We live in shitty knee-jerk reactionary times, but did anyone else see his tweet at the time? At best, it seemed in poor taste. At worst, the outcome seems depressingly predictable.
I don't know what I'm trying to contribute here, except that whilst I have no problem with EFF working on this, their article here seems overly shrill and over-reactionary at how shrill and over-reactionary the airline was in their response to what (admittedly, in hindsight) could have easily been interpreted as a threat by an over-zealous corporate drone blind to smily-face emoticons.
This isn't exactly a new phenomenon - even before 9/11, a careless joke at baggage check-in ("Did you pack your own luggage today, Sir?" - "No, my wife probably put a bomb in there.") would often result in the joke not being recognised or treated as such. Said jokester gets taken to one side, scrutinised by the boys in blue, and eventually told that they "will not be flying today, sir."
In the age of Twitter, such hijinks are amplified further due to their world-readable nature. The problem with innocent, uncomfortable-but-well-intentioned jokes is that you have to consider how it will play with someone whose job it is to flag up and respond to any and all threats, no matter how credible.
Fundamentally it's your joke versus a member of staff who is not in a position to deviate from the procedure and brush it aside.
Plus, who'd want to be the guy who gets their face on the news after an incident because they ignored a threat and thought it was a joke? They won't, and often CAN'T, take that risk - they are simply not in a position where they are allowed to do so.
As you say, we live in shitty knee-jerk reactionary tines, but whatever the rights and wrongs, in this kind of situation it's prudent to moderate one's comedy appropriately.
The baggage questions is so stupid, IF you wanted to do some evil with things packed, WHY would you say something that isn't the "right" answer to them?
It's an excellent question if people pay attention - the question, (at least as asked in Singapore), is, "Did you pack your own luggage, are you aware of everything in it, has anyone given you anything to place in your luggage, and has your luggage been under your control/observation the entire time."
Every time they ask me that question - I do a quick mental checklist, always mention that my luggage did leave my control when placed in the boot of the cab - which they always understand is an acceptable loss of control.
There are a couple alternatives that one could take to further increase security - first, presume that 100% of people are threats, and do a full security scan, and hand check/rejection, of 100% of checked luggage. Likewise, enhance the carry-on security check, and further restrict what people can carry-on. In particular, shift the carry-on check to the gate (where it should be).
>Every time they ask me that question - I do a quick mental checklist, always mention that my luggage did leave my control when placed in the boot of the cab - which they always understand is an acceptable loss of control.
I'd bet that a fair number of the people who thoughtfully answer that question give an answer that is calculated to produce the least amount of hassle for themselves, even if they know that their luggage could have potentially been tampered with. Most people probably aren't aware enough of their surroundings to give an informed answer. I'd like to know out of the number of extra checks that have been initiated due to this question, how many have yielded anything useful.
It also has the peripheral advantage of ensuring that you never carry a package for someone else, and that you are leery about carrying luggage/bags packed by someone else.
Really? I would have no problem bringing a wrapped gift from a friend or colleague, the contents of which I do not know on a plane. And lying about packing my bags myself.
In fact, I don't see why anyone would have a problem with that...it's a constant and (imo) fair assumption of mine that my friends are not trying to kill me.
As someone else has noted, the set of things that won't harm you, aren't necessarily the same set of things that you are allowed to carry on a plane (leatherman), or check (LiOn batteries).
Also - while you can be trusted to make judgements about your own safety, the airlines have to make somewhat more conservative decisions about the safety of everyone else on the plane.
And carrying packages for someone else is just one of likely hundreds (thousands?) of factors that they are concerned about.
This doesn't guarantee airplane safety (Nothing ever will), but it reduces the number of easy attacks one can make, such that it's becoming somewhat more difficult for a passenger to bring down the plane they are flying on now. Of course, now we have to worry about the pilots (a thankfully rather rare vector)
The airlines don't care if you are carrying a package for someone else. Although if a stranger asks you to carry a package, then it is suspicious. But these questions don't really do anything to reduce the attack surface.
Heh. I had a moment of sudden panic when a security agent at Ben Gurion airport in Tel Aviv asked me if I had packed everything myself, and I remembered I had a http://en.wikipedia.org/wiki/Rosh_Hashanah gift from a client in my case. So I said 'No.'
Then, with images of airport holding cells and enhanced interrogation jumping to mind, I hastily explained what I meant. Interestingly, the agent was happy not to unwrap and open the present, and just inspected the rest of the contents...
Because you might not be aware that you're being used. I can't find the reference right now, but that question started being asked after a man put an explosive in his wife's luggage (when she was flying without him, naturally)
Look at the vast numbers of people who fall victim to ridiculous 419 scams.
