​Jokers, hackers, and airline safety

A security researcher joked about hacking a plane and was picked up by the FBI. They didn't think it was one bit funny.

Chris Roberts, security researcher and founder and CTO of One World Labs, is well known for speaking his mind on airlines not taking in-flight networking security seriously. They may not, but the FBI does. After Roberts tweeted, "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)" He found himself detained at the next airport for four hours and his gear confiscated.

chrisrobertsairlinetweet.png
Neither the FBI nor United Airlines found Chris Roberts' tweet funny. (Image: Screenshot by ZDNet)

This came two weeks after Roberts had told Fox News, "We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems." He continued, "Quite simply put, we can theorize on how to turn the engines off at 35,000 feet and not have any of those damn flashing lights go off in the cockpit."

The day before Roberts tweeted from his United Airlines flight, the US General Accounting Office (GAO) had issued a report that said it is possible for on-board hackers to bring down a plane.

In a worst-case scenario, a terrorist with a laptop would sit among the passengers and take control of the airplane using its Wi-Fi, said Rep Peter DeFazio, an Oregon Democrat on the House Transportation and Infrastructure Committee, who requested the investigation.

So it was not the best day for Roberts to have made a public joke about airline security. Of course, as anyone who's ever made a joke about wanting to visit Cuba while standing in a Homeland Security line knows, it's never a good time to make jokes about airline security.

Roberts seemed to take the matter in his stride. He claimed to CNN that he made his remark because he was "frustrated that nothing is getting fixed". Roberts' troubles weren't over yet.

When Roberts tried to board a United Airlines flight from Colorado to San Francisco to go to the RSA security conference this week, he was denied admission to the flight. United Airlines spokesman Rahsaan Johnson told the Associated Press, "Given Mr Roberts' claims regarding manipulating aircraft systems, we've decided it's in the best interest of our customers and crew members that he not be allowed to fly United. However, we are confident our flight control systems could not be accessed through techniques he described."

In the end, Roberts was able to make it to RSA on SouthWest Airlines. He is expected to speak on Thursday about transportation security issues.

In the meantime, the Electronic Frontier Foundation (EFF) is defending his actions. Andrew Crocker, EFF staff attorney, wrote, "As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed." Therefore, "we'd also like to see companies recognize that researchers who identify problems with their products in order to have them fixed are their allies. It would avoid a whole lot of trouble for researchers and make us all more secure."

While I see the EFF's and Roberts' points, I think suggesting from a plane that it can be hacked in-flight comes close to shouting fire in a crowded theater. Sure, we know that Roberts is a white hat and wasn't making a threat. But if you're in charge of flight safety, would you assume someone was making a "ha-ha only serious" joke? I wouldn't.

After all, it's not even a month after a co-pilot on Germanwings flight 9525 seems to have deliberately crashed his Airbus A320 into the Alps with no survivors. If someone who might potentially have the ability to crash a plane starts making jokes about it, it must be taken seriously.

I think it's also possible that Roberts' security worries are overstated. As Patrick Smith, an active airline pilot and author, recently wrote in The New York Times, "The notion of the automatic airplane that 'flies itself' is perhaps the most stubborn myth in all of aviation. The idea that jetliners today are super-automated machines whose pilots serve merely as backup in case of an emergency" simply isn't true.

Still, Roberts' security concerns should be taken seriously. Boeing may claim that its planes meet or exceed "all applicable regulatory requirements for both physical and cybersecurity", but that's not good enough. We need proof that airplane Wi-Fi and infotainment systems can't be hijacked by Roberts' methods. Airplane safety is not a joking matter.

Related stories: