Feds: Bloke 'HACKED PLANE controls' – from his PASSENGER seat The FBI has accused an infosec security researcher of hacking into the controls of a United Airlines plane in midair via the inflight entertainment system, causing the aircraft to temporarily fly "sideways". Infosec chap Chris Roberts allegedly made that audacious claim to special agent Mark Hurley of the FBI, who subsequently …
"shooting the messenger
No. If he'd just reported the problem, or hacked it while on the ground and stationary, then yes. But apparently he hacked into and changed the operation of an aircraft in flight.
How could be absolutely certain that this would not have any other consequences? It's not impossible that he could have crashed the system badly enough to crash the aircraft. He was utterly irresponsible and deserves the book thrown at him. An aircraft with passengers is not his toy to play with to show off what a great hacker he is.
That what's the feebs are saying he did. From his tweet its sounds like they have muddled the work of 5 years into the events of 1 flight. He has presumably other ways of testing his hacking ie against simulated systems running the same code base.
It always pays to assume The Man has an interest in bigging up the case in these scenarios.
I'm guessing the FBI guys either outright lied or through sheer, massive lack of understanding, misrepresented the facts in the "interview" with him. I don't have links handy, but I know he's said in the past that he's gotten access to flight controls IN A SIMULATED ENVIRONMENT. Of course, all the major airplane manufacturers claim that there is no connection between the in-flight entertainment system and the flight controls system. So, which is it, are the flight controls on a network connected to the entertainment system or aren't they? Can you really just find a tombstone under any number of aisle seats, pop it open, and plug in (with a little fiddling) to the network and take over the plane?
"all the major airplane manufacturers claim that there is no connection between the in-flight entertainment system and the flight controls system."
1) Their PR people would say that wouldn't they. And other employees aren't contractually allowed to comment.
2) There's a lot of wriggling going on here, trying to avoid admitting that critical data and noncritical data may (sometimes do) share the same physical network wiring on a modern aircraft equipped with AFDX/CDN/ARINC664 (not to be confused with old skool stuff like ARINC429 where there's no scope for sharing).
Think about VLANs in the datacentre. Logically separate networks over physically shared cables. Now, in your datacentre vLAN, what is the correct answer to "is the management vLAN separate from the backbone network?". Yes, no, "it depends", all may be valid answers for the same setup, depending on context.
On an aircraft network there are lots of other additional design and implemetation constraints intended to make it "safe" for aircraft use.
If the equipment design is correct and has been correctly implemented with no potentially worrying loopholes or failure modes, all should be OK.
Note: ***should be*** OK. And almost all the time, it will be OK.
Is anyone going to offer a guarantee that it won't ever misbehave in an exploitable way? That would be a brave person.
"It always pays to assume The Man has an interest in bigging up the case in these scenarios."
Exactly.
And in any case if he managed to pull what they said he pulled it would be all over the aviation press as uncommanded activity causing the pilots to declare an inflight emergency and precautionary landing.
>He was utterly irresponsible and deserves the book thrown at him.
The ends justify the means. As it stands hundreds or thousands of people are flying in identical airplanes right now and could crash the plane using the entertainment system. The longer a crappy manufacturer keeps a problem like this under wraps, the more entrenched the problem becomes. If Roberts has been talking about these issues for years, clearly he needed to endanger lives to save lives. If he gets punished for this, he should be pardoned.
> hundreds or thousands of people are flying in identical airplanes right now and could crash the plane using the entertainment system.
If you're going to make such a bold statement you need to back it up with some actual facts. As a senior software engineer that works in avionics I can tell you that this claim is both technically impossible and also utter bullshit. The entertainment network (or anything else) isn't in any way connected to the avionics network and they are VERY careful about that.
OK Niz, what you say makes sense.
I admit, this story had my bullshit detector on overload.
Given that, for example, sensitive military hardware control systems have not uncommonly been Internet connected (maybe not lately, but several examples were obvious at the time of the Iraq invasion, 12 years ago), are you 100% sure that no manufacturer would ever do such a screw-up?
I can see your logic.
If you read, for example, the Wired article, Roberts says he set up a simulation system at home, using some of the same components as in the real vehicles, researched the manuals, pulled off the tricks on the simulator, then repeatedly did it, at least to the data-logging level, on flights, and claims to have had control over critical systems at least twice.
Is it just a massive hoax or a massive flaw in design of the 'Dreamliner', presumably the aeroplane in question?
It is conceivable that he could have reached the aircraft systems but I can't believe he could be so dumb as to try to alter flight characteristics while the plane is in the air. Plane crashes, 150 people die but self-righteous hacker scored a moral victory and got some publicity for his book/company. Except that he'd be dead too.
