More on Chris Roberts and Avionics Security

Last month, I blogged about security researcher Chris Roberts being detained by the FBI after tweeting about avionics security while on a United flight:

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There's some serious surveillance going on.

We know a lot more of the back story from the FBI's warrant application. He had been interviewed by the FBI multiple times previously, and was able to take control of at least some of the planes' controls during flight.

During two interviews with F.B.I. agents in February and March of this year, Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane's thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant.

"He stated that he successfully commanded the system he had accessed to issue the 'CLB' or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights," said the affidavit, signed by F.B.I. agent Mike Hurley.

Roberts also told the agents he hacked into airplane networks and was able "to monitor traffic from the cockpit system."

According to the search warrant application, Roberts said he hacked into the systems by accessing the in-flight entertainment system using his laptop and an Ethernet cable.

Wired has more.

This makes the FBI's behavior much more reasonable. They weren't scanning the Twitter feed for random keywords; they were watching his account.

We don't know if the FBI's statements are true, though. But if Roberts was hacking an airplane while sitting in the passenger seat...wow, is that a stupid thing to do.

From the Christian Science Monitor:

But Roberts' statements and the FBI's actions raise as many questions as they answer. For Roberts, the question is why the FBI is suddenly focused on years-old research that has long been part of the public record.

"This has been a known issue for four or five years, where a bunch of us have been stood up and pounding our chest and saying, 'This has to be fixed,'" Roberts noted. "Is there a credible threat? Is something happening? If so, they're not going to tell us," he said.

Roberts isn't the only one confused by the series of events surrounding his detention in April and the revelations about his interviews with federal agents.

"I would like to see a transcript (of the interviews)," said one former federal computer crimes prosecutor, speaking on condition of anonymity. "If he did what he said he did, why is he not in jail? And if he didn't do it, why is the FBI saying he did?"

The real issue is that the avionics and the entertainment system are on the same network. That's an even stupider thing to do. Also last month, I wrote about the risks of hacking airplanes, and said that I wasn't all that worried about it. Now I'm more worried.

Posted on May 19, 2015 at 8:00 AM • 204 Comments

Comments

AnuraMay 19, 2015 8:12 AM

That there is any wireless access to avionics systems seems pretty insane to me. I can't imagine the development process that would allow that to happen considering how rigid the standards are; but I guess it's possible that until they needed internet access and individual devices for video there was no easy access, so no one considered gaining network access to be a realistic threat.

Dimitris AndrakakisMay 19, 2015 8:21 AM

@Bruce: "But if Roberts was hacking an airplane while sitting in the passenger seat...wow is that a stupid thing to do"

From Wired:
"Roberts had previously told WIRED that he caused a plane to climb during a simulated test on a virtual environment he and a colleague created, but he insisted then that he had not interfered with the operation of a plane while in flight."

So Roberts seems to deny that.

Leonardo HerreraMay 19, 2015 8:24 AM

Just the idea that a cable from an isolated control network could be wired behind a panel in a plane that could be accessed by a passenger, that would be enough of a security concern to me. But the avionics network sharing any resources with a publicly accessible network seems beyond stupid.

If anything of this is true, then the inmates are running the asylum.

(To the previous commenter, I don't think wireless was mentioned.)

AnuraMay 19, 2015 8:37 AM

@Leonardo Herrera

You're right, I read in-flight entertainment and assumed it was through the wireless systems (which is used for passenger internet access as well as the video tablets).

Andrew WallaceMay 19, 2015 8:38 AM

Experimenting on a live aircraft full of passengers when you cannot be sure of the consequence is endangering an aircraft.

The male doesn't know how the electronics of the aircraft will behave because of a rogue command.

It could confuse the aircraft and send it into a nose dive to correct the 'climb' command that he is reported to have instructed the aircraft to carry out.

Why this male has not been put even on primary charges is a mystery to me.

In the UK we would not have released him without charge.

We would have got him for at least a breach of the peace.

But I feel there is a strong case for endangering an aircraft by carrying out a live experiment where the consequence wasn't known.

I believe it is within the public interest for the male to be charged.

I want decisive action to re-arrest the male.

The rest of the security research community should distance themselves from him entirely.

He is a grown man who has alleged to have taken control of an aircraft mid flight: That is usually called hi jacking an aircraft.

There is enough here to throw the book at this male but I feel that the FBI are consulting with others before deciding what to do.

My overseas colleagues at the FBI have not been tough enough with the male in question thus far.

I'm happy to meet with people in the United Kingdom on my stance in this post.

Andrew

WinterMay 19, 2015 8:57 AM

"Why this male has not been put even on primary charges is a mystery to me. "

"It did not happen" might be a good explanation.

paulMay 19, 2015 9:17 AM

It's probably a bad sign for the public credibility of the FBI that my first thought when I read that story was, "Oh, the FBI either accidentally or deliberately misunderstood what he said about hacking a simulation." Of course, it's possible that he did the same thing to a real flight that he did to a simulated flight, but it seems odd that he would deny it to someone who couldn't put him in jail and assert it to someone who could.

Vincent ArcherMay 19, 2015 9:21 AM

Note that a fairly large segment of the Aerospace engineering community is calling bullshit on that story.

Despite what one may think, airplanes have to undergo certification before being allowed to use any US airport, and that certification specifically prohibits any form of physical interconnection between avionics and passenger-accessible networks. All modern airplane models are built according to those specifications, and retrofits of older airplanes are required to undergo certification, which will be rejected by the FAA and almost all authorities.

In other words, if an airplane that was vulnerable to M. Roberts hacks was flying, it would be an airplane that has not undergone certification, and attempting to flying it over the continental US would probably result in a massive fine for the company that attempted that stunt.

ZenzeroMay 19, 2015 9:36 AM

@ Paul

"but it seems odd that he would deny it to someone who couldn't put him in jail and assert it to someone who could."

That thought crossed my mind too and ironically, he had met with the FBI at their request 3 times when they were asking for guidence/help in stopping hackers from attacking planes.

BradMay 19, 2015 9:55 AM

@Vincent

You're making a pretty big assumption that the FAA and other aerospace people have the technical expertise to understand how the IFE system may interconnect to avionics despite whatever claims the manufacturer might make that they are isolated (either physically or logically somehow). They aren't info security experts, that much is incredibly clear. They'll claim in one breath "There's no problem here, we're obviously secure from hackers." while in the other screaming "He ought to be locked up, he can whistle launch codes into a payphone and start WWIII!". They have no idea what they're talking about.

K.S.May 19, 2015 9:55 AM

The automotive industry has the same problem, infotainment system is directly connected to CAN bus and has been exploited. Now that in-dash browsers getting rolled out it is only matter of time until someone rolls out malicious script for run-away acceleration via Ad Network targeted at cars.

As to Roberts, he had to do it "while sitting in the passenger seat". Airplane manufacturers are doubling-down on security through obscurity, and it isn't like non-state actors could buy an airplane to conduct research on safely. Still, yes, this isn't safe...

Frequent ReaderMay 19, 2015 10:00 AM

In the original blog post I was shocked at his actions while many assumed he was harmless and was in fact the victim of the FBI and United. The reactions on other news sites by other security researchers were a bit shocked by his actions. Now it seems the folks on this site, are in the same boat as everyone else.

Don't pen test a plane carrying passengers you ignoramus. He knew what he was doing was wrong as he said: “There IS a distinct possibility that the course of action laid out above would land me in an orange suite [sic] rather quickly :)”

Everyone remain calm, he put a smilie at the end of that comment!

bizzyunderscoreMay 19, 2015 10:01 AM

Vincent, both Boeing and Airbus have filed what are called "Special Conditions" as part of the certification process for their large passenger jets. These filings disclose that the avionics and IFE networks do share physical media and network infrastructure like bridges and routers. The filings also disclose that the only thing segregating passenger traffic from control traffic are software firewalls, integrated into the routers joining the avionics and passenger segments. Here's a filing from Boeing for the 787: https://t.co/RLbCGYXGPn

Sancho_PMay 19, 2015 10:02 AM


Don’t fall into the elite’s honeypot: Officials unofficially accuse someone until he’s guilty.

I concur with Robert Graham:
( http://blog.erratasec.com/2015/05/our-lord-of-flies-moment.html#.VVpY375YxKM )

“Likewise, the FBI is notoriously dishonest.” [Rem: That‘s part of their job, don’t expect otherwise]

“There is a war on researchers.” [Rem: Yes, if they embarrass the powerful]

Suspicion isn’t guilt.
Technicians should know better.
Also:
This allegation is intentionally distracting from the real point.
A smokescreen, set up by the powerful, to hide their wrongdoing.

The real point is twofold:
First is the poor construction in awareness of ill willing people.
Second is the inadequate reaction to concerns regarding safety, from manufacturer to authority.

And last but not least it’s an unneeded vulnerability.
See Winn Schwartau and Robert Steele:
http://www.phibetaiota.net/2015/05/winn-schwartau-airlines-in-cyber-panic-plus-robert-steele-comment/


To get it right we should try to see it from the other side:

1) Vulnerabilities are wrong, hacking is not.
2) To exploit vulnerabilities is wrong, hacking is not.
3) To steal data / IP / whatever is wrong, hacking is not.

4) To report vulnerabilities is welcome and must be rewarded.
5) To hide vulnerabilities is wrong and must be punished.

Simple, isn’t it?
But it doesn’t make money.

AnonMay 19, 2015 10:06 AM

@Andrew Wallace: threatening or arresting the guy is dumb. That will make him shut up, on advice from his attorney. You want to gain his cooperation, to get the details on how to correct this. But authority figures gonna do their authority trip, because that's all they know. He went for the dramatic because (as we've seen in the past) security people point out problems and are ignored. Then it gets real and the first/emotional response is "kill the messenger." Fools.

paulMay 19, 2015 10:07 AM

I wonder what kind of logging there is for commercial aircraft busses. Obviously there are black boxes, but those typically only get examined in case of incidents/accidents, and I don't know if they log commands or only aircraft actions. Is there other logging, or are systems supposed to be stable enough (and constrained enough) that it's not required? Because otherwise unless Roberts logged his actions in an accessible way there's not much solid to base a prosecution on.

Andrew WallaceMay 19, 2015 10:10 AM

"You want to gain his cooperation, to get the details on how to correct this."

FBI have his computers to work out what he done. It is called forensics. Why would they want to buddy up with someone who recklessly puts the public at risk?

Andrew

Andrew ConwayMay 19, 2015 10:10 AM

Yes, I blogged about this yesterday. If you read the search warrant, it's full of typos, and the idea of making a plane fly sidewards is aerodynamically questionable. The warrant was obviously put together under time pressure with no proof reading or review, so my feeling is that the officer doing it was looking through the transcripts or notes from Roberts previous interviews and took some comments that applied to the emulator out of context, and thought they applied to a real plane.

Nevertheless, the fact that Roberts joking tweet got such an extreme reaction indicates that the airline and/or the FBI think that this is a genuine threat. Don't shoot the messenger. Fix the vulnerability, or prove that it doesn't exist.

Christopher PiggottMay 19, 2015 10:17 AM

I find it strange that an engine would have a CLB (climb) command. That doesn't seem like something I would put into the software model of an engine. Makes me wonder about ALL technical aspects of the reporting.

Jim LippardMay 19, 2015 10:18 AM

"Despite what one may think, airplanes have to undergo certification before being allowed to use any US airport, and that certification specifically prohibits any form of physical interconnection between avionics and passenger-accessible networks. All modern airplane models are built according to those specifications, and retrofits of older airplanes are required to undergo certification, which will be rejected by the FAA and almost all authorities."

Except for the FAA Special Conditions rules for the Boeing 787 and Airbus A350, as per p. 20 of the GAO report? (http://www.gao.gov/assets/670/669627.pdf)

SteveMay 19, 2015 10:27 AM

No one seems to have considered the possibility that this clown is just running his mouth.

Sorry, but all the stories I've seen on the subject just don't pass the sniff test. If he's done what the FBI (and Roberts himself) claim, where's the evidence?

I can claim I robbed fifteen banks but unless there are records of fifteen banks being robbed, I'm just blowing smoke.

KoehlerMay 19, 2015 10:31 AM

Robets can "claim" anything he likes, but the 'report' that he did (or could) hack into airliner flight control systems is literally incredible (beyond belief).

Problem seems to be over-eager, nontechnical FBI agents misunderstanding Robert's claims and possible exaggerations. Simple passenger hacks into the cabin entertainment system... were falsely expanded to a Movie-Plot
scenario.

This juicy 'story' then exploded into the media and internet ... due to the nominal credibility of the FBI backing this story. The facts will take weeks/months to catch up to the Movie-Plot.

[ and it's very simple for the FBI or United to invite Roberts & his laptop out to a real airliner (powered up on the ground) ... to demonstrate the truth of his hacking skills]


BeepeepeepMay 19, 2015 10:31 AM

@Andrew Wallace

It depends entirely on if he injected commands into the aircraft's systems for if he should be charged with endangering lives.

If he only simulated data injection on his personal equipment, then he shouldn't be treated as if he put lives in danger. I've yet to hear a compelling argument to the contrary.

Andrew WallaceMay 19, 2015 10:41 AM

Has he got the skill set capability to research and carry out hacks not known to industry or is he simply using tools of a standard penetration tester modified for aircraft use? We should find out this stuff.

Andrew

Vulnerability ResearcherMay 19, 2015 11:19 AM

@Dimitris

From Wired: "Roberts had previously told WIRED that he caused a plane to climb during a simulated test on a virtual environment he and a colleague created, but he insisted then that he had not interfered with the operation of a plane while in flight."So Roberts seems to deny that.

And yet, a number of posts afterwards do not take this in mind when writing their posts...

@All
As an actual vulnerability researcher, I very often - over the course of my career - have seen people who state their opinions on our work without ever actually engaged in the work their own selves. This is often grating to me, but I am used to it. Point is, if you have never actually done this sort of work, you do understand it is beyond your knowledge and skillset, right? So, why are you assuming you understand it, though it is not your field, and you have not put in the time and effort to try and understand it?

That this field is so core to much intelligence, military, and law enforcement work is especially meaning it is a field that is remarkable in how often decisions are made without understanding anything about it.

One needs to bear in mind here: this is not a field where you have people twenty years ago with doctorate degrees operating in it. It remains poorly taught in computer science curriculum, and much of the technology and operations of the field did not even exist ten years ago, much less, fifteen years ago.

This means the law enforcement involved very often won't even have an advisory expert. They may have technicians, but being able to have someone who has actually experience in that field, this they will not have. So you can expect cases like this.

It reminds me of a murder documentary I watched the other day. Small town cops try and solve a mass murder in their city. Horrible work. They stayed on one very unlikely suspect for years and refused to throw out that theory or let evidence guide them. Does this happen on the federal level? Of course it does. These guys don't have much training to begin with.

There are vulnerability analysts - computer security researchers - who work for the FBI. And guess what they are doing? For the most part, they are working at defense contractors finding security bugs for their most covert operations, such as those involving counterintelligence. They are surely not advising FBI on cases like this.

Lawyers definitely are not capable of doing this. I suppose there are a lot of people who may even work in computer security, but they hear opinions of federal special agents and their lawyers and think that is authoritative? They do not have much experience in even their very niche branches of computer security, or they would not offer these sorts of opinions.

Fact is: I have that experience, but I can not offer much opinion on this case. Ars originally reported this quote above from the FBI as the FBI claiming it meant he really did take control of the plane in flight. I immediately dismissed that, noting the explanation given by the suspect that it was one quote from many hours of discussions taken out of context. That was highly believable to me. Reading the above, that was one consideration I had, that he simply had a string of sentences which, if people wanted, could take entirely out of context.

That said, I do not know the guy. There are some security researchers who do really dumb stuff. Not many, not many professionals. Why? Because it is your job and you know the boundaries or you are a noob. For all I know, the guy could be involved in 'who knows what' off hours weirdness. Who knows. I do not know the guy.

But as this stands, from the evidence we have, nothing happened. The guy made some flippant remark on twitter, it was misconstrued. Maybe he has a history of performing unauthorized research, so it was right to be cautious. Or maybe the feds just don't have much to do and wanted an arrest.

The later is far more the norm then the exception.

In context of making such statements of slander simply to pose as an "expert" and as "patriotic" or "pro-law enforcement", and other such nonsense is entirely unflattering.

It is simply 'mob rule', and is anti-'law enforcement' as one can get.

Unless locking up innocent people and letting guilty go free is your idea of being 'lawful minded'... :/

Andrew WallaceMay 19, 2015 11:28 AM

WIRED comment does not prove one or the other.

WIRED comment only shows that he (might have) tested on a closed environment before recklessly trying it out on the real thing.

