Hacking In-Flight Entertainment Is Harder Than Hackers Would Have You Believe
For better or worse, hacker Chris Roberts has made a name for himself as that guy who hacked in-flight entertainment (IFE) systems and claimed to make his plane fly sideways.
Industry experts question the validity of his claims to access the engine control systems, because the systems in question are not connected to the same networks that control the IFE he allegedly exploited. Both Airbus and Boeing indicate that their so-called wireless cockpit systems are isolated from the networks for in-flight connectivity and in-flight entertainment. As an Airbus spokesperson told us when we asked:
“What the passengers use on board uses a totally different network to what the pilots may use in the cockpit. The cockpit system would also utilize a completely different transmitter/hotspot with a different radio frequency band. In short, they’re completely segregated – including: different hardware; different hotspot; different frequency band; different network etc.”
The various connectivity suppliers we spoke to echoed this same message and added that the messages transmitted by the aircraft’s hardware for the purposes of maintenance tracking, what we’ve previously referred to as connected aircraft, are “read-only.” The information can be read, but the connection cannot be exploited to access the systems.
What is more, critical data transmitted is encrypted on satellite connections which themselves, because they also control sensitive exchanges of government, industry and financial institutions, are protected by the satellite company’s own cyber security centers, which rely on the expertise of many highly qualified individuals.
Hardware suppliers and communications suppliers, aircraft manufacturers, all have their own cyber-security experts addressing threats. Hacker groups point out that no system is entirely invulnerable, and no one feels a need to argue that point, which is why the industry employs experts to deal with cyber security.
Still, there is a threat to aviation and it is constant and ongoing. Concerns over aviation security are not limited to an issue of software on the IFE box, but let’s start with the box.
“Chris Roberts advised that he had identified vulnerabilities with IFE systems on Boeing 737-800, 737-900, 757-200 an Airbus A320 aircraft. Chris Roberts published the information because he would like the vulnerabilities to be fixed,” the FBI affidavit following the seizure of Robert’s hardware assets states. “He compromised the IFE systems approximately 15 to 20 times during the period 2011 through 2014. He last exploited an IFE system during the middle of 2014. Each of the compromises occurred on airplanes equipped with IFE systems with video monitors installed in the passenger seatbacks.”
While the FBI does not say in its affidavit that it has confirmed the access Roberts claims to have gained to aircraft controls, it can confirm that Roberts compromised the systems because he physically broke into and intentionally damaged the boxes to test his theories.
“He would get physical access to the IFE system in the seat in from of him by wiggling and squeezing the box,” the affidavit states. “After removing the cover he would use a cable to connect his laptop computer to the IFE system while in-flight.” It continues, but this is really enough.
Roberts got on an aircraft intending to cause damage, he did so, then bragged about it. His damage may, in point of fact, have been minor, but it could have been more severe.
Aviation has already seen what lengths people go to do harm on an aircraft, and all of us go through daily security scrutiny to address threats potentially posed by our bottles of shampoo, nail clippers, knitting needles and other various and sundry items. Yet, a person can break into electronic hardware, get off the plane and get back on again at some future date to mess with a new system on a whim.
According to the FBI affidavit, Roberts Tweeted on February 23, 2015: “Two civilized but direct warnings in the last week not to mess with certain things means I’ll be modifying a few upcoming talks.” On April 15, 2015 Roberts sent the infamous tweet which got him in trouble with United Airlines.
Roberts demonstrates no sense of having done something wrong by tampering with aircraft equipment even now, and would likely do it again in a heartbeat.
Of course, that Roberts, in his own words, isn’t too worried that he might one day crash a plane with his antics could be of some solace to the public and help answer questions about the alleged vulnerabilities of these systems.