@ Christoph
Judging from the article you can't be absolutely certain that the guy in the next seat with the laptop couldn't deliberately crash the plane so we should be extremely grateful for Chris Robert's actions. Please go and head-butt a library until you calm down.
Allegedly hacked it while in flight. That seems to be one of the points in contention.
Normally I give the benefit of the doubt to the gmen because they've got a tough job and these days cops are everybody's second favorite bogey man. But the bit about flying the airplane sideways makes me dubious about the warrant.
so has it been confirmed by an independent third party that what he said is true?
My understanding is that the in-flight entertainment and the flight operations systems are air gapped, completely preventing this type of thing.
Jumping to conclusions because someone you don't know said something was wrong with something is popular around these parts.
This is where a proper criminal justice system wins over the internet court of hearsay.
Actually Richard Clarke specifically mentioned the linked networks in an airplane (not sure if it was that model) in a book "Cyber War", which was published several years ago. However, I think his #1 concern was for the links between the Internet and the power grid controls.
@AC:
"Not the first time an IFES has caused a problem, see this deadly crash caused by shoddy install"
That is a miserably imprecise, and therefore not extremely useful, Wiki article
The exact cause was specified as failure of the Kapton wiring insulation
https://en.wikipedia.org/wiki/Kapton
which caused arcing and then ignition of the Kapton insulation. The fire then spread, inside the enclosed overhead wiring space, to the insulation within the overhead space and spread into the main cockpit undetected, until it was too late.
Kapton was found, after hundreds of thousands of miles of it had been installed in airplanes all over the world, to have excellent insulation properties for its weight but, unfortunately, horrible physical abrasion resistance. It is believed Swissair 111 was downed due to physical abrasion failure of the infotainment wiring harness; all MD-11 infotainment systems were shut down by all carriers out of concern until the exact cause was determined by the NTSB. Swissair 111 was one of the key factors of Kapton being pulled from all those planes after the fact.
A sad, horrible tale.
One can say that the Douglas DC-10 (the MD-11 was the revised, stretch version) was cursed.
Seriously ?
The issue in that crash was an arc in the wiring of the IFES, NOTHING TO DO WITH SYSTEMS OR SOFTWARE BEING INTEGRATED. i.e. it was a WIRING issue that could have arisen with ANY electrical component that involved a wiring loom.
Also worth noting is that this is presumed to have been the initiating cause of the fire, but the primary finding of the investigation was that the materials used for retardation of combustion were inadequate. There was no finding of any causal relationship directly attributable to the IFES that gave any cause for changes to that system to be either considered or even recommended.
Posting a link to that incident with the implication that this somehow "PROVES" that IFES hacking is possible or that IFES issues have previously been shown to be involved in the downing of an aircraft, not to mention loss of life is frankly downright irresponsible not to mention offensive to the memories of those that died in that crash, and their families.
>not to mention loss of life is frankly downright irresponsible not to mention offensive to the memories of those that died in that crash, and their families.
You made your point and then had to go right over the top and ruin it. You'd think the original poster was denying the holocaust or something.
"Not the first time an IFES has caused a problem, see this deadly crash caused by shoddy install:"
You could have as easily said ""Not the first time <system X> has caused a problem, see this..." Even if the theory regarding Swissair 111 is correct, the wiring caused the fire, the IFES wasn't sitting in the fuselage with a zippo lighter, chuckling maniacally.
Yes. They are that dumb. Aircraft systems are very good but things get dumbed down by the penny pinchers.
My car ABS refuses to work on ice. All I want is a button to disable ABS when on ice. Never going to happen because of Health & Safety.
This happens every few years with aircraft. Services are extended or whatever. People die. Lessons "are learned".
"My car ABS refuses to work on ice. All I want is a button to disable ABS when on ice. Never going to happen because of Health & Safety."
My Mercedes will, upon command (pressing the brake pedal harder), lock up the wheels at slow speeds. Great for studded tires on icy hills.
My car ABS refuses to work on ice. All I want is a button to disable ABS when on ice. Never going to happen because of Health & Safety.
Pull the fuse on the ABS pump. No power, no pump; no pump, no ABS.
Anon because if you do this and make a mess / fireydeathball, I don't want your mum taking me to court.
> My car ABS refuses to work on ice. All I want is a button to disable ABS when on ice.
