- June 02, 2015
- Suggested Reading
The question of whether passengers could take control of an airplane's commands from their computer in the plane made a lot of headlines this last month. This is thanks to the saga of Chris Roberts' claims, and the subsequent actions by United Airlines and the FBI. In brief, Chris Roberts, a security researcher, tweeted about sitting on an airplane and issuing commands to the avionics system.
This paper attempts to give as complete a view of the topic as possible by providing links to relevant press articles. The news stories linked from this article were picked as examples, and not to endorse or condemn specific publications or authors.
Who did what?
Chris Roberts is a security researcher, founder of a computer security vulnerability research company, and speaker at several information security conferences. Roberts claimed in the past to have been able to tamper with critical systems, like changing the temperature of the International Space Station (Ars Technica, http://arstechnica.com/security/2015/05/alleged-plane-hacker-said-he-pierced-boeing-jets-firewall-in-2012/).
In April, while on board a United Airlines flight, he tweeted (https://twitter.com/Sidragon1/status/588433855184375808) about manipulating critical in-flight systems.
Roberts was scheduled to take another United Airlines flight a few days later. The airline banned him from this flight, as reported by the BBC (http://www.bbc.com/news/technology-32380071).
The FBI was waiting for Roberts after his in-flight tweet, and interrogated him (https://securityledger.com/2015/04/hacker-on-a-plane-fbi-seizes-researchers-gear/). They also seized his computers, hard drives, and other electronics. The search warrant is based on alleged claims by Roberts that he managed to briefly alter the course of a plane after hacking the In-flight Entertainment System (http://aptn.ca/news/2015/05/15/hacker-told-f-b-made-plane-fly-sideways-cracking-entertainment-system/, http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/).
The week after, the FBI and the TSA published an alert to airlines. This alert urged airlines to look out for, and report, intrusion attempts and tampering with In-flight Entertainment Systems (http://www.wired.com/2015/04/fbi-tsa-warn-airlines-tampering-onboard-wifi/, www.theregister.co.uk/2015/04/22/fbi_tsa_hcker_panic/).
What did the press say?
Reuters was very critical of the airplane industry's slow response to cyber security issues (http://www.reuters.com/article/2015/05/25/us-tech-aviation-cybercrime-idUSKBN0OA1GK20150525).
The Washington Post's headline was on the sensationalist side, even though the article about the incident itself was pretty well balanced (http://www.washingtonpost.com/business/economy/fbi-probe-of-plane-hack-sparks-worries-over-flight-safety/2015/05/18/8f75e662-fd69-11e4-805c-c3f407e5a9e9_story.html).
Some commenters, like Robert Graham, had very harsh words for the FBI (http://www.washingtonpost.com/business/economy/fbi-probe-of-plane-hack-sparks-worries-over-flight-safety/2015/05/18/8f75e662-fd69-11e4-805c-c3f407e5a9e9_story.html), while others questioned security researcher ethics (http://www.theage.com.au/it-pro/security-it/chris-roberts-midair-plane-hack-raises-big-questions-around-white-hat-ethics-20150519-gh4dkm.html).
Overall, the best-researched articles on whether planes can be commandeered by a passenger with a laptop were recently published by Wired (http://www.wired.com/2015/05/possible-passengers-hack-commercial-aircraft/) and The Register (http://www.theregister.co.uk/2015/05/19/airplane_hacking_panic_why_its_a_surely_a_storm_in_a_teacup/).
About "Suggested Articles" from ENISA
With the “Suggested Reading” series, ENISA aims to give the interested reader guidance on controversial and inscrutable NIS-related discussions that are carried out in the media, by suggesting selected pre-reviewed articles that in our view explain the issue at hand and related circumstances in a reasonable and understandable manner. This view is derived from past experiences and common sense; in no way should “Suggested Reading” be understood as a recommended course of action in a specific incident or investigation, or as a final conclusion. Feel free to get in touch with ENISA to discuss or request more information about the “Suggested Reading” series (email@example.com).