People are easy to manipulate into carrying a parcel across international borders.
Also, isn't it the start of gathering evidence? If you say it's your bag and you had control of it and then they find it full of contraband they can use your comments to tie the bag and contents to you?
It's not actually intended to catch YOU. It's actually in response to a case where a passenger was given luggage containing a bomb, unbeknownst to them. See https://en.m.wikipedia.org/wiki/Hindawi_affair
it exists to weed out the absolute moronic and deranged. not everyone is a supervillain with an iq of 300.
plus, i guess it also exists for legal reasons. lying to the question can be used against you.
there is a lot of smart people out there, working keeping things running and safe. if something looks ridiculous from the outside, it still might be ok - you just might be lacking context to understand it.
Absolutely, but a credible security researcher, on a plane, talking about its configuration and asking "shall we start playing with EICAS messages?" is not a joke that can be disambiguated in real time.
That is achieved through men with badges, confiscation of property, the disruption of travel, and the kind of inconvenience being written about here.
I think the infosec community needs to grow up. We all hate when legislators use the word 'cyber.' Title 18 is a mess. The new computer crime proposals are worse. Every couple of years we get the occasional story about licensing security professionals. It is because of exactly this type of clownish behavior.
There are consequences for the attention seeking type of behavior. This idiot is catnip for government regulation.
It isn't exactly his fault though. Our community has been doing this to garner press attention for the sake of the attention. He is following the pattern that has long been set. Stunt hacking scares the shit out of normal people. Eventually people will demand regulatory intervention.
Every response to this I've seen from "the infosec community" (my connection to that community tends sharply towards vulnerability researchers, since that's my background) has been critical of this guy. I can't think of anyone I've seen cheerleading him. I've even seen rare glimmers of people criticizing EFF for trying to make a cause celebre of him.
But you're taking things too far by casting aspersions on all of "stunt hacking".
The problem with this idiotic tweet is that, if there is a vulnerability in the electronics of an airplane, this is exactly the thing you'd expect to see before some moron accidentally forced an emergency landing by tinkering with it. Vulnerability researchers disrupt and disable systems all the time without trying to.
The same is not true of people using logic analyzers on car CANbus systems (the archetypical example of stunt hacking).
The real criticism I've seen of stunt hacking is that (a) we don't learn all that much from it and (b) it's not particularly difficult ("look at this debugger debugging", as a friend of mine summarizes most stunt hacking talks).
I've seen a lot of people cheering for him. I've seen the man in person at various cons, and I think he's brilliant. The problem is, what are we supposed to do? Responsible disclosure: companies don't give a shit and will hide it. Full disclosure: you get sued and thrown in jail. Stunt hacking disclosure: people get scared even though it's easy to do. People demand something be done about it. The person who did the disclosure is alternatively viewed as a hero or a villain, but the thing is people are talking about the issue.
What's going to get people talking about security? "Target got hacked" "Oh, what a shame, I'll replace my card then go shopping at Target again". Or what about "I can bring down a plane while it is flying without needing a bomb. I can shut down hydroelectric dams from my living room and flood the entire state of Washington". Now you've got people talking.
"It's not particularly difficult" is the precise problem. It should be difficult. People should be demanding that gaining access to flight control and SCADA systems be made impossible by the general public. Dismissing a hack as "easy" means you're forgetting that it's a hack. It's not supposed to be possible, let alone trivial.
>>The person who did the disclosure is alternatively viewed as a hero or a villain, but the thing is people are talking about the issue.
This is what I have concerns with. It's this "ends justify the means" argument that disregards some important consequences.
There are many ways to breach these topics. You can go to the FAA. You can go to the individual companies. You can post on mailing lists. Ultimately, it may be a grind. But going the press route with inflammatory statements has consequences that exceed your own experiences with law enforcement. The legislators want to regulate infosec. It won't be pretty when they do.
We need people to understand that a successful disclosure doesn't require headlines in arstechnica. You have to be empathetic to interactions with large organizations. Flashy press may get attention to your issue, but it can also have disastrous consequences for the rest of the community. Is it worth it?
How about this: don't publish a message to the world on Twitter saying that you are tinkering with what you believe to be flight control systems on an actual aircraft in transit?
The problem is, he's done it before. And reported it to the airlines. And they've done nothing about it.
I've heard him talk for years. Same thing every year. So seeing what I saw on Twitter was no surprise. He's not publishing an exploit on Twitter, he's making a joke to the followers he has that all know what he's done. He's making the joke that this year, again, the flight control systems are still vulnerable to literally anyone with a laptop and an ethernet cable.
It's not that he's saying he's tinkering with what he believes to be flight control systems on an actual flight in transit. Of course he wouldn't do that... again. He's already done it once, years ago. Why was there no outrage then?