You may want to consider
a) A defensive driving course (to keep you off the ice in most instances)
b) An ice driving course (to teach you what to do when Plan A has failed)
c) (Optional) A race driving course (to teach you about threshold braking)
I was once looking through some assembler code and found the comment in the error handling after a call to the OS, which read: "error at this point too horrible to contemplate". The program then continued as though successful.
Subsequently, several years experience in IT at a major airline also convinced me that much airline-related software is, shall we say, NOT of the highest quality standard.
"experience in IT at a major airline also convinced me that much airline-related software is, shall we say, NOT of the highest quality standard."
Good job the airlines don't write the software for the aircraft then.
Not that the likes of Boeing, Airbus, and their safety-critical subcontractors are necessarily better. But they are *supposed* to be better at doing safety critical stuff than (say) the people doing seat allocation software.
I've worked (NB: on hardware, NOT in the SW group) for a firm that, among other things, has written flight control software. It's tightly regulated to prevent vulnerabilities, and requires a really horrendous* effort to verify. See http://www.adacore.com/gnatpro-safety-critical/avionics/do178b//
*Except when verification catches something.
Lots of words and no TLDR. Sorry.
"I've worked (NB: on hardware, NOT in the SW group) for a firm that, among other things, has written flight control software."
Excellent. I've worked with/for firms that do safety critical hardware and software for aircraft. Since a long time ago.
"It's tightly regulated to prevent vulnerabilities"
DO178 ? It's tightly regulated to ensure a defined process is followed. Whether this prevents errors and vulnerabilities is an entirely separate discussion.
E.g. when a DO178 audit is done, the auditors main task is to ensure that the development process is appropriate and properly documented, and that work follows the documented process. They will not spend much time looking at the actual design, code, tests, etc.
An earlier commenter in another thread described DO178 certification as "tick list" stuff and it's not far wrong. "Best engineering practice review" it surely isn't.
"requires a really horrendous* effort to verify."
It does indeed, which is why one big name aerospace company I'm familiar with now wants verificaton to be done largely (preferably solely) on the design, rather than the implementation of the design. It's so much cheaper to verify the design, then generate the implementation from it and take it on trust that everything is bug free and perfect. What could possibly go wrong?
Unfortunately for the beancounters, aircraft aren't operated by designs, they're operated by implementations. But that won't become obvious to the beancounters until there's a significant price to pay.
Quite how verifying the design actually helps verify the implementation is a question which the good people at Adacore, and others elsewhere, might want to think about. After all, no Ada compiler ever had code generation bugs that ACVC, ACATS, etc, didn't discover, did it.
Same for hardware - if the design passes its validation suite, the actual hardware must be right, mustn't it, so no need to test the actual hardware.
So following these principles you could switch a design and its implementation from one model of PowerPC to another, or from PowerPC to something completely different (ARM? does anyone ever use ARM for safety critical avionics?), and nothing would need to be re-tested, re-validated, whatever.
Very nice (for the beancounters). Not so nice for the people in the aircraft.
If you want something a bit closer to "best engineering practice", MISRA might be a place to start. Maybe.
Depends on exactly what the system is carrying and how they are linked.
If the IFE is carrying internet traffic (which seems to be an up-selling point these days) and sending other data about the flight via the internet, you probably can't afford the weight for two independent receiving systems. Frequently a logical separation is deemed sufficient. Of course that needs to be properly implemented and is subject to attack.
From my post a few weeks ago:
Why?
Is there such important connections in the passenger cabin? And why are they active during a flight? Surely any need for such connections would be when the plane is on the ground for maintenance and not in the air?
http://forums.theregister.co.uk/forum/1/2015/04/22/fbi_tsa_hcker_panic/
Because this did not happen. At all. It is impossible.
He may have hacked into the inflight entertainment system. That's probably fairly easy as I doubt it's particularly hardened.
But there is not, has not and never will be a backchannel that is physically capable of sending anything from the passenger cabin data systems into the flight control systems.
The FBI are talking utter bollocks.
If you read some other news sources, you'll find this quote:
"Senior law enforcement officials said Sunday that no evidence gathered thus far suggests that such a capability, as outlined by Roberts, exists. 'While we will not comment on specific allegations, there is no credible information to suggest an airplane's flight control system can be accessed or manipulated from its in flight entertainment system. Nevertheless, attempting to tamper with the flight control systems of aircraft is illegal and any such attempts will be taken seriously by law enforcement.'
That last sentence is a major point, i.e., that even ATTEMPTING to tamper with actual flight controls is a crime. So is CLAIMING you've tampered with a plane, or passenger safety, whether you did or not.
