Security researcher Chris Roberts tweeted in April 2015 that he was on a United Airlines Boeing 737-800 passenger jet, referencing “playing” with flight controls to manipulate communications and oxygen systems — he would contend that he was joking, but the FBI appropriately wasn’t laughing.
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? 🙂
— Chris Roberts (@Sidragon1) April 15, 2015
As soon as Roberts landed in Syracuse for a connecting flight, federal agents questioned him for four hours and seized his laptop, tablet, and storage devices, without his consent and without a warrant at the time. United Airlines subsequently blocked him from boarding his next flight.
I initially sided with Roberts, thinking that United's and the FBI's knee-jerk reaction was unnecessary; that they were targeting someone with good intentions who had made a bad joke, rather than targeting concerning vulnerabilities that could put lives at risk.
Roberts has a history of demanding that vulnerabilities on planes be fixed. Against big companies like Airbus, Boeing, and United Airlines, Roberts’ insistence that these issues be corrected felt like a worthy David versus Goliath situation. The Electronic Frontier Foundation (EFF) agreed, writing in support of Roberts and identifying him as their “client.”
Two days after the April 15 seizure, a U.S. Magistrate Judge issued a search warrant for the devices the FBI seized, based on a detailed affidavit alleging the devices would contain evidence of violations of the Computer Fraud and Abuse Act.
The affidavit stated that months prior, on February 13 and March 5, 2015, Roberts was interviewed by the FBI on a voluntary basis to obtain information regarding vulnerabilities in In-Flight Entertainment systems.
It’s not clear under what circumstances the FBI was interviewing Roberts at that point, but the affidavit claims that Roberts’ goal was to see the vulnerabilities get fixed.
According to the FBI affidavit, Roberts admitted to “… exploit[ing] vulnerabilities with [in-flight entertainment] systems on aircraft while in flight … 15 to 20 times …” and that he “… remove[d] the cover for the [seat electronic box] under the seat in front of him by wiggling and squeezing the box…”, to which he then connected an ethernet cable.
The affidavit continues to detail Roberts’ statement that he “… then overwrote code on the airplane’s Thrust Management Computer while aboard a flight … [and] successfully commanded the system [to] issue the … climb command …”
The affidavit lays out the technical detail that Roberts apparently provided to the FBI on how he actually conducted this “hack”. Roberts was naïve for talking to the FBI and essentially admitting to violations of federal law, but at that point the FBI merely warned him.
Many will give the FBI no benefit of the doubt; they’ve certainly been unfriendly toward the security community. But I would believe that if Roberts was dumb enough to talk to the FBI at all, he was also dumb enough to admit to all of the foregoing.
So, if I were to take the affidavit at face value, the FBI appropriately jumped into action by seizing Roberts’ computer equipment after he tweeted about doing exactly what the FBI warned him to stay away from. There’s no question that if Roberts did what he claimed to have done, it was reckless and illegal.
And yet, even after all of that, Roberts continued to voluntarily talk to the FBI.
The affidavit goes on: “Roberts advised that the thumb drives in his possession contained virtual machines and malware to compromise networks. He described the content as ‘nasty.’”
Further, Roberts apparently “… voluntarily showed the FBI wiring schematics related to multiple airplane models … on [his] MacBook Pro … [which he stated] had been powered on since [the] flight.”
Roberts is obviously senseless, although some would say that we shouldn’t be focusing on Roberts’ conduct and personality, but rather the security vulnerabilities themselves. If someone can sit in a passenger seat on a plane and issue commands to the aircraft, that is an alarmingly critical vulnerability.
But I am going to focus on Roberts for one reason: his conduct has been so damaging to the white hat community.
Security researchers with good intentions are the “white hats,” while malicious attackers intent on harm or financial gain are the “black hats.” And of course, there are many shades of grey in between.
“Responsible disclosure” is the concept of reporting a security vulnerability to a company or vendor quietly and privately so that it can be fixed, prior to releasing information to the public, to ensure minimal damage. That’s not to imply that any disclosure outside of those parameters is “irresponsible,” but of course, vendors prefer silence.
Just because a security researcher identifies and responsibly reports a security vulnerability doesn’t mean that they’re a “white hat.” In fact, some researchers will claim to have a vulnerability and only release the information needed to identify or fix it upon payment: essentially holding a vendor hostage.
These situations pain me, because they make all well-intentioned security researchers look bad. They put vendors in a defensive and vulnerable position: instead of putting a vulnerability reporter in contact with a development team to fix a bug, they’re more likely to send the report off to corporate attorneys, who will proceed to scare the researcher away under threat of a plethora of civil claims and criminal hacking charges.
When that happens, nobody wins.
Even in a good scenario with no attorneys involved, a security researcher responsibly reporting a vulnerability through official channels is likely to get ignored. And so vulnerability reporters often speak in terms of worst-case scenarios and theoretical situations, not because they want the attention for themselves, but because they want attention for the vulnerability and are sick of vendors eschewing accountability.
In the event of silence from a vendor, public pressure does wonders to induce a corporation or even an entire industry to implement better security practices. But when security researchers publicly hype up what could happen, they’re sometimes viewed as threatening, paranoid, or criminal.
Security research is at times a practice in public relations.
The least important part of any security research is the researcher who identifies a vulnerability. When names and faces are attached to vulnerability reporting, the issue sometimes gets conflated in the minds of non-technical people, which can be a distraction.
In this case, though, Roberts didn’t stop at what could happen; he actually claimed to have exploited it. In the air. On a plane.
And now, instead of talking about scary vulnerabilities in planes and holding Boeing’s feet to the fire, journalists are using up news cycles digging up old videos of Roberts laughing maniacally about hacking the Space Station (an absurd claim) rather than focusing on the very real possibility of exploitable planes.
Even if we are to believe Chris Roberts’ claims, he’s established himself as foolish, malicious, and willing to jeopardize the lives of many. The FBI, while uncharacteristically stopping someone who has shown himself to be dangerous, has managed to attack the messenger to some extent, and has caused further harm to its reputation among the security community. And United Airlines has basically shrugged its shoulders and walked away.
Nobody wins here.
But at least we got a new meme that I’m sure will be all the rage at DEFCON: “I made a plane fly sideways!”
Irony: for FBI to make its case against Chris Roberts, they’re going to have to seriously harm confidence in the aviation industry.
— Matthew Green (@matthew_d_green) May 16, 2015