Andrew

Vulnerability ResearcherMay 19, 2015 11:39 AM

@paul

It's probably a bad sign for the public credibility of the FBI that my first thought when I read that story was, "Oh, the FBI either accidentally or deliberately misunderstood what he said about hacking a simulation." Of course, it's possible that he did the same thing to a real flight that he did to a simulated flight, but it seems odd that he would deny it to someone who couldn't put him in jail and assert it to someone who could.

Somebody tried to make it into a sensational news story before the basic facts were even investigated, is what it looks like.

As for "FBI credibility", they have enormous credibility in some areas, and many of their agents are critical for the computer security process. Those agents and that work even has some level of credibility, though much of that work is new and few of the good efforts ever make the mainstream news.

But, when I read your statement I am reminded of the Sabu case. Why? Because the FBI controlled Sabu while he engineered extremely damaging hacks on major defense contractors and other important national defense or law enforcement sites. Further, they controlled Sabu while he engineered attacks, globally, on what is a target list typical for American intelligence, such as foreign embassies and foreign government institutions.

Did any of that make the mainstream news? No. And what does that say about FBI credibility in *some* computer cases? It is horrendous.

Conversely, the most routine good cases they operate in this field they do not send to all news sources and perform press releases and "accidental" anonymous leaks on... to bolster some people's careers and assure everyone they are "doing something".

Not that many arrests are made in the field. The field is chaotic, and an enormous amount of the work is performed by corporations. That is very much unlike most other areas of crime. Corporations do not solve murders or can offer much on burglaries or violent crime. Even if they could, they do not have the capacity to lock up people.

In computer crimes, it tends to be about not locking up people, but simply getting their money back.


GF FounderMay 19, 2015 11:44 AM

So it's pretty safe to assume that the bad actors are also trying to expand their exploits on in-flight networks.

If this were not the case, I'm sure this discussion wouldn't be in the press and public forum.

Is it really a stretch to expect in-flight network engineers to put up air gapped networks, VLANs, etc????

Technology can fix plenty, but it can't fix stupid.

OliverMay 19, 2015 11:44 AM

Hi Bruce
I'm a bit surprised about your quiet acknowledgement of the facts as they are reported. During those Snowden revelations you came out forcefully (and rightly i might add) against that kind of government surveillance. But here you almost seem like it's just a concern. I would have wished an equally forceful oppositon to these airplane stunts, because you are an authority and public face of computer security research.

Oliver

John Galt IIIMay 19, 2015 11:55 AM


Anything involving government agents or agencies is suspect. The currency of their realm is image, not substance. Here's a dark chapter of FBI history:

WHITEY & THE FBI | Part 4: The price of protection
The Boston Globe
Cases disappear as FBI looks away
http://www.boston.com/news/local/massachusetts/articles/1998/07/22/cases_disappear_as_fbi_looks_away
At the dawn of his deal with the FBI, James “Whitey’’ Bulger was an angry leg breaker at a Dedham restaurant looking to collect an unpaid loan. Leaning across a table, he gave the owner a choice: Pay, or have his ears cut off and stuffed in his mouth.
...
Some potential cases that went nowhere:
- In 1982, a wise guy turned FBI informant was gunned down after Connolly, according to testimony, told Bulger and Flemmi that the man had implicated them in a string of gangland slayings and the murder of an Oklahoma businessman.
- In 1984, a Boston police detective told Connolly that Bulger and Flemmi were trying to seize a liquor store owned by the detective’s relatives with a “can’t refuse’’ offer. But Connolly did not report the incident to superiors and, within days, Bulger sent word to the victims that he knew they had complained to the FBI and warned them to “back off.’’
- In the late 1980s, FBI agents John Newton and Roderick Kennedy failed to document or follow up on a realtor’s claim that a gun-toting Bulger threatened to stuff him in a body bag if the realtor didn’t pay him $50,000.
- In 1988, another FBI agent, supervisor John Morris, who had pocketed $7,000 in payoffs from Bulger, warned Bulger and Flemmi that the FBI had tapped the telephone of a Roxbury bookmaker who worked for them. While indictments resulted from the wiretap, including some Boston policemen for taking payoffs, Bulger and Flemmi went untouched.

Andrew WallaceMay 19, 2015 12:02 PM

My understanding is the male made the oxygen tweet.

Member of the public contacted United on Twitter.

The twitter junior contacted seniors and the seniors contacted FBI.

All this idea of surveillance of the male's Twitter account is absurd when it can be simplified to the above I've explained.

United and FBI have better things to do than stalk out every tweet of an attention seeker.

Andrew

GaryMay 19, 2015 12:05 PM

As I see it the first question to be answered is "did this thing actually happen?" and until that is answered everything else is speculation. Has anyone asked Roberts to clarify? Wouldn't United have a record of any unexpected deviations from flight path?

AndrewMay 19, 2015 12:06 PM

steve: "I can claim I robbed fifteen banks but unless there are records of fifteen banks being robbed, I'm just blowing smoke."

We are living in Dark Age of digital era where people are convicted based on text assumed to be sent from their computers.

In this age of RATS, backdoors, hackers and surveillance anybody can be framed by being impersonated with a simple tweet, so this is the first things that should be denied or kept silent if the police state ever tries to link something like this to you.

The people are put in jail or even killed based on internet text/records without further investigations. The simplest file or message related to the victim is today a proof. Nobody cares to look for more physical evidences.

I just wonder how a plane could fly sidewards or if any of you being able to access the flight commands while in a plane would ever risk to perform a software command...

65535May 19, 2015 12:10 PM

@ Vincent Archer

“Note that a fairly large segment of the Aerospace engineering community is calling bullsh*t on that story.”

I agree that most airline “experts” are indicating this is not possible and Roberts is generating media coverage for himself [and his company].

I think the FBI is having difficulty cracking his laptop and other equipment to see what hacks he really has. If they had a case Roberts would be booked and probably in jail.

[example posts from Airliners.net]:

mandala499
There is an ARINC feed to the IFE system used for the flight map display and other flight details... but that's about it (and that's probably how he can tap into data about the airplane streaming through)... its a one way feed. That goes to the IFE server or designated data bus gateway. From there, the wiring is separate from the essential databus/link for the flight controls and flight management. Even the power cabling is separate... it comes out of the IFE server or power gateway depending on the architecture you use.

The FBI probably pulled him off for suspicion bad intent or to ensure he doesn't spread undue panic.

The real security risk from most onboard internet is your personal security... A connected cabin with today's atchitecture is a petty thief's aladdin's cave... not a terrorist's path of least resistance.

This IT guy forgot that there is a physical power supply switch for the galley/IFE... if it gets through (in his wildest dreams), just switch it off and the hack is finished.

sunilgupta

On what basis do you make this statement? Very few busses are actually bi-directional on the same wires. If I give you only the TX relative to the source) and GND from an RS-232 cable, then you have a one-way serial feed. ARINC 429 is similar - separate TX and RX sides. Trying to send data on the TX would result in - absolutely nothing at best or temporarily stopping the transmission at worst. And lest you think that shutting down the TX will somehow screw up the airplane, it won't... it only means that you won't be getting data.

Sunil

CALTECH From United States of America, joined May 2007, 2540 posts, RR: 26
Reply 35, poste

Quoting 777ER (Reply 5):

Anyone can plug a laptop into the box underneath his or her seat and reach key controls in the plane, such as engines and cabin lighting. That's the claim made by Roberts and the cybersecurity firm he co-founded, One World Labs."

Pure fabrication. Drama queen trying to get attention. Not possible.
Quoting HAWK21M (Reply 11):

How can you hack the Aircraft system through the Entertainment system......Its not possible.

Totally agree.

Quoting moo (Reply 13):

I've read the article, the blokes a loon and has no creditability in actual IT security circles.

He's the IT equivalent of chemtrail enthusiasts and anti-vaxers.

Just trying and succeeding in bringing attention to himself and his company. Making statements he can not back up.

Quoting FlyHossD (Reply 17):

His claims are bogus. Hacking an entertainment system is not the same as hacking the other aircraft systems.

In the article I saw, he claimed to be able to hack the 737s EICAS. Um, the 737s don't have one like the newer types.

This Roberts gent is full of it. Working on IFE systems and seats over the last decade, there is no way. Fabrication. Heard the 787 had a concern but the issue has been deactivated and it wasn't the IFE system.

Quoting Aquila3 (Reply 22):

All these discussions are pointless until someone hints us with how this can be done from a technical point of view and this, for a lot of reasons, won´t happen. I cannot believe that A or B or any avionics manufacturer made so stupid mistakes on security design. People is watching too much cheap movies about IT and news are leveraging on that .

Can not be done. This Roberts guy hasn't a clue.

Quoting mandala499 (Reply 14):

There is an ARINC feed to the IFE system used for the flight map display and other flight details... but that's about it (and that's probably how he can tap into data about the airplane streaming through)... its a one way feed. That goes to the IFE server or designated data bus gateway. From there, the wiring is separate from the essential databus/link for the flight controls and flight management. Even the power cabling is separate... it comes out of the IFE server or power gateway depending on the architecture you use.

Total hogwash by this guy Roberts. As mandala499 states, the cables have no physical connection other then power to any other system. Data Cable runs for the engines are not even in the same area as the entertainment cables. Wireless IFE systems have no connection to aircraft data other then the simplistic aircraft flight display for the moving map. Wireless or a laptop hooked up to a seat is not how aircraft computers are loaded or give their data to displays and flight computers.

http://www.airliners.net/aviation-forums/general_aviation/read.main/6375985/1/#1

TrippinMay 19, 2015 12:22 PM

Somebody should hire Chris Roberts: the TSA, the FBI, the airlines. It's a mistake to treat security researchers as if they were a threat. They are a resource!

Andrew WallaceMay 19, 2015 12:28 PM

"United and FBI have better things to do than stalk out every tweet of an attention seeker."

Hence why United banned him from the airline so they wouldn't need to bother checking his tweets everyday.

As for the FBI they don't have the attention span or interest we do to check his tweets everyday unless there is a clear law broken.

FBI have other cases to get on with.

Anyone monitoring his account are members of the public and general security enthusiasts who would be more than happy to flag up anything to an airline that looks suspicious.

Andrew

999999999May 19, 2015 12:33 PM

@Andrew Wallace
"Experimenting on a live aircraft full of passengers" did not in fact happen. There is this software program that people can run on their computer that makes it look like a different computer . It is called a virtual machine. According to all accounts Mr. Roberts (AKA "the Male") created such a virtual system and made a virtual airplane make a virtual turn(or spin or whatever the aerobatic maneuver is called). Mr. Roberts further contends that had he been sitting in an actual plane he could have made it turn also. But he didn't. He did make a tweet and that is not a crime. The FBI did many things wrong but they rightfully ignore the rants from "Security experts"(AKA Mr. Wallace) who can't perform a simple reading comprehension task.

"FBI have his computers to work out what he done." Yes. It is called illegal search and seizure.
"It is called forensics." It is called encryption. What blog did you think you were posting this to? reddit? i love ponies? ScriptKiddies.com?
"Why would they want to buddy up with someone who recklessly puts the public at risk?" I don't know why they want to buddy up with the airplane system manufacturer who put everyone at risk by building crapware. They should instead be talking to the security researcher who found the vulnerability (4 years ago!), made it public and finally got some attention for it due to their authoritarian yet clueless reaction.

"Has he got the skill set capability to research and carry out hacks not known to industry or is he simply using tools of a standard penetration tester modified for aircraft use? We should find out this stuff." We should? Who is this "we" you speak of? I don't think anyone owes you any explanations. If you want to know about this stuff I suggest you read a book on software architecture, then read a book about avionics systems and software. This is called doing the work yourself. All I see here is a researcher who did the work (Mr. Roberts) and you wanting to benefit from his hard work. Do the work yourself or read about it in the open media like all the other peasants.

"My understanding is the male made the oxygen tweet." Your understanding has been known to be wrong in the past so "We" can just ignore this part of the rant.
"Member of the public contacted United on Twitter." But was it a male or female. Inconsistency in terminology is a sign of kludge code.

"All this idea of surveillance of the male's Twitter account is absurd when it can be simplified to the above I've explained." Thank you for explaining. It is not absurd. Snowden's ex-employer was monitoring his Twitter feed->They contacted the FBI and manufactured an alternate yet plausible route for the information-> FBI arrests Mr. Roberts -> Mr. Wallace goes on a rant and calls a plausible explanation "absurd".

"United and FBI have better things to do than stalk out every tweet of an attention seeker." All evidence points to the contrary.

Andrew WallaceMay 19, 2015 12:39 PM

"All evidence points to the contrary."

All evidence points to a crazed attention seeker who tweets a lot and has grandeur delusions about state surveillance as a result.

Andrew

Wallace AndrewsMay 19, 2015 1:04 PM

@Andrew Wallace

Why do you keep referring to Chris Roberts as "the male"?

Also, why do you sign your name to your comments even though your name is clearly displayed at the top of every comment you make?

Vulnerability ResearcherMay 19, 2015 1:04 PM

@Trippin

Somebody should hire Chris Roberts: the TSA, the FBI, the airlines. It's a mistake to treat security researchers as if they were a threat. They are a resource!

They do, anyone with any kind of credentials has a job. This guy in question has a job.


Vulnerability ResearcherMay 19, 2015 1:25 PM

@John Galt II, @Andrew Wallace, @the case

Anything involving government agents or agencies is suspect. The currency of their realm is image, not substance. Here's a dark chapter of FBI history:

in which the poster details a story of some corrupt FBI agents in the Whitey Bulger case


Andrew, you make a lot of posts like these. It is the common error of extrapolating singular security events and making global rules from them. There is endemic "corruption" in first world powers, but it is rarely because of agents and agencies literally taking money from criminals or terrorists. There are situations in countries where this is patently not true. For instance, in Mexico, there is rampant corruption of that kind, and Pakistan or Bangladesh are other good examples, albeit on the other end of the spectrum of corruption.

In first world nations the corruption is more about incompetence and bad processes. There are an enormous amount of people who do not actually end up doing anything, because there is very bad oversight and a strong willingness to have resources to use and money to spend. If you contrast these governments to criminals, you might figure them as 'like those who engage in secret ponzi schemes pretending to be investment counselors'. It is worse, however, as they know they are not actually doing anything helpful deep down, but they live a lie of a life pretending otherwise.

Like with investment counselors secretly using ponzi schemes to keep their boats afloat, they rely on secrecy to evade detection.

And they rely on obscurity of their work.

On this case, the federal investigators probably were wrong to investigate this matter. Somebody made some joking statement on twitter. Was there evidence that they, in the past, had seriously done anything like this? As far as the evidence we have at this time, no.

"Federal investigators do not have the time to individually watch all twitter statements from potentially suspect individuals"

That is a very untrue statement. In fact, there is an immense glut of individuals working in the mass Industrial-Law Enforcement-Intelligence Complex who have literally nothing to do. I mean, they do work, sure, but it is duplicative of other work, and really provides anything of value. It all ends up into mountains and mountains of paper analysis work that is absolutely worthless to read.

Your statement implies you are ignorant of this fact, which means you do not know very much about how the system operates in America. I think you should probably disengage from conversing on areas entirely alien to you. My understanding is, further, that you are British, so of course, you do not know anything about how these matters work in the States.

As a clue, you can note that the Iraq War never should have happened. Which means that was a massive failure on the heads of an immense number of people in US and British - and other first world nations - intelligence and law enforcement infrastructure.

FYI, I, personally, am not against the efforts there. But for very different reasons. It was valuable to invade and screw up the area so that the larger problems of Islamist supremacy in the region could be addressed. And, I am also not alarmed by the massive mountains of useless activity in these governments, because they serve a very useful purpose of effectively operating as disinformation and diversion for all real useful projects.

But those who do not even put those basic components in their analysis are really missing everything entirely. It reminds me of those who sell snake oil to live forever, but then do not bother about the fact that while they made some money... they are not actually living forever.


Tony H.May 19, 2015 1:40 PM

@Andrew Wallace

"I believe it is within the public interest for the male to be charged."

"I want decisive action to re-arrest the male."

Etc. ad nauseam. Proof, as if it wasn't clear earlier, that "Andrew Wallace" is just a poorly implemented bot with the self-importance knob turned up too high..

MarkHMay 19, 2015 1:44 PM

@Christopher Piggott:

I had the same thought: why would an engine controller have a "climb" command? Does the controller really need to know where the engine is going?

I've just done a little web searching, and found that CLB is a commonly used term for a thrust management mode on jet aircraft.

In the olden days, pilots controlled thrust throughout the flight by positioning the thrust levers (which in the early days of jets were simple fuel throttles). Now that things are highly automated, thrust levers are inputs to an electronic control system, and outside of the "analog range" in which thrust lever position maps smoothly to varying thrust settings, there are several detents (positions at which the lever "clicks" into place), one of which is CLB.

(A more famous thrust management mode, with its own detent, is TO/GA for Take-Off/Go Around, corresponding to the maximum safe thrust the engines can provide temporarily at low altitude.)

