. ‘Shall I get my luggage?’ he asked. He spent the next four hours in an airport conference room, on the business end of an interrogation. Before he left, agents seized his company-issued laptop, backup disks, and other electronics, without a warrant. When Roberts attempted to board another United Airlines flight to San Francisco days later, he was barred by the airline and had to book a flight with Southwest. Roberts has since retained a lawyer from the Electronic Frontier Foundation, who is interested to know under what authority the FBI seized his electronics. U.S. border agents can seize electronics at entry points, as someone comes into the country; but seizing them without a warrant from someone taking a wholly domestic flight is a different matter.”
“The Twitterverse has been divided on the actions of Roberts and the Feds. Some say Roberts should have known better than to tweet his joke from a plane. It’s common knowledge that a joke about bombing or hijacking a plane can earn you a back-room consult with the Feds. But others say the government overreacted (count me in that number) in this case. And some people are disturbed at how closely the government appeared to be monitoring social media… that it saw his tweet so quickly, and had a greeting party waiting for him when he arrived. They also say his treatment is a sign that his criticism hit home with the airline,” Ms. Zetter wrote.
“The circumstances around the Roberts case are not black and white, though,” Ms. Zetter notes. “United Airlines apparently told the Feds there was evidence of tampering under the seat where Roberts sat, seemingly implying that he had connected his laptop to the network connection points beneath his seat. Roberts told WIRED he did nothing to United’s network on that flight, but has on 20 to 30 occasions explored the aircraft networks and configurations on other flights while a passenger, going beyond what some researchers might deem wise in the interest of research.”
“Roberts’ recent experience has invoked a heated debate in the security community, stemming from a longstanding Cold War between security researchers… and the industries whose faults they expose,” WIRED noted.
The Cold War In Security Research
“Years ago,” Ms. Zetter writes, “a prominent hacker/researcher who went by the name Rain Forest Puppy crafted a ‘full disclosure’ policy for publishing information about security holes. It became something of an industry standard for bug hunters,” she added. “It came during a heady time in computer research, when bug hunters were regularly threatened with prosecution or lawsuits for reverse-engineering software or exploring web sites to uncover security flaws. Often, researchers would disclose the vulnerability to a software maker or web site owner, only to be ignored or, worse, served with a stern letter accusing them of illegally hacking or reverse-engineering the software or system. Many researchers, therefore, opted for a more provocative route: they found that going directly to the public made the embarrassed vendor more likely to fix the hole and leave the researcher alone. Researchers increasingly began marching to the media, or hacker conferences like DefCon and Hope, to expose the problems they found, while vendors fumed.”
“Puppy proffered a truce of sorts. In his full disclosure manifesto, he proposed that researchers should reveal vulnerabilities to vendors before publishing them, but vendors would be required to respond within five business days, or the researcher would go public. The vendor didn’t have to fix the vulnerability within that time; it could negotiate a reasonable timeframe for doing so. But if a vendor didn’t at least acknowledge the bug report and respond politely, the researcher would be free to tell the public,” Ms. Zetter wrote.
“Many thought this was a reasonable and responsible compromise. This was in the days before bug bounty programs, when vendors were still getting free research from security pros volunteering their skills to improve products and security,” Ms. Zetter noted. “In exchange, researchers hoped for public acknowledgement and thanks, and to boost their resumes. It didn’t work out this way, however. Instead, the history of computer security became littered with researchers put through the wringer over what they considered to be Good Samaritan acts.” As I said before, “No good deed goes unpunished,” especially in this city.
The CISCO Surprise
“One of the most egregious and famous examples of full-disclosure failure occurred in 2005, between a researcher named Mike Lynn and CISCO,” Ms. Zetter wrote. “Lynn, who worked for Internet Security Systems in Atlanta, uncovered a serious security hole in CISCO’s IOS, the operating system underpinning thousands of CISCO routers worldwide, some of them critical to the Internet backbone. After disclosing the finding to CISCO, Lynn prepared a presentation to discuss it at the Black Hat security conference in Las Vegas. But then CISCO and Lynn’s employer swooped in with a last-minute injunction to stop him, even though CISCO and his employer had approved his talk before he submitted it to the conference for consideration. Conference organizers had to scramble to delete Lynn’s slides from 2000 conference CD-ROMs and rip 20 pages from the printed program.”
“Lynn was livid,” Ms. Zetter wrote. “There already were signs that Chinese hackers might have found the vulnerability and were perhaps taking steps to exploit it. But there was little he could do against the court injunction. He was also facing the prospect of an FBI probe, until he reached a settlement with CISCO and Internet Security Systems. He agreed, among other things, to erase all of his research materials about the vulnerability, to keep secret the details of the attack, and to refrain from distributing copies of his presentation.”
“In 2008, a group of MIT students preparing a talk at the DefCon hacker conference had a similar experience. They’d discovered vulnerabilities in the Massachusetts mass transit payment systems that would allow someone to get free rides. A week before their talk, they met with the Massachusetts Bay Transportation Authority to discuss the issue and address the authority’s concerns that going public could teach others how to defraud the system. The students assured the authority they would withhold key information from their presentation. They left the meeting believing the authority’s concerns were resolved, only to learn two days before their presentation that the MBTA had obtained a temporary restraining order barring them from discussing the vulnerabilities. A judge later dismissed the gag order, ruling it an unconstitutional restraint of free speech, but the damage was done. Their DefCon talk never occurred, and security researchers were left feeling burned and, yet again, silenced.”