(a) There is no real flaw here, other than the potential for maybe sending scary messages to people's In Flight Entertainment screens, and so the disruption he's causing by suggesting that there might be a flaw has no upside.
(b) There is a real flaw here, for instance a message he can send across in-flight wireless that would deploy an oxygen mask, and his broadcast that he intended to tinker with that system is actually threatening.
"I've even seen rare glimmers of people criticizing EFF for trying to make a cause celebre of him."
Perhaps it's entirely possible that the EFF is just like any other organization that needs to find ways to justify their existence. The same with security researchers cloaking many of the things that they do in some quest for the greater good (the "if it wasn't for us" argument).
You know locksmith tools are available for purchase over the internet. But that's not enough! We should teach lock picking in schools so that people develop new and better ways to prevent their own locks from being picked and invest in more security against people that have been trained to pick locks. Because disclosure and transparency makes everything better and nobody thinks there is any value at all in obscurity or making things a bit more difficult by not being so out in the open.
Pretending that finding some security flaw is not about capturing the flag and all about saving humanity really bothers me to no end.
With physical locks you are exposed to the few people that can walk up to the lock without attracting attention. With digital security, you are potentially exposed to every connected system on the planet. An invisible attacker can't pick your lock, but could hack your security system. That is why digital security is paramount.
Robots are not going door to door picking locks, but that is exactly what happens every second of every day to every system on the Internet. It only takes one, and there are lot of disenfranchised smart people around the globe.
They don't want to be secure, they want to feel secure. That's why when somebody shows how insecure people are the common reaction is to want to punish that person. They didn't make people less secure, but they made them feel less secure.
This is exactly what I am trying to call attention to. I have tremendous sympathy for the sentiment you are expressing. Unfortunately, the splash damage of flasy exploitation publicity as an incentive for vulns remediation is government regulation of security professionals.
The flashy stories have been happening for close to 20 years now. Are vulnerabilities becoming more rare?
Vauge non-specific demands of a loose and fluid group with little to no control over it's members set the group up for inevitable failure.
Without critical thought, it appears to be a reasonable request. Which is why the people who never want to listen to The Cavalry or EFF say it, and why the rest of us propagate the idea. But it's a trap.
There is some amount of control when you are accepting and possibly celebratory in response to behaviour that should be discouraged.
For example, if you never sexually harass someone yourself, but you are silent while other do so, you are ceding a control that you have over the situation.
If more people that were respected in the community called out these behaviours when they happen, you may see them happen less (though this isn't an absolute control, so they wouldn't go away completely).
At the same time, you can always claim that "the community isnt doing enough" because "enough" and "the community" as so ill defined that you can always castigate "the community".
Somewhat OT, but this is something I wish people could understand about groups like Occupy and GamerGate. The criticisms of both are often measured in such a way that the targets of the criticism can never do "enough".
The fact that somebody scares the uninformed public shouldn't be the determining factor for whether it's appropriate. Especially if it's true: "a hacker can bring down the plane" is an important claim to investigate. Even if you disagree with how he said it (and I certainly do), it shouldn't be forbidden just because it's sensational.
The appropriate sanction is the professional scorn that he's already beginning to receive.
If he was going to harm the aircraft, he wouldn't have announced it in a tweet. If the FBI already had reasonable suspicion he would, they shouldn't have let him get on the plane in the first place.
There is no rational reason for their action. This is simply a PR move by United and the FBI. Which leads to the same conclusion: just don't tweet things like this. Not because you're wrong, but because they are assholes.
"If he was going to harm the aircraft, he wouldn't have announced it in a tweet."
Many, Many bad actors have a pretty good trail/history of signals that made it clear that they were going to do something stupid. And a lot of them are stopped because authorities stepped in when those signals were reported.
Would you want to be the person who was notified that someone was communicating they were considering interfering with the proper operation of an aircraft, and ignored them, only to discovery they later on did do damage to the aircraft?
I think at the very least, people responsible for flight safety can engage with those making claims they are going to endanger airplanes, and subject them to a strenuous interview to determine what their actual intent is.
It's one thing to unobtrusively investigate a suspicious person, but actually interrupting their life just because your heuristics aren't good enough sound like a ding to free speech. If everyone joked about hacking planes, that would no longer be a risk factor.
I learned at the age of five or six to never make jokes about airplane safety - and that was 20 years prior to 9/11. Most adults in North America have enough common sense, particularly after 9/11, not to start mouthing off about endangering airplane security. It's like being humorous regarding the safety of the president - it's just one of those things that if you do it, you know are going to get a visit by the authorities, and, quite possibly, go to prison. There are certain topics around which you do not have absolute freedom to say whatever you want, particularly when you are in an airplane.