CLB corresponds to the maximum thrust for climbing the aircraft, which may or may not correspond the MCT (maximum continuous thrust, an engine integrity limit) depending on circumstances (for example, whether one engine is shut down).

So indeed, typical jet engine controllers (called FADECs, for Full Authority Digital Engine Controls) for transport planes do indeed accept a "CLB" input/command as part of their control input domain.

JustinMay 19, 2015 1:59 PM

"I would like to see a transcript (of the interviews)," said one former federal computer crimes prosecutor, speaking on condition of anonymity. "If he did what he said he did, why is he not in jail? And if he didn't do it, why is the FBI saying he did?"
There seem to be a lot of doubts about whether he actually hacked into anything on that particular plane at that particular time. My take is that the FBI just wanted to look at his laptop to make sure, and the tweet gave them probable cause. I seriously doubt they have or expect to find sufficient evidence to charge him with any crime for that particular incident. If they did, of course he would be in jail.

MarkHMay 19, 2015 2:24 PM


When Your Head is in the Clouds, You'd Better Keep Your Feet on the Ground

Acknowledging that there are lots of unanswered questions related to this story, here is my summation of what seems most likely true, based on published reports.

Starting with Roberts' own statements:

1. Roberts claims to have made an ethernet (wired) connection to under-seat in-flight entertainment (IFE) boxes on several flights.

2. Roberts claims to have used this connection to "sniff" IFE network traffic.

3. Roberts claims to have "logged in" to one or more IFE boxes using default credentials.

4. Roberts claims to have assembled (on the ground!) at least one system to simulate an airliner data network, perhaps including some real airliner hardware (for example, an IFE box which is easy to purchase).

5. Roberts claims to have successfully commanded an engine controller on his simulated airliner network.

6. Roberts claims that he has not tampered with flight controls on any airliner.

Note well that these claims do NOT include "penetration testing" against the flight control network. Note well that published reports do not include any evidence that Roberts interfered with anybody's watching of in-flight movies, or playing of casino games, let alone evidence that a flight on which Roberts was a passenger experienced an engine control disruption.

Moving on to sources other than Roberts:

7. An FBI search warrant application claims that Roberts claimed to have substantially changed to flight path of an airliner on which he was a passenger, via his internet connection. Note well that this is meta-claim: a claim about a claim.

8. Other aviation and security analysis sources have suggested that Roberts' ground simulator includes non-aircraft elements, in part because the genuine avionics would be difficult and/or extremely expensive to obtain; and further, that Roberts' ability to send a command to an engine controller depends on his simulator lacking safeguards that exist in the actual airliner networks.

Now, consider that the FBI can readily obtain a list of flights on which Roberts was a passenger; that cockpit crew would surely notice a large asymmetric thrust excursion they had not commanded; that the flight data recorder would surely include a clear record of such an anomaly; and that such an anomaly would likely trigger at least a maintenance log entry, and perhaps a safety investigation.

If what the search warrant claims had actually happened, how likely is it that there would be no reference to the specific flight with which Roberts supposedly interfered?

I suggest that the simplest hypothesis consistent with available information, is that FBI agent Mark S. Hurley made an innocent f*ck-up in writing the warrant application, confusing a statement Roberts made about his simulator experiments with an exploit against an airliner in flight. Probably, such understandable and human mistakes appear in warrant applications quite often, but because of the sensational nature of the claim, and the attendant press coverage, this poor agent's mistake is going to get a lot of embarrassing exposure.

ZenzeroMay 19, 2015 2:26 PM

@ Tony H. on

He's a troll that been going for a while and constantly banned on forums, google his name n3td3v, enjoy 8+ pages of troll reports all leading back to Wallace. Interestingly, his address on his dns registration for his site points to a location called "st Andrews house" (really), which is a government building in Edinburgh, and a call there reveals no one of that name is known to them.

Troll or deluded and living a weird walter mitty'esq reality where fraudulently pretending to be part of the IC is ok.

Andrew WallaceMay 19, 2015 2:49 PM

I can confirm I've never been a troll and use my real name while online.

What you see on public search engines is criminals and online trolls attempting to undermine me and create problems.

This characteristic is similar to what "Zenzero" is doing at the moment.

The people carrying it out do not have the audacity to use their real name or link to a verifiable Facebook profile.

Therefore I tend to ignore them until they can prove their assertion is sincere.

Andrew

Marcos El MaloMay 19, 2015 3:28 PM

I would like to stay out of this, but Andrew Wallace certainly engages in all manner of troll behavior. Regular readers of the comments know that he cannot be taken at face value (much as we have tried and hoped for a change in behavior). If it walks like a duck, quacks like a duck, and in every major respect behaves like a duck, it matters little if it claims it is not a duck.

If there are any questions about the accusation of trollery, please visit this thread: https://www.schneier.com/blog/archives/2015/05/more_on_the_nsa_1.html#comments

Witness Andrew Wallace's behavior, including derailing the discussion, not supporting his arguments, and making legal threats. I'm surprised he hasn't been banned for making threats.

Let's just ignore the troll before another article is hijacked.

Andrew WallaceMay 19, 2015 3:37 PM

I've checked the thread you've linked to.

That is criminals and online trolls who were attempting to undermine me.

They were asked to prove their identity at every turn but were unable to do so.

Pinch of salt comes to mind.

Andrew

Vulnerability ResearcherMay 19, 2015 3:47 PM

@Andrew Wallace, @the post

WIRED comment does not prove one or the other.WIRED comment only shows that he (might have) tested on a closed environment before recklessly trying it out on the real thing.

Actually, in context, the statement is worthless. It is proven worthless. Why? Because, for one, he made statements which did implicate himself. For instance, he admitted to Wired he had made unauthorized network penetration tests on airplanes while they were flying.

Maybe he has actually taken controls of an airplane in flight, but there is not evidence of that which is given to the news that can stand up in court.

This does not matter, however, as he has admitted to unauthorized access of their networks to perform security reviews on. Even if that access was just "passive" collection and exploration, his access was unauthorized and so illegal.

It is highly unprofessional for a security researcher to do that.

This is the same kind of thing people slammed the FBI for in the Silk Road case. It is definitely within the bounds of the most basic computer federal law of unauthorized access of a computer.

If you want to test a company's live networks, get hired and get permission. Otherwise, do not do it.

If you want to test a company's applications which reside on your own system and your own networks, you have the legal right to do that.

But testing web applications of a company that has not authorized you to do this where those applications reside on their systems and their networks is illegal. And very reasonably so.

Likewise, and how much moreso, testing airplane networks on flying airplanes, lol. WTF.

How is this unprofessional? Even web penetration testers know when they test web apps they have to schedule the testing. They will usually test on debug, not production sites. Anybody who ever tests any kind of applications on other people's servers and networks knows this drill -- whether they are inhouse or outside consultants.

But it is also illegal, and at a very basic level illegal.

Is it worth pursuing the guy for? I do not know. Probably. He does not even understand he should not be exploring inflight networks, that he has no right to. He is not stupid, so there must be some other problem.

Has he taken control of an actual airplane in flight? Evidence of that is not given, it appears to be misconstrued statements of his made to investigators. Confessions, in general, are horrible sources of evidence, anyway.

They should stick with the charges of unauthorized access and keep it to that, unless he wants to change his story. As it stands, he has not changed his story, and there is no evidence he did anything but passive network exploring. That is, however, illegal enough.


BystanderMay 19, 2015 3:49 PM

There was a lot of talk about if this was really possible/done.
Roberts was painted as the bad guy,as stupid or as [insert favourite cliché here]

There was a lot talk about the FBI and LEO in general.

There is something missing or at least I haven't seen it put forward enough for my taste:
The accountability of companies/organizations making bad design decisions possible or even desireable (cost!).

There was nothing in the media I noticed as everybody was focused on Roberts.

The whole thing had already a history before this erupted into the event discussed.

I think there is more surface to spread the blame...

GeorgeMay 19, 2015 4:08 PM

@ Vulnerability Researcher

"The guy made some flippant remark on twitter, it was misconstrued."

Making tweets about hacking an airplane while flying on it? Is that supposed to be funny?

Vulnerability ResearcherMay 19, 2015 4:09 PM

@Bystander

Is airplane computer security probably crap? Yes. I am sure it is. Does it help for unauthorized "security researchers" to go out and find their own security holes? No. No, that should be for authorized security researchers.

That gives a bad name to the entire field, and can threaten to make nasty government regulation that is unnecessary and potentially very harmful to the field... and so to the security of everyone.

Government has to enforce these kinds of audits. If the airlines are not doing it, which they probably are not. Like any business, including your own.

Why is it likely government has not? Because they do not know what they are doing and there is little to no oversight on most of this kind of work. It is secret. There is no profit line or accountability. GAO is a fangless animal.

And so most people do not even know what GAO is or what it stands for....

For companies, proactive security does not fit the bottomline unless they frequently are a target. Risk driven direction for the computer security field is in its' infancy.


Encouraging anyone and everyone to attack whatever systems they want is not wise. Even "passive" exploration sorts of security tests can absolutely cause severe malfunction. While this may be unknown to people who never have performed security tests, believe me, it is routine for those who have and do. Plenty of systems are just crashed by walking through the functionality of it or spidering the contents.


Vulnerability ResearcherMay 19, 2015 4:16 PM

@George

"The guy made some flippant remark on twitter, it was misconstrued." Making tweets about hacking an airplane while flying on it? Is that supposed to be funny?

In context, his statements were clearly joking. He even said he was joking. I am sure you have made jokes which, if someone took you seriously, could be alarmed.

Not everyone can understand sarcasm, even metaphor, nor jokes. There are plenty of people with ADHD who have severe problems understand metaphor and often mistake what people say.

Should we have individuals with crippling ADHD in law enforcement operating in a capacity of attempting to understand people or interview suspects? Hell fucking no.

Did these people have ADHD? No. No, they simply were bad cops. Clearly they wanted to get some headlines. Being a good cop and wanting to make sensational headlines are opposed to each other. I would argue. Maybe you disagree.

Plenty of cops all about their own career advancement and headlines out there. They probably won't get fired anytime soon. They will advance in the ranks. Does not mean they help anything in their job.

There is a real case here: the guy admitted to Wired he broke the law. He really did access onboard networks on operational aircraft vehicles. Get him with that. Maybe not as many headlines and maybe no job promotion. But it would be a real arrest.

Andrew WallaceMay 19, 2015 4:17 PM

Before the criminals and online trolls came into the thread to start picking on me.

I said that there are pictures of alcoholic drinks on the male's Twitter page.

It is entirely possible the male was tweeting under the influence of alcohol.

It could be the case the male was also under the influence during FBI interview.

It is entirely possible that the FBI did not realise the male was under the influence.

In the United Kingdom a subject must be entirely sober during interview.

I'm not privy to the rules in America.

The whole case could be some drunken drinking trip on a plane that went wrong.

Andrew

GeorgeMay 19, 2015 4:21 PM

"Andrew Wallace • May 19, 2015 10:41 AM

Has he got the skill set capability to research and carry out hacks not known to industry or is he simply using tools of a standard penetration tester modified for aircraft use? We should find out this stuff."

I thought you're against full disclosure, Andrew? Willy nilly on your stance is bad for public image... right?

I think you're right about full disclosure in this case. Better plug the holes and tighten loose ends before disclosing the "vulnerability". Stirring sh*t up like this "male" does certainly isn't the right way to handle it. However, if he were right about airliners ignoring his research findings, then he should probably contacted the feds first before partial disclosure.

BystanderMay 19, 2015 4:28 PM

@VR

Authorized security researchers act on purchase order. The costs are usually kept as low as possible.

Do you see the gap?

Roberts made apparently trials in a self-defined testbed. This could have been the occasion to wake up.

I am not encouraging everyone to start security testing, but reported issues should be considered and not brushed off or treated solely as thread as there is homework ahead.

The other cases described are the result of not getting basic functional testing right.

Companies and organization waiting too long to act should not be painted as victims.
Remember Ford Bronco?

GeorgeMay 19, 2015 4:34 PM

@ VR

" I am sure you have made jokes which, if someone took you seriously, could be alarmed. "

Does, but really I try very hard to avoid doing that.

:-)

Vulnerability ResearcherMay 19, 2015 4:35 PM

On the "joke":

To be specific he literally said in the same communication he claimed he was hacking the onboard flight network he was joking. It was not something he said afterwards. He had it in the communication.

That communication was not to the flight attendants, passengers, nor flight crew. It was on the internet and to that audience.

Had he made this joke on the plane to people on the plane, there would be real cause for alarm, and understandable reason for arrest.

Had his joke been about bombing the plane, on twitter, it would have been extremely bad taste. But probably not worthy for any kind of criminal charge if he was clear in that communication he was joking.

Personally, I have even had a TSA employee make a bomb joke with me before. I was nervous about missing my flight, it was late night, no one else was around, and his joke consoled me. I knew it was a joke, he knew it was a joke. We also both knew nobody else was around. There was no confusion. He could tell from my manner and dress I was not such a threat. I was not. And he could tell I could appreciate such a joke. I could.

How many airline passengers have made jokes in SMS over the years which would have been illegal to make on the plane? Probably, a lot. It is a tense situation and so ripe for joking. Humor helps tense situations be... defused. :-)


Vulnerability ResearcherMay 19, 2015 4:41 PM

@George

" I am sure you have made jokes which, if someone took you seriously, could be alarmed. "Does, but really I try very hard to avoid doing that.:-)

Heh. :-)

I pride myself in my ability to make people take me seriously when I am joking with them. Does not matter how often I do this, they always take me seriously.

JohanMay 19, 2015 4:55 PM

"Even 'passive' exploration sorts of security tests can absolutely cause severe malfunction."

Umm ... isn't that the kind of thing you'd definitely want to know? If your 'authorized security researchers' are so rubbish at thier job that they didn't pick that up, then you'd better hope and pray that a friendly UNauthorized security researcher finds it and lets you know about it before the blackhats do.

BeepeepeepMay 19, 2015 4:57 PM

@Vulnerability Researcher

Sounds like you're describing Weev, only with less calm and composed talk of genocide.

Vulnerability ResearcherMay 19, 2015 4:59 PM

@Bystander

Companies and organization waiting too long to act should not be painted as victims.

What happens if a terrorist hijacks a plane from the onboard network? And what if they down it? So, this is one good result of this story. That the FBI and the researcher have made it very well known that this can be done.

There are even covert operations like this. A government agent will take a false identity to perform a 'red team' attack. The issue needs to be raised to public awareness for funding. The case can even be where the guy gets arrested and goes to jail. Only, that is all just as fake as his identity and just part of the job. Having a fake identity lost in a prison system is way easier to manage then a fake identity that is supposedly out there working for some news agency or corporation.

That even could be the case here. No one would know.


I can not say much for any good reason as to "why" the airlines - and other airlines, I am sure - have not performed adequate security. Post-911 where that is a multi-trillion dollar investment, there is no excuse.

I can say that lack of understanding what even needs to be done can be a problem.


But, while it helps our security that anyone can tear apart applications from vendors they can host on their own system and own network... and report those vulnerabilities found... it does not do this for doing these same tests on production systems and production networks.

The difference may be granular, but when you are talking about doing unauthorized tests on operational passenger aircraft... I kind of think that removes the granularity.

This may not be as well known to you: for me, even passive tests I have seen do horrible things on production systems. I have seen ATM systems and routers get downed from passive tests. I have seen clients somehow get mass emailed overnight. I have seen inboxes flooded and databases destroyed. Not a good thing to do on on an airplane.


If a terrorist hacked the plane, guess what? They would take massive blame. They would probably go out of business. The government would take massive blame. That is what happens in these situations.

What the government needs to do is go, "Holy shit, what, who is regulating exhaustive tests are performed on these systems?" The airlines needs to go, "So, uh, these security folks we pay, have we actually tested our airlines systems? And why are passengers able to get onto the onboard network? Ever."


They might actually do this from this case.

And maybe this was the researchers intention. Maybe this was the Feds intention.


But, in general, no, I do not believe any researcher should normally do this kind of testing, and it is against federal law to do so.

Andrew WallaceMay 19, 2015 5:06 PM

Vulnerability Researcher

Are you suggesting the male is a govt agent to push the subject of plane hacking into the main stream?

If so I think it has backfired on the male *personally* and didn't go *exactly* to plan.

And now the male has tweeted that his legal team have told him to keep hush hush because the media and people like us are crawling all over him and the FBI's actions at the moment, putting him and the agency into unintended jeopardy.

We will see what happens next. If he is a red team member and the FBI were asked to release him.

Andrew

Vulnerability ResearcherMay 19, 2015 5:07 PM

@Johan

Umm ... isn't that the kind of thing you'd definitely want to know? If your 'authorized security researchers' are so rubbish at thier job that they didn't pick that up, then you'd better hope and pray that a friendly UNauthorized security researcher finds it and lets you know about it before the blackhats do.

