Chris Roberts knows a lot about hacking planes. But not because he's trying to make them fall out of the sky. In fact, his job as a security researcher is to figure out how bad guys could hack computer systems so that companies can fix them.
But a tweet joking about "playing" with a plane's on-board communications systems, sent while Roberts was on a United Airlines flight last week, landed him in hot water: The FBI questioned him for several hours after he landed and confiscated his laptop and hard drives. And then, over the weekend, he was blocked from boarding another United flight while on the way to speak at a security conference.
Roberts was able to book a last-minute flight on another airline. But his research raises bigger questions: Just how hackable are the planes millions of travelers rely on to get around the world? The answer, it turns out, is up for debate.
Planes are increasingly designed to give passengers more access to digital systems, mostly for entertainment purposes via in-flight WiFi. But this connectivity may have a dark side: Last week, the Government Accountability Office released a report saying that security researchers have warned that this trend leaves planes less secure by providing a "direct link" between an aircraft and the outside world that could be leveraged by hackers.
Keeping flight-related and entertainment systems separate can be one way to limit an attacker's access, but not all planes seem to be designed with that in mind. In 2008, the FAA expressed concern that the Boeing 787 Dreamliner combined some of that digital infrastructure — saying that the design "may result in security vulnerabilities."
Modern planes use digital defenses called firewalls to protect cockpit systems against intrusions from someone connecting through other parts of the aircraft, like in-flight entertainment systems, the report said. Some cybersecurity experts worry that isn't enough, arguing that "because firewalls are software components, they could be hacked like any other software and circumvented," according to the report. But some critics of the report say it may have overstated the risks.
Boeing and competitor Airbus defended the security of their systems in statements to CNN in response to the GAO report. "Multiple security measures and flight deck operating procedures help ensure safe and secure airplane operations," Boeing said.
But over the years, many researchers have warned about potential problems — including Roberts, the founder of One World Labs, who has given several talks about airplane cybersecurity.
Brad “RenderMan” Haines, a researcher who has investigated potential vulnerabilities in aircraft tracking systems, said limited access to avionic systems can make it hard to do comprehensive audits. "A lot of our research we can only take so far because we don't want to cause problems — but all of the evidence seems to point to there being issues that remain unresolved."
Haines said he would love to be proved wrong, but airlines and aircraft manufacturers seem uncomfortable with independent researchers reviewing their systems — possibly allowing political fears to trump providing the best security possible. "We're trying to be part of the solution, and being ignored for it," he said.
In an interview with CNN after being detained by the FBI, Roberts said he personally tested theories about how much visibility into avionic systems he had from the passenger cabin — pulling out his laptop and connecting it to a box underneath his seat 15 to 20 times on actual flights — and was able to view sensitive data from the flight systems. These statements, combined with the tweet, seem to have set off alarm bells at United.
"Given Mr. Roberts' claims regarding manipulating aircraft systems, we've decided it's in the best interest of our customers and crew members that he not be allowed to fly United," United spokesperson Rahsaan Johnson told The Post over the weekend. "However, we are confident our flight control systems could not be accessed through techniques he described."
The FBI did not immediately respond to a request for comment about Roberts's situation, but in a recent interview with the Security Ledger, the researcher said the agency's Denver office asked him to back off his aviation research in recent months.
The Electronic Frontier Foundation, which represents Roberts, called United's decision to ban the researcher "both disappointing and confusing."
"Security researchers are allies, not opponents, and their work makes us all more safe, not less," said EFF staff attorney Nate Cardozo. "We fear that United's actions here will cause a real chilling effect, and that researchers will be less likely to help United improve their security in the future based on its overreaction to Mr. Roberts's statements." Roberts, Cardozo said, was still willing to work with United and the rest of the airline industry to improve their security.
Haines, at least, said he is feeling that chill — but expects to continue his research. After all, he has a vested interest in making planes safer: He frequently flies to present at conferences.