In this case, all the authorities did was interview him, and seize his electronics. My reading of the story is they didn't even charge him with a crime or put him in a cell. I don't find it surprising whatsoever that United Airlines does not want him flying on their planes.
I hate how often this line is used to defend bullies and blame victims. It's an attitude that ensures the overly aggressive can browbeat their way to getting whatever they want.
Bullies proactively seek to hurt others for their own amusement. For better or worse the Secret Service (in the case of the president) and the FBI (in the case of airplane safety), are reactively responding to potential threats.
So if you don't want them to react, don't threaten the president, don't make threats about messing around with aircraft EICAS systems.
Remember, the FBI isn't responsible for designing safe aviation comms systems, their job here is to investigate potential threats. I think most of us on HN would suspect that Roberts is not a threat, but from the perspective of the FBI, he's certainly a potential threat that needs to be investigated.
Bullies proactively seek to hurt others for their own amusement.
This is definition is too narrow, in my opinion. Workplace bullying, for example, isn't just for amusement, or even to hurt others deliberately.
I would define a bully as anyone or any group that uses coercion to get their way, rather than persuasion. Alternatively I would say a bully wantonly throws their weight around.
As such, using the power of the FBI to seize equipment as the first response to an unproven alert is bullying.
I've looked up the definition of "bully" - and I have to admit, they all define the word in pretty much the same way you just have, which surprised me, as it wasn't my sense of the word "bully." It seems to me, though, that by that definition, any police action in which the suspect doesn't just acquiesce and come meekly along, is an example of Bullying - which really stretches my sense of the word.
It should be noted though, that in the case of the FBI seizing the equipment, it turns out to be the case that Roberts actually was guilting of making the threat/joke about messing with the airplane's EICAS system, so it's not clear to me that we can claim it was an "unproven alert."
You can always seize the equipment, perform an investigation, and then return it. But if you fail to seize the equipment, then the suspect can wipe it/destroy it if you later determine you do need to review it.
I'm guessing the FBI (any police agency), in this situation will follow the "Better safe than sorry" approach.
And, as to how you can avoid having your shit seized by the cops - most of us were taught at the age of 5 not to use the B word in an airport - just extend that logic to not making jokes about messing with the aircraft safety and you should be fine.
If anything Chris Roberts would be the bully in this case, effectively saying "You are weaker than me (or at least your software is), should I give you a swirly?"
Someone tattled (Twitter) and he was taken to the principle's office to explain his comments. He was not suspended or kicked out of school (possibly because they decided he had not actually threatened the weaker student, etc).
> I don't find it surprising whatsoever that United Airlines does not want him flying on their planes.
This is more a function of the airlines just being stupid though. There was a case where an Arabic family was taken off of an airplane because on of the teenagers asked how safe it was to sit in a seat next to the wing. The FBI cleared them, but the airline refused to allow them back on a plane.
Robert's exact statement was, "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)"
I.E. He was talking about directly interfering with the planes EICAS system. What if he'd joked about running a GPS, or VOR (http://en.wikipedia.org/wiki/VHF_omnidirectional_range) jammer during final approach? At what point do the authorities decide they need to have a conversation with such an individual?
The issue is that the authorities did have a talk with him, but the airlines have deemed that the authorities' assurances are inadequate. That was the portion of the example that I was referring to. The airlines have said "FBI says this guy is ok? Screw that, don't let him on anyways!"
Would you want to be the person who was notified that someone was communicating they were considering interfering with the proper operation of an aircraft, and ignored them, only to discovery they later on did do damage to the aircraft?
That's the problem with concentrating blame. It leads to net counterproductive behavior. One in such a position is thinking about their position, not just the people they are protecting.
> If he was going to harm the aircraft, he wouldn't have announced it in a tweet.
You can't know that.
> If the FBI already had reasonable suspicion he would, they shouldn't have let him get on the plane in the first place.
They may well have stopped him getting on the plane if he'd made similar tweets beforehand. "I'm going on a plane next month. What should I do with EICAS ;-)" would probably have had the same effect.
He shouldn't have had his stuff confiscated, but he has no excuse for not knowing how "they" reacted. Their over reaction is entirely predictable, not just from theory but from their past behaviour.
(Using four spaces and long lines makes those lines unreadable on mobile.)
> Oh god, this plane has <security vulnerability>. That does not make me feel safe. What if someone did <bad thing>? D:
No! There are plenty of examples of people who stumbled over a security vulnerability, and who responsibly, confidentially, reported those vulns to the companies, and who then faced scary legal action.
I agree that the actions taken against him are far too severe; and that there should be a way for people to talk about security flaws without facing this level of harassment.