Sad thing is there are countless systems out there which have received no security analysis at all. That is exactly why these passive tests can break them. Everyone will have these kinds of systems on their own networks. Routers tend to be a good example. But, with "the internet of things", you can guarantee more and more systems will be coming online with no security testing whatsoever.

Many primary systems nations rely on have no security testing or very little.

Also, even when security reviews are performed - often by outside consultants not exactly vested in anything - very often there is no money for fixes.


But, no, I do not believe everyone wants unauthorized security researchers going crazy on onboard networks of inflight systems, especially not when you are on the plane.


That the guy could even connect to the network is extremely bad. It did reveal a problem and he took risks to do so. Maybe he felt he had to do a 'Jack Bauer' to get that done, now it has a lot of attention.

And yeah, it is exactly the same kind of thing.

Nick PMay 19, 2015 5:17 PM

Interesting discussion. Let's look at everything we have.

Lessons learned from allegations against Chris Roberts and their reporting

In the beginning, airplanes were invulnerable to computer hacking because they didn't have computers. Later, they added computers for their benefits while not having networks. Later, they added networks but air gapped critical things to avoid reliability and security problems. Boeing and Airbus, along with others, decided to save on equipment, maintenance, and fuel costs by converging safety-critical and malicious networks. They knew that this could get people killed. Profit was more important so they went on. High assurance, low weight guards were available to carefully share between networks. Instead, in name of profit, they asked to use weak (cheap) technology and got it maybe around 2007. Another mention in 2014.

Throughout these events, many people and organizations point out the huge risk to passengers. This includes defense contractors, FAA, GAO, and security researchers. Manufacturers and airline industry continue to largely ignore this risk. I have to call out Boeing particularly because they could've used their own firewalls at cost. Manufacturers and airlines are criminally negligent in that they ignore real risks to human lives in order to increase profit. They march on with the risky setup despite vulnerability reports from Chris Roberts and others lasting years. Regulators look the other way.

Chris Roberts, presumably under FBI surveillance, makes a joke online. People freak out. FBI interrogates him, airline bans him, FBI gets a search warrant making all kinds of criminal claims, FBI does *not* charge him, and media reports FBI's claims mostly without fact-checking. People across the nation talk like he's guilty and call out for him to go to prison despite presumption of innocence and due process in our legal system. Aerospace professionals begin to claim what he did was impossible due to security standards despite (a) avionics are only certified to *safety* (NOT SECURITY!) standards and (b) plenty of evidence there was an exemption whereby manufacturers intentionally added risk for profit.

Overall, the situation doesn't look good. It looks like, as this article pointed out, the FBI just destroyed a guy with a mere accusation and even security industry went along with it. An unusually large number of online trolls supported that work. Even worse, most reporters missed the most obvious reason not to trust the FBI's claims: they said he *confessed* (instant conviction) to hijacking and controlling the plane but they haven't charged him. Since when does the FBI have a confession to a crime and not use it? That they're not proceeding with the case until they get his computer files shows that either (a) they're lying or (b) whatever they actually have is too weak to convince a judge despite court's bias against hackers.

So, we shouldn't trust their claims. That the FBI is repeatedly found in courts and news articles to misrepresent situations for convictions is further reason not to trust them. We should treat Roberts' case as "he was accused, but not charged, with hacking airplanes." That's bad, but people get accused of stuff all the time. That doesn't make you a criminal and he shouldn't be treated like one.

The next lesson is us. Too many of us, myself included, didn't do as much peer review as we could've and certainly helped FBI by repeating their claims without enough caveats. We should know better given their history. I'm almost to the point that we should add at the end "Disclaimer: It was the FBI that made these claims. They have a history of unreliability and even deceit. Treat their claims with the highest skepticism until they've proven them in court." If researchers and enough media do this, then we might be able to counter some of the effect of their "destroy by accusation" scheme. It's not how our Constitution intended for justice to happen, anyway.

Vulnerability ResearcherMay 19, 2015 5:29 PM

@Beepeepeep

Sounds like you're describing Weev, only with less calm and composed talk of genocide.

Weev did break the law in what he did, but he had horrible prosecution against him and did receive an unfair sentence. He is not a security researcher or someone who is a hacker god or something. In fact, he is not even a good guy, he was a racist asshole who prided himself on his own moral and intellectual superiority which he used as justification for his prime time habit of trolling people.

But he did get an unfair sentence, and I am glad it was rescinded.

I do not think he will ever be someone who finds security bugs that make researchers go "wow", nor will he ever write security code that even makes malware analysts go, "Holy Shit". But he got a lot of prime time media for himself.

I am glad it was him and not a valid researcher that had to make that point.

Weev was unfortunate for a beginning security guy, it was the wrong time and the wrong place. In years previous, researchers were finding bugs everywhere in applications. But web applications started to get bigger and bigger. And web applications, unlike these applications of old, nobody actually has the authority to test.

So, he did not understand the law and that difference.

Not very surprising as he was not a professional.

But, yeah, sorry, besides the fact that he is a fraud trying to steal the limelight from real security researchers... I find it a little hard to feel for a self-professed "white nationalist".

But as a security person, a hacker? Zero cred. A poseur and media whore with zero accomplishments worthy of note. (Finding even the bug he found, really low brow crap. Web application bugs are extremely easy to find and exploit.)

Vulnerability ResearcherMay 19, 2015 5:37 PM

@beepeepeep

Oh on the "you are saying genocide about this guy", yeah, what? Did you just try and assert godwin's law when no one even made such a statement? I actually may have just made the plane researcher into a hero in my depiction, even if some statements were critical of his actions.

I take it you are referring to Weev's white nationalism. He is, or was. Obviously, that could have brought into the conversations arguments about the Holocaust....

I did not follow the issue that closely to have noticed. Sadly, white nationalists are a dime a dozen. Their opinions are not worth looking into much.

I noticed, on double checking this, that there were expressions of consternation about how Weev's beliefs could sideline the larger, more important issues at hand. True, that. But, Weev was already a well known creep to begin with. People should not make him a poster boy. At all.

I see at least one documentary that has him up there with some others, who are much more valid individuals. Sad to see people building houses of cards like that.

If anyone should be lionized in those sorts of situations it is Snowden and Manning.

Those are selfless heroes who sacrificed so much for the greater good.

Weev? No.


ZenzeroMay 19, 2015 5:44 PM

@ Nick P

Good synopsis, I mentioned earlier that I do think he knows how to compromise the systems, but that when talking to the FBI (on their request for help) made comments which were later misconstrued by a less technical agent working the tweet alert. Hence the deal made of research which was explained to the FBI over previous years which resulted in no action.

The FBI are more then aware that airlines are at risk and as you said "avionics are only certified to *safety* (NOT SECURITY!)". As you, I and others have pointed out greed is likely behind the rabid protectionism of the airlines.

Andrew WallaceMay 19, 2015 5:47 PM

As "Vulnerability Researcher" has noted the male may have a "get out of jail" card.

He may not have been on a red team assignment at the time and may have been an off the cuff incident where a tweet quickly esculated into unintended terrority.

It is possible the FBI are now fuming because they had no choice but to release him because the CIA or whatever his red team employer is leaned on them to do so.

If I was the FBI and this story is true about red team membership and this being an off the cuff incident where another government agency has pardoned him, then it is indeed a messy situation.

Andrew

Vulnerability ResearcherMay 19, 2015 5:49 PM

@Andrew Wallace

If he is a red team member and the FBI were asked to release him.

Oh, which is denying what I said, so why quote any of it in the first place?

This can not be that difficult to figure out, but: when an agent or officer takes a false identity very often they keep that false identity "alive" long after the operation is finished with.

Again, managing such an identity's persistence when they are supposedly in prison is far easier then ruses like "they moved away" or "are working at a corporation".


But, no, I did not say this researcher was such a person, in such a case. I merely raised the possibility to readers that this kind of thing is done. And they should consider it is very reasonably true that it is done.


If you are wondering if this is illegal for me to have said, then no, it is not.

This is not England, American laws are different, and different people have different leeway.

For instance, a reporter can report on classified material openly, in the US.

MarkHMay 19, 2015 5:52 PM

@Nick P:

"Boeing and Airbus, along with others, decided to save on equipment, maintenance, and fuel costs by converging safety-critical and malicious networks."

Have you found a statement from any credible source, that any certified airliner includes the ability to transfer data from a non-critical network to a critical network?

I've been searching on this, and so far have found nothing.

Kindly cite any sources!

JustinMay 19, 2015 5:53 PM

The post by MarkH is interesting. He is careful to point out that his conclusions are "based on published reports." Almost as if he had access to unpublished information on the matter, in which case it doesn't seem likely that he would be making unauthorized posts. Especially if it is Mark H. himself. Which seems really, really unlikely. But the post seems dead accurate, based on the published reports I have read.

MarkHMay 19, 2015 6:03 PM

Justin,

I'm only using the public interwebs, I have no special access. I say "based on published reports" to distinguish specific claims (be they true or false) from surmise, speculation, fantasy, paranoia, conspiracy theories, or conclusions that go well beyond the specific claims.

So far, most of the data available to us comes from press quotations of statements of Roberts himself (which I presume to correctly represent his statements, absent contrary evidence), and from the warrant application of Special Agent Hurley.

Other sources include people who claim some expertise on how the avionics networks are designed ... but I'd love to hear a lot more from them.

Andrew WallaceMay 19, 2015 6:23 PM

There aren't many people in support of the male I have noticed.

I've noticed John McAfee on You Tube and Twitter sticking up for the male.

I've not seen any *big names* come out in support of him.

Largely everyone agrees wrong doing has taken place in one form or another.

Andrew

CarlosMay 19, 2015 6:31 PM

@ VR

"But, with "the internet of things", you can guarantee more and more systems will be coming online with no security testing whatsoever."

these "things" are very reliant on underlying platform(s). you thought dumb terminals were a great idea for maintenance and security, what makes it any different when it comes to an internet of things?

IoTs are what they are, dumb and limited.

Vulnerability ResearcherMay 19, 2015 6:38 PM

@Carlos

Sometimes, not always. Energy grid and water infrastructure has these sorts of systems. Poorly tested, open for attack. Much standalone functionality. Bloomberg systems were this way. Routers, money machines, medical devices....on board car systems.

External and internal mics and video...

CarlosMay 19, 2015 6:40 PM

@ Andrew Wallace

"It is possible the FBI are now fuming because they had no choice but to release him because the CIA or whatever his red team employer is leaned on them to do so."

Shouldn't you be arguing against full disclosure?

"MarkH • May 19, 2015 5:52 PM

@Nick P:

"Boeing and Airbus, along with others, decided to save on equipment, maintenance, and fuel costs by converging safety-critical and malicious networks."

Have you found a statement from any credible source, that any certified airliner includes the ability to transfer data from a non-critical network to a critical network?

I've been searching on this, and so far have found nothing."

Please do remove them if found on the interweb. That type of info is under NDA, no?

Vulnerability ResearcherMay 19, 2015 6:46 PM

@Andrew Wallace

Is that digging disguised as an innocent observation?

Managed charlie foxtrot tangos are a part of many red team scenarios...

Usually at facilities in controlled scenarios, but when things go wrong there are plans for that.

I think digging beyond that is not useful.

CarlosMay 19, 2015 7:00 PM

@ Nick P

"We should know better given their history. I'm almost to the point that we should add at the end "Disclaimer: It was the FBI that made these claims. They have a history of unreliability and even deceit."

It played out like a well-designed meme. It provokes assumptions who leads to theories like red team exercise, etc. They're playing CR out like a dummy while the good guys go to work on setting things straight. After all the fuss, the IES may just have been a honeypot made too real.

GobblesMay 19, 2015 8:33 PM

And along came a spider -.-

Hai n3td3v,

still up to the old tricks andrew, wouldve figured youd out grown that shit but i guess not, I like this blog as its relevant, your not though man - go back to irrelevance

JacobMay 19, 2015 8:39 PM

@Bruce

According to Wired article from 5/15 :
"When an employee with United Airlines’ Cyber Security Intelligence Department became aware of the tweet, he contacted the FBI and told agents that Roberts would be on a second flight going from Chicago to Syracuse. "

So the discovery wasn't by the FBI actively monitoring Roberts' account.

Vulnerability ResearcherMay 19, 2015 8:41 PM

@Andrew Wallace

I'm saying he made an 'off the cuff' tweet and used his contacts within industry to get released without charge.

I am not making any assertions anything like that. In fact, even the statements I made was made merely in case anyone wanted to consider maybe other theories then what they might ordinarily consider. Or, simply, to take some pause.

Should such a theory be considered over the more likely scenario, that it just 'is what it is'? No. Why should no one have more theories at their disposal? As long as they are plausible theories.

I think that people can understand there are likely red teams which operate 'out there' that have sanction to do so. That do so covertly and in the States. In fact, there are documented reports of this, such as Richard Marcinko reported in "Rogue Warrior". He actually documented how he tasked with doing red team work on physical security of airports way back in the eighties.

They can also probably suspect that there are and have been some operations designed to influence American public opinion. While that can quickly get into dodgy and highly illegal territory, in situations involving public safety... the legitimacy of such operations is not so questionable.

Is it difficult to design and pull off "media stunts" that bring attention to problems people would like to be informed about? It is not, I would suggest.

I will actually go beyond suggesting and outright state: organizing and planning 'media stunts' which attract significant attention to sorely overlooked problems is something that can be consistently put into action and have a very high success rate.

As a "for instance", consider front page news stories of security vulnerabilities. These security vulnerabilities are known to be media fodder and the bigger and more important they are, the higher the chance it can be parlayed well into the media.

Companies regularly allow their security researchers to spend time looking for vulnerabilities in 'other people's applications' exactly because of the press they are assured to get when they deliver these vulnerabilities. Further, this work creates ripe material for conference work afterwards. So the media product keeps on coming. And that for the relatively small investment of the security researchers salaries.

Often these findings are good for general product awareness with consumers. They often are also good for the company, its' self, in general. It increases the brand name awareness and builds the value of the company name in the eyes of those in the market to buy their products.

All of this is nice conspiracy theory. But it is not the most likely case in this situation. Most likely case is, 'it is what it is'. That simple.

So, your contemplations about how difficult it is to have 'get out of jail cards', and how likely it is for one organization to be angry at another organization... these are not useful statements, nor questions. Why should anyone know anything? There is no need for that. Compartmentalization?

People in the very same unit might not know what each other do. How much so if it is a different agency entirely.

Even if they do know what each other do, they sure might not know each other's histories. Definitely not in organizations where there is heavy secret work.

As for your surmising about "who". There are a ton of agencies involved in anti-terrorist work. A lot which have undercover agents. A lot who have domestic responsibility for the safety of citizens. I think you are very interested in pinpointing agencies that might do this sort of thing. But that is a meaningless point.

Andrew WallaceMay 19, 2015 8:54 PM

Jacob

It was a member of the public who alerted United because that is how Twitter is built. To be a system that the public use to search for things of interest. Law enforcement don't need to monitor Twitter because they know the public flag up stuff and go hey maybe you should look at this. Nobody "monitors" his account professionally from a law enforcement perspective because they can see he has 8,000 followers who will say something if he misbehaves. If it was some jihadi account and all the followers were jihadists then maybe law enforcement would need to but not in this case.

Andrew

Nick PMay 19, 2015 9:27 PM

@ Zenzero

Usually is greed and refusal to do things different. That's why history built on insecure, computer architectures even when better things were available. Still do. So, we're stuck with this outside of niche players and markets.

@ Carlos

I doubt it's a honeypot. You're right about things playing out predictably in exactly the opposite way it should.

@ MarkH

"Have you found a statement from any credible source, that any certified airliner includes the ability to transfer data from a non-critical network to a critical network?"

It's a basic security axiom: systems are insecure until proven otherwise. This is doubly true if, as my links indicate, they requested permission to combine critical and malicious nodes onto the same network with software-managed security. That it was evaluated for safety (good design & testing) rather than security and by people who aren't security experts further reinforces my claim.

The statement we need from a credible source is this: "I am a security professional with years of experience designing and reviewing systems intended to resist high attack potential. I've reviewed the design and implementation of the separation mechanism against such criteria (Common Criteria EAL6+). I've found that it meets all functional and assurance requirements. Further, I've spent N hours reviewing the code for common vulnerabilities and found none. I certify that this system shows strong evidence of security."

We have nothing like that despite such tech being available to airlines. So, it's assumed insecure like most COTS firewalls showed themselves to be over time. They can either separate the networks with sharing done through a data diode or certify their mechanism against highly assured criteria via penetration testers. Given their motivations, I doubt I'll see that very soon.

