A security researcher kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.
Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane's Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.
"He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights," FBI Special Agent Mark Hurley wrote in his warrant application (.pdf). "He also stated that he used Vortex software after comprising/exploiting or 'hacking' the airplane's networks. He used the software to monitor traffic from the cockpit system."
Hurley filed the search warrant application last month after Roberts was removed from a United Airlines flight from Chicago to Syracuse, New York, because he published a facetious tweet suggesting he might hack into the plane's network. Upon landing in Syracuse, two FBI agents and two local police officers escorted him from the plane and interrogated him for several hours. They also seized two laptop computers and several hard drives and USB sticks. Although the agents did not have a warrant when they seized the devices, they told Roberts a warrant was pending.
A media outlet in Canada obtained the application for the warrant today and published it online.
The information outlined in the warrant application reveals a far more serious situation than Roberts has previously disclosed.
Roberts had previously told WIRED that he caused a plane to climb during a simulated test on a virtual environment he and a colleague created, but he insisted then that he had not interfered with the operation of a plane while in flight.
He told WIRED that he did access in-flight networks about 15 times during various flights but had not done anything beyond explore the networks and observe data traffic crossing them. According to the FBI affidavit, however, when he mentioned this to agents last February he told them that he also had briefly commandeered a plane during one of those flights.
He told the FBI that the period in which he accessed the in-flight networks more than a dozen times occurred between 2011 and 2014. The affidavit, however, does not indicate exactly which flight he allegedly caused to turn to fly to the side.
He obtained physical access to the networks through the Seat Electronic Box, or SEB. These are installed two to a row, on each side of the aisle under passenger seats, on certain planes. After removing the cover to the SEB by "wiggling and Squeezing the box," Roberts told agents he attached a Cat6 ethernet cable, with a modified connector, to the box and to his laptop and then used default IDs and passwords to gain access to the inflight entertainment system. Once on that network, he was able to gain access to other systems on the planes.
Reaction in the security community to the new revelations in the affidavit have been harsh. Although Roberts hasn't been charged yet with any crime, and there are questions about whether his actions really did cause the plane to list to the side or he simply thought they did, a number of security researchers have expressed shock that he attempted to tamper with a plane during a flight.
"I find it really hard to believe but if that is the case he deserves going to jail," wrote Jaime Blasco, director of AlienVault Labs in a tweet.
Alex Stamos, chief information security officer of Yahoo, wrote in a tweet, "You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents."
Roberts, reached by phone after the FBI document was made public, told WIRED that he had already seen it last month but wasn't expecting it to go public today.
"My biggest concern is obviously with the multiple conversations that I had with the authorities," he said. "I’m obviously concerned those were held behind closed doors and apparently they’re no longer behind closed doors."
Although he wouldn't respond directly to questions about whether he had hacked that previous flight mentioned in the affidavit, he said the paragraph in the FBI document discussing this is out of context.
"That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about," he said. "It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others."
Roberts began investigating aviation security about six years ago after he and a research colleague got hold of publicly available flight manuals and wiring diagrams for various planes. The documents showed how inflight entertainment systems on some planes were connected to the passenger satellite phone network, which included functions for operating some cabin control systems. These systems were in turn connected to the plane avionics systems. They built a test lab using demo software obtained from infotainment vendors and others in order to explore what they could to the networks.
In 2010, Roberts gave a presentation about hacking planes and cars at the BSides security conference in Las Vegas. Another presentation followed two years later. He also spoke directly to airplane manufacturers about the problems with their systems. "We had conversations with two main airplane builders as well as with two of the top providers of infotainment systems and it never went anywhere," he told WIRED last month.
Last February, the FBI in Denver, where Roberts is based, requested a meeting. They discussed his research for an hour, and returned a couple weeks later for a discussion that lasted several more hours. They wanted to know what was possible and what exactly he and his colleague had done. Roberts disclosed that he and his colleague had sniffed the data traffic on more than a dozen flights after connecting their laptops to the infotainment networks.
"We researched further than that," he told WIRED last month. "We were within the fuel balancing system and the thrust control system. We watched the packets and data going across the network to see where it was going."