People make harmless jokes that are applicable to your life at a daily basis, you're just not party to them. Thinking a joke is dangerous just because you observe it is a base rate fallacy.
But, at the same time, thinking that "a joke" is safe when observed, is also not necessarily true.
Good judgement needs to be taken into account. I recall having to "reapply" for my temporary job in the computing center every semester (because, of course, it was "temporary") - and one of my fellow students, after having done this for a couple years, and having a bit of ego, basically just scrawled on his application form, "Hire me again or I will murder all of you." You see, if you knew him, it was actually really, really funny. We were all a close group, and everyone on the team thought it was hilarious. The HR organization that unbeknownst to this student, screened all applications, and had no idea who he was, took a decidedly different perspective on his application.
The proper response was to alert security, and thankfully his hiring managers - who then de-escalated the situation.
The problem with the airline situation - their is no easy "oracle" who can confirm that this person is most decidedly not a threat.
People in general are very afraid of flying despite the fact it is reasonably safe. Making a joke about fucking with an airplane is in poor taste considering many people are on edge.
It'd be like making a rape joke when you pass a woman on a dark street.
It's just a bad joke. People also have an obligation to control their own hearts instead of waiting for someone else to tell them how they should feel.
It's not my job to make anyone feel safe. That is merely the bias of my personal style. Pure coincidence. The fact is, talking about religion with derision could incite violence, pain, and fear. Am I someone who gets off on pain? No. But I'm not going to go out of my way to protect someone's heart either. It's their job to rule their own heart. It's not their psychiatrist's job or their pastor's job. On a side note, I would add that many religions go out to deliberately propagate fear ("Jesus is the sacrifice to save us from hell"). Nobody cares. I have a friend who is really pained by the thought that he can't convert his close friends, and worse of all, his parents! What agony he must go through now that somebody decided to exercise their free speech and tell him about the eternal torture of hell. It was his job to rule his own heart.
Similarly, it is not the job of students to avoid discussion of rape on campus because the mere mention of rape could cause a reliving of trauma. It is instead out of personal will for a healthier future that we deliberately choose superior speech over unrefined speech.
It is okay for society to shame those they think are tactless. It's not okay to bring logistical or material pain to someone's life because they made one feel terror, or angst, or outrage. Discussion of hell could bring more pain into someone's life than most other subjects one can summon up without a priori knowledge.
I absolutely think the EFF is making poor use of their funds defending someone who was doing penetration testing on live planes with people aboard.
If the security is as bad as he claims, the risk his testing might inadvertently put people in danger could be pretty high. And he was a repeat offender, as by his own admission he'd hacked planes 15-20 times so far in a live environment. That's incredibly dangerous, and it takes an incredible amount of ego and an incredible lack of consideration to fail to realize that he could be putting people at risk himself.
This is the world we live in. Question, detain, and let the courts handle the interpretation of the law. Whether it's the NSA, FBI, CIA, it matters very little to them. After 9/11 we as a country wrote them a blank check. And while this guy shouldn't have taken to twitter to say planes can be hacked pretty easily, it's not shocking to see what happened after he did.
Yes, it's a stupid tweet. But essentially saying "I could bring this plane down with my laptop hackery" is a statement about security, not about intent.
The guy has bad judgment, but he's not saying anything that should trigger any action against him (they should investigate the basis for his claim, not him as an individual).
If he were to announce to the passengers on the plane, "I could bring this plane down with my laptop hackery", people would be terrified and want him off the plane. They don't give a shit about intent, they just know the guy is talking about being able to bring down the plane they are on.
The issue is that he was hacking the plane. Intent is irrelevant. The reality is he could inadvertently damage an aircraft system while playing around. A responsible security researcher would not put 200 people at risk to do his testing.
I clicked on the word "tweeting" in the article twice before realizing it wasn't a hyperlink. I totally assumed it would be. And now I see why EFF didn't link to this.
I'm sorry, but that tweet actually is threatening in my eyes. Note that I know __nothing__ about airplane-system-security, but that looks to me like he gained some kind of cmdline and/or admin-tool access and "PASS OXYGEN ON" looks like something that would cause the oxygen masks to drop down for all passengers. And he did this while on the plane with other passengers while it was flying? If so, he got what was coming to him. Sorry.
You should always make your own copy in cases like this.
Archive.org will delete everything on request. For example if you add a robots.txt file blocking them they will automatically remove the entire history for your domain
Could someone be so kind as to translate this tweet so that those of us that aren't security experts can understand what was said? Or perhaps point me in the direction of some recommended, intro-level reading? I feel distinctly ignorant at the moment!
> Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)
737/800: is the type of aircraft and specific model (Boeing 737, stretched version (800)).
