The FBI has issued a search warrant for a hacker who controversially claims to have used his laptop to briefly seize control of a plane during flight, tilting it briefly.
Chris Roberts -- described by Wired as "a respected cybersecurity expert" -- told the FBI he used his laptop computer to tap into in-flight entertainment (IFE) systems during multiple flights in recent years.
In a bolder claim, he said he once commandeered the avionics of a plane mid-flight and forced the aircraft to "fly sideways", according to an affadvait (posted, below).
He also claimed that he had consulted with airplane manufacturers Boeing and Airbus about security flaws but "it never went anywhere". He said his frustration on using official channels led him to take action on his own, interfering with airplane IFEs multiple times.
A need for "bug bounties"?
Roberts' story, regardless of its veracity, raises the question of whether airlines should follow a model set by the technology industry in offering bug bounties, or programs that reward hackers for discovering security flaws.
Exhibit A: Software storage company Dropbox has no limit on how much it will pay for bugs discovered by hackers.
United is the first major airline worldwide to experiment with a bug bounty program, which it announced on 18 May in a blog post. The airline's rewards are in frequent flier miles, not cash, such as 50,000 points for "cross-site scripting bugs" and up to one million miles for finding truly egregious security flaws.
United's program focuses on testing the security of its website. It explicitly rules out "bugs in onboard Wi-Fi, entertainment systems, or avionics".
Avionics penetration testing worth discussing?
Travel industry analyst Henry Harteveldt said in a phone interview:
"The idea of whether airlines should work with hackers to find weaknesses in their networks, their equipment, and so on, is not a topic that can or should be dismissed out of hand.
It would be an interesting, but not a risk-free, decision to try to work with hackers to explore where avionics or other systems may be vulnerable. There’s a lot of thoughtful discussion and study required here.
It wouldn’t be just airlines. It could potentially involve the Federal Aviation Administration, aircraft manufacturers, avionics manufacturers, and potentially other stakeholders.
What I don’t know is, to what degree would Department of Homeland security or other organizations need to determine how to assign responsibility among the various industry participants, like the airlines and the manufacturers?
An airline differs from a bank or a tech company in that, obviously, an airline carries people. There are huge issues of risk to people, property, and potentially even national security.
But if it's somehow workable, by extension you have to wonder should this be considered for cruise lines, commuter and inter-city rail, and any other sectors that involve transportation and logistics.
Eventually, as Google and other companies make fast advancements on their driverless vehicles, at some point, they may be asking themselves if they should start thinking about how to involve hackers to make sure those vehicles remain safe."
John Walton, writing for Airways News, wrote:
"Somewhat tellingly, neither Panasonic Avionics nor Thales, cited by the FBI as the reported route to Roberts’ ability to access flight systems, would appear to offer a publicised bug bounty program....
Regulators, airlines, airframers and IFE manufacturers need to take this seriously, consider whether their inhouse staff has the correct set of skills, offer real money bug bounties for their actual products, and provide access to their systems in order to provide assurance that the increasingly electronic aviation industry remains the safest way to travel."
Practical concerns
Sounding a more skeptical note was Brett Snyder, the aviation industry's leading blogger at CrankyFlier.com. In a phone interview, Snyder said:
"Historically, it ends up with good results in other industries. It’s like Catch Me if You Can: You got to work with DiCaprio, get him with you on your team. The hackers know best, and they’re going to try to do it anyway, so co-opt them.
An airline doing something like this for their website is a different story. Less risk. Makes sense.
But once you start getting into, 'Hey, let's have people hack our airplanes,' that’s concerning stuff....
Does a program require you to give hackers access to aircraft they wouldn’t otherwise have? How does that even work?
If you put a bounty program out there, can you really qualify people to start working on it? Can you make them go through security background checks? I don’t know.
But, in general, I think that manufacturers should be getting on this straight away, bringing people on payroll, getting them security clearances."
As backstory, the affadvait was discovered by the Canadian news service APTN (see story). It's embedded, here:
FBI Search Warrant for Chris Roberts
EARLIER: How a travel technology company is grappling with an ethical hacker
Dark Arts: Why some OTAs fool hotels with fake prices
NB: Image a screengrab from a Fox News report on Chris Roberts.