“And this is the struggle at the heart of the Roberts story,” Ms. Zetter contends. “Though his tweet may have been ill advised, it was born out of years of frustration from being ignored by the airlines.”
Calling All Airlines
“Roberts began investigating aviation security about six years ago, after he and a research colleague, whom he prefers not to name (given the FBI’s treatment of him), got hold of publicly available flight manuals and wiring diagrams. The documents showed how in-flight entertainment systems were connected to the passenger satellite phone network, which, to their surprise, included functions for operating some cabin control systems. These systems were in turn connected to the plane’s avionics systems. The researchers built a test lab using demo software obtained from infotainment vendors and others. ‘Planes are happy to tell you who they use for suppliers, and suppliers give you demos and downloads,’ Roberts explained.”
“In 2010, Roberts gave a presentation about hacking planes and cars at the BSides security conference in Las Vegas. Another presentation followed two years later. He also spoke directly to airplane manufacturers about the problems with their systems. ‘We had conversations with two main airplane builders, as well as with two of the top providers of infotainment systems, and it never went anywhere,’ Roberts told WIRED.”
“About four months ago, the FBI Field Office in Denver, Colorado, where Roberts is based, requested a meeting. They discussed his research for an hour, and returned a couple of weeks later for a discussion that lasted several more hours. They wanted to know what was possible, and what exactly he and his colleague had done. Roberts disclosed that they had sniffed the data traffic on more than a dozen flights after connecting their laptops to the infotainment networks.”
“We researched further than that,” Roberts told WIRED. “We were within the fuel balancing system, and the thrust control system. We watched the packets and data going across the network to see where it was going.”
“Eventually, Roberts and his research partner determined it would take a convoluted set of hacks to seriously subvert the avionics system, but they believed it could be done. He insisted, however, that they did not ‘mess around with that except on simulation systems.’ In simulations, for example, Roberts says they were able to turn the engine controls from cruise to climb, ‘which definitely had the desired effect on the system — the planes sped up, and the nose of the airplane went up.’”
“Roberts thinks the first meeting with the FBI in Denver months ago was about making a case against him. When the agents returned for their second visit, however, they seemed more interested in helping get the problems fixed. But they said they needed evidence to convince Boeing and Airbus the problems were real. Roberts said the research was old, and he’d have to recreate it. But he wanted immunity first. The agents left, after advising him to drop his aviation research, and he never heard from them again,” Ms. Zetter wrote.
“Then last month, Fox News did a story about his work on [passenger] airplane security. The Government Accountability Office followed that with its own report last week, after lawmakers asked it to look into the issue of airplane security. Roberts thinks his tweet was simply too much for Boeing and the FBI to take, in the wake of so much attention being brought to airplane vulnerabilities,” according to WIRED.
“I tweeted out something in jest, with a smiley face, and I’m guessing that was probably the final straw for at least one area of the federal authorities,” he said.
“Where things go now remains unclear,” Ms. Zetter wrote. “Roberts is awaiting a letter from United Airlines, explaining exactly why he was barred from his flight to San Francisco. United sent WIRED a statement addressing why it refused to let Roberts on his San Francisco flight.”
“Given Mr. Roberts’ claims that he has manipulated aircraft systems while in-flight, a clear violation of United policy, we’ve decided it’s in the best interest of our customers and crew members that he not be allowed to fly United,” United spokesman Luke Punzenberger wrote in a statement to WIRED. “Notwithstanding his attempts, we are confident our flight control systems could not be accessed through techniques he described.”
“The Electronic Frontier Foundation (EFF) is awaiting an explanation from the FBI about which authority it was using to justify seizing Roberts’ electronic gear without a warrant,” WIRED noted. Kurt Opsahl, Deputy Executive Director and General Counsel for EFF, and Roberts’ representative, says the FBI’s move is puzzling. “Roberts was not talking about bombing a plane,” he said. “This was in no way intended as a threat, or as an intent to actually do anything to the plane.” It was commentary Roberts has spent years trying to get people to hear, Ms. Zetter wrote.
“Opsahl says it’s in the interest of companies like United and Boeing to work with researchers, not fight them. ‘Whether a company should be treating a security researcher who has identified potential flaws and vulns as an ally, or as someone to be arrested from a plane?’ he asks. ‘The allied approach is going to make us all more secure.’”
It would seem, based on this article and others I have read, that both Mr. Roberts and United mishandled this entire issue. And while Mr. Roberts may have crossed a line in conducting his research, “shooting the messenger” rather than addressing the substance of Mr. Roberts’ findings is adding insult to injury and not doing anyone any favors. And now that the information on these security flaws is so public and widely available to read on the worldwide Web, the airlines need to drop their crusade against Mr. Roberts and instead figure out a way to negate these flaws. Otherwise, Mr. Roberts will be the least of the airlines’ worries down the road. Al Qaeda and the Islamic State, among others, may already be taking advantage of this information, and may attempt to exploit these flaws at some future date. V/R, RCP