Is It Possible for Passengers to Hack Commercial Aircraft?

Experts insist that what the FBI claims hacker Chris Roberts did on a flight is not possible. We examine why, and what is still unknown.

When security researcher Chris Roberts was removed from a United flight last month after tweeting a joke about hacking the plane's inflight entertainment system, the security community was aghast at the FBI's over-reaction and United's decision to ban him from a subsequent flight.

But with publication of an FBI affidavit this month asserting that Roberts admitted to hacking a plane inflight, causing it to veer slightly off course, reaction in the community swiftly shifted. Wrath that had been directed at the FBI was now directed at Roberts.

How could a professional security researcher put passengers at risk by doing a live and unauthorized pen-test of a plane's network while in the air?

Equal to the clamor over the alleged actions, however, was that over the veracity of the claim. Many insisted that either the FBI had misunderstood Roberts, or the researcher had spun them a tall tale. Boeing and independent aviation experts asserted that what the FBI affidavit described was technically impossible.

“While these systems receive [plane] position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” Boeing said in a statement.

The statement seemed a contradiction in terms, though. Were the avionics and infotainment networks connected by communication links or were they isolated? And if connected, how could Boeing be certain a hacker couldn't leap from the entertainment system to the avionics system and manipulate controls? After all, a report released last month by the Government Accountability Office raised this very concern, as did an FAA document issued to Boeing in 2008.

So in the interest of providing clarity, we've examined the FBI claims in the hope of providing some answers.

The FBI Claim

According to the affidavit (.pdf) filed by FBI Special Agent Mark Hurley this month to obtain a warrant to search Roberts's computers, Roberts told agents that he was able to access the inflight entertainment system (also known as IFE) aboard an unspecified aircraft and obtain access to the Thrust Management Computer. The TMC, which works with the autopilot, calculates the power at which engines should operate under various conditions and maintains that power.

According to the affidavit, Roberts was able to issue a "climb command", which "caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane."

Many critics took issue with the idea of a plane flying "sideways," but this likely refers to the plane's nose veering slightly to the side of its intended course as a result of the engine thrust, says David Soucie, a former investigator with the Federal Aviation Authority. He told WIRED this scenario can occur if the plane's autopilot is not engaged.

If the thrust increases in one engine and not the other, it will produce torque that might cause the plane to become imbalanced. But planes are balanced by design to compensate for this so that "you can shut one engine down and keep the other at full throttle and it won’t flip the plane over [or] fly sideways," Soucie says. If the autopilot is engaged, as it normally would be at cruising altitude, computers would sense a single thrusting engine and correct to keep the plane on course. If the autopilot were off, however, a thrust "would create a dip in the wing," Soucie says, that could pull the plane slightly. "You’d have to really change the throttle, where the passengers would really notice it, to pull it off course." The nose would veer slightly in the opposite direction of the thrusting engine.

Whether it's possible to create this condition by issuing a command from a passenger seat is a different matter, however. Soucie and others WIRED spoke to agree with Boeing that this isn't possible. But unlike Boeing, they provided clearer details explaining why.

Peter Lemme, who was a lead engineer on Boeing's thrust-management system for eight years until 1989, says the system provides the auto-throttle function that actually controls the engine thrust, and doesn't allow the throttles for the engines to operate independently of one another.

"The auto-throttle wants to keep the engines together. It does not want to split the engines," he says. "The only command [available] is to drive them together, not to drive them apart." Consequently, there's no command Roberts could have issued that would have caused one engine to thrust separately from the other.

The only way someone could hack the system to throttle one engine would be if they were able to gain access to the box housing the system and reprogram the software for the throttles. "But you can’t just reprogram a box. There are all sorts of interlocks to make sure that software can’t change inflight," Lemme says. What's more, if the auto-throttle did something out of the ordinary, the pilots could immediately take over. "The pilot can grab the throttle, and the hand of the pilot wins out," says Lemme. "Those switches take away the ability for the computers to override [the pilots]."

So if Roberts wasn't able to alter the thrust of an engine, would he have at least been able to access the avionics system to do other things? Soucie and Lemme say no.

In-Flight Entertainment Systems

According to the FBI affidavit, Roberts got access to the thrust-management system through the in-flight entertainment system. The affidavit indicates that he found vulnerabilities in two models of IFE made by Panasonic and Thales, a French electronics firm that makes a variety of components and security products for the defense and aerospace industries and others.

On at least 15 different flights, Roberts evidently compromised IFE systems by obtaining physical access through the Seat Electronic Box, or SEB, installed beneath passenger seats. After removing the cover to the SEB by “wiggling and Squeezing the box,” the affidavit says Roberts took a Cat6 ethernet cable with a modified plug on the end and attached it to the box and his laptop. On at least one flight, he then used default IDs and passwords to access the IFE system and work his way to the thrust management computer.

IFE systems provide audio and video entertainment for passengers through a monitor embedded in a seat-back, an armrest or the ceiling. They can also display an animated map showing the flight route and the plane's speed and progress across the map.

A connection between the avionics system and the IFE does exist. But there's a caveat.

Soucie and Lemme say the connection allows for one-way data communication only. The systems are connected through an ARINC 429 data bus that feeds information from the avionics to the IFE about the plane's latitude, longitude and speed. The IFE uses this to populate the animated map passengers can use to track the plane's movement.

"On every airplane it’s done a little differently and is done in a proprietary way," Lemme says. But in each case, the ARINC 429 is an output-only hub that allows data to flow out from the avionics system but not back to it, he says. To talk back would require a second input bus. "I can't think of why there would ever be an interface like this. If it’s out there, I haven’t heard of it."

This would seem to be what Boeing was describing in its statement when it said that although inflight systems "receive position data and have communication links" to other systems on the plane, they are "isolated" from systems that perform critical functions.

But WIRED was able to find a document online (.pdf), which indicates that Boeing's line of 777 planes use ARINC 629 buses. These buses are designed for two-way communication.

A key part of the 777 systems is a Boeing-patented two-way digital data bus, which has been adopted as a new industry standard: ARINC 629. It permits airplane systems and associated computers to communicate with one another through a common wire path (a twisted pair of wires) instead of through separate one-way wire connections. This further simplifies assembly and saves weight, while increasing reliability through a reduction in the amount of wires and connectors. There are 11 of these ARINC 629 pathways in the 777.

It's unclear, however, if these are used only for communication between critical components within the avionics system, or if they are also used for communication between the avionics and non-critical systems like the IFE. Boeing did not respond to a request for comment.

Lemme says this doesn't matter, though. Even if data were transmitted from the inflight system back to the avionics system, the latter would know not to accept it, since rules programmed into the avionics system would tell it that the inflight system is untrustworthy and shouldn't be sending it data.

"The data exchanges are pre-programmed as a part of their system requirements---each transmitter and receiver is programmed for specific data to be provided at a specific rate," Lemme says. "Each receiver is checking that the data is being received when it should be received, and that it is receiving valid data."

The big question in this case would be whether the restrictions programmed into the avionics software were properly coded to reject the communication. Lemme says avionics systems are designed according to strict standards and undergo extensive code review and testing to ensure that something that shouldn't be talking to a critical system isn't.
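The receiver-side checks Lemme describes (specific data, at a specific rate, and valid) can be shown in C; this is an added example, not code from the article, Boeing or any avionics supplier. The simplified ARINC 429 word layout, the two labels and the 80-120 ms arrival window are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed word layout: bits 0-7 label, 8-9 SDI, 10-28 data, 29-30 SSM,
   31 odd parity. On-wire label bit reversal is ignored for simplicity. */
enum verdict { ACCEPT, BAD_PARITY, UNKNOWN_LABEL, BAD_SSM, BAD_RATE };
struct expected { uint8_t label; uint32_t min_ms, max_ms, last_ms; int seen; };

/* Constructed sample schedule: two labels, each expected every 80-120 ms. */
struct expected feed[] = { {0310, 80, 120, 0, 0}, {0311, 80, 120, 0, 0} };
const size_t feed_len = sizeof feed / sizeof feed[0];

static int odd_parity_ok(uint32_t w) {
    int ones = 0;
    for (; w; w &= w - 1) ones++;            /* count set bits */
    return ones % 2 == 1;
}

/* Build a word with a correct parity bit (used for the sample input). */
uint32_t make_word(uint8_t label, uint32_t data, uint8_t ssm) {
    uint32_t w = label | ((data & 0x7FFFFu) << 10) | ((uint32_t)(ssm & 3u) << 29);
    return odd_parity_ok(w) ? w : (w | 0x80000000u);
}

/* Accept a word only if parity, label, status and arrival time all match. */
enum verdict check_word(struct expected *tbl, size_t n, uint32_t w, uint32_t now_ms) {
    if (!odd_parity_ok(w)) return BAD_PARITY;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].label != (w & 0xFFu)) continue;
        if (((w >> 29) & 3u) != 3u) return BAD_SSM;   /* 3 = normal operation (BNR) */
        uint32_t dt = now_ms - tbl[i].last_ms;
        if (tbl[i].seen && dt < tbl[i].min_ms) return BAD_RATE;  /* unscheduled extra word */
        int late = tbl[i].seen && dt > tbl[i].max_ms;
        tbl[i].seen = 1;
        tbl[i].last_ms = now_ms;                      /* resync after a gap */
        return late ? BAD_RATE : ACCEPT;
    }
    return UNKNOWN_LABEL;   /* not in this receiver's programmed set */
}

int main(void) {
    uint32_t w = make_word(0310, 1234, 3);
    int a = check_word(feed, feed_len, w, 0);
    int b = check_word(feed, feed_len, w, 100);
    int c = check_word(feed, feed_len, w, 110);       /* only 10 ms after the last word */
    printf("%d %d %d\n", a, b, c);
    return 0;
}
```

A word is accepted only when it is one the receiver was programmed to expect, arrives on schedule and passes parity and status checks; anything else is dropped before its data field is ever read.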

"People suggest that it’s possible there’s unintended ways of using that interface if it wasn’t [implemented] 100 percent [correctly] and they left some gaps. But I don't believe these gaps exist," he says. "I do believe that there are ways to get into boxes, but as far as causing boxes to do things while inflight, I don’t believe that. You’d have to cause them to use information that they don't normally use, and that would involve reprogramming them."

Lemme says there may be some aircraft that now use ethernet connections in place of ARINC 429 buses to transmit data from the avionics to the entertainment system. But in a design like that, he says, there would be a box sitting between the avionics system and the in-flight system to securely convey information to the latter without allowing a connection back to the avionics from the IFE.

When asked about this, Roberts declined to answer. Instead, he pointed WIRED to a PowerPoint document (.pdf) authored by Jean-Paul Moreaux, chairman of the Airlines Electronic Engineering Committee's Aircraft Data Networks Working Group. The document, which appears to have been created in 2004 or later, discusses proposals to transition planes from ARINC 429 to ethernet. Efforts to reach Moreaux and the AEEC were unsuccessful. But Lemme says that although some planes use ethernet in their avionics systems, they're using what's known as Avionics Full Duplex Switched ethernet, or AFDX. This is a more secure data network, patented by Airbus, and it's used only between critical components that are part of the avionics system, not to communicate with IFE and other non-critical systems.

Satellite Communications System

During an interview with WIRED in April, Roberts said he found vulnerabilities that allowed him to jump from the satellite communication system (SATCOM) to the inflight entertainment and cabin-management systems. One cabin system he explored controlled the deployment of passenger oxygen masks, and he told WIRED that he would have been able to trigger the masks to deploy. He also thought it might be possible to access the avionics system via the cabin management system, though he says he didn't verify this.

The FBI affidavit doesn't address the SATCOM system, but Lemme says Roberts would not be able to access the avionics in this way, either.

The satellite communication system is usually mounted in the ceiling in the back of the plane and connected via cables to the avionics system located in the equipment bay beneath the flight deck in the pilot's cabin. Information about the plane's latitude, longitude, and speed gets transmitted from the avionics system to the satellite system through a different ARINC 429 bus than the one used to transmit data to the IFE. The satellite system uses this data to steer antennas on top of the plane so that radio signals will be sent in the direction of the nearest satellite. This data goes only one way, agree Lemme and Michael Exner, a long-time private pilot and former owner of a satellite communications firm that competed with Inmarsat in the late 70s and 80s.

There's also a separate data link from the avionics system to the SATCOM system to send messages from the ACARS management system back and forth to the ground. This interface is bi-directional to allow messages to go on and off the airplane. Separately, the SATCOM also transmits passenger communications to the ground, such as credit card transactions, internet access and email.

Lemme says all communication between the avionics and SATCOM, and between the inflight entertainment system and SATCOM, is done through separate, dedicated radio channels. "We have some radios dedicated to the passenger cabin and some to the pilot, and these are air-gapped and don’t cross over at all," he notes. The separate L-band radios used for the communications of pilots and passengers are stacked together and housed in a single unit, but each operates as a standalone radio using separate radio channels.

So the SATCOM theory doesn't hold much water, either.

A Teller of Tales?

All of this appears to add up to the conclusion that there's no way Roberts could have hacked the thrust controls of a plane and manipulated the aircraft, either through the IFE, the SATCOM or anything else. But then how to explain the FBI affidavit?

Roberts told WIRED after the affidavit came out that the FBI took what he said out of context---that he had multiple conversations with agents and that they highlighted only a small portion of the conversation in the affidavit. This suggests they cherry-picked, and possibly jumbled, his statements.

Exner met with Roberts over a long lunch in early May. Although the conversation around Roberts's activities was somewhat guarded, Exner came away with the impression that "he probably did some of the things that he said he did, but he did them in simulation not in a real aircraft."

He says he asked Roberts pointblank if he had ever taken control of a plane inflight. "[H]e said no. He said things that would lead me to believe that he did it in simulation, not in a real aircraft," Exner says. As for what he did during an actual flight, Exner says, "I doubt very seriously that he ever got beyond the IFE."

He suspects that Roberts may have breached the entertainment system "and convinced himself that he was looking at a lot of traffic that may have looked like traffic coming from the other network but probably without a return path. But that's a lot of guesswork on my part."

He notes that Roberts's words are often laced with sarcasm, and it can be hard to parse when he's serious and when he's not. "He says a lot of things that can't be taken literally. I suspect that much of the confusion that ended up in the FBI affidavit is a result of his communication style."

With all of this said, Roberts continues to insist that the plane networks he examined are vulnerable to hacking, and Boeing continues to insist the avionics systems at least are not. Unless Roberts definitively identifies the vulnerabilities he uncovered and explains how he got into an avionics system, we're left with unanswered questions. Boeing could clear up these questions by providing more than blanket assurances about the security of its networks, but the company has so far declined to do so publicly.

Regardless of whether Roberts hacked a plane or not, Lemme says one thing is clear. "This behavior of a passenger connecting to something that they're not supposed to connect to ... we've got to at least say that's a bad thing. That is just as bad as somebody taking a hammer and starting to beat on the airplane. That's effectively criminal behavior and is not a casual exercise."