Box-IFE-ICE-SATCOM: Is a theoretical (or actual?) exploitation path.
Box: I'm assuming is in-flight WiFi
IFE: Is the in-flight entertainment system
ICE: Is also part of the IFE, but I'm guessing he specifically referenced that due to the "I" (in ICE) namely, the information that gets fed into the IFE from the flight systems (speed, altitude, and position)
SATCOM: The uplink used by in-flight WiFi but also the IFE to provide "latest news." If can be used to deliver information to the airline about the aircraft so they can keep track of if its on schedule and such.
EICAS messages: Used on aircraft's secure network for flight crew alerts and diagnostic information. Some of these may be relayed onto the insecure network and forwarded to the airline (similar to ACARS, but over SATCOM).
PASS OXYGEN ON: The implication is he wants to cause the oxygen masks to drop down into the passenger cabin (although in reality sending this wouldn't do that, it would just set off a warning on the flight deck letting the pilots know that the oxygen masks dropped, even if they physically hadn't).
If he could send EICAS messages to the aircraft's secure network, that would be a legitimate safety concern. However if he just witnessed EICAS messages from the insecure network, that isn't really a concern except maybe he could send misleading ones to the airline and give them a metaphorical heart attack.
I'm somewhat familiar with avionics system on a 737, and that above is a pretty accurate description. The FMS* basically forwards the messages through CANBUS for the IFE, via a gateway.
At worst this guy could send a fake message to other passengers, and maybe cause a IFE system warning in the cockpit. Oxygen Masks are controlled by a completely separate system to the IFE.
* The 737NG has various displays for warnings, but its not quite the same as the Airbus EICAS
I'm relatively uninformed in this area, but I assume it was a proposal for an exploitation path. "Box-IFE-ICE-SATCOM" would most likely be a plan meaning exploiting and escalating privileges from the actual passenger's client interface or in-seat screen(box), escalating to the in flight entertainment system (IFE), to the inter-communications system (ICE), and finally to the Satellite Communications system (SATCOM). Not sure how realistic it is, because I know really nothing about info-sec with regard to aircraft, but it's no different than planning something like web app/service vulnerability -> database -> backend systems.
I have a problem with the often used phrase "legitimate researchers", because it suggests that certain freedoms should only apply to certain people.
"legitimate researcher" is not a specific job, researching is an activity any citizen can and should be free to conduct within the confines of the law, and all of that is "legitimate".
The whole "legitimate researcher" creates a huge loophole through which the powers that be can create some kind of registered researcher status, with the obvious consequences for everyone else.
I agree with your problem with the phrase "legitimate researcher". I'm usually supportive of the EFFs position on most issues, but sending a Tweet like this guy did was pretty dumb. Even the disruption from a "overreaction" is a problem.
Also, the gateway between the aircraft safety systems and the CANBUS is one-way. The worst he could have done is shutdown the In-Flight Entertainment system, and inconvenienced a bunch of passengers.
I'm not saying that the possibility of security flaw isn't there, only that this CANBUS issue isn't it.
A legitimate researcher would arrange a ground test, or even a test flight, and not experiment on an airliner with passengers. They can do "hardware in the loop" tests on the ground, with minimal risks. The FAA are actually involved in requesting security assessments on airline systems with safety implications.
IMHO This guy come very close to crossing the line of "interfering with the safety of an airliner" when he conducted previous tests, and that is most certainly is illegal. People have gone to prison for less.
The EFF should be pushing for further evaluation of the actual issues, whatever they may be, in an appropriate manner. If Boeing/Airbus blow off the EFF, push back harder.
A well trained crew can operate a 737 quite safely using the Standby Flight Instruments for an emergency landing, even if some sort of compromise shut down the primary Flight Management System and Primary Flight Displays.
I happen to know several computer programmers/security researchers who are also test pilots. More than one called the CANBUS risks "inconvenience" and not safety of flight.
I don't think they mean legitimate as professional or industry recognized, but more as a way to distinguish from an actual bad guy hacking for criminal intents and then claiming he is a researcher and should have carte blanche.
In France there is a crime labelled "association de malfaiteurs" (criminal's gathering). Fantasizing about a crime is allowed. But actually laying out plans, watching the neighbourhood, or performing concrete steps towards the crime with the intent of actually performing it… well, that is forbidden.
Makes sense to me. Mere thoughts should never be forbidden, but acting on a criminal intent, even if the acts, taken independently, wouldn't be forbidden, is something else entirely. First, actions can be punished. Second, actions are actual evidence for the intent.
Not necessarily. Otherwise it would be impossible to prosecute someone for meticulously planning a terrorist action, who is only stopped when they are just about to purchase the materiel required to carry out the act. No action has tajen place - actual terrorism has not occurred, and there are no physical tools or similar present. But the intent (or Mens Rea, guilty mind) is there, so you can be prosecuted.
