Hacker turns a/c


The Big Bunny DC-9
16th May 2015, 23:23
Feds Say That Banned Researcher Commandeered a Plane | WIRED (http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/)

CargoFlyer11
16th May 2015, 23:37
FBI: researcher admitted to hacking plane in-flight, causing it to "climb" | Ars Technica (http://arstechnica.com/security/2015/05/fbi-researcher-admitted-to-hacking-plane-in-flight-causing-it-to-climb/)

Chris Roberts, told the FBI that he:

"connected to other systems on the airplane network after he exploited/gained access to, or "hacked" the [in-flight entertainment] system. He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or "hacking" the airplane’s networks. He used the software to monitor traffic from the cockpit system.":ugh:

xcitation
17th May 2015, 02:54
SAN FRANCISCO — A computer security expert hacked into a plane's in-flight entertainment system and made it briefly fly sideways by telling one of the engines to go into climb mode.

In an interview on Feb. 13, 2015, Roberts told agents he had hacked into in-flight entertainment centers on Boeing 737s, 757s and Airbus A-320 aircraft "15 to 20 times."

Someone tell me that these a/c have physically separate networks for flight systems vs entertainment. Did the bean counters save a few $$$'s by using only one network device instead of 2?

This guy is a white hat. Probably formally requested a fix before demonstrating vulnerabilities as a last resort.

777boeings
17th May 2015, 03:36
I'm sure the military would be very interested in an aircraft that can fly "sideways" :)

Avenger
17th May 2015, 03:37
Complete nonsense there is no connection from the IFE system to the EEC utter rubbish

JB007
17th May 2015, 03:52
Utter tosh on the 737/757...

Amazed the IFE was working though...

KRviator
17th May 2015, 04:17
Old news. This bloke made headlines last month after United blacklisted him following a (hopefully) tongue-in-cheek tweet about Deploying the oxy masks in flight (http://www.foxnews.com/us/2015/04/19/researcher-denied-flight-after-tweet-poking-united-security/).


That being said, I have no doubt it would be possible for someone sufficiently talented to view data on board, and perhaps even modify it. External systems are even easier. How about a TCAS RA based on a series of non-existent ADS-B transmissions? A false "Beware, pax in 14D is a hijacker" ACARS message to the crew?


How long it'll be before someone uses these vulnerabilities remains to be seen.

deptrai
17th May 2015, 04:55
Afaik TCAS gets range/distance from radio interrogation roundtrip time and extrapolates from differences to determine whether an a/c is getting closer. Angle/bearing from directional antennas. Both pretty hard to spoof... (unlike ADS-B altitude, heading and position). Most of these reported "hackers" seem to be attention whores who peddle hot air to journalists.

SAMPUBLIUS
17th May 2015, 05:26
Feds Say That Banned Researcher Commandeered a Plane | WIRED (http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/)

and the search warrant is at

http://aptn.ca/news/wp-content/uploads/sites/4/2015/05/warrant-for-Roberts-electronics.pdf

IF- big IF true- then there is a bit of splainin to do by the so called ex- spurts ! :8:ooh:

But be sure to read the whole article !!

swh
17th May 2015, 05:41
Complete nonsense there is no connection from the IFE system to the EEC utter rubbish

How does IFE display the position, altitude, speed, OAT, wind ?

How does IFE display the outside camera ?

How does IFE have channel 9 (cockpit and ATC transmissions) ?

While I know its not the EEC, I would think there is an ARINC data bus between the IFE and the aircraft. Given that many of these busses contain bridges and gateways, direct control over an engine may not be required. With FADEC aircraft that connect to an autothrottle, I would think providing false sensor information onto the bus (e.g. change in one TAT input by 20 degrees), and then letting the engine through the autothrottle adjust performance may be a way to get this result.

Certainly convective clouds can have similar asymmetrical effects on TAT readings.

deptrai
17th May 2015, 06:20
Every time I looked into such "hackers" claims as reported in the media it turned out to be yet another movie plot. For various reasons "providing false sensor information" on an AFDX network/ARINC bus would require physical access to something else than IFE. To give just one example of an obstacle I see to the "hacker commandeers a/c via IFE" scenario is that all devices connected to an AFDX network are known and addressing is based on a fixed table of MAC addresses, and switches do some form of traffic policing. The aim is to lower latency and ensure bandwidth but a side effect is that it hardens the network. While there may be a physical wire between IFE and other devices (this is what inspires the movie plots), from the perspective of an IFE terminal communication between avionics components pretty much happens on a secure channel. If I see a "hacker" with an AFDX analyzer in an avionics compartment I'd be a bit concerned, but a "hacker" with an Android phone or a laptop in his seat, not really.

swh
17th May 2015, 06:44
AFDX is only on the A380, 787, and A350.

The FBI claim to have evidence that indicates physical tampering with the under seat box and the connection of a cable to those boxes.

As for a MAC address itself, it is very easy to change on most devices in software. Often devices like IFE boot from the server, and have their MAC address displayed on the seat back screen during boot.

HEATHROW DIRECTOR
17th May 2015, 06:59
<<How does IFE have channel 9 (cockpit and ATC transmissions) ?>>

Well, they do - that's for sure!

I don't know about TCAS deriving information from directional antennas? Where did this come from?

deptrai
17th May 2015, 07:00
swh - I'm thinking out loud. Let's assume you connected your device X to an under the seat box. Yes you can easily change your device's MAC address in software. Now you want to change the MAC address of your device X, to spoof the MAC address of sensor Y. But how do you sniff the MAC address of sensor Y if there is no packet from or to Y on the segment of the network you're listening to? It also doesn't introduce itself to you with ARP broadcasts. You also can't alter the hardcoded table of MAC addresses that every device except yours has. Assuming you figured out a way, now how do you insert your spoofed packets to go beyond a switch that discards your packets?
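
The switch behaviour deptrai describes in his posts above (a fixed table of known addresses, traffic policing, no ARP-style discovery) can be sketched as a toy ingress filter. This is an added example, not code from any poster or avionics vendor; the port numbers, virtual link IDs, timings and the `03:00:00:00` address prefix are constructed assumptions, and policing is simplified to a fixed minimum gap between frames.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed constant prefix of an AFDX destination MAC; the last two bytes
# carry the virtual link (VL) id. Treated as an assumption in this sketch.
AFDX_CONST = bytes.fromhex("03000000")


@dataclass
class VirtualLink:
    vl_id: int
    ingress_port: int               # the only port allowed to source this VL
    egress_ports: Tuple[int, ...]   # fixed fan-out, never learned
    bag_ms: float                   # minimum spacing between accepted frames
    max_frame: int                  # largest frame accepted on this VL (bytes)
    last_accept_ms: Optional[float] = None


def vl_mac(vl_id: int) -> bytes:
    """Build the destination MAC that addresses a given virtual link."""
    return AFDX_CONST + vl_id.to_bytes(2, "big")


class PolicingSwitch:
    """Ingress filter with a static table: no MAC learning, no flooding."""

    def __init__(self, links):
        self.table = {vl.vl_id: vl for vl in links}  # loaded once, read-only
        self.drops = Counter()                       # per-reason drop counters

    def _drop(self, reason: str) -> tuple:
        self.drops[reason] += 1
        return ()

    def ingress(self, port: int, dst_mac: bytes, length: int, t_ms: float) -> tuple:
        """Return the egress ports for a frame, or () if it is discarded."""
        if dst_mac[:4] != AFDX_CONST:
            return self._drop("not_afdx_destination")   # includes broadcast
        vl = self.table.get(int.from_bytes(dst_mac[4:6], "big"))
        if vl is None:
            return self._drop("unknown_vl")
        if port != vl.ingress_port:
            return self._drop("wrong_ingress_port")     # right address, wrong wire
        if length > vl.max_frame:
            return self._drop("oversize")
        if vl.last_accept_ms is not None and t_ms - vl.last_accept_ms < vl.bag_ms:
            return self._drop("bag_violation")          # faster than the VL allows
        vl.last_accept_ms = t_ms
        return vl.egress_ports


def run_demo():
    """Feed constructed frames through the filter; return results and drops."""
    sw = PolicingSwitch([
        VirtualLink(100, ingress_port=1, egress_ports=(2, 3), bag_ms=8, max_frame=200),
    ])
    frames = [
        # (label, ingress port, destination MAC, length, arrival time in ms)
        ("sensor frame", 1, vl_mac(100), 120, 0.0),
        ("sensor frame, one gap later", 1, vl_mac(100), 120, 8.0),
        ("same VL address from cabin-side port", 7, vl_mac(100), 120, 9.0),
        ("broadcast from cabin-side port", 7, b"\xff" * 6, 64, 10.0),
        ("VL id not in table", 7, vl_mac(999), 64, 11.0),
        ("sensor port, sent too soon", 1, vl_mac(100), 120, 12.0),
        ("sensor port, oversize frame", 1, vl_mac(100), 1500, 16.0),
    ]
    results = [(label, sw.ingress(port, mac, length, t))
               for label, port, mac, length, t in frames]
    return results, dict(sw.drops)


if __name__ == "__main__":
    results, drops = run_demo()
    for label, out in results:
        print(f"{label:40s} -> {out if out else 'DROPPED'}")
    print(drops)
```

The per-reason drop counters are the part worth monitoring: on a network where every sender and rate is known in advance, any non-zero count is an anomaly to investigate.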

DaveReidUK
17th May 2015, 07:11
But be sure to read the whole article !!

I agree, it does repay reading.

"Based on the investigation described above [principally an interview with Roberts and his Twitter claims], probable cause exists to believe that inside the Devices(s) described in Attachment A [iPad, MacBook, various hard drives and thumb drives, etc] will be found evidence, fruits and instrumentalities of a violation of Title 18, United States Code sections 1030(a)(2), 1030(a)(5)."

The relevant USC sections:

"1030(a)(2) Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;

1030(a)(5) Whoever-
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

shall be punished as provided in subsection (c) of this section."

deptrai
17th May 2015, 07:12
Heathrow Director: as I understand it, a directional antenna with four slightly overlapping 90+ degree segments, is used to reduce overlapping transmissions/garble, multipath interference and/or other interesting things I know little about. TCAS II (current) uses a directional antenna on top of the a/c and most installations also a directional option at the bottom. Very neat and well engineered. A side effect is that there is some directional information which can't be spoofed easily...

see Introduction to TCAS II V 7.1 from the FAA, p 11, 12, 18, 19, much more details

cue "a firm grasp of the non-essential" for checkers.

Edit: TCAS doesn't derive angle/bearing from directional antennas (this was intended in TCAS III, but precision isn't good enough), yet the directional antennas could be an obstacle to a "hacker" :)

Gibon2
17th May 2015, 07:22
Complete nonsense there is no connection from the IFE system to the EEC utter rubbish

And there we have it - the attitude responsible for every successful computer security breach ever.

Tscottme
17th May 2015, 07:50
The so-called evidence of someone tampering with the Ethernet port near the "hacker's" seat is a slightly damaged housing and some slightly backed-out screws. Coincidentally this is the same damage the housing would receive if bumped a few hundred/thousand times by passenger feet and/or luggage.

Remember the first rule of aviation journalism is it's nearly certain the story has something to do with an aircraft, all other details are highly questionable. The reporters and editors in general interest "journalism" wouldn't notice the difference between a C-152 and B-747 carrying the Space Shuttle. If the hacker claimed to have hacked the microwave ovens in the crew-rest area of a Piper Cub to communicate with Mars they wouldn't spot anything fishy.

swh
17th May 2015, 08:03
Now you want to change the MAC address of your device X, to spoof the MAC address of sensor Y. But how do you sniff the MAC address of sensor Y if there is no packet from or to Y on the part of the network you're listening to?

The MAC comments were in relation to AFDX which was developed for the A380, and then adopted by industry. Earlier aircraft like the one this person targeted use a different ARINC bus, my understanding is these are linear buses where any device on the bus can listen to the bus. The bus design itself can be centrally controlled, or as in ARINC 629, control over the bus is distributed. Those buses are normally segregated/partitioned according to their function, and gateways/bridges connect different partitions.

LeadSled
17th May 2015, 08:18
If the hacker claimed to have hacked the microwave ovens -----

Actually, you might be surprised at the aviation mayhem you could generate with a hacked microwave oven with the door open, but I will not be the one to provide the details.

deptrai
17th May 2015, 08:22
swh - Arinc 629 is B777 (and A330/340)? and yes it's linked to a standard TCP/IP network (this is where the "hacker" is), but it's one way communication.

Those buses are normally segregated/partitioned according to their function, and gateways/bridges connect different partitions.

...which is why all stories about "hacking" of aircraft so far have been fictitious. Each path on the gateway must be programmed.

My summary of a/c hacking stories so far is this: There is a wire from the headphone socket on seat 29C which is connected to [insert something here] which again is connected to a wire via [insert box here], and through various other devices, I have now, very ingeniously, traced physical wires/"connections" from the headphone socket to the FMS. They're physically connected, it must mean something can be hacked, because it's computers! Yet if I plug my [insert evil hacking tool here] into the headphone socket I have no control over the FMS, despite the "physical connection".

TheChitterneFlyer
17th May 2015, 09:19
Good post deptrai. Let's hope your post puts an end to the drivel that's being posted within this thread.

DaveReidUK
17th May 2015, 10:09
The so-called evidence of someone tampering with the Ethernet port near the "hacker's" seat is a slightly damaged housing and some slightly backed-out screws. Coincidentally this is the same damage the housing would receive if bumped a few hundred/thousand times by passenger feet and/or luggage.

That would be entirely consistent with Roberts' statement that, despite his provocative Tweets, he had made no attempt to access the SEB on the flight in question.

Not sure what that does or doesn't prove.

Nialler
17th May 2015, 10:16
As a security consultant, part of my job involves ethical hacking and supervised penetration attacks on client sites. I've only ever done this in financial institutions; I've never tried to hack a plane, and, to be honest, my hardware and software experience aren't up to that task. I often need the assistance of a hacker of systems at the desktop layer in order to then penetrate the underlying systems.

A couple of observations:

Professional hacking is, of course, done in a very heavily supervised manner, with every step documented for subsequent analysis and mitigation.

Professional hackers never ever attempt to hack systems without invitation and without an appropriate contract in place.

Professional hackers never disclose their findings to anyone other than the client. Any findings are the sole property of the client. To successfully penetrate a system and to broadcast the fact would directly compromise the client's security - and our job is in the opposite direction.

There are a lot of idiots out there making wild claims in an effort to gain some notoriety. There are also dedicated professionals who quietly and without fanfare are paid to expose vulnerabilities in order that these can be eliminated.

I doubt that he has hacked a plane's systems. I wouldn't be certain that it can't be done, though.

Dagegen
17th May 2015, 10:38
Hacking an aircraft may be possible by a disgruntled LRU manufacturer employee, or a government.

The 'hacker' will have been able to read items such as the ARINC data provided for moving map / flight info features from a secondary bus. It's not that hard to read - a little bit harder than 'hacking' someone's Facebook page (when they leave it open...).

As mentioned, currently, IFE systems are fed by secondary busses, connected on a 'read only' basis.

If you have any understanding of typical aircraft architecture, you will understand why claims to have "taken control" of an aircraft are extremely improbable.

Additionally, if you understand the ARINC standards (there will be very, very few people on this board that have the knowledge I'm alluding to - it's detailed system design level depth of knowledge), and the aircraft systems logic, you'll find the claims even more improbable.

There are not many aircraft types with integrated networks. These have special conditions relating to security attached to them.

Capot
17th May 2015, 12:25
So-called "experts" may scoff, but I know what I know, and one of the things I know is that using my iPad I can turn the chemtrail dispenser on whenever the aircraft I'm in is over France. It annoys the hell out of them.

Hullo, here we are in JB....there's a surprise.

Chu Chu
17th May 2015, 12:25
I guess this is obvious, but hacking into the IFE would violate the criminal statute, whether it's connected to anything else or not.

DaveReidUK
17th May 2015, 12:55
Not only obvious, but already stated.

See the post with the link to the FBI search warrant application, which quotes the relevant statutes.

deptrai
17th May 2015, 13:16
I was waiting for the chemtrail connection, Capot :ok:

Nialler
17th May 2015, 13:22
In all of this there also needs to be clarification on what constitutes a hack.

I am subscribed to a lot of sources on hacking as part of my job, and it really is telling how many people show a failed logon attempt to a banking system as evidence of a "hack". No. What is happening there is that the system is protecting itself as designed.

I was once booked to speak on mainframe security at a conference and decided to research the other speakers. Two of them had speeches on the subject of mainframe vulnerabilities on YouTube. Their perception was laughable. On reflection, I decided not to speak. To do so would have involved rebutting their naive assumptions and thereby drive them into efforts which were potentially more fruitful than the culs de sac they were describing.

Hacking an aircraft would probably suggest one of the following aims:

Claiming complete control of the aircraft systems;
Inputting false data to those systems;
Completely disabling those systems.

A more benign aim would be merely to eavesdrop on what was happening on the systems.

I would imagine that the software engineers have incorporated penetration testing in the development cycle and continue to do so as they enhance their systems.

In the meantime, those systems have a very effective backstop in that the systems are very real-time and any anomalies should be noticed and over-ridden by the people at the front end of the machine.

Regarding the guy mentioned in this thread, if he had any ethics as a hacker he has a very simple avenue open to him if he found a vulnerability and if he warned the airlines and if his warnings were ignored.

His option is to demonstrate it to officials from any flight regulatory authority that will listen to him. It doesn't need to be his own domestic authority. Record the outcome and use registered post to keep the whole thing a matter of record. Give them 6 months to have the issue addressed, with a subsequent paid PenTest to verify that the opening is now closed with immediate revelation to the Press if the systems are still proven to be vulnerable.

In the meantime utter confidentiality is maintained out of a healthy respect for self-survival. Hell, if I found that I could hack aircraft systems the last thing I'd do is go public. I wouldn't fancy being forced to spill the details while looking down the barrel of a terrorist's Uzi, or, worse, being forced to prove my technique on a real flight while my family cower and whimper under the cover of same Uzi.

tl;dr version: I'd guess that the systems have possible weaknesses but I'm sure that stringent penetration testing is ongoing. Aircraft have pilots who should be able to override any system anomalies. Any hacker who would advertise a claimed hack of these systems is an idiot who is putting his life and that of others at risk.

vapilot2004
17th May 2015, 13:33
Our guys in engineering say this is highly unlikely - Flight Certified is a phrase with at least a little meaning and proof of concept behind it. What's more, Mr. Roberts fails to follow ethical hacking guidelines as a "white hat" gent. Seems to many that in matters commercial aviation computer security, he is a publicity seeking hound and nothing more.

Nialler
17th May 2015, 13:48
I guess this is obvious, but hacking into the IFE would violate the criminal statute, whether it's connected to anything else or not.

That is one of the legal issues which is foremost when people pay me to hack their systems. For the purposes of the exercise my access to their systems is considered to be authorised by them, but there are obvious and severe curtailments on what I can do when I break through. Once I get in, the design of the system architecture will normally reveal just what I can or can not do without my having to actually transfer funds from the client to my numbered Swiss account.

On occasion once a penetration has been made and I've reported it I'll then be given a legitimate logon to a test system where I can really do some destructive stuff in a quarantined environment.

I'm not sure how layered or embedded aircraft systems are, but in the world of commercial systems the application layer is often riddled with holes. I'd imagine that on an aircraft the systems are very embedded.

Sorry about going on about this at such length, but these celebrity hackers tick me off no end. Those that go public in an effort to show how clever they are are no better than those thugs who mark the backs of people at ATMs in order to allow confederates to mug them down the street.

An illustration suffices: an unnamed client had an exposure which I discovered in an application which allowed userids with a certain level of access (the IDs were defined within the application and were easy to identify and clone) to move massive amounts of money to be transferred. I'm speaking massive amounts. A couple of userids could be created for the purpose of moving the money and then deleted. There was no audit trail showing who had created and deleted the IDs. The only control was that an ID had initiated the transaction and another had authorised it. The police would have issued an APB for a Mr Mickey Mouse and his partner-in-crime Ms Minnie Mouse.

When I demonstrated this in their test environment there were pale faces around the room. A couple of hours later I was presented with a very binding NDA and told that I was to be escorted off the premises until such time as the problem was remediated. Until then I would be on my full daily rate, forfeited if I made any attempt to log on again and with the most severe financial penalties if they suspected that I had leaked the information. I was perfectly happy with this arrangement and have worked for them many times since.

Chuffer Chadley
17th May 2015, 14:39
Anyone else see this titbit?

FBI: Security researcher claimed to hack, control plane in flight (http://www.engadget.com/2015/05/15/fbi-security-researcher-claimed-to-hack-control-plane-in-fligh/)

Seems a little far-fetched. Never seen an Ethernet port on the IFE kit on my type, maybe some latest-gen experts would care to comment?

SAMPUBLIUS
17th May 2015, 14:43
AND the Warrant at

http://aptn.ca/news/wp-content/uploads/sites/4/2015/05/warrant-for-Roberts-electronics.pdf

Case 5:15-mj-00154-ATB Document 1 Filed 04/17/15 Page 1 of 22

and also

Hacker told F.B.I. he made plane fly sideways after cracking entertainment system | APTN National News (http://aptn.ca/news/2015/05/15/hacker-told-f-b-made-plane-fly-sideways-cracking-entertainment-system/)

and Shortly after the incident with Roberts, Wired reported that the TSA and the F.B.I. issued a bulletin to airlines to be on the lookout for passengers showing signs they may be trying to hack into an airplane’s Wi-Fi or inflight entertainment system. Wired also reported that the U.S. Government Accountability Office issued a report warning that electronic systems on some planes may be vulnerable to hacking.

Roberts told the F.B.I. that he has discovered vulnerabilities in the inflight entertainment systems of Boeing 737-800, 737-900 and 757-200 aircraft along with Airbus A-320s.

Air Canada flies Airbus A-320 aircraft and WestJet flies Boeing 737-800 aircraft, according to the airlines’ websites.

According to Wired, Roberts has been issuing warnings about vulnerabilities in inflight entertainment systems for years.

1) he did hack the IFE in flight

2) That is a big NO NO

3) He claims no hack to change controls in flight but on a virtual simulator

4) His company got clobbered as a result

5) Even the GAO issued a warning

IMHO anyone who tells you their system cannot be hacked is living in a fools paradise. The question is how much damage/control can be done.

IMHO Absolute physical separation ( air gap ) AND EMP protection of critical systems is a must. :8

And for the non believers- even a fiber optics system/cable can be tapped/hacked. This was known over 20 years ago. As was reading the output/screens of CRT display remotely via cheap electronic receivers. While CRTs have essentially disappeared and current screens **may** not be read remotely with no physical- video link- anyone care to bet ??

swh
17th May 2015, 15:04
Arinc 629 is B777 (and A330/340)? and yes it's linked to a standard TCP/IP network (this is where the "hacker" is), but it's one way communication.

Yes it is 777/A330/A340. It is not Ethernet, it is not simplex, it is time division multiplex (multiple source, multiple sink), with a limit of 128 devices per bus. Inductive coupling is also used by design.

My summary of a/c hacking stories so far is this: There is a wire from the headphone socket on seat 29C which is connected to [insert something here] which again is connected to a wire via [insert box here], and through various other devices, I have now, very ingeniously, traced physical wires/"connections" from the headphone socket to the FMS. They're physically connected, it must mean something can be hacked, because it's computers! Yet if I plug my [insert evil hacking tool here] into the headphone socket I have no control over the FMS, despite the "physical connection".

He is talking about connecting his PC to the IFE network by cable.

I'm not sure how layered or embedded aircraft systems are, but in the world of commercial systems the application layer is often riddled with holes. I'd imagine that on an aircraft the systems are very embedded.

The boxes under the seats are essentially disk-less single board computers running windows or linux connected to a windows/linux server. They boot off the server with bootp or similar. The kernel versions I have seen boot are very old.

Lots of these under seat boxes are available, even complete IFE racks. Many of these early generation IFE systems and seats have already been scrapped by airlines, and anyone can buy a seat, IFE rack, or even a full fuselage from a scrapper for the right price.

DaveReidUK
17th May 2015, 15:36
Many of these early generation IFE systems and seats have already been scrapped by airlines, and anyone can buy a seat, IFE rack, or even a full fuselage from a scrapper for the right price.

The going rate for a used 747 SEB (Rockwell Collins) on Ebay is around US$35.

Nialler
17th May 2015, 16:14
1) he did hack the IFE in flight

2) That is a big NO NO

3) He claims no hack to change controls in flight but on a virtual simulator

4) His company got clobbered as a result

5) Even the GAO issued a warning

IMHO anyone who tells you their system cannot be hacked is living in a fools paradise. The question is how much damage/control can be done.

IMHO Absolute physical separation ( air gap ) AND EMP protection of critical systems is a must.

And for the non believers- even a fiber optics system/cable can be tapped/hacked. This was known over 20 years ago. As was reading the output/screens of CRT display remotely via cheap electronic receivers. While CRTs have essentially disappeared and current screens **may** not be read remotely with no physical- video link- anyone care to bet ??

He hacked the plane in flight? Are you sure? What was the extent of that "hack"? What capabilities did it give him?

Let me be very explicit about this: I am deeply involved as a professional IT consultant in the area of system security. If I penetrate a system my job is to push my chair back from my desk and not to touch the keyboard under any circumstances. I will reach for the phone and tell my client that I am in and will tell them under which ID I have gained access. They in turn will kill my access.

If I were to gain access - whether through deliberate or accidental means - to a plane's system (and I'm speaking of someone who is paid to hack on occasion) I would immediately recoil in horror and hand my unpowered laptop to the cabin crew with a full account passed to the captain.

It's that simple.

There would be no guarantee that an inadvertent keystroke might confound the systems.

I also would not need to be told that the carrier is no longer prepared to have me as a passenger; I would simply not wish to fly with that airline or on that type ever again.

I'm a reasonably proficient hacker, but there are some better than I am out there, and they tend to be of the braggadocio mindset which says "Now that I'm in the system, let's see what I can do. The guys will be really p1ssed when they see this at the next convention *alt-PrntScr*".

No system is perfect; that's why I have made a reasonably lucrative career analysing these imperfections. However, it is my job to reveal these issues to the client and their auditors and not to a hacking community who are all too happy to exploit these imperfections.

There's another issue. I'd like to know how a pilot would react if a passenger on his flight reported that he or she had got into the flight systems. Voluntary admission accompanied by a willingness to remain under restraints and separated from the device used to get in to the systems. Would the captain deem this to be a compromise to the plane's safety and land at the nearest?

It's a genuine question; I have no idea what the protocols would be. Other applications such as banking are less immediate and have the luxury of mitigating the threat while taking steps to eliminate it. At 35k feet the same luxury isn't available. Would vulnerability to the flight control systems be considered in the same way as a hull breach or an engine loss?

thcrozier
17th May 2015, 16:55
From 2013:

https://www.federalregister.gov/articles/2013/11/18/2013-27343/special-conditions-boeing-model-777-200--300-and--300er-series-airplanes-aircraft-electronic-system#h-9

SAMPUBLIUS
17th May 2015, 17:46
He hacked the plane in flight? Are you sure? What was the extent of that "hack"? What capabilities did it give him?

PUUUHHLESE read the FBI warrant request posted several times

http://aptn.ca/news/wp-content/uploads/sites/4/2015/05/warrant-for-Roberts-electronics.pdf

granted these are allegations- but he ( hacker ) was specific about the In flight entertainment systems ( IFE). The ongoing argument is that such could not impact flight/cockpit controls. Even so hacking the IFE is a federal crime.

One could ask - then why- since he admitted it - isn't he in Jail now ?:mad:

deptrai
17th May 2015, 18:23
His conversations with the FBI lasted for hours, and he later claimed the statements in the warrant were taken out of context. Years ago he built a small "lab" with some IFE parts bought off ebay etc which he then "hacked". As far as I understand the "hacking" of his lab setup (not an aircraft) was limited to some eavesdropping. My guess is his recent references to IFE hacking referred to his lab setup on the ground, and he didn't touch anything on the flight in question. The FBI warrant is probably useless to understand what happened, it was written only to provide a reason for searching his electronics, not for anything else. For some reason he made a stupid "joke" on twitter about his hacking, the equivalent of the equally stupid "I have a bomb". This alone suggests to me he is a nutcase. That's all there is to see here.

Nialler
17th May 2015, 18:40
@Sampublius:

PUUUHHLESE read the FBI warrant request posted several times

http://aptn.ca/news/wp-content/uploa...lectronics.pdf

granted these are allegations- but he ( hacker ) was specific about the In flight entertainment systems ( IFE). The ongoing argument is that such could not impact flight/cockpit controls. Even so hacking the IFE is a federal crime.

One could ask - then why- since he admitted it - isn't he in Jail now ?

PUUUHHLESE?

Don't treat me like a :mad: teenager. Just don't. I've been in the business which I occupy for more than thirty years.

Now please show me where in the whole litany of Due Process a search warrant is proof of guilt. Then you say that he "admitted it". Admitted or claimed? While you're turning his boast into an admission please specify the precise degree of the hack.

One good reason why he may not be in jail is because of the fact that he may be a BS artist who didn't manage in any way to do what he has claimed. The hacker community is full of BS artists. I've invited them to hack systems that they claim to have hacked. They couldn't.

It's that simple. There are several protections against brute force attacks. On the mainframes I've worked, enumeration (random scrolling for valid IDs) doesn't work. Three failed attempts block the IP address and the Logical Unit Address. Even with a valid ID, three failures do the same thing, though in some cases it also blocks the entire subnet.

My clients have offered money to self-professed hackers to display their wares - they have never succeeded despite significant financial inducements.

It's the quiet ones which should be of concern. If they can really hack a system they'll keep it quiet and turn their technique into gold very quickly for fear that the entry point has been spotted.

SAMPUBLIUS
17th May 2015, 18:57
Then you say that he "admitted it". Admitted or claimed? While you're turning his boast into an admission please specify the precise degree of the hack.

Feds Say That Banned Researcher Commandeered a Plane | WIRED (http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/)

Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.

“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in his warrant application (.pdf). “He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”

FBI: researcher admitted to hacking plane in-flight, causing it to "climb" | Ars Technica (http://arstechnica.com/security/2015/05/fbi-researcher-admitted-to-hacking-plane-in-flight-causing-it-to-climb/)


Roberts did not immediately respond to Ars’ request for comment, but he told Wired on Friday that this paragraph was taken out of context.

"It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others," he said, declining to elaborate further.

So what did he say? Did the FBI agent lie - under penalty of perjury? Was the FBI allegation without foundation?

Check my initial post on the subject and the links and the claims by both sides and the supposed quotes.

Bottom line - there ARE concerns at least for older planes prior to 777 for example per the fed register post earlier.

And read the concerns stated at

http://www.gao.gov/products/GAO-15-370

thcrozier
17th May 2015, 20:39
(PDF Page 22)

http://www.gao.gov/assets/670/669627.pdf

SAMPUBLIUS
17th May 2015, 21:27
re

http://www.gao.gov/assets/670/669627.pdf page 18


According to FAA and experts we interviewed, modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems. Aircraft information systems consist of avionics systems used for flight and in-flight entertainment (see fig. 4 below). Historically, aircraft in flight and their avionics systems used for flight guidance and control functioned as isolated and self-contained units, which protected their avionics systems from remote attack. However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them—as shown in figure 4 (below). Firewalls protect avionics systems located in the cockpit from intrusion by cabin-system users, such as passengers who use in-flight entertainment services onboard. Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin. An FAA official said that additional security controls implemented onboard could strengthen the system.

Now about the claims that such a system can never be hacked ? :ugh:


Could the guy have done just what he said ?:eek:
" ALL four ex-spurts " agree ??

thcrozier
17th May 2015, 21:38
Maybe he did and maybe he didn't; but obviously the FBI isn't the only agency which thinks it's possible.

If it's possible, then we have to assign probability and react accordingly. I'm no expurt, but in my opinion some of the posts here ring of complacency or even denial. :rolleyes:

There seems to be an attitude of "no one with any brains would design a system with such vulnerabilities." Unfortunately the historical record indicates otherwise.

A few well known examples:

Apollo 1
Challenger
Columbia
Pinto
Drive On - Drive Off ferry boats
HMS Sheffield
And many others....

"It appears that there are enormous differences of opinion as to the probability of a failure with loss of vehicle and of human life. The estimates range from roughly 1 in 100 to 1 in 100,000. The higher figures come from the working engineers, and the very low figures from management. What are the causes and consequences of this lack of agreement? Since 1 part in 100,000 would imply that one could put a Shuttle up each day for 300 years expecting to lose only one, we could properly ask "What is the cause of management's fantastic faith in the machinery? .. It would appear that, for whatever purpose, be it for internal or external consumption, the management of NASA exaggerates the reliability of its product, to the point of fantasy." - R. Feynman

Capot
17th May 2015, 22:11
From my last post in this thread....

Hullo, here we are in JB....there's a surprise.

Ah well, wrong again. Here we are in North America; same thing, really.

Dagegen
17th May 2015, 22:26
"Maybe he did and maybe he didn't; but obviously the FBI isn't the only agency which thinks it's possible.

If it's possible, then we have to assign probability and react accordingly. I'm no expurt, but in my opinion some of the posts here ring of complacency or even denial."


It's possible that there are a few people actually working in this area involved in the discussion. It's unlikely that they are complacent.

thcrozier
17th May 2015, 22:37
If you have any understanding of typical aircraft architecture, you will understand why claims to have "taken control" of an aircraft are extremely improbable.

How improbable? And again, I'm not saying this guy did it. What I'd like to know is your opinion of the probability of someone with the expertise being able to do it.

Not trying to offend or be aggressive, I'm just curious.

Dagegen
17th May 2015, 22:50
It's a well defined number and concept in the aviation systems design world, no?

10^-9 or less.


Edit: And with your edit, my comment looks aggressive...! :-)

thcrozier
17th May 2015, 23:14
One in a billion? I hope you are right.

Then what accounts for the concerns in the GAO report? I know I'm oversimplifying, but wouldn't you first need to find the very few guys who could do it, and from them find the tiny portion who would do it?

Are the GAO, the FAA, and the FBI responding to a non-existent threat? If they are, it wouldn't be the first time...

deptrai
17th May 2015, 23:16
There is not a single incident or accident report yet which would indicate "hacking of aircraft" is a problem; that could help to estimate the probabilities even without knowledge of a/c system design. It's an imaginary problem so far. The scaremongering is a real problem though, some statistician with a better grasp of numbers than me estimated that around 1600 people died following 9/11 because they chose to travel by car, instead of flying. I wonder what the probability is that someone will get killed in a road accident because they read stories about "hacking of aircraft"...probably more than those who get killed by "hacked" aircraft?

thcrozier
17th May 2015, 23:26
Agreed, that's a very good point.

I wonder how many more have suffered stress related health problems resulting from the frustrations of waiting in screening lines? ;)

thcrozier
18th May 2015, 00:25
Years ago he built a small "lab" with some IFE parts bought off ebay

Holy cow I just realised my eBay account was established in 2002. We are all getting too old too fast. :ugh:

yssy.ymel
18th May 2015, 01:58
@SAMPUBLIUS

Now about the claims that such a system can never be hacked ?

However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them—as shown in figure 4 (below)

Figure 4 is a very simplistic view of how an aircraft may be configured, and it has a number of important assumptions.

The first is that the avionics and FMS are exposed via an IP port to the rest of the aircraft systems. I would find it extremely unlikely that there would be permissive access from any other system inbound to any critical system on an aircraft. That's security 101. Door is shut, reinforced, welded and concreted.

Secondly, there is an assumption (that in this case), the avionics actually talk IP at all. As someone asked - "well how do they get the moving map?" How do I get it off FlightRadar24? I'm obviously not connected to an FMS to see where the plane is.

Thirdly, that given I get access to an unlikely exposed TCP port, how am I going to deploy a payload to an embedded system that I don't know, or have an exploit framework for. It'd be like trying to exploit a Mainframe switch major node with a Zeus attack. Pretty pointless, even though the major node talks IP.

If the guy in this story "hacked" anything, he probably owned the IFE. And he didn't need to plug in to do that if it was WiFi.

In terms of the GAO report, it's the same security principles that any enterprise organisation would implement. It's nothing new, and really it's just a bunch of the usual security talking heads doing the rounds on the speech circuit. Security Professionals for Hire.

Look, the paradigm may be different for the A350 and B787, but heck, if you expose a service, expect the door to be knocked on. Which is why you would have to say that door is closed and locked...

thcrozier
18th May 2015, 02:27
Well yssy:

What's your definition of "Extremely Unlikely"?

I'm not qualified to form my own opinion, I'm just taking a survey.

Do you agree with 10^-9?

yssy.ymel
18th May 2015, 02:46
What's your definition of "Extremely Unlikely"?

I'm not qualified to form my own opinion, I'm just taking a survey.

Do you agree with 10^-9?

Thcrozier - you'd be hard pushed to put a figure on it. However, if it doesn't talk IP (and I'd have to say the majority of them don't, and all of them would be ring fenced networks), the number doesn't matter, because it's just not possible.

Willit Run
18th May 2015, 03:26
IDK about any of that cr@p, but a simple click click would solve everything.

yssy.ymel
18th May 2015, 03:34
IDK about any of that cr@p, but a simple click click would solve everything.

Click Click?

thcrozier
18th May 2015, 04:23
Click click?

swh
18th May 2015, 05:06
Secondly, there is an assumption (that in this case), the avionics actually talk IP at all

IFE does, have a look at this video on youtube http://youtu.be/F1-rfMBp6vw

i386 computer running Redhat Linux 2.4.10, starts IP services, including ICMP, UDP, TCPIP, IGMP, and connects with port 50071. It uses Iptables as well, so there is more than enough information to understand how they have set it up. As another poster pointed out, you can buy one of these computers off ebay for $35.

No hacking or sniffing, no hardware, not even on the aircraft, just watching a youtube video.

How do I get it off FlightRadar24?

What is seen on FlightRadar24 comes from two feeds, one from ATC (in some parts of the world), and the other from people with a receiver and a computer connected to the internet that sends the observed positions back to a centralized network. You can build a receiver that will obtain the ADS-B position as well as ACARS messages from aircraft very cheaply, all you need is a USB TV tuner and an antenna, and run free software on your PC. That is not how IFE systems work, they obtain position, wind, altitude, outside air temperature within the aircraft. IFE also has ground based, and space based communication links from the aircraft. Space based communications needs to know the exact position so it knows where to point the antenna, i.e. MH370 antenna pings.

deptrai
18th May 2015, 05:50
Click Click?

his point is when the aircraft doesn't do what he wants he turns off the autopilot

yssy.ymel
18th May 2015, 05:55
Hi swh,

IFE does, have a look at this video on youtube

I'm certainly well aware that the IFE has a front end that is based on a listener on an IP port. I use one on a regular basis. :-)

However, the question of the possibility of using the IFE as a pivot to access FMS and avionics packs is the item under discussion. And on that point, the likelihood of a threat actor actually managing to do what the "ethical hacker" has claimed to be able to do is, as far as I am concerned, not possible. I'm calling BS on that. He can claim to have done whatever he thinks. Show me the proof.

What is seen on FlightRadar24....

I've got a handle on ADS-B, MLAT and the ATC feeds that power FlightRadar. I host a receiver for FR24. :-) I know you mention that the moving maps use on-board data to plot the map, but I'd be interested in the way that data is retrieved. Is it purely a GPS based system which extrapolates velocity and altitude? That wouldn't require any access to the avionics of the aircraft. There will still be a very big gap between something that has an IP stack running linux, and something that is embedded and talks a very different protocol.

yssy.ymel
18th May 2015, 05:58
his point is when the aircraft doesn't do what he wants he turns off the autopilot

Ah right, very good.

:D

swh
18th May 2015, 09:25
Is it purely a GPS based system which extrapolates velocity and altitude?

IFE displays the outside air temperature and wind, that does not come from GPS information, it requires air data.

HappyPass
18th May 2015, 11:43
Yes it is 777/A330/A340. It is not Ethernet, it is not simplex, it is time division multiplex (multiple source, multiple sink), with a limit of 128 devices per bus. Inductive coupling is also used by design.

Pardon me, SLF but maybe this can be interesting (?).
I've watched multiple reboots of a 747 IFE on a flight and it used a Windows CE OS and an xmodem protocol (which should be half-duplex?) at 115K baud rate.
There also were mentions of memory addresses.
Is this what you are talking about?

Dagegen
18th May 2015, 12:02
IFE generally takes data from secondary, read-only busses (i.e. not integrated GPS / accelerometers, etc.). They don't provide data to any critical systems; if they did, the certification of any IFE system would be a whole lot more difficult than it currently is.

The number of aircraft flying around with anomalies in one or the other of the data types on the flight information / moving maps is an indication that deciphering the information, even once you've got a feed, is not completely trivial.

System analysis & risk assessments are performed to ensure that the likelihood of a catastrophic failure is extremely improbable.

yssy.ymel
18th May 2015, 12:14
IFE displays the outside air temperature and wind, that does not come from GPS information, it requires air data.

Thanks swh - that is indeed true. The question remains - is the method that is used to retrieve that data from the FMS an exploit vector? I think Dagegen sums it up quite well. No.

deptrai
18th May 2015, 12:46
is the method that is used to retrieve that data from the FMS an exploit vector?

To answer your question, there is morbid fascination with movie plot scenarios in the media, not helped by self-declared "experts" (like the guy we are talking about). I think this is the reason why this issue is getting discussed now. And no, it's not an exploit vector.

Nialler
18th May 2015, 18:41
I agree that there is an appetite for dramas like this, and - to pursue the analogy - there is a ready supply of actors prepared to take on the role of hero or baddy in it.

If this guy Roberts is telling the truth and if he managed to gain control of as much as the reading light over his seat other than through the normal method then he should be able to recreate it.

If you look at hacking tools they almost all generate activity logs and screenshots. The latter make for a more entertaining slideshow at the next hackers convention.

The thing is that I stopped attending these years ago. The fact is that the most many hackers can manage is to *see* the systems. I heard too often the formulaic: "having got this far I stopped for fear of the feds". Those I have spoken to about mainframe penetration admitted that they know nothing about the underlying hardware and the control block structures of address ranges. They weren't equipped to cause meaningful damage even if given a logon to the system. The ones I would fear are those that somehow *do* know the systems. The quiet ones.

deptrai
18th May 2015, 19:04
If this guy Roberts is telling the truth

if I look at his tweet that started all this hysteria: "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)"

https://twitter.com/sidragon1/status/588433855184375808

he's throwing around words like "Box-IFE-ICE-SATCOM". So let me speculate a bit here...If he uses a packet sniffer on the ethernet, TCP/IP IFE network he can see that word, probably the IFE server host name. "PASS OXYGEN ON": when oxygen masks deploy, then there will be a message to the IFE to trigger a shutdown of the IFE. It does not mean he can deploy oxygen masks, as some media misunderstood. No signs that he could "hack" anything, except that he is able to use an ethernet packet analyzer (edit: obviously he could be able to turn off the IFE if he spoofed that message). There is nothing dramatic here, what I see is someone who is more like a 12 year old kid who plays with computer networking for the first time and thinks he is a "hacker" now because he downloaded some analysis tools, and then goes on to create a big drama about his abilities, and loves the attention. The "PASS OXYGEN ON" is something he would not have seen in flight, so I also believe he just regurgitates innocent things he "simulated" in his ground based lab with parts scavenged from ebay.

There are other such "hackers" who claimed they found vulnerabilities in real avionics (not only IFE), like a Flight Management System, and it turned out they had experimented with a PC based simulation of a Flight Management System (which is used as a training tool for Pilots). But believing that they can find vulnerabilities by using a PC based simulation which simulates some functions, is more than naive, the certified, proprietary, embedded system, running on a particular RTOS is coded very differently from a PC based learning tool...

and as you said Nialler, no professional would ever try to create publicity in this way :) United Airlines, which understandably banned him after he made a lot of people worried for no reason, even has a formal program to reward researchers who find bugs/vulnerabilities, if he was smart, he would have just submitted his findings there, if there was anything at all.

for those who believe this "hacker" is a threat to aircraft, here some more reading:

http://www.forbes.com/sites/thomasbrewster/2015/04/16/us-government-flight-security-claims-fallacious/

http://www.runwaygirlnetwork.com/2015/05/17/boeing-ife-experts-hit-back-at-hacker-claims-in-fbi-report/

mach2.6
18th May 2015, 20:37
This story seems a bit unlikely. From the standpoint that there would never be a reason to interface HAL with any IFE system.
Did hacker take control of U.S. flight from his seat? (http://news.yahoo.com/hacker-plane-in-flight-system-fbi-160211211.html)

TWT
18th May 2015, 20:45
Old news. Thread running here:

http://www.pprune.org/north-america/561537-hacker-turns-c.html

ohnutsiforgot
18th May 2015, 21:47
...that United started a big advert campaign offering to reward any successful hacker. If this is supposed to be spin control, it's clumsy.

SysDude
19th May 2015, 01:17
First, if I saw this nimrod tampering with the wiring next to me I would probably club him to death with my cellphone or laptop, and probably have a dozen helpers. This guy needs to be placed on the no-fly list and go to jail for risking the lives of everyone on the planes he may have imperiled.

Second, even if he were an AFDX expert (which I doubt), his simulations were undoubtedly based upon COTS routers and not real hardware, since he would have to get through dedicated, single purpose point-to-point virtual links certified to DO-178 standards to move up the tiers. The same scrutiny applies to the older protocols.

The whole thing seems like a bunch of hype, and the Feds rightfully called his bluff. I'll bet he does time.

FlightCosting
19th May 2015, 04:33
Just waiting for a bidding war between Boeing and Airbus for this guy. His ability to get a fixed wing aircraft to fly sideways is a massive breakthrough. Just imagine the scenario.
Tower: BA123 you are on short finals and 1 mile left of centre line.
BA123: non problem Tower, I'll just activate the Chris Roberts mode!

hikoushi
19th May 2015, 07:04
Hi swh,



I'm certainly well aware that the IFE has a front end that is based on a listener on an IP port. I use one on a regular basis. :-)

However, the question of the possibility of using the IFE as a pivot to access FMS and avionics packs is the item under discussion. And on that point, the likelihood of a threat actor actually managing to do what the "ethical hacker" has claimed to be able to do is, as far as I am concerned, not possible. I'm calling BS on that. He can claim to have done whatever he thinks. Show me the proof.



I've got a handle on ADS-B, MLAT and the ATC feeds that power FlightRadar. I host a receiver for FR24. :-) I know you mention that the moving maps use on-board data to plot the map, but I'd be interested in the way that data is retrieved. Is it purely a GPS based system which extrapolates velocity and altitude? That wouldn't require any access to the avionics of the aircraft. There will still be a very big gap between something that has an IP stack running linux, and something that is embedded and talks a very different protocol.

If you look carefully, the flight tracker in the IFE (talking A330) only shows great-circle track to destination from present position to destination. So it has no link to route or flight plan. It DOES however have a connection to the ETA at destination in the FMS. Sitting in the back on break one day watched our ETA on the flight-tracker jump 30 minutes early. Called up to see about adjusting break times. Apparently the winds aloft had dumped out somewhere in the climb, and the boys up front re-inserted them so the airplane went from assuming a 30 knot wind (projected based on the current position wind) to a 150 knot tailwind for most of the flight (correct). When the FMS recalculated the landing time, that got fed thru to the IFE. However, it still thought we would be flying the great circle directly over Pyongyang, which did not occur.

So some things are connected, and some are not.

edmundronald
19th May 2015, 10:53
History shows 14 year olds getting into a lot of "inaccessible" computer systems.

Edmund

Nialler
19th May 2015, 13:28
History shows 14 year olds getting into a lot of "inaccessible" computer systems.

Some examples?

I love the idea of the teenage savant.

Nialler
19th May 2015, 14:02
Basement dwelling geek probably using freeware like Wireshark to sniff data packets is not hacking. This guy is a fantasist attention seeker, not some kind of James Bond super Villain.

That ridiculous beard will be a useful recognition aid for flight crew in future, the Commander will be able to deny boarding before he gets past check-in.

Exactly. Every intrusion I've encountered has merely been some "hacker" detecting the presence of a system. The moment they start trying anything the IP address is blocked, so brute force password efforts are eliminated.

On the systems I work even enumeration efforts result in an IP block.

Some of these "hackers" may get a thrill from seeing that they have access to a mainframe logon screen but their efforts end there. All that they have done is gain access to a port and an IP address which are publicly available but not publicised. That's not hacking, and systems are designed to flick these flies off our butts with a judicious swish of the tail.

That said, I have to fear those who create tools in private.
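
[Added example, not part of any post in this thread and not code from any system the posters describe.] The lockout behaviour described in the post above and in the 17th May 18:40 post (three failures block the source whether or not the ID is valid, in some cases the whole subnet), sketched in Python. The class name, the /24 subnet size, the reset-on-success rule and the sample credentials are assumptions made for illustration.

```python
import hmac
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3          # "three failed attempts" from the posts
DUMMY_SECRET = "x" * 16   # compared against when the user ID does not exist


class LockoutGate:
    """Counts failures per source (IP and terminal/LU), not per user ID,
    so scrolling through IDs trips the block as fast as guessing a password."""

    def __init__(self, credentials, block_subnet=False, prefix=24):
        self.credentials = credentials      # constructed demo data: id -> secret
        self.block_subnet = block_subnet    # "in some cases ... the entire subnet"
        self.prefix = prefix                # assumed subnet size
        self.failures = defaultdict(int)    # ("ip"|"lu", value) -> failure count
        self.blocked_ips = set()
        self.blocked_lus = set()
        self.blocked_nets = set()

    def is_blocked(self, ip, lu):
        addr = ipaddress.ip_address(ip)
        return (ip in self.blocked_ips or lu in self.blocked_lus
                or any(addr in net for net in self.blocked_nets))

    def attempt(self, ip, lu, user, password):
        """Return 'blocked', 'denied' or 'ok'. An unknown ID and a wrong
        password get the same answer, so replies reveal no valid IDs."""
        if self.is_blocked(ip, lu):
            return "blocked"
        expected = self.credentials.get(user, DUMMY_SECRET)
        # Always run the comparison so unknown IDs take the same code path.
        match = hmac.compare_digest(password.encode(), expected.encode())
        if match and user in self.credentials:
            # Assumption: a successful logon clears the source's counters.
            self.failures.pop(("ip", ip), None)
            self.failures.pop(("lu", lu), None)
            return "ok"
        tripped = False
        for key in (("ip", ip), ("lu", lu)):
            self.failures[key] += 1
            tripped = tripped or self.failures[key] >= MAX_FAILURES
        if tripped:
            self._block(ip, lu)
        return "denied"

    def _block(self, ip, lu):
        self.blocked_ips.add(ip)
        self.blocked_lus.add(lu)
        if self.block_subnet:
            net = ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)
            self.blocked_nets.add(net)


if __name__ == "__main__":
    # Constructed sample: one valid ID, documentation-range addresses.
    gate = LockoutGate({"OPER01": "correct-horse"}, block_subnet=True)
    for user in ("AAAA", "OPER01", "BBBB"):          # enumeration-style scroll
        print(user, gate.attempt("198.51.100.20", "LU0009", user, "guess"))
    # Same subnet, right password: refused because the /24 is now blocked.
    print(gate.attempt("198.51.100.99", "LU0010", "OPER01", "correct-horse"))
```
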

deptrai
19th May 2015, 17:14
Chris Roberts, the "hacker", also claimed he has changed the temperature in the International Space Station, and rambles about altering target coordinates in nuclear missiles, in a talk he gave in 2012. I'm not going to post a link to the video, it's a waste of time to watch it. The sad thing is that media reported his aircraft story uncritically.

Nialler
19th May 2015, 17:58
That sounds right.

I've seriously questioned some of these "hackers". Interviewed them. There's lots of money to be made in destructive and penetrative testing. The amount of charlatans I've met...

The thing is I've always wanted to find good ones; the best ones hide their achievements on their CV.