Vulnerability ResearcherMay 19, 2015 9:34 PM

@Andrew Wallace

I will add another point, however, about your 'conflicting agencies' theory. Besides that there are nearly 17 intelligence agencies in the US, there are also organizations in various military branches. And who knows what else. One thing you can know is that there are consultancies, defense contractors, who might perform work of specialized capacities for various agencies.

There is also the concept long relied on for providing cover for some agency groups in other branches of government. For instance, the military has had organizations from the CIA under cover as military units. This sort of setup is useful because it provides consistent, wide, plausible cover: financing, communications, personnel, transportation, and so on.

And, there are unusual situations, such as when the White House created the Plumbers. They did get caught and did a bad job. So you had ex-CIA mixed with Cubans appearing in court. Even that would have been covered up by the CIA and FBI had there not been a leak at the top, in the FBI.

Assuming that sort of organization has never happened before, during, or since would be naive.

However, as for contractor companies, that gets into a really big mess. One company, for instance, might have started out as a unit or units in another organization. They could branch out and become a company. And then get hired back. Finally, it could be where they are hired around by various agencies. Maybe they provide more then just technology or people, they might be provided unusual services such as people who are specially trained to operate with long term and short term disguise. Maybe they are just specializing in language fluency. But, point is, not all who are hired out as mercenaries might be in such a brash area as just those who can carry guns and shoot them.

Does anyone from any of the above groups go to other groups under cover? You can assume this is routine for some. One person might have credentials for one agency, one day; and credentials for another agency, another day. How could government work without that kind of flexibility.

It would be unfair to make sweeping guesses like "it would be cia" and "it would be fbi".

Or even "cia can not ever be fbi and fbi can not ever be cia". Without the organization knowing they are not who they say they are.

JustinMay 20, 2015 12:15 AM

@ Andrew Wallace

"I would like the male arrested and charged with something.

"Something is better than nothing.

"But nothing is just absurd."

Why? Just because he's male? I don't know how it works where you're from, but in the U.S. they need to find some evidence, first. It seems like they're looking awfully hard and coming up short. All that stuff he brags about with his big mouth, the evidence is awfully scant that he actually even did any of it. So maybe he's guilty of bragging up his hacking ability, but that's not really a crime. Meanwhile, it's rather ugly and vengeful to wish for some poor guy to be arrested and charged with something simply because something is better than nothing. In any case, rest assured that if they find actual evidence of a crime, they will charge him with it.

gordoMay 20, 2015 2:34 AM

In my readings on this, someone described airliners as airborne SCADA buckets, or something to that effect. . . which reminded of a high-level depiction of cyber-physical attacks, from Ralph Langer's final write-up on Stuxnet, "How to Kill a Centrifuge"[1], and what’s going on in these kinds of scenarios. This figure is a manual gist from that report:

IT Layer - Propagation
Networks, Operating systems, IT applications

Industrial Control System Layer - Manipulation
Industrial controllers, sub-controllers (frequency converters, pressure controllers etc.)

Physical Layer - Damage by exploiting physical vulnerabilities
Valves, electrical drives, etc

See: Figure 1. The three layers of a sophisticated cyber-physical attack (p. 4)

[1] Langner, R. (Nov. 2013). To kill a centrifuge: A technical analysis of what stuxnet’s creators tried to achieve. The Langner Group. http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf

---

So, with that for some "big picture" context . . .

Hacker In Trouble With Feds After Tweeting About 'Playing' With Plane Comms Mid-Flight
Thomas Fox-Brewster | Forbes | 4/17/2015

Roberts’ troubles started on the same day the US Government Accountability Office released a report suggesting hackers could compromise flight control systems over on-board Wi-Fi. But the government body was criticised by pilot and security expert Dr Phil Polstra, who said the report was “irresponsible” in relaying incorrect information and for its vagueness. He claimed the experts cited in the report did not understand how modern aircraft networks operate. [see article for pertinent links]

http://www.forbes.com/sites/thomasbrewster/2015/04/17/hacker-tweets-about-hacking-plane-gets-computers-seized/

Dr. Polstra, cited in the above Forbes piece, presented on the topic (see below) at Defcon last summer. I found his presentation helpful to my layperson understanding of the subject. YMMV.

Cyberhijacking Airplanes: Truth or Fiction?
Dr. Phil Polstra and Captain Polly @ DEF CON 22 | Aug. 7, 2014

There have been several people making bold claims about the ability to remotely hack into aircraft and hijack them from afar. This talk will take a systematic look at the mechanisms others are claiming would permit such cyberhijacking. Each of the most popular techniques will be examined mythbuster style. Along the way several important aircraft technologies will be examined in detail.


Attendees will leave with a better understanding of ADS-B, ADS-A, ACARS, GPS, transponders, collision avoidance systems, autopilots, and avionics networking and communications. No prior knowledge is assumed for attendees.

https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Polstra

Video [46:07]:
https://www.youtube.com/watch?v=Uy3nXXZgqmg
YouTube page includes a link to presentation slides.

---

Lastly, these snippets are from an article on aviation safety in the wake of the disappearance of Malaysia Airlines Flight MH370:

Cyberthreats against the Aviation Industry
Pierluigi Paganini | Infosec Institute | April 8, 2014

Why has someone spoken about a possible cyber attack?


The hacking of critical systems in an airplane could not be totally excluded, as well as any other electronic system. A report filed on the US Federal Register website indicates that Boeing has implemented additional security measures on the 777 series of aircrafts five months ago to prevent onboard hacking of critical computer systems.

[...]

The “open door” for hackers are passenger seatback entertainment systems which have USB ports and come with Ethernet. Before the modifications mentioned, there was no “separation” between entertainment systems and the overall network of the aircraft
(par. 1 & par. 5, respectively, in first section after introduction) [see article for pertinent links]

http://resources.infosecinstitute.com/cyber-threats-aviation-industry/

MarkHMay 20, 2015 2:53 AM

@Nick P:

We have, from comments on this blog four weeks ago, this description concerning one of the newest airliner types in service, the A380:

"There's no software firewall between cockpit and cabin but they left out the 2 receive wires from the twisted pair cable on the switch. That's a hardware barrier and allows traffic only in the direction from cockpit to cabin (e.g. broadcast of position and flight data for the in-flight entertainment systems)."

Good enough for ya?

My reading so far has disclosed no airliner with a single network for critical and entertainment systems (though this has been proposed for future designs). Just about all of the up-to-date airliners (at least, among those large enough to have IFE) have some kind of a bridge between the critical and IFE networks.

Karl KoscherMay 20, 2015 2:58 AM

"He had been interviewed by the FBI multiple times previously, and was able to take control of at least some of the planes' controls during flight."

This may or may not be the case. If you read the affidavit closely, you'll see that the FBI said that he claimed to do that. This is different than him actually doing it. It's possible that his claims were false, or that the FBI misinterpreted his claims.

Evidence of him tampering with the SEB is also thin. After all, they're underneath the seats where they are likely to get banged up by people stuffing their carry-ons. The affidavit does not mention the condition of other SEBs not by his seat.

I have watched some of his talks and he seems concerned about Intellibus, which AFAIK is not used on commercial aircraft. 737s use a bunch of uni-directional, multi-drop ARINC 429 buses. 777s use something called Safebus, while 787s use a variant of Ethernet called AFDX.

To the extent that IFEs are connected to avionics on 737s, they would probably be a passive receiver on a 429 bus. The only potential risk is if the 429 receiver was built using re-configurable hardware (e.g., GPIO pins) that could be re-purposed into a transmitter (which seems somewhat unlikely given the regulatory constraints) AND the IFEs were on a 429 bus that critical avionics systems were also listening and responding to.

65535May 20, 2015 3:14 AM

@ Nick P

“Chris Roberts, presumably under FBI surveillance, makes a joke online… FBI interrogates him, airline bans him, FBI gets a search warrant making all kinds of criminal claims, FBI does *not* charge him, and media reports FBI's claims mostly without fact-checking… Since when does the FBI have a confession to a crime and not use it?“

I agree.

If the FBI had any solid evidence Roberts partially hijacked an airliner with passengers aboard Roberts would have been booked and be in jail - assuming he could not make bail. Period.

I suspect the FBI is throwing dust in the air because they can’t crack his laptop and other equipment to see the actual hacks he has at his disposal.

Further, I doubt Roberts would be able to go under the cramped seat, unscrew an enclosed electronics box, attach a Cat6 cable with some specialized connector to said IFE system without being noticed and hack away for an unknown amount of time [he is a large man and easy to spot].

[To the technical side]

Ken makes a good argument that the IFE and flight data paths are significantly separated. Please read his post and his link.

https://www.schneier.com/blog/archives/2015/04/hacking_airplan.html#c6694127

I read Ken’s link and found that economics of aviation building and repair seem to require the need for for the IFE and the aircraft navigation/control to be merged but properly fire-walled. It makes sense economically.

https://www.schneier.com/blog/archives/2015/04/hacking_airplan.html#c6694152

I will leave it to the experts to decide the actual risk and reward of such a system.

Clive RobinsonMay 20, 2015 3:24 AM

@ MarkH, Nick P,

They can either separate the networks with sharing done through a data diode or certify their mechanism against highly assured criteria via penetration tester.

It needs to be said that neither method is a good idea for safety critical systems, thus it's more sensible and also prudent to keep the networks issolated as much as possible.

The reason for this starts with the assumptions under which safety critical and entertainment and other non safety critical systems work.

Usually "safety critical" systems need to be either "Real Time" or "extreamly low latency", in entertainment systems this is usually not a design requirment. Also "safety critical" systems need "reliable" data transmission, entertainment etc systems usuall don't.

That is, in your car you and others "need" the brakes to work "every time", and whilst you would "like" the MP3 player not to glitch you will tolerate it "occasionaly".

It sounds like only a marginal difference if you say it quickly enough but the reality is a gulf that makes the Pacific look like a babbling brook in comparison.

People quite glibly talk about TCP and UDP being "reliable" and "unreliable", from a safety critical perspective they are both "a disaster waiting to happen". This is because of an assumption clashing with nonlinear reality.

The assumption is it's OK to "timeout and retransmit" to get reliability of data transmission. The nonlinear reality is "que utilization in a data collision system". The result is "data collision" systems are inherantly unreliable, because their recovery process is to "back off and retransmit" which increases message bandwidth that means that another data collisions becomes more probable. Thus under increasing load the channel bandwidth drops in a non linear and non determanistic way to the point that data collisions can become a "perfect storm" occupying the entire channel bandwidth thus actuall data transmission becomes zero for peeiods of time that increase nonlinearly with load.

The usual attempt at a solution to this problem that is seen to be more reliable in data delivery and time for safety critical systems is for all systems using the data communications channel to be synchronized and given their own time slots in a "switched circuit" system. Which unfortunatly whilst apparently solving the bandwidth issue still has other fault charecteristics that impact on the design of safety critical systems.

The general cure to this problem is "sub channeling" where every function is given it's own permanent bandwidth and the remote end "fails safe" on loss of signal. But latency is the inverse of bandwidth, that is the lower the desired latency of a signal not the signals actuall bandwidth defines the bandwidth it requires in the data communications channel. That is whilst the data bandwidth on your car's brakes signal might be only a couple of bits an hour when motorway coasting you would like the latency to be in the millisecond or less range. So the brakes signal needs a bandwidth approaching a thousand bits a second which is getting on for a million times the coasting change rate bandwidth. Nearly all safety critical systems signals are like this so the data communications bandwidth that is realy needed for "latency" appears "virtually unused" when looked at from the actual data rate perspective, thus appears to be grossly "inefficient" to nearly everyone even some safety critical engineers who are not as conversant with the underlying communications issues as they should be.

But then latency is not always the overriding issue. Many mechanical units like engines have multiple inputs and what is critical is the order or "skew" of those signals with respect to each other. That is if you have an engine some distance away the tolerance on skew may be measured in uS whilst that for latency be in mS thus skew requires a much greater bandwidth than latency...

There is not a "data diode" or guard/sluice in existance that can mediate this onto a shared network with high data rate entertainment systems. Nor are there very many security experts that intuitively understand the issues safety critical issues involved, and I suspect only a few of those who would put their name on a certificate knowing the real risks. Which means those who do are either very very expensive in time and resources or are taking chances, ultimately with other peoples lives. Because we do know that whilst "perfect storms" are both rare and effectivly unpredictable they do happen. The risk might be said to be "one in a billion" which might sound small but is that per nanosecond or millennium?, time makes a real difference, especialy with safety critical systems...

MarkHMay 20, 2015 3:39 AM

THESIS: NOT EVERYBODY IS AS STUPID AS WE EXPECT

In response to Very Dubious Reports about vulnerability of aircraft flight system networks, a lot of folks have been asking (in one form or another), "could the people designing planes really be that stupid?"

Now, the answer might be yes -- we don't have enough authoritative information yet, to return of verdict of Not Guilty. But I want to explain why many of us may be jumping to false conclusions.

A lot of frequent commenters on this blog work as engineers, or other information tech roles that require constant wrestling with the products of engineers. (Disclosure: I'm a software engineer whose early software ran on computers that used magnetic donuts for RAM).

And a lot of us are used to seeing systems put together in ways that are shabby, cobbled-together, hastily improvised, sloppy, slovenly, negligent, disturbing, and even terrifying. We have had "inside perspective" that enabled us to understand how miserable things really were. Decades of exposure to this kind of technical malpractice quite naturally give rise to blends of pessimism and cynicism.

Well, I'm here to tell you that engineering isn't always that bad. If you haven't studied or participated in the process of designing safety-critical systems for airliners (in the US, 14 CFR Part 25), you might be surprised how thoroughly the job is normally done. Quite possibly, at a level you've never seen.

And no, even if you worked on ultra-top-secret military / rocket / missile / crypto / nuclear weapons / comms systems, it is not safe to assume that you have seen the same standard of precaution applied to airliner safety systems.

For me, the Airbus A380 "data diode" described above is a fine exemplar. It is a very, very, very conservative safeguard against possible inter-network failure modes. It is what systems look like, when the engineers aren't stupid.

Disclaimer: I am not expert on this stuff. People inside the industry may tell authoritatively that I've got it wrong. And we can all make lists of places where the airliner industry missed things and had safety failures -- but, I would suggest, not blindingly obvious things like allowing insecure boxes onto a critical network.

Based on my decades-long interest in aviation technology and safety, I believe that crap designs like Toyota's push-button start/stop for automobiles wouldn't have survived 15 minutes in the engineering culture of airliner design.

Hints:

If you think that "routers" and "switches" on aircraft critical networks resemble the junk sold at the big-box office store -- including capacity for reconfiguration via the network!!! -- you are probably far mistaken.

If you think that the inclusion of SNMP in the ARINC 664 standard means (again) that the network can be reconfigured by network messages, think again. SNMP has uses other than dynamic reconfiguration!

If you think that the designers of airliners will trustingly give critical network access to junky Linux/Windows IFE boxes, think again.

ZenzeroMay 20, 2015 4:46 AM

Here's a link to the report from the Government accountability office that initiated the tweet which brought this whole thing into the spotlight:

http://www.gao.gov/products/GAO-15-370

From page 18 and on on appear to be relevant to the conversation.

"However, according to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them—as shown in figure 4 (below). Firewalls protect avionics systems located in the cockpit from intrusion by cabin-system users, such as passengers who use in-flight entertainment services onboard. Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented."

Avionics are far from my area of expertise and in reality we have no idea what level of actual testing took place, hence we don't know if the experts were talking about risk averse theoretical attacks or real plausible attacks.

One thing we do know however is that more than just Roberts believes Airline avionics are vulnerable.

* There's a list of "Experts Providing Responses to Cybersecurity Challenges Facing FAA" from page 45

SkepticalMay 20, 2015 5:24 AM

An interesting tale. Two points to consider.

First, the Justice Department is obviously still considering which charges to bring against Roberts.

If Roberts told the FBI that he had accessed a commercial aircraft's flight system while in operation, and Roberts actually did so then there will be one set of charges. They will bring down the hammer on him.

If Roberts told the FBI that he had accessed a commercial aircraft's flight system while in operation, and Roberts actually did not do so then there will be a different set of charges. The extent to which the Justice Department will pursue this set of charges will depend in part on the particulars of Roberts's behavior. If Roberts has been accessing IFE systems, and attempting to access flight critical systems, then they'll take a hard view; and especially so if Roberts seems likely to continue that course of conduct.

Either way, if Roberts made such a claim to the FBI, he's in hot water. His explanation - that the FBI took the claim "out of context" - is a bit weak, frankly. Why not forthrightly and plainly say "I did not tell the FBI that I accessed any flight systems in operation, and I did not tell the FBI that I made any inputs to any flight system in operation."?

The purpose of the search warrant is in part to determine the appropriate charges - perhaps if any - to bring against Roberts.