And, of coure, there are crimes of "Conspiracy to X" that involve merely the intent to commit a crime.
A crime requires the confluence of the required mens rea and the required actus reus; the former alone is not sufficient.
For the kind of plot you describe, prosecution would usually occur when there are multiple persons involved based on conspiracy charges, which require an overt act in furtherance of the conspiracy (which can be a fairly minor act, but it still requires an act.)
Mens rea is a required component of many crimes, yes, however it is not sufficient alone to be criminal. Research with malicious intent is not a crime. What you describe is not criminal.
And yet, people in the UK have certainly been prosecuted for looking up jihadi websites with the intent to download bomb-making instructions... Although, the actual crime may be posession of said information? It's hard to tell, particularly living in a country where 'glorifying terrorism' is now a crime - http://en.wikipedia.org/wiki/Terrorism_Act_2006 - as is 'encouraging terrorism' too.
I bet the prosecutors are kicking themselves for not thinking of that one earlier, as well - they could have simply rocked up to certain pubs in Belfast and arrested and jailed everone singing IRA songs ;)
Reminds me of this 2012 story about two British tourists being barred from their flights for tweeting they were going to "destroy America" (slang for "having a blast"):
I wonder how they connect the tweets to the persons? Do they actually actively search Twitter for keywords, and when they hit they dig into it until they have found a name, which they check against their passengers lists? There's probably some shortcuts they can use, but it still seems weird to me.
I would guess they go off passenger list first, then expand from there. Find Facebook, twitter, other social accounts. Then scour for keywords. "So I saw you threatened to 'Bomb that test' when you were in college in 2001, Mrs/Mr tripzilch, please step over here and follow this officer to the enhanced interrogation area".
The way we keep airplanes full of passengers from falling out of the sky is that we talk openly about the risks up front, so that the people who created those risks get fired or demoted, and their bosses (or, failing that, regulatory authorities) make sure the risks get fixed. It isn’t a smart idea to short-circuit that process; that’s how we ended up with things like the Ukrainian famine, the Great Leap Forward, Lysenkoism, and presumably Windows Vista. Use a bit of judgement; we’re trying to have a civilization here, Nero.
What would your response be to the person who "joked" that they were pissed off with United Airlines, and would like to remind them that his house was on the approach path to SFO, and the next time United lost his luggage, he would be more than happy to repay them by taking a few potshots at their 747s with his trusty .22?
Sometimes the way we keep airplanes full of passengers from falling out of the sky, is by looking for, and engaging, potential bad actors. The way to determine if someone is a bad actor, is by looking for signals of such intent. And, I think all things equal, this guy probably was throwing off signals that he was a bad actor, even if it's obvious to anyone who knows him, that he's just being a jackass.
One can't investigate every threat. You have to prioritize. Part of prioritizing is determining how much damage can be done with the resources available to the person.
If someone says "I'm gonna bring down the Golden Gate Bridge with this 12" stick of balsa wood." you don't give them a second thought. They may have hostile intent, but they clearly lack the understanding of how to, or the means to[0], cause harm to the bridge.
If someone says "I'm the operator of this container ship full of high explosives and I'm going to ram it into the GG Bridge and detonate the explosives.", then you investigate that, as the person very probably has both the intent and means to cause actual harm.
We -as a society- used to refuse to be terrorized. We used to laugh off incredible[1] threats as the insanity, bluster, or cathartic ranting that they clearly were. We (or maybe just our investigative and enforcement organizations) freak out much more over much smaller things these days. Our society is poorer and weaker because of this.
I hope that encouraging people to learn to put threats into perspective will help reverse this trend. Perhaps a calm, level-headed populace will calm its over-reactionary leaders, investigators, and enforcers.
I’d tell him that if he wants to waste law enforcement’s time, he’d need to come up with a more realistic threat, and suggest that maybe instead he ought to try going dancing, or maybe relax on the beach. Also, maybe call him up next time there’s a falling bullet injury in Hunters Point.
"I am on a plane messing with what I believe to be control systems" is a threatening message, even if it isn't intended to be. Moreover: every computer system in the world is vulnerable. The process of finding those flaws is disruptive. It can't be the case that knowing in the abstract about those flaws is a predicate to allowing people to disrupt systems to find specific instances of them.
So for aspiring infosec people, can someone explain how he can crack the encryption of EICAS? Different commenters on different site articles claim that the 737 never had EICAS, or maybe they mean that the Oxygen Mask On light is of course not connected to the internal avionics network.
Are there people who know this stuff better and have pointers? I would love to know more.
