Headlines during the weekend screamed that a hacker had taken control of a commercial airliner and been able to make it move “sideways” in flight. There’s a lot to unpack about this story, but let me get out a few points quickly.
1) There is no evidence that a hacker altered the flight of a plane. Instead, the FBI says a hacker told them he was able to briefly take control of a plane. These things are very, very different. What we have is a single sentence in an affidavit filed in support of a search warrant in which the FBI claims a well-known avionics security researcher named Chris Roberts claims he was able to issue a command to an airplane engine and make a plane move sideways. We don’t have the flight date or number; we don’t have any other evidence to support the assertion. We don’t even know what it means to make a plane “move sideways.” It’s important to note: the burden of proof for assertions in an affidavit to obtain a search warrant is quite low. The FBI had already seized Roberts’ computer and a series of flash drives that were encrypted, and it wanted the right to keep the equipment and examine it for evidence. An agent asking a judge to sign such an order will throw the whole kitchen sink into the affidavit.
2) This might be hacker-speak. There is a long history of hackers — or for that matter, anyone trying to call attention to a serious problem that’s not getting the attention it deserves — engaging in hyperbole or puffery. If you read the FBI affidavit, you get the sense that Roberts’ conversation with the agents interviewing him might have gone something like this: “Yes, I’ve managed to break into the in-flight entertainment system and from there, jump networks and eventually access avionics controls. Why don’t you folks listen? I’ve done it 15 or 20 times! Heck, I once issued a command to an engine! I’m not going to say I was flying the plane, but did I make the thing move sideways a bit? Well, I proved my point, anyway.” Roberts isn’t giving interviews, but before he stopped talking, he did tell Wired’s Kim Zetter that his comments to the FBI were taken out of context.
“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” he said.
3) He’s not crazy, though. The energy being used to investigate Roberts might be better used researching the attacks he’s calling attention to. The GAO issued a report to Congress just a few weeks ago ringing the alarm bell about increased interconnectivity of airplane avionics systems and the risks that poses. Let’s be clear: Roberts has been very public about his research, and he volunteered all this information to the FBI during discussions in February and March. He was stopped for questioning, and his computers seized, after a flight to a security conference in April. The timeline is important. The claim of moving a plane sideways (and what does that mean, anyway? Planes don’t go sideways), is months old, and references a flight that is perhaps much older than that. If he really altered the flight of a plane, there’d probably be other evidence of that by now.
4) Not to be overlooked, hacking an airplane full of people is flat-out wrong, even with the best of intentions. Back to the timeline. The FBI says Roberts spoke to them, shared all this information about his ability to hack airplanes, and then a month later Tweeted about possibly hacking into an airplane before a flight in April to a security conference. When he landed, the FBI says, agents found evidence that the in-flight entertainment computer (“seat electronic box”) located under his seat showed evidence of physical tampering. If that’s true, Roberts better have a good lawyer. (He does: The Electronic Frontier Foundation is representing him now). Nobody I know would support that kind of research. But please remember: these are merely allegations made in an FBI affidavit. They aren’t even allegations made in an indictment. Roberts told Zetter the Tweets, which might have been an ill-advised poke at airline security, were a joke. And he had told Zetter in the past that he had only attacked avionics using a simulator. So let’s not jump to any conclusions. (Really, to best understand this story, read her entire Wired piece.)
Unless you are a security researcher, the bottom line for you, dear airline passenger: You need not be afraid that someone can hack the movie screen on the seat next to you and take control of the aircraft. That is, as Carl Sagan might have said, an extraordinary claim that requires extraordinary evidence, and we don’t even have basic evidence. So don’t worry about your flight today. Some day, there will be something to worry about. Is that 10 years in the future or next month? I cannot say.
What do you do have to worry about today? If I were getting on an airline during the next week or so, I’d be pretty careful about stray cables hanging needlessly out of my carry-on bag; and I’d make sure I didn’t do anything that might look like I was trying to fiddle with the “seat electronic box” under your seat. And I might worry about in-flight entertainment systems being disabled some day soon so FAA and airline researchers can examine Roberts’ research more carefully.