At some point, the corporations and authorities in America are going to have to get over the knee-jerk reflex they have of going after citizens who kindly point out technology and security flaws for them. You see this over and over and over again: someone notices a flaw in a system, points it out publicly instead of exploiting it, and is thoroughly punished for his or her efforts. Oftentimes there is a mealy-mouthed explanation for these punishments, chiefly that publicizing the flaw creates a security risk, even though the ultimate goal should be fixing the flaw to begin with.
The latest version of this has gotten the EFF involved in defending a security researcher who tweeted from aboard a United Airlines flight, musing about getting into the plane's in-flight entertainment and satellite communications systems and playing with the messages shown on the cockpit's crew alerting system.
Find myself on a 737/800, let's see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? 🙂 — Chris Roberts (@Sidragon1) April 15, 2015
It may not mean much to you, but he's talking about the plane's in-flight entertainment (IFE) and satellite communications (SATCOM) equipment, and about the Engine Indicating and Crew Alerting System (EICAS), the system that puts warnings in front of the pilots; “PASS OXYGEN ON” is the cockpit alert that the passenger oxygen masks have dropped. In other words, access to communications systems and, potentially, to some of the systems the crew relies on within the plane itself. And if that doesn't scare you, it should. It scared the feds, too, but it didn't scare them into actually, you know, addressing the security concerns. It did scare them enough that upon the plane landing Roberts was scooped up by the FBI, questioned for several hours, and had his encrypted computer, tablet, and drives seized. No warrant for any of this, mind you, at least not at the time of this writing. As you can imagine, he's not pleased. Mostly, though, he's confused as to why the feds are picking on him at all.
Roberts told FORBES he was disconcerted by the actions of US law enforcement. “Feds have known about issues in planes for years, why are they hot now? I’m a researcher, that’s what I do, I don’t go out to harm or hurt, why pick on researchers? If not us then who will find flaws?”
Which is the entire point. The government should be thanking its lucky stars that a benevolent force such as Chris Roberts was the one who found these flaws, rather than someone who might actually wish to do harm. Tweeting about it may alert more nefarious folks that such a weakness exists, sure, but it also got the attention of the federal government, which had damned well better be fixing this tout de suite. As far as anyone interested in actually fixing the problem should be concerned, mission freaking accomplished. And yet Roberts is targeted, not because he's an actual threat, but merely for doing what people in his profession do.
And not just at the conclusion of that flight, either, I should add. The harassment continued afterwards.
Roberts was back at the airport on Saturday evening, headed to San Francisco to attend two high-profile security conferences, the RSA Conference, where he is scheduled to present on Thursday, and BSides SF. After Roberts retrieved his boarding pass, made his way through the TSA checkpoint and reached the gate, United corporate security personnel stopped him from boarding the plane. Roberts was told to expect a letter explaining the reasons for not being allowed to travel on United. Thankfully, Roberts was able to book a last-minute flight on another airline and has now landed safely in San Francisco.
Nevertheless, United’s refusal to allow Roberts to fly is both disappointing and confusing. As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed. Indeed, he was headed to RSA to speak about security vulnerabilities in a talk called “Security Hopscotch” when attempting to board the United flight.
This should be seen as useful for the public, which now knows, with some certainty, that United Airlines would much rather attempt security through obscurity than treat experts like Roberts as a boon to the safety of its own product. Should you need to fly anytime soon, do you really want to board a flight run by a company that has now demonstrated that it tolerates vulnerabilities aboard its flights and would rather bury its head in the sand than deal with them? I sure wouldn't. Keep in mind, by the way, that United is getting this important information about its own security for free. But rather than be grateful, out come the crosshairs.
It's enough with this crap already. No amount of embarrassment is justification for harassing a security researcher who happens to be fault-testing technology on high-profile targets, and doing it free of charge, I might add. In the realm of security, Roberts is a helpful force, not a harmful one. It'd be nice if the Feds and United Airlines would behave gratefully, rather than targeting the man.