facebook
twitter
search
search

Hacker took control of United flight and flew jet sideways, FBI affidavit says

Computer security expert Chris Roberts was met by FBI agents following a flight to Syracuse last month, after United Airlines reported a suggestive tweet.
By Doug G. Ware   |   May 16, 2015 at 6:11 PM
| License Photo

NEW YORK, May 16 (UPI) -- A security researcher suspected of hacking into computerized systems aboard a United Airlines Boeing 737 from Denver to Chicago last month told federal authorities that he once manipulated a jetliner's flight controls to steer the plane sideways, an FBI agent's affidavit states.

Chris Roberts, a security researcher with One World Labs, was met by FBI agents after exiting a United flight in Syracuse, N.Y., on April 15 for a tweet posted on his account that suggested he may have hacked into a flight's entertainment system -- activity that he'd supposedly told agents previously that he would stop doing.

The details of Roberts's alleged in-flight activities were detailed by an FBI agent in an application for a search warrant of Roberts' electronic equipment, and reported by Wired magazine and Canadian broadcaster APTV late Friday.

According to the court document, FBI Special Agent Mark Hurley said he had met with Roberts in February and March of this year to inquire about potential security vulnerabilities in some in-flight entertainment systems (IFE) aboard Boeing 737, 757 and Airbus A320 aircraft.

During the conversations, Hurley wrote, Roberts disclosed that he had previously hacked into IFE systems, manufactured by Panasonic and Thales -- which provide video monitors in the passenger seatbacks -- about 15 or 20 times on various flights between 2011 and 2014.

According to the document, Roberts said he gained access to the systems by plugging his own laptop computer into the IFE system's electronic boxes mounted under passenger seats. Once in the system, he said he was able to access other systems -- including the jets' Thrust Management Computer, which is responsible for providing power to the plane's engines.

Special Agent Hurley wrote that Roberts even claimed that he overwrote code in the Thrust Management Computer while aboard one particular flight and "successfully commanded the system he had accessed to issue the "CLB' or climb command.

"He stated that he thereby caused one of the plane's engines to climb, resulting in a lateral or sideways movement of the plane."

The agent also wrote that Roberts claimed to have used software to monitor air traffic from a system in the plane's cockpit.

Exactly which flight, on what type of aircraft and when Roberts supposedly performed the sideways maneuver was not specified in Hurley's affidavit.

At the time of the questioning in February, Agent Hurley wrote, he warned Roberts that hacking a plane's in-flight systems is a federal crime and that he can be prosecuted for it -- to which the security expert replied that he would no longer perform such activities on flights.

Then on April 15, United Airlines contacted the FBI after a tweet was posted by Roberts' account that read, "Find myself on a 737/800, lets see Box-IFE-ICE SATCOM. Shall we start playing with EICAS (engine-indicating and crew-alerting system) messages? PASS(enger) OXYGEN ON Anyone?"

EICAS messages alert pilots to information about a jetliner's engines.

Another Twitter poster replied to the message with, "...aaaaaaand you're in jail" -- to which Roberts's account tweeted, "There IS a distinct possibility that the course of action laid out above would land me in an orange suite (sic) rather quickly."

After he exited the flight in Syracuse, Roberts was met by FBI agents and all of his electronic equipment was confiscated. Agent Hurley's application seeks a search warrant to perform a forensic analysis on the equipment to look for evidence of illegal activity.

Among the items seized by agents were a MacBook laptop, an iPad, three hard drives and numerous removable flash drives.

Later that day, a subsequent tweet appeared on Roberts's account that read, "Lesson from this evening, don't mention planes....the Feds ARE listening."

The warrant application states that the United 737/800 Roberts flew to Chicago ended up in Philadelphia, where FBI agents boarded the jet and found evidence of tampering on two electronic boxes that were mounted directly beneath and adjacent Roberts's seat. In fact, the document says, one of the electronic boxes had been damaged.

"Technical specialists with the FBI believed that he may have just [hacked the plane's system] again, or attempted to do so using the equipment then in his possession," it said.

Upon learning that Roberts was scheduled to return to Denver two days later, FBI agents confiscated Roberts' equipment in Syracuse. The report states that Roberts denied at that time that he hacked into any systems during the flight from Denver to Chicago.

"We believed that Roberts had the ability and the willingness to use the equipment ... to access or attempt to access the IFE and possibly the flight control systems ... and that it would endanger public safety to allow him to leave the Syracuse airport that evening with the equipment," Hurley's report states.

The affidavit indicates that the extent to which Roberts explored airliners' security gaps possibly went further than he had previously disclosed to Wired magazine in an April report that discussed potential flight security vulnerabilities.

In that article, Roberts stated that he did access in-flight networks during various flights but had not done anything beyond explore the networks and observe data traffic that crossed them.

Roberts has not yet been charged with a crime and no additional information about the case has been released by federal authorities.

It is also unknown whether Roberts's supposed manipulation of a plane's Thrust Management System actually did turn the jet laterally -- or whether Roberts simply believed it did, Wired reported.

"If that is the case he deserves going to jail," Wired cited AlienVault Labs Director Jaime Blasco as saying in a tweet. Similar criticism was also leveled by Yahoo Chief Security Information Officer Alex Stamos.

Roberts was contacted by Wired for his response to the details in the FBI affidavit, which he said he did not expect to be made public. Regarding the statement about him steering a plane sideways, Roberts said the FBI has taken his remarks out of context.

"There is context that is obviously missing which obviously I can't say anything about," he said. "It would appear from what I've seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others."

United Airlines recently announced a "Bug Bounty" program, which offers a million sky miles to anyone who can find security vulnerabilities in the airline's website, mobile phone apps or online portals.

Related UPI Stories
Latest Headlines
Top Stories
Videos