Roberts seems to have a history of telling some fairly wild stories. Playing with the temperature on the ISS and receiving a scolding from NASA for doing so? His tweets from a plane seem par for the course. What Roberts may not have realized is that once the FBI went through the trouble of actually detaining and interrogating him, he entered a new world. Tall tales in that new world aren't simply irritating fodder for news articles or viewed as merely puffed up bragging that can be neither proven nor disproven; it would be a felony, in those circumstances, to lie to federal agents in such a manner, and if motivated those agents will take precisely those measures to prove, or disprove, Roberts's claims in a way that others could not.

Second, the damage to a SEB panel in the seating area used by Roberts does not appear to be the sort caused by a bag or foot banging against it.

Two more points in response to some of the comments.

This has nothing to do with "shooting the messenger." If Roberts accessed a flight critical system, then he didn't simply deliver a message - he inscribed the message on a bullet and fired it in our direction. At the very best, it was highly reckless. We'll read the message, but the act won't escape punishment.

And I'm amazed anyone allowed Roberts to remove a panel and plug in his laptop. The act of doing so is sufficient justification to divert the flight to the nearest suitable airport and to restrain Roberts for the duration. He's very, very lucky that he wasn't attacked by any of the other passengers.

Nick PMay 20, 2015 6:37 AM

@ MarkH

re first comment

"We have, from comments on this blog four weeks ago, this description concerning one of the newest airliner types in service, the A380:"

On one hand, we have airplane manufacturers asking for exemptions to safety checks so they can mix the critical and malicious networks. One the other hand, there's some comments from people claiming to be avionics professionals who promise they did what they need to do. For most stuff, we rigorously evaluate the claims. For the security part, you are just going to take their word for it?

I've seen some good stuff (eg AFDX, ARINC) in avionics systems. Yet, the systems aren't designed or evaluated by security engineers. So, they stay a risk until proven otherwise in my mind.

re second comment

" If you haven't studied or participated in the process of designing safety-critical systems for airliners (in the US, 14 CFR Part 25), you might be surprised how thoroughly the job is normally done. "

I've been posting on DO-178B and other safety-critical stuff here for years. The systems designed for the higher levels are quite amazing. The whole industry is. However, not all parts are done that way and one can see they even argue for exemptions for very critical parts. There's a certain amount of negotiation between the manufacturers and regulators that gives them leeway. That's where the risk is because they sure aren't asking to do things in a safer way.

re not as stupid as we expect

I was actually teamed up with a Boeing manager for avionics once. Studying Five 9's and separation kernels, I asked him what neat technology they were using to protect their systems from failure or attack. He said they had this clever idea to run one box on a Windows-based platform and one on Linux. He said they were sufficiently different that a flaw wouldn't work on both. I tried explaining that (a) they each had a huge TCB (attack surface) and (b) finding a flaw in only two systems is childs play for todays attackers. He couldn't comprehend either concept and was sure their approach to whatever they were protecting was not only solid but state of the art.

I made a mental note to avoid flying on newer Boeing planes. I also tried to find where in their documentation that they say they use the Windows and Linux separation technique. I can't find it. Makes me wonder about the documentation and certification process. Hopefully it's one of the non-certified systems that aren't very important but nonetheless needed high availability. (fingers crossed)

@ 65535

re Ken

"one, I never say never, especially when it comes to the potential of vulnerabilities in complex systems. Two, I have worked in detail in the avionics industry, but not specifically on the A380 or B787, and not in the space of the bridge between the In-Flight Entertainment (IFE) and Satcom systems. "

Oops. There goes his credibility on the modern systems. They're significantly different and more integrated than the older ones. So, it's important to have worked on their avionics to understand their avionics. His statements are applicable to older designs, though. If we're lucky, they're applicable to modern ones. I'm still concerned that claims like this weren't evaluated by security professionals and double concerned that many security professionals aren't concerned about that.

Clive RobinsonMay 20, 2015 6:47 AM

@ Skeptical,

And I'm amazed anyone allowed Roberts to remove a panel and plug in his laptop. The act of doing so is sufficient justification to divert the flight to the nearest suitable airport and to restrain Roberts for the duration. He's very, very lucky that he wasn't attacked by any of the other passengers.

This should be ringing "alarm bells" in many peoples heads for either of two reasons,

1, Roberts did not do it and the FBI are "playing faking it up".
2, Roberts did it in front of crew and passengers without response.

Others are addressing the first point, so let's look at the second, as you say,

... the damage to a SEB panel in the seating area used by Roberts does not appear to be the sort caused by a bag or foot banging against it.

And others have noted Roberts is by no means an unnoticable person. Thus unless he had a row of seats to himself or could unsuspiciously block the view of what he was doing to others, you would expect as you indicate an alarm to be raised after the "shoe & pants bombers".

So it maybe Roberts "got lucky" and was not seen but in the more likely event he was "Why no alarm?". Could it be that the assumption after 9/11 that passengers will fight back is wrong?

If it is then we have a problem, which if addressed in the way the DHS has in the past is going to cause an outcry from the airlines and passengers.

WinterMay 20, 2015 6:59 AM

@Nick P
"He said they had this clever idea to run one box on a Windows-based platform and one on Linux."

Indeed, nothing about which OS' are used.

From 2013:
Boeing 777 Flight Control System
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.86.8618&rep=rep1&type=pdf

Older paper:
Triple-triple redundant 777 primary flight computer
http://www.citemaster.net/get/b5884db0-f01b-11e3-bec6-00163e009cc7/R8.pdf

But see here for a confirmed bug:

Boeing 787 Dreamliner glitch can make it lose power, FAA reports
http://www.tweaktown.com/news/44887/boeing-787-dreamliner-glitch-make-lose-power-faa-reports/index.html

Andrew WallaceMay 20, 2015 7:55 AM

Justin

I'm just wondering what kind of signal it is sending our adversaries and the general public if there is no charge against the male.

Andrew

fajensenMay 20, 2015 9:11 AM

@Clive Robinson
When I am flying, I am mainly watching my drink and occasionally that arab-looking dude a few seats across, who goes to the toilet entirely too often. Priorities. If some fatty suddenly disappears under the seats, I know that he is going after that Oreo he just dropped.

BrianDMay 20, 2015 9:20 AM

@Andrew Wallace

  1. Full disclosure is bad - vulnerability should be reported to company
  2. United has said there is no vulnerability, and that it is impossible to take control of the flight
  3. The male diverted the flight of the plane
  4. The male should be arrested immediately

Can you help me reconcile those facts, or correct which ones are not actually true?

If 3 is true, then I fully agree 4 should be true too.

If 2 and 3 are true, then I strongly disagree with you on 1 -- United is denying the risk after it's already been demonstrated to work.

Or perhaps there's some logic I'm missing where it makes sense for full disclosure to be illegal, it's ok for companies to ignore and lie about severe security vulnerabilities that could lead to loss of life even after they've been proven to be exploitable, and that somehow the person who performed such exploit is inexplicably not under arrest even though he clearly should be since he exploited the vulnerability putting many lives at risk.

name.withheld.for.obvious.reasonsMay 20, 2015 9:41 AM

To add a little clarity to the current topic I offer the following (a hypothesis):

1.) Redundancy is not considered a luxury in avionic control systems (everything from VME, PCI, and hard bus architectures with dual back-plane are part of a single chassis allowing for N+1 management system with any combination of other processing modules. More than likely a multi-bus frame houses a number of IFE boards that run a "Linux variant" on top of a supervisor--without a redundant PS (weight savings over time can be substantial given fuel costs). A separate frame houses the flight control, avionics, communications, and I/O interfaces for a plane's flight "System of Systems".

The control systems are more than likely fully redundant. I'd suspect a modern aircraft would include two or more physical transports (wire, fiber, electro-mechanical) to insure that flight surface controls (fly-by-wire) remain operational. The nervous systems could be coupled to "spine". The IFE is likely a member of the nervous system and would be surprised if it is physically co-terminus with control system network(s). Of course design and production decisions are often at odds with budgets and practicality. ARNIC, 802.1, and other layer two network topologies should be isolated physically, the tendency though to push multiple layer two stacks onto the same fabric is something that would be ill considered.

Many of the multi-core IFE systems are simple PPC, Atom, or P-IV architectures are with limited "polishing". Considering these platforms as side-channel systems is not fully expressed in the context of a "System of Systems". Engineering and design tend to isolate the risk/benefit model with a scope at the "frame" and not to the "transportation system" level.

ZenzeroMay 20, 2015 9:52 AM

Another scenario is just plain profit.

A famous example of this is the Ford Pinto Fuel tank episode.

Ford basically just did a cost/benefit analysis after numerous death's and the facts only came out after a county prosecutor levelled charges of reckless homicide and criminal recklessness.

Example of Ford's internal cost/benefit analysis

Benefits
Savings: 180 burn deaths, 180 serious burn injuries, 2100 burned vehicles
Unit Cost: $200,000 per death, $67,000 per injury, $700 per vehicle
Total Benefit: 180 x ($200,000) + 180 x ($67,000) + 2100 x ($700) = $49.5 Million

Costs
Sales: 11 million cars, 1.5 million light trucks
Unit Cost: $11 per car, $11 per truck
Total Cost: 11,000,000 x ($11) + 1,500,000 x ($ I 1) = $137 Million

So basically they decided that spending $11 to fix the fuel tank was too expensive and would affect profits so they would accept the death's / Injuries of their customers instead.

Back to the topic at hand:
Making changes on the planes would be a large cost for a very slight risk, and quite possible increasing the weight of the plane, hence also incurring additional fuel charges. Also if the attack which caused loss of lives (if it did happen) would likely be terrorist in nature and the American government/people would incur the cost.

I'm not saying united necessarily did a cost/benefit analysis in this case, just hi-lighting that sometimes big companies can very often be tip toeing on the edges of acceptable ethics.

http://users.wfu.edu/palmitar/Law&Valuation/Papers/1999/Leggett-pinto.html

Andrew WallaceMay 20, 2015 10:28 AM

BrianD,

My stance in the wider picture:

I'm against unpatched technical software vulnerabilities being disclosed to an audience of hostile actors on Full Disclosure Mailing List without the permission of the Government or vendor.

My stance in this picture:

If the male had done this which he hasn't in relation to flights I'm pretty sure the male would be detained, charged and lose his liberty without delay or discussion.

Andrew

MartinMay 20, 2015 11:15 AM

I'm beginning to doubt this story. After watching many news sources and reading a number of credible blogs it appears there are too many gaps in the story and gaps in the follow-up / verification actions that normally occur after significant incidents of this type. I might be wrong, but I'm not convinced it happened as reported.

Andrew WallaceMay 20, 2015 11:26 AM

The male could have released a statement by now.

His legal team have told him not to say anything.

However,

The male doesn't need to listen to his legal team and could set the record straight to avoid further damaging speculation to his career and reputation.

Andrew

JustinMay 20, 2015 12:36 PM

@ Skeptical

The FBI can't very well say, "Either he hacked into an airplane or he lied to us," and lock him up. They can't just take "measures" to prove or disprove whatever they want. They need actual evidence.

This guy seems to have been real careful in the claims he made, as outlined by MarkH. He seems to know that there's no way to prove that he couldn't have hacked into the flight systems as he claimed. That seems to be his agenda: he wants people to be unsettled by the possibility.

As to the damaged boxes under his seat, unless somebody saw him do it, or his fingerprints are all over them, or there is some other specific evidence, that is pretty hard to attribute.

@ Andrew Wallace

He has no intention of "setting the record straight". At present, his defense, (and probably his whole agenda,) depends on reasonable doubt.

Andrew WallaceMay 20, 2015 12:40 PM

"At present, his defense, (and probably his whole agenda,) depends on reasonable doubt."

I think the tweet was off the cuff and didn't realise what the response would be from the public, the airline and the FBI and then the media and bloggers.

Andrew

MarkHMay 20, 2015 12:53 PM

Name Withheld has it right -- no transport airplane using data networks for its flight controls can be certified, unless there are completely redundant physical transports.

They must not only be duplicated, but also physically separated, so that mechanical damage to the airframe, or localized destruction due to a severe lightning strike is unlikely to disable all of them.

Universal Datagram PersonMay 20, 2015 1:04 PM

@Clive Robinson,

You've written a lot about safety system communications for no reason because you seem to have misunderstood the sentence you quoted.

Particularly the "sharing done through a data diode" part.

Nobody is talking about making disparate instrumentation on a flight control system communicate with other portions of the control network through data diodes.

The link between your brake pedal and the brakes will obviously be part of the control network on your car. However, somewhere on a controller you want to expose an interface that allows external systems to read the current status and values of parts of the system through a modbus link or other type of interface.

In the systems I've worked on you'll typically have a PC collecting data from a bunch of external control systems. From there you can display it on computer instrumentation within a protected, physically separate network like the cockpit and also send the data out across a tx-only diode via UDP to the public network.

Sometimes it's easiest to have the same type of data collection PC software setup on the public network but you change the configuration so that it gets the data via the UDP packets going across the data diode instead of any kind of modbus interface.

This person was clearly on the public portion of the avionics network and may have seen that some of the architecture was duplicated there with similar commands being sent across the wire. It would be easy to confuse the fact that you can send a "Turn off Engine" command on this network with the fact that you are looking at a mirrored network and your command never even reaches control systems.

Also, with an interface like modbus it can be easy to confuse the fact that you could read an engine speed of 100 from register 40000 and then write back a value of 0 to the same register with the fact that the control system doesnt actually care about your input value and will just overwrite that again with 100 the next cycle.

It's probably not impossible to cause trouble with a control system by sending bad commands or some magic words over the interface but that's why there is a physical separation between the critical network in the cockpit and the rest of the cabin.

MarkHMay 20, 2015 1:09 PM

@Nick P:

"For the security part, you are just going to take their word for it?"

I would much prefer to see the schematics myself, but I don't have them handy.

The comments on this blog I referenced, came from two (ostensibly) distinct persons, one of whom cited as source a 2005 article in a German infotech magazine (I haven't seen it yet, it's behind a paywall), and another claiming to have worked on the A380 systems and saying that yes, he could confirm that the connection between the systems has only one physical data direction.

Further, in light of my thesis that the people doing this work aren't necessarily as stupid as we might suppose ... imagine that people who aren't stupid face an engineering decision between alternatives:

(A) Implement a bi-directional link between the networks, even though the second direction adds very little value. The safety case depends on some combination of extremely high standards for the cheap IFE systems and/or elaborate, complex and error-prone analysis of every conceivable failure mode between the networks.

(B) Implement a hardware data diode, and ensure that the safety of flight controls is completely independent of the integrity of the cabin network.

I can't prove in a court of law that they didn't choose (B), because I don't have the wiring diagram. But I think you know very well, that narrowing the scope of systems that have to be included under the critical safety umbrella makes life Very Very Much Easier.

MarkHMay 20, 2015 1:16 PM

@UDP:

Clive's comment about data diodes also seemed off-course to me.

For one thing, the bandwidth between the flight network and cabin network is actually very small, on the order of a few hundred bits per second!

Second, even if the IFE network has a very high traffic load, and there is poor quality-of-service management that fails to adequately prioritize messages from the flight network, a delay of a second or so in messages getting into the cabin would cause no practical problems.

Andrew WallaceMay 20, 2015 1:22 PM

In all probability the airline is not vulnerable to attack, the male may have made an off the cuff remark on Twitter under the influence of alcohol... and then gave a casual interview without a lawyer with FBI and did not realise how law enforcement would look for a vector to frame him in the worst possible light for the purpose of getting a warrant signed off by a judge to seize his goods for forensic examination.

Andrew

Vulnerability ResearcherMay 20, 2015 1:31 PM

@Andrew Wallace

I'm against unpatched technical software vulnerabilities being disclosed to an audience of hostile actors on Full Disclosure Mailing List without the permission of the Government or vendor.

Many governments have been engaged in the "full disclosure movement". The US government engaged in finding and reporting security issues, in pressuring vendors to come to better fix processes and time schedules, and in creating standards for security issues. This is besides the work by government in taking vulnerability information & creating vast organization systems for bugs, creating libraries for safe code, cataloging and documenting security bug disclosures, reviewing security analysis tools on a regular basis, and so on. The list goes on and on.

And the full disclosure movement has been a resounding success in creating modern computer security as we know it.

This does not mean there are not 'responsible disclosure' guidelines, there are.

As for "why", the reasons are many and obvious. Had bug disclosures been driven underground, they would still be found, but not reported. So the underground market would have grown and companies would not have the tools and processes to protect themselves.

That was not a decision made recently, it was made long ago.

Responsible disclosure processes were kept early on, long before standards were created. Some were jerks about it and caused harm. Their motives were obvious, and they were exposed for who they were. Media whores, poseurs, sociopaths without a care about anyone but their own selves. That was possible because there was a strong, self-sustaining community. So the community could and did have the capacity to perform social ostracization naturally when individuals attempted to buck the trend.