Eventually, Roberts and his research partner determined that it would take a convoluted set of hacks to seriously subvert an avionics system, but they believed it could be done. He insisted to WIRED last month, however, that they did not "mess around with that except on simulation systems." In simulations, for example, Roberts said they were able to turn the engine controls from cruise to climb, "which definitely had the desired effect on the system—the plane sped up and the nose of the airplane went up."
Today he would not respond to questions about the new allegations from the FBI that he also messed with the systems during a real flight.
Roberts never heard from the FBI again after that February visit. His recent troubles began after he sent out a Tweet on April 15 while aboard a United Airlines flight from Denver to Chicago. After news broke about a report from the Government Accountability Office revealing that passenger Wi-Fi networks on some Boeing and Airbus planes could allow an attacker to gain access to avionics systems and commandeer a flight, Roberts published a Tweet that said, "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM,? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone?" He punctuated the tweet with a smiley face.
The tweet was meant as a sarcastic joke; a reference to how he had tried for years to get Boeing and Airbus to heed warnings about security issues with their passenger communications systems. His tweet about the Engine Indicator Crew Alert System, or EICAS, was a reference to research he'd done years ago on vulnerabilities in inflight infotainment networks, vulnerabilities that could allow an attacker to access cabin controls and deploy a plane's oxygen masks.
In response to his tweet, someone else tweeted to him "...aaaaaand you're in jail. :)"
Roberts responded with, "There IS a distinct possibility that the course of action laid out above would land me in an orange suite [sic] rather quickly :)"
When an employee with United Airlines' Cyber Security Intelligence Department became aware of the tweet, he contacted the FBI and told agents that Roberts would be on a second flight going from Chicago to Syracuse. Although the particular plane Roberts was on at the time the agents seized him in New York was not equipped with an inflight entertainment system like the kind he had previously told the FBI he had hacked, the plane he had flown earlier from Denver to Chicago did have the same system.
When an FBI agent later examined that Denver-to-Chicago plane after it landed in another city the same day, he found that the SEBs under the seats where Roberts had been sitting "showed signs of tampering," according to the affidavit. Roberts had been sitting in seat 3A and the SEB under 2A, the seat in front of him, "was damaged."
"The outer cover of the box was open approximately 1/2 inch and one of the retaining screws was not seated and was exposed," FBI Special Agent Hurley wrote in his affidavit.
During the interrogation in Syracuse, Roberts told the agents that he had not compromised the network on the United flight from Denver to Chicago. He advised them, however, that he was carrying thumb drives containing malware to compromise networks—malware that he told them was "nasty." Also on his laptop were schematics for the wiring systems of a number of airplane models. All of this would be standard, however, for a security researcher who conducts penetration-testing and research for a living.
Nonetheless, based on all of the information that agents had gleaned from their previous interview with Roberts in February as well as the Tweets he'd sent out that day and the apparent signs of tampering on the United flight, the FBI believed that Roberts "had the ability and the willingness to use the equipment then with him to access or attempt to access the IFE and possibly the flight control systems on any aircraft equipped with an IFE systems, and that it would endanger public safety to allow him to leave the Syracuse airport that evening with that equipment."
When asked by WIRED if he ever connected his laptop to the SEB on his flight from Denver to Chicago, Roberts said, "Nope I did not. That I’m happy to say and I’ll stand from the top of the tallest tower and yell that one."
He also questions the FBI's assessment that the boxes showed signs of tampering.
"Those boxes are underneath the seats. How many people shove luggage and all sorts of things under there?," he said. "I’d be interested if they looked at the boxes under all the other seats and if they looked like they had been tampered. How many of them are broken and cracked or have scuff marks? How many of those do the airlines replace because people shove things under there?"
Regardless of whether the authorities have a case against him, however, there has already been some fallout from the incident. Roberts told WIRED that today investors on the board of directors of One World Labs, a company he helped found, decided to withdraw their investments in the company. As a result, One World Labs had to lay off about a dozen employees today, half of its staff.
Roberts said there were other factors contributing to the board's decision but his legal situation "was probably the final straw."
"The board has deemed it a risk. So that was one factor in many that made their decision," he said. "Their decision was not to fund the organization any further."