I’ll be honest: when I wrote about Chris Roberts being detained by the FBI for tweeting about hacking his flight’s WiFi, I reacted with a great big eyeroll. On the one hand, security researchers like Roberts look for these vulnerabilities all the time and it’s quite helpful when law enforcement and airlines learn about potential avenues for threats. On the other hand, Chris Roberts is quite obviously not Al Qaeda. The whole thing appeared to be a reaction to embarrassment that the vulnerability had been allowed to exist, rather than any belief that Roberts was in any way a threat.
But if Roberts is to be believed, he did something really stupid on previous flights: he used his WiFi hack to manipulate the plane’s engines.
During two interviews with F.B.I. agents in February and March of this year, Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane’s thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant.
“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” said the affidavit, signed by F.B.I. agent Mike Hurley.
If true, that would go way beyond identifying exploits, mentioning that you could drop the oxygen masks, or really anything else that deals with in-flight wireless hacks. If the affidavit is to be believed, Roberts dangerously manipulated the flight’s equipment, potentially putting everyone aboard at risk. We have only the FBI’s word for all of this, of course, but the feds are certainly behaving as though Roberts both said all of this and was not simply making fictional claims.
Roberts, who has been interviewed at least three times by the F.B.I. this year, is under investigation for allegedly hacking into the electronic entertainment systems of airplanes, according to an application for a search warrant to probe seized electronic equipment. The document shows F.B.I. agents investigating Roberts believe he has the ability to do what he claims: take over flight control systems by hacking the inflight entertainment computer.
“We believe Roberts had the ability and the willingness to use the equipment then with him to access or attempt to access the (inflight entertainment system) and possibly the flight control systems on any aircraft equipped with an (inflight entertainment system) and it would endanger the public safety to allow him to leave the Syracuse airport that evening with that equipment,” states the warrant application.
Roberts, for his part, has at least suggested to a Wired reporter that the FBI is twisting his words:
“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” he said. “It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.”
That still doesn’t say he didn’t do it, though.
As with too many of these stories, the end result is that we have absolutely nobody to root for. To be fair, Roberts has been warning the airlines and the feds about these exploits for years, without any of it generating much attention. His purported stunt has suddenly brought a little light to what is obviously an untenable security risk, which doesn’t in any way excuse manipulating an engine mid-flight. That, plainly, is insane, and I don’t think it can be argued that it’s an action that deserves punishment. On the other hand, Roberts still isn’t Al Qaeda and the end result of all of this may be that planes are safer. Intentions matter, after all.
As for the federal government and the airlines: are you kidding me? You’re telling me that not only was all of this possible, which is crazy at the outset, but they had been warned about it and had done nothing? Crazy as it sounds, everyone should be thanking the universe that Chris Roberts was the one manning the keyboard on these flights instead of someone with more nefarious intentions. The feds and the airlines should have simply hired Roberts to battle these vulnerabilities rather than letting it get to this point. Instead, we learn this way that it may indeed be possible to get control of a flight through a plane’s WiFi. And we learn that law enforcement’s and the airlines’ chief strategy to deal with that fact was to pretend it didn’t exist.