Nowadays it is a multibillion dollar business. People skilled in finding security bugs have a great array of jobs to choose from. They have to really try not to make six figures.

There are conferences monthly in every major city. The opportunity for social praise and acceptance is extremely high.

This idea fascists have about construction can build vast structures at tremendous cost. Cost that typically destroys their society. This is very different from nurturing government, which operates like a gardener and is far from a tyrant.


Vulnerability ResearcherMay 20, 2015 2:19 PM

@ZenZero

Another scenario is just plain profit.... [cost estimates discussion]

...... Fiiiiight Cluuuub ......

(And, for the record, I hated the poseurs who took up that mantle in the full disclosure movement. They defamed such an incredible movie and book. There is Fight Club II now coming out, FYI, but I am not sure if the writer is not going to destroy that pristine work of art he created in the first place. For instance, now the Tyler character's real self has a name besides Tyler, "Sebastian". Ugh.)

To the topic:

As bad as that process is, which you detail, it is not the way software security works. It might be the way the plane business works, I am not sure. I actually have a close friend who worked in that area for years, though he would studying crash data for insurance and lawsuit purposes.

For cars, the problem is the cost of recall. We see a very similar situation when security researchers find security vulnerabilities in lock systems. They are not, like software, easily updated. There is a very high cost of recall.

Many software systems are improperly designed so they are not easily able to be updated. However, due to the disclosure movement, that is not as popular as it was way back when. There have also been many other software movements where the capacity for upgrading is understood as it is: highly cost efficient.

From the vague description of these systems I have heard they can introduce software protection measures. It sounds like they probably want to change how access to the underlying network is performed at a hardware level, too, however. Granted, they may have designed it so security upgrades necessary are impossible to implement on existing hardware. I do not know. I hope not.

There are three main drivers for software security: Customers, Regulations, Risk. Risk is in its' infancy. Risk is the future. Risk has been a driver for many systems, of course, but risk really has not well been worked out for systematic approaches to get security funding very well.

There are burgeoning movements to make risk the primary driver, however. And that is good for the industry, not bad.

What that means is the security team works out like an insurance agency the numbers involved in risk factors. That must involve severity of found vulnerabilities; likelihood of attack in coherent, realistic numbers; and estimated cost of successful attack. Not at all unlike how insurance estimates work.

One major problem is there are very poor sets of data for attack. Many intrusions are not reported, and many investigations are kept secret. Even with ordinary FBI or USSS investigations, many attacks go unreported. Part of that is a kind of counterintelligence mindset, but this extends even to otherwise ordinary criminal attacks. Partly because even many ordinary criminal attacks are known or suspected to be nation based.

Another major factor is in calculating likelihood of attacks by observing data from attempted attacks on the system. It "sounds like", in this case, the airline did not even know someone connected to their network in a flight. A fact the researcher admitted to doing to Wired magazine.

How many others have attempted to do this? That is critical to know to give numbers to higher up executives who could release funding for appropriate security reviews and oversight on development.

The fact remains: training in these specialized fields remains poor. There is expensive training many can engage in via conferences, but much of that is very low brow. Security teams are regularly deeply underfunded and they tend to be very expensive to maintain in the first place. No small part of that is because of very high demand and very low supply.

A lot of the security work which has gone on with airlines has been focused on protecting customer databases. Who flies where and when. There is both surveillance involved there and counter-surveillance. eg, they are aware that if hacked, those databases could be invaluable for tracking agents and other sensitive government employees. If you know who they are and you know where they go and how long they stay, you can get a very good idea of what they are doing.

(Actually a very good example of that was in the movie, 'Duplicity'. However, that is also real world. Not sure who they got to consult on that, but obviously 'somebody'.)

Airflight security could not be more important, however. The immense expansion of resources and money post-911 is nearly indescribable. Those attackers used airplanes in their attacks. So, it would be highly unusual if this recent incident has not alerted and alarmed very many people with the resources, capability, and financing to get their act together.


Walt BoyesMay 20, 2015 2:26 PM

It _is_ possible there's a back door. When the network design for the 787 was being done, some of the designers at Boeing argued quite forcefully for the ability to patch and upgrade the avionics software in flight. To the best of my knowledge, eventually that was hooted down, and isn't possible, at least from the obvious inputs. But back door? Maybe so.

Vulnerability ResearcherMay 20, 2015 2:40 PM

@Andrew Wallace

If you get permission you are good to go.

Different countries have different laws, though all major countries, including Russia and China do work together on many aspects of full disclosure. China, especially, has a very strong record of participating in the full disclosure movement and funding programs very similar to what the US has funded for purely defensive purposes.

They share attack data, to some degree, and work on cases together. Even if, at the end of the day, they might go home from work and attack each other.

I am not sure how many of their participants in the hacking scene or in the full disclosure movement are likely funded directly and guided directly by their host government. But I would far rather they report bugs then use them for attacks.

Some entities do both, but that gives them very little deniability when the target is one that their nation would prize and the researcher who found the bug is from their country. It is even worse when they perform their attack from within their own, national boundaries.


US laws protect researchers and allow them to perform security related research on products. However, there are limitations to this. I have already discussed those limitations in-depth, above.

I did not point out, however, that these limitations can have consequences for security. This airplane incident is a good example.

However, it just can not be legalized to allow anyone and everyone who thinks themself a 'security researcher' to perform attacks to try and find security vulnerabilities on other people's systems and networks.

There is strong and safe procedures for performing security analysis, however almost invariably, these measures limit the results potentially found. For instance, to find memory based issues black box requires a wide variety of extensive fuzzing scenarios which look for crashes on the system. On the other hand, SQL Injection issues may often be discovered relatively safely via a wide variety of detection routines including relying in minimal sleep calls as opposed to data dump calls. But, I have seen even those 'safe' sort of procedures destroy databases and cause other forms of havoc.

In general, the far more productive way of finding security vulnerabilities is grey boxing: you have access to the source code, perform source code analysis, and couple that with extensive black box testing systems.

But except for open source code, white box testing is not possible for outside researchers. With systems where you do not even have access to the box, such as systems residing on a server, you can not even have access to the assembly underlying the code. So it is extremely limited in possibilities.

Andrew WallaceMay 20, 2015 2:49 PM

Vulnerability Researcher

"The full disclosure movement"

The movement was killed in the United Kingdom (John Cartwright) in 2014 after the concept failed.

And is currently on the backfoot in the United States (Gordon Lyon) as a result and on the run from lawyers, Government and advocates.

The movement in question only survives by a thread string due to low level irrelevant bugs of no substance post since Mr Lyon set up a duplicate movement.

All we need is a crazed attention seeker like the male to post something incredibly reckless and the movement will be done and dusted.

Andrew

Vulnerability ResearcherMay 20, 2015 2:50 PM

@Walt Boyes

It _is_ possible there's a back door.

It is highly likely there is a backdoor. 'Programmers like to have backdoors' (Wargames, 83). But, in terms of extensibility of code, they actually are going to have some kind of admistrative access and the capacity to update the code. The question is 'how secure is it'.

If they do not have that capacity, they are actually failing security requirements for extensibility, eg, not having the capacity for fault tolerance, not having the capacity to fix security bugs which are found.

Sadly, a lot of systems that do not have much expectation for hackers or consumer access, have, historically, not had the capacity to upgrade the software or adjust in any meaningful way for security bugs found. Because they have no security tests or even team in place. That wipes a lot of money from the cost of building the system and improves the bottom line for competitive advantage. Obviously, in the short term.

You probably mean effectively unauthorized backdoors, however... those tend to be poorly guarded, both in position of 'how to find it', and in handling authentication and authorization. They probably have that, too.

NSA looks heavily for that kind of functionality, and I would be surprised if they do not mandate analysis for airplane systems. But, as the guy could get on so easily on a flying plane, it sounds like they have not even looked at these systems, at all.

(The NSA, one of the good parts of that organization, perhaps, mandates security code reviews for all applications which will operate on DoD systems. However, that mandate goes further and includes many infrastructure systems often used or relied on by DoD. It could very well be - for some reason - passenger plane security simply was not in their realm of analysis.)


Andrew WallaceMay 20, 2015 3:09 PM

"Full disclosure movement" was chased out of the United Kingdom.

Now on the run in the United States.

When it is chased out of the Untied States where will it go next... Russia?

Andrew

Vulnerability ResearcherMay 20, 2015 3:17 PM

@Carlos, Nick P, Sancho

Nick P:

I doubt it's a honeypot. You're right about things playing out predictably in exactly the opposite way it should.

Carlos:

After all the fuss, the IES may just have been a honeypot made too real.

A bit off-topic, but a honeypot is more effective the more real it is. This is why traditional cover companies and cover divisions of legitimate companies make such outstanding honeypots. They are already faking all of their daily traffic and work, why not put in highly stealth security mechanisms to play off all interested parties who might investigate? Dual purpose technology.

It can kind of work like mate selection: you want to discourage the weak, such a poorly skilled hackers. And you want to encourage, subtly, the strong, such as nation states. Especially teams with exceptional funding and resources.

You want to say, perhaps, it is a honeypot. Because claiming that is a good security alert. But very often that can be taken as a bluff. That it forces them to consider the possibility it is a bluff reinforces their willingness that the target has treasure.

Bluffs are actually far from uncommon in security. You can find a plethora of fake video cameras and signs against a variety of forms of tresspassing which make claims that are not true.

In this case, I strongly doubt they would use active airplanes as a honeypot of detection of would be terrorists. But that would definitely be a very good idea.

Either the Airlines security team was actively watching the poster personally, or they had a firm watching them. The later is a thriving business and has been for a good ten years now.

Sancho

Don’t fall into the elite’s honeypot: Officials unofficially accuse someone until he’s guilty.I concur with Robert Graham:( http://blog.erratasec.com/2015/05/our-lord-of-flies-moment.html#.VVpY375YxKM )“Likewise, the FBI is notoriously dishonest.” [Rem: That‘s part of their job, don’t expect otherwise] “There is a war on researchers.” [Rem: Yes, if they embarrass the powerful]

I agree with his sentiments, as well. Though of my friends who often quote and rely on him, only one is a real fan. And he works in sensitive CND capacity for the US Navy.

He studied for at least a year at the NSA facility for cryptography. He might never have really been NSA at all. He only told me his story about his study after I demanded authentication of him by him sending me an email using his official account. I then studied the headers and confirmed his claim. However, the headers were not with the Navy...... but US CENTCOM.


Like Snowden and Manning, Chris Roberts did a 'Jack Bauer' and he did it for the greater good. He was able to connect to onboard networks while flying and did admit this to Wired. I doubt he ever took control of a flying plane. Even if he did, there very unlikely is evidence of that. (A fact I have not mentioned until now.)

I realize 'Jack Bauer' is the anti-thesis of citizen rights, so I use that name ironically. (Though, personally, I view the show as symbolic for the difficult decisions and struggles everyday people have to go through.)

(Torture is reprehensible. It is better to lose lives then to destroy entire institutions with such activity.)

I strongly doubt Mr Roberts will be unemployed or have significant financial problems in the long term. Even Kevin Mitnick - and Poulson - have had ample financial opportunities post-jail.


I think, with Roberts, he found himself in an unique position. He realized that there was a severe problem that could be exploited by dangerous individuals. He felt that word was not getting out about these problems. He did not intellectually plan out a process for raising awareness of those problems. But, the stress of his unique position forced him to seize the moment.

Manning was more impulsive, Snowden was far more deliberate.

Cautious.

Of the three, I do believe Snowden deserves special praise for the thoughtfulness and cunning of his actions.

But essentially, all three are the same sort of individual. Willing to sacrifice their own well being for the good of many more people.

I only wish individuals like Snowden had been in charge during the planning phase of the Iraq War.

It never would have happened.

ZenzeroMay 20, 2015 4:21 PM

"All we need is a crazed attention seeker like the male to post something" I guess talking about yourself again.

It's in the public domain that John just had enough when people like you and the just as lame nicholas lemonias spamming, trolling, harassing, derailing, and been just plain crazy and self obsessed.

Also you spent 4 years posting there, including putting up what you called at the times 0 days (which had in fact already been known about in both cases). Nice move asking google to remove posts about you by the way duckduckgo will help others see the nature of n3td3v

Gordon Lyons is not on the run, why slander and imply that about him?

"low level irrelevant bugs of no substance", actually that was you and lemonias (and some other who were were quickly shot down, remember the email you posted as yahooinsider@yahoo.com saying how great Andrew n3td3v Wallace was)

Ethical full disclosure has it's place when projects are no longer maintained or the vendor is too much of an ass to admit a problem, especially if it's been actively exploited. But of course as a non technical security "researcher" you knew that right, or is your opinion that the general public should be exploited no matter what the vendor does.

If by some miracle you decide to reply without histrionics , reply in the squid post to keep this post on track.


MarkHMay 20, 2015 4:38 PM

@Walt Boyes:

How did you come by that account of a Boeing debate?

The notion of changing avionics software in-flight is extremely bizarre, and is absolutely opposed to everything I've learned about how avionics engineering is done.

Andrew WallaceMay 20, 2015 4:43 PM

Zenzero

Personal attacks on me have no place here I suggest you refrain from it as it just disrupts the discussion and upsets everyone.

Andrew

Andrew WallaceMay 20, 2015 4:49 PM

Zenzero

I'm against the publication of unpatched technical software vulnerabilities without the permission of the Government or vendor.

Live with it and move on.

Andrew

Nick PMay 20, 2015 5:22 PM

@ MarkH

Stupid has nothing to do with it. That's a strawman you're bringing up. Our concern is that smart engineers have to follow orders and create solutions within parameters *defined by management*. Management wants maximum consolidation of hardware with the hardware and software logic replacing prior protections using hardware isolation and interfaces. The question is: does the specific design of the networks or internetwork allow a smart attacker to bypass it via software, firmware, or hardware attack? So far, many *brilliant* engineers have failed to stop this in network devices if traffic flow was anything past one-way UDP and there were bad ideas there, too.

Back to the case at hand. You say that you think they'd go the extra mile to do everything they could. They certainly do that for many aspects of avionics. Yet, those are regulated and this has an exemption of sorts. Yet, they might go the extra mile to reduce liability by sacrificing profit. Also, you quote a guy who says he knows there's a data diode in a specific plane. So, if one believes the witness, they can believe hackers couldn't ever breach an A380 and traveling on it is quite safe. One can similarly doubt the risks and reject attacks on any plane via IFE if we trust your claim that airplane manufacturers will choose risk reduction over profit. So, there's some confidence there.

However, this is great news for Chris Roberts: he can just get an aerospace engineer to testify planes use data diodes and strong security that make what he allegedly did impossible. They simply can't be taken down by hackers targeting IFE. He gets to be embarrassed a bit for his lies. Yet, he avoids that serious conviction and only has to fight lesser ones.

re updates

NASA installs such functionality for its space missions to handle catastrophic failures in flight. The airline industry might consider something like that. They already monitor systems for fault prediction. Fixing simple, but damaging, faults in flight is one step away from that. I doubt they'd implement it, though, as the risk is too high for a tiny benefit. IVE's are considered a competitive advantage and so they were implemented.

Sancho_PMay 20, 2015 5:48 PM

@ MarkH

You had a great song about aviation technology, I’d love to sing along with you, seriously.
There’s only one sore point:
In case someone claims our (safety) control system is vulnerable we’d say “Challenge accepted, 50k if you show it to us”.

Instead there is - exactly what - from Boeing / Airbus?
Did the sue that guy for defamation?
Or are they singing “Silence is golden, golden” instead?

@ Skeptical

The question whether he did or did not access is the smokescreen for the public.
”…and fired it in our direction” reveals your thirst for retaliation.

I’m not amazed that he could access the IFE but would be shocked if he could have accessed safety critical parts / control systems.

The real question is vulnerable or not from what he claims.
They could have answered that question since years (?).

Nick PMay 20, 2015 6:10 PM

@ Sancho_P

There is a semi-response here. They claim IFE is connected via ARINC-429 and AFDX/Ethernet. ARINC-429 is uni-directional and should not cause problems so long as the uni-directional part is implemented correctly. AFDX, on the other hand, seems to have everything connect to redundant switches which police the system in software. That makes it subject to attack in similar ways as prior firewalls. Its better design will certainly help reduce risk but how much?

The problem is that the GAO report said FAA officials and industry experts told them the opposite of what the Boeing guy says publicly. Key details start at p 22. Keep in mind that the security professionals talking about specific risks are actually generalizing and are unlikely to understand avionics architectures. Their comments may or may not be applicable. Even filtering them out, the rest is still troubling.

SkepticalMay 20, 2015 6:13 PM


@Justin: The FBI can't very well say, "Either he hacked into an airplane or he lied to us," and lock him up. They can't just take "measures" to prove or disprove whatever they want. They need actual evidence.

