While United is busy offering free miles to researchers who can root out bugs in its website, there’s a much larger cybersecurity risk the airline still refuses to touch: the possibility of a hacker accessing critical avionics controls through an in-flight network.
Which, it so happens, is exactly what cybersecurity researcher Chris Roberts has apparently done over a dozen times. In a warrant application released yesterday, the Feds say Roberts admits to hacking the in-flight entertainment system on an airplane and issuing a command that caused the plane to briefly veer sideways. Yikes.
“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote. “He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”
Roberts, a heretofore respected security researcher, has been issuing warnings about the vulnerabilities in the networks on certain aircraft models for years. His troubles with the Feds began several weeks back, when he was pulled off a United flight after posting a tweet that jokingly suggested he could tamper with the plane’s oxygen masks. Or maybe not so jokingly, given the new revelations. Either way, United’s new, purportedly proactive stance on information security seems to have come about as a direct result of this incident.
Which is why it’s more than a little ironic that the airline’s new bounty program explicitly forbids researchers from reporting bugs in onboard systems, noting that “testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi” could result in criminal investigations. If Roberts is telling the truth about commandeering a plane, he probably ought to end up behind bars. But his actions also underscore the fact that airlines ignore security warnings at their peril. [Wired]