The 737NG engine instrument display is somewhat similar, except non-engine warnings are on other displays. Some warnings go on the Primary Flight Display. The 737NG also has a warning panel with lightbulbs.
Really dumb of this security consultant to have bragged about tampering with airplane control systems in the middle of a flight.
Really dumb of EFF to make a cause célèbre of him.
EFF's analysis of this situation seems to revolve around the consultant's intent. He's a security researcher, ego not a real threat, and undeserving of scrutiny.
I'd have thought that EFF would be better acquainted with pentesters by now. Anyone who spends a lot of time with pentesters knows that when it comes to disrupting or disabling critical systems, intent doesn't have much to do with the outcome of a pentest. We break shit all the time without trying. We break shit even when we're trying not to. Smart clients who have spent the last decade working with pentesters often have e-l-a-b-o-r-a-t-e rules of engagement designed to avoid prod disruption. We still break shit in prod, even when we follow the letter of the rules.
So this goofy tweet the consultant sends: is it what you'd expect right before a terrorist crashes a plane? Of course not. But is it exactly what you'd expect right before some idiot trips a bug that does something to force an emergency landing? It absolutely is.
Is it outside the realm of possibility that some control system somehow bridged to airplane wireless would have a problem that would allow a passenger to deploy the oxygen masks? It is not. Would that design flaw be idiotic? Yes it would. Does the idiocy of that design flaw mean it's unlikely to be there? No it does not. Virtually every system you interact with in the world has idiotic design flaws. Wait, that's not a question. "Does virtually every system..." YES. YES THEY DO.
So imagine that, just like in pretty much every pentest ever, this consultant is merely poking around trying to see what functionality is exposed to him through this design flaw. No intention to make anything happen at all. Now imagine he purely by accident does manage to, I don't know, deploy oxygen masks. No harm done (stipulate nobody on the flight has a severe heart condition). Plane integrity undamaged. Plane fully capable of continuing along its itinerary. Nonetheless, what's the likely outcome here? Unplanned emergency landing.
There probably is no such vulnerability. But then you have to ask yourself: who in United's flight operations chain of command is qualified to assess whether there is? Really, who in the entire flight safety chain of command, from flight captain through FAA to DOJ, is? There aren't that many people in the world who know how EICAS messages work. All they have to work with is the hypothetical. "Unexpected behavior found in in-flight wireless. Tinkering in process!" That's a threat!
I think the thing that frustrates me most about this story is the fact that it's probably not possible to launch anything more than nuisance attacks from the vantage point of a passenger. And yet because of our (admirable and effective) attitude with regard to flight safety, those nuisance attacks are all economically devastating. In other words, this kind of "research" is unhelpful.
Where EFF made me flip out this time: Nevertheless, United’s refusal to allow Roberts to fly is both disappointing and confusing. As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed. Wat. United's decision here is extremely easy to understand: they do not want to offer service to someone who was willing to disrupt a flight to make a point. Meanwhile: the "security research community" does not deputize its members, make them swear an oath, and given them a little tin badge. No part of this guy's "job" gave him the right to tamper with the computer systems on an aircraft. If EFF thinks that's what it means to be a vulnerability researcher, they are broken. They cannot advocate effectively for legitimate research while promoting the idea of special rights for people who call themselves security researchers.
I second the motion that this is dumb. But weakness of airplane security is not unknown. Numerous presentations had been done at BlackHat and DefCon over the last few years, and people generally received good responses. But does anyone know if these presenters ever contacted the airline authority before they went on stage?
'Corporate types' have a lack of humour at the best of times, but that isn't what is going on here.
It's the 1 in 100, 1 in 1,000,000 chance that the tweet wasn't a joke, but a real threat. They can't take the risk that they knew about it, and didn't take it seriously and 100's died.
I don't get what happened. The airline put up a sign saying don't go past this curtain. You went past the curtain. You were surprised when they told you off?
The people in business class (or whatever it was in front of you) have paid more to be less crowded. Therefore the airline puts up a curtain and asks you not to cross it. That seems super reasonable to me.
You don't like the curtain and sign. A reasonable response might be to fly a different airline or pay to get in that section next time.
Deliberately ignoring the sign, going out of your way to tell them that you're going to do that, and then filming the poor guy when he stops you, that seems pretty far off into psycho land to be honest.
In fact, I'm glad that they went out of their way to protect the people in the seats in front of you from being unnecessarily bothered by people like you hiking past.
I don't know what I'm trying to contribute here, except that whilst I have no problem with EFF working on this, their article here seems overly shrill and over-reactionary at how shrill and over-reactionary the airline was in their response to what (admittedly, in hindsight) could have easily been interpreted as a threat by an over-zealous corporate drone blind to smily-face emoticons.