Warrant: Researcher Claims He Commandeered Flight Through In-Flight Entertainment System

Nearly a month after a government report identified security weaknesses within the airline industry, including the possibility that newer airplanes with interconnected WiFi systems could be hacked, a recently obtained Federal Bureau of Investigation search warrant shows a security researcher claims he briefly took control of an aircraft after hacking into the plane’s in-flight entertainment system.

Wired reports that Chris Roberts – the same researcher who was kicked off a United Airlines flight last month after Tweeting that he might hack into that flight’s network – was approached by federal investigators in February and questioned about his testing of in-flight network vulnerabilities.

According to an application [PDF] for a search warrant filed by the FBI – and obtained by Canadian news outlet APTN – Roberts told authorities that he had hacked the in-flight entertainment (IFE) system of several planes over the past 3 years.

The search warrant application was filed after Roberts was removed from the Chicago to Syracuse, NY, United flight in mid-April and authorities confiscated two laptops and several hard drives and USB sticks.

“He compromised the IFE systems approximately 15 to 20 times during the time period 2011 to 2014,” the search warrant application states. “Each of the compromises occurred on airplanes equipped with IFE systems with video monitors installed in the passenger seat backs.”

Roberts reportedly obtained access to the networks through the Seat Electronic Box (SEB) located under passenger seats on certain aircraft. After removing the SEB cover, he allegedly connected a modified Ethernet cable from the box to his laptop.

“He then connected to other systems on the airplane network after exploited/gained access to, or “hacked” the IFE system,” the application states.

In one specific instance, the affidavit states that Roberts told agents “he overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the “CLB” or climb command.”

By issuing the command, Roberts allegedly told agents he was able to cause the airplane engines to climb, resulting in a lateral or sideways movement of the plane during the flight.

Roberts tells Wired that some of the information contained in the affidavit was taken out of context by agents.

“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” he said. “It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.”

He tells Wired that the conversations depicted in the application were the result of two FBI-requested sit-down interviews in February regarding his and a partner’s research related to vulnerabilities in aircraft network systems.

Roberts said that agents had wanted to know what was possible and what he and his colleague had done to test such vulnerabilities. At that time, he says he disclosed that they were able to sniff the data traffic on more than a dozen flights after connecting their laptops to the infotainment networks, but didn’t say he was able to override code on the flight.

Instead, he told Wired that the researchers had only tested modifications to avionic systems on simulation devices, never an actual plane.

Roberts denied trying to access the United aircraft’s in-flight system after being removed from the flight in April.

Wired reports that he told agents that the laptops and thumb drives he was carrying during the flight included “nasty” malware and schematics for the wiring systems of a variety of airplanes – all of which he says is standard for a security researcher to have.

However, an FBI agent who later examined the plane said he found that the SEBs under the seats where Roberts had been sitting showed signs of tampering. That issue, coupled with his knowledge of flight systems, led the FBI to believe he “had the ability and the willingness to use the equipment then with him to access or attempt to access the IFE and possibly the flight control systems on any aircraft equipped with an IFE systems, and that it would endanger public safety to allow him to leave the Syracuse airport that evening with that equipment.”

Still, while Roberts admits he had information on him during the flight, he maintains that he never messed with that particular plane’s SEB boxes. Instead, he contends that the boxes under the seats routinely come in contact with luggage and other passenger possessions, which could have resulted in scuff marks and cracks.

Following Roberts’ tweet in mid-April and the release of the Government Accountability Office report on potential weaknesses in aircraft in-flight networks, the FBI and Transportation Security Administration issued an alert warning airlines to be vigilant about monitoring for such threats.

Feds Say That Banned Researcher Commandeered a Plane [Wired]