Roberts is the one who is stupid, if he actually told the FBI he managed to issue a Climb command during a commercial flight - potentially endangering everyone on board - yet somehow figured he wouldn't get in trouble for his statements. He's also stupid if he really thinks even jokingly threatening to release cabin oxygen masks is not going to get the Feds' attention.
That he actually DID tamper with locked, sealed onboard equipment is sufficient for him to be charged with a crime for that matter. Hell, it's illegal to tamper with the restroom smoke detector, and people have been charged and fined for that. Why would Roberts think tampering with the entertainment system - especially in the way he described - would be any different? He's not crew or airline personnel. That stuff is off limits to passengers - Period.
So his tweet was not substantively different than someone claiming they managed to sneak a gun onboard. Or phoning in a phony bomb threat. You may not actually have sneaked a gun on. You may not have actually planted a bomb. But sneaking a gun onto a fight is a felony, as is making a bomb threat, or having a bomb onboard, whether true or false.
So it's a GOOD thing the FBI and other agencies check out ALL those comments to make sure there is no real danger. And it's a good thing they prosecute idiots who try similar scare tactics.
In Roberts case...when you claim you have, multiple times, interacted with actual flight control systems, AND you claim you intentionally, however briefly, took over control from the actual pilots....well, you should be smart enough to know of COURSE the Feds are going to have a nice long talk with you, and explain why messing around with any onboard system is a big, BIG no-no, whether you do any harm or not
Frankly, I also think Roberts is full of crap. But it's unbelievable he doesn't "get" that his claims and tweets are the same as joking about a bomb to your seatmate while getting ready for takeoff. You just don't do that shit.
Only because idiots have rushed through stupid laws that give draconian powers to goons; laws that must subsequently be implemented by law enforcement and legal system people.
There was nothing that the existing security, safety and "wasting police time" laws etc couldn't have coped with but "Something must be done !" was called by those who had no idea what to do.
Good God you can't even make a joke about a possible danger now. Pathetic.
This topic actually came up on Paul's Security Weekly podcast 417 and Chris Roberts himself said it's *very possible* but he did not do it. He simply tweeted that he definitely could if he wanted to.
MP3 of the episode is on here:
http://wiki.securityweekly.com/wiki/index.php/Episode417
Thank you for that link Robot Overlord,
So the only thing that happened is that while he was on a plane to a airplane security conference, he communicated over the internet with somebody else, reacting on a comment, if the plane could be hacked from it's entertainment system, and he replied with "yes I could do that".
So,
A) he did not hack in to the plane systems.
B) he did not threaten to hack in to it.
As far as I'm aware admitting that you can hack in to something is not illegal at the moment, and elreg and some commentards have done a great job in pushing the FBI's FUD while really nothing has happened at all.
Boeing has come out and said that hacking from the inflight entertainment system is BS. That there is no comm from IFE to the flight system. My impression is they're taking any flight info (maps, etc.) and passing it down a one way pipe. The flight system never hears if someone hacks it and tries commands.
I'm thinking either they know and this is true, or they know and are lying. For anyone who flies sake, I hope it's true.
My impression is they're taking any flight info (maps, etc.) and passing it down a one way pipe.
If it is a wire, it is a two-way pipe - bugs and 'sploits aside: If nothing else some griefer could try her luck with a nice, fat, transient down the line and "see what happens".
Some people would think that connecting only the Tx-wires in an Ethernet cable is "one way", but then some of the driver chips are clever enough to be reconfigured for many, many, different modes to make dumb users with the wrong cabling happy.
"If nothing else some griefer could try her luck with a nice, fat, transient down the line and "see what happens"."
I understand where you're coming from, but that's not the best illustration.
Even the dumbest avionics design must reflect the fact that planes frequently get struck by lightning, and stuff has to survive that and ideally remain normally operational. There will be testing that proves that it's done right.
The bit that may be of more concern (given what I've observed in the industry) is that the designers of some of this stuff are not network experts. The stuff is being shipped in relatively small quantities (vs mainstream network kit). Combine those two and you get kit and/or software with designed-in vulnerabilities that the mainstream network industry sorted years ago, with a sufficiently small user base that any new vulnerabilities may or may not take a while to show up.
Sure about that?
The presentations that I have seen on AFDX, the Latest and Greatest in COTS control systems for Airbus and Dreamliner appears to be all Ethernet, with the separation performed by management system in the switches, f.ex.: http://www.afdx.com/pdf/AFDX_Training_October_2010_Full.pdf
The in-flight internet would come from the same antenna array as the other traffic so there will be a physical connection over some form of VLAN at least - unless people cut another opening in the hull for more antennas specifically for this purpose, which I don't think is considered "cost effective".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