Either (1) Roberts actually and without authorization accessed networks and computer systems on board an aircraft in commercial operation, or (2) Roberts actually lied about doing so to the FBI.

In either case, he committed at least one felony. And while I'm willing to entertain the possibility that there was an error in transcribing his claim about accessing the flight management system, he made numerous claims about accessing aircraft networks. I doubt they were all errors.

As I said, I'm not sure he realized the difference between boasting on Twitter and boasting to federal agents interrogating him. You can lie on Twitter without committing a federal offense. But the same lies, when made to federal agents, may cause you to fall afoul of 18 USC 1001. Note to those fond of big fish stories: your reward for bullshitting federal agents is likely to be the dubious of honor of becoming the focal point of a federal criminal investigation.

The "measures" that the FBI are taking to prove or disprove his claims are aimed at gathering precisely what you described as needed: actual evidence. Hence the search warrant. Hence the examination of aircraft on which Roberts has recently flown. We can imagine that the FBI has also interviewed certain relevant experts and potential witnesses, and that their digital forensics teams are engaged.

Make no mistake: this appears to be a full investigation, and barring some rather extraordinary cooperation and honesty from Roberts, along with a very good attorney, I'm doubtful that Roberts will escape from this without pleading guilty to criminal charges. The only question is how severe those charges will be, and that's within the discretion of the federal prosecutors who are likely already involved.

Needless to say, his ability to travel by air is also likely in jeopardy, if not already terminated.

This guy seems to have been real careful in the claims he made, as outlined by MarkH.

I don't think he could have been more self-destructive, actually. He has ensured that, should a prosecutor so desire, he can be successfully charged with one or more felony counts.

More unfortunately, that self-destructive recklessness is of a piece with the kind of recklessness that might lead a researcher to poke around a plane's computer systems while the plane is in flight.

As to how he escaped notice of other passengers and the flight crew while allegedly tampering with the aircraft, depending on his technique and the knowledge/degree-of-attention of anyone with line of sight, it's plausible that he escaped scrutiny at the time. And in this he was quite fortunate. On another aircraft, or seated with different passengers, he may have at best found himself restrained while the pilots made an unscheduled stop, and at worst an angry passenger might have found creative uses for any cables he was attempting to connect to the SEB.

Andrew WallaceMay 20, 2015 6:37 PM

"Make no mistake: this appears to be a full investigation, and barring some rather extraordinary cooperation and honesty from Roberts, along with a very good attorney, I'm doubtful that Roberts will escape from this without pleading guilty to criminal charges."

The male deserves the book thrown at him. I have no sympathy at all. I doubt anyone apart from John McAfee will try and defend the individual.

Andrew

MarkHMay 20, 2015 7:37 PM

@Nick P:

A propos of straw men:

Where did I "claim that airplane manufacturers will choose risk reduction over profit"? That is pure fabrication: shame on you!!! To my recollection, I've never done that to anybody on this blog, and I consider it unconditionally wrong conduct in any forum of discussion. You're out of bounds, son.

According to my analysis of aviation stats for recent years, airliner designs brought into service during since 1995, as operated by North American and European airlines, are presently experiencing one fatal accident per approximately three million departures.

As far as I'm concerned, there is some Mighty Righteous Engineering going on somewhere. I dunno, maybe some of the people who write comments here could do better?

Airplane manufacturers maximize profit: that is their sole business objective, as is normal for large commercial enterprises. So, why don't they simply cut costs until shards of aluminum daily rain down onto us from the stratosphere?

In my opinion, their mysterious failure to make their products wretchedly unsafe has two principal causes:

1. Each new aircraft design undergoes a type certification process, which is under the control of a government agency (which is not answerable to the stockholders of the airframe manufacturer more than it is to the passengers). Insofar as I understand this certification process, it is rigorous and conservative.

2. The manufacturers have determined that defects resulting in accidents tend to impair profits, so that their maximal profit is consistent with maintaining not only a strong safety record, but a record of steadily improving safety.

ZenzeroMay 20, 2015 8:01 PM

@ MarkH

"Where did I "claim that airplane manufacturers will choose risk reduction over profit"?"

So are you saying airline manufactures do choose profit over risk reduction or am I missing your meaning?

65535May 20, 2015 8:03 PM

@ Nick P

I went back and re-read Ken’s posts. I did not find them fully persuasive. You could be right.

“… search for "AFDX" on Google - stands for Aircraft Full Duplex Ethernet - standardized as ARINC 664. The avionics data networks on those two planes are built on this technology. One of its main characteristics is that all message flows are pre-declared, and their bandwidths pre-allocated. The source/destination of all message flows (called Virtual Links in AFDX-parlance) are statically stored in the switches, which validate the source/destination/port # of every frame that flows through them. With this architecture you cannot get an arbitrary frame onto the network. If you try to inject one, the switch you are connected to will reject it unless it is a predeclared message."-Ken

[Ken]

"...you working on one of the HACMS teams? I have some former colleagues who are working that project. I am about to start on one of the related projects out of the same contracting office."

https://www.schneier.com/blog/archives/2015/04/hacking_airplan.html#c6694153

https://www.schneier.com/blog/archives/2015/04/hacking_airplan.html#c6694127

“Interesting links. I cut my teeth in avionics working on the B777 and a variety of biz jets and commuter jets. I agree with your observation that there aren't enough people who are both competent in safety critical and security critical technologies.” –Ken

http://www.artist-embedded.org/docs/Events/2007/IMA/Slides/ARTIST2_IMA_Itier.pdf

https://www.schneier.com/blog/archives/2015/04/hacking_airplan.html#c6694154

Ken makes some good points about fire-walling off the IFE system with the navigation system. But, I cannot make a judgment.

It still appears those two system use the same antenna and modem which is not separated. I would assume that is not 100% secure.


Andrew WallaceMay 20, 2015 8:36 PM

NSA want to listen into what a passenger is saying: the in flight entertainment system would be desirable to compromise...

and how would the NSA do this,,,

Via the cockpit.

Through the navigation system that is connected to the engineering team on the ground,,,

Where there is a known data channel sending data back and forth on plane performance known as diagnostic data.

" The male " may have stumbled upon a select few planes that NSA have chosen to have rogue in flight entertainment and cockpit connectivity.

Andrew

FigureitoutMay 20, 2015 8:58 PM

MarkH RE: strawmen
--Nick P like most everyone else gets defensive if you call them out a little, perhaps applying some of that "peer review". Sometimes there's some lengthy, messed up reasons for that...but it needs to be said. There still doesn't appear to be many avionics engineers clearing the air here; maybe some of them are in shock/freak-out mode.

No, it is indeed indicative of the state of for-profit engineering (the term "over-engineer" comes to mind, the company will go broke unless you specialize in one small aspect of a market and become essentially a monopoly) and the security industry that can't dispel myths immediately (barring a hack you've never heard of, which is, well..makes this annoying). Many old-school engineers not familiar w/ the new risks of new age attackers, malware and APT's will scoff at some of the scenarios brought up too.

And no doubt, the airline industry overall does solid engineering (I think they're forced by law to not shave costs and cut corners in some areas, so they'll cut the free peanuts and sh*tty blankets). No, the skills between finding vulnerabilities and making a secure system are quite different; I bet many people here would fail like everyone else (b/c it only takes 1 fail to fail in defense, attack only takes finding or inducing 1 fail to win) due to the all too familiar "killer bugs" found deep in firmware you didn't write; or god-forbid a hardware issue which takes more money if you can't hack on your dev. boards w/ chips that now-a-days have pads underneath them instead of pins.

Coyne TibbetsMay 20, 2015 9:36 PM

@Vulnerability Researcher "Either the Airlines security team was actively watching the poster personally, or they had a firm watching them. The later is a thriving business and has been for a good ten years now."

I would buy that, since it appears the airline industry has unlimited money to keep a watch on web, and not only that but to suppress undesirable thoughts.

In this blog, and another one I frequent, there are posters who seem to be fairly obvious shills for the industry. They coordinate around one central argument: "ARINC 664 is secure; airplane networks are secure." Anyone who suggests otherwise (whether the challenge is specific or based in security industry expertise) is wrong, wrong, wrong.

Watching some of the arguments here, and based on the arguments I encountered in the other blog, they are prepared with counters for a wide variety of arguments, and can sometimes even seem to be considering reasonable arguments. But, ultimately, it always comes back to the core argument.

It's a little disquieting: there are thought police.


Nick PMay 20, 2015 10:13 PM

@ MarkH

I think you're taking my post a bit too personally. I'm not even saying you're intentionally misleading anyone. You just keep bringing whether engineers or companies are stupid. I called it a strawman for reasons I indicated: smart managers and smart engineers will rationally choose options that increase risk if they think benefits are great enough and liability is low. They don't have to be stupid in a business or technical sense. It's a tangent you're bringing up that distracts from what my side is really concerned about: management's priorities, their requirements, and what engineers did about them.

"claim that airplane manufacturers will choose risk reduction over profit"

They have two options: put more electronics in for all the competitive advantages that equal more sales (i.e. profit) or keep the complexity down where possible to increase safety. We've seen them lean much more toward complexity and profit in recent designs than safety. You said, though, that without a regulation for *security* that you were confident that management and engineers made the sacrifices for security anyway. Those sacrifices would cost considerable money and extra fuel usage while working against some of their integration goals. The implication was that you thought they'd choose the lowest risk option even if it cost a shitload of money over all their plane sales. The implication equals the quote above.

"airliner designs brought into service during since 1995, as operated by North American and European airlines, are presently experiencing one fatal accident per approximately three million departures. As far as I'm concerned, there is some Mighty Righteous Engineering going on somewhere. "

I've covered their incredible work here before and in this thread to a degree. Yet, you didn't mention those results came via the regulations for safety-critical engineering and proven liability for failures. They also have plenty to build on with engineers that live and breathe it in a field with decades of experience applying that knowledge. Then, there's this new thing they're trying to do: security. It's something they don't know, haven't tested, and even asked for special treatment (read: waivers) for. Whatever they did for safety in regulated, safety-critical systems doesn't tell us what they'll do for security in poorly-regulated, security-critical systems.

"The manufacturers have determined that defects resulting in accidents tend to impair profits, so that their maximal profit is consistent with maintaining not only a strong safety record, but a record of steadily improving safety."

And now you finally get to my point. The manufacturers *management* does a cost-benefit analysis of each thing they do. They tell the engineers what they want done. The engineers tell them it won't happen, they should be able to do it, or it's done. Management wants consolidated networks, IFE, and so on for all the profit it will bring per their publicly-stated goals. They also know there's no security certification, liability for security flaws isn't a sure thing, and there's plenty of regulatory wiggle room. What will they do? Turn down the profit and risk getting left behind by competition because their engineers said it might get hacked? Or take the profit along with their engineers word that they applied rigorous protections?

Looking at how Boeing and Airbus are battling it out along with their new planes' reliability record... I'm leaning in one direction more than another.

Stealth MonsterMay 20, 2015 11:10 PM

@Skeptical

Either (1) Roberts actually and without authorization accessed networks and computer systems on board an aircraft in commercial operation, or (2) Roberts actually lied about doing so to the FBI.

This has already been said multiple times above, but the researcher admitted to Wired magazine that he has accessed airplane systems on active airplane flights.

From the article:

He [Chris Roberts, the researcher in question] told WIRED that he did access in-flight networks about 15 times during various flights but had not done anything beyond explore the networks and observe data traffic crossing them.

http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/


This new paragraph which has been thrown out to the press is from a leaked snippet from a multi-hours long discussion with the FBI.

Why they decided to leak that - and other information about the case - truly boggles my mind.

However, it makes a good point: maybe he could have. And that should scare the crap out of people.

The researcher, Chris Roberts, denies that the leaked snippet of the conversation is in context. Yet, he has admitted to violating the law in accessing systems not his own and without proper authorization. Why would he admit to '15 instances' of that crime, and deny this other crime?

The prosecutor probably, rightly, felt the case was too risky to pursue from that leaked snippet of the conversation. I would have to agree, especially if it was wildly out of context as it appears to be.

The prosecutor may also believe that merely accessing a network for passive observation does not constitute clear violation of the law forbidding unauthorized access to computer systems. I think they may have a point there. It is sketchy.

The real problem lies not with the researcher, but with the airlines. And, I am sure, other airlines. Why can any passenger access their onboard networks? That... is... insane.

If he goes to jail or not really does not matter. Putting him through the process of a trial would mean a lot of negative publicity for the DoJ and that specific prosecutor.

No prosecutor likes a lot of negative publicity.

In my opinion, Chris Roberts acted poorly, but he was aware of dangers and felt a pressing need for others to be aware of the same dangers. He did not hurt anyone and genuinely meant well. Prosecution of him would be pointless.

What is necessary to be investigated and followed up on, in this situation, is "can passengers access plane networks". That should be the government's priority. And they should get on it fast.

Before, say, some ISIS asshole decides to try and outsmart the US law enforcement, intelligence, safety, and transportation infrastructure and make everyone involved look like complete idiots asleep on the job.

Stealth MonsterMay 20, 2015 11:28 PM

@MarkH

As far as I'm concerned, there is some Mighty Righteous Engineering going on somewhere. I dunno, maybe some of the people who write comments here could do better?

That seems like quite a cocky comment. My read on the regular posters here is that they work for a living and have intelligent comments to share. They may mix socializing with their job, but who can fault them for that.

In my opinion, their mysterious failure to make their products wretchedly unsafe has two principal causes

A passenger was able to access onboard flight networks 'around 15 times'.

A concern was expressed by the FBI regarding this. That this was possible. That it was also possible that person may have been able to take over control of the inflight aircraft.

Correct me if I am wrong: but I think plane engineering and maintenance is a very different field from computer software.

I mean, I have known some people who are pilots and who are accomplished in flying planes. Or investigating plane crash sites for insurance companies. Which is a job and kept him well employed.

One crash can mean an extremely significant business hit on an airlines.

I think that there are a lot of times where we can applaud the airline industry for their rigorous vigilance.

But? An airline passenger was able to access onboard networks during a flight 'around 15 times'.

I am not sure about all that "safety and transportation" stuff. It bewilders me. Almost rocket science, right? But, I know computer vulnerabilities well (though just my "day job"), and I got to say: my confidence meter is really drained from this incident.

Like 'holy shit'. Did anybody test any of this, at all?


GaryMay 20, 2015 11:37 PM

My first reaction is why have an inflight entertainment console at all? For the purpose of safety, I can fly without being fed movies, tv shows, news, music, games, and or other amusements from a tv screen. What's wrong with getting to know your fellow passengers, stirring up conversations with flight attendants, telling and hearing from them (fake?) personal stories about their lives. etc. etc. etc. or just bring a few good books to read during flight. The whole concept of needing to be "entertained" by a tv screen isn't very appealing to me.

This is probably a case where risk vs. profit shouldn't even be a discussion, but I'm not an avionics engineer nor do I own an airline and I very seldom travel, so please just read it like another internet comment.

Stealth MonsterMay 21, 2015 12:04 AM

@Coyne Tibbets

I would buy that, since it appears the airline industry has unlimited money to keep a watch on web, and not only that but to suppress undesirable thoughts.

In my job, sometimes I do interviews with companies, just to talk to them. For instance, I interviewed Heartland Payment Systems after they got hacked, and I interviewed NASDAQ after they got hacked.

One company I talked to was in Virginia. They did a lot of government work, as one can imagine. But, they also provided a service for companies to watch 'the web' for mentions of their name and products and services. Big companies depend on these sort of watchers. It is a service.

Some South Korean and Taiwanese firms go even further. Not so unlike China's vast system of people who frequent forums and try and watch anti-'China regime' conversation. Maybe that is an Asian thing? But they not only watch web traffic, including 'the dark web' and irc channels, and other side channels... but they jump in and try and operate as propaganda artists.

Anyway, in the West, it is a common and popular service which big companies buy into...

But, in the West, they tend to be passive, and not engage.

I often make honestly critical comments on western companies (as well as foreign nations and foreign companies) and see if anyone suspicious jumps in. It is an amusing endeavor. Of course, these sorts of individuals are poorly paid and effectively amateurs.

I really have not studied Chris Robert's resume, so I am not sure if the airlines' security firm might have relied on such a service, or if he had not personally piqued their airlines' security department already...

In this blog, and another one I frequent, there are posters who seem to be fairly obvious shills for the industry. They coordinate around one central argument: "ARINC 664 is secure; airplane networks are secure." Anyone who suggests otherwise (whether the challenge is specific or based in security industry expertise) is wrong, wrong, wrong.

Really? I will have to pay more attention. I do not see many posts about airline security.... so figure you must be mentioning a poster in this thread. :-)

I think that this incident raises some righteous alarm. People need to get their act together and fix the problems.

Watching some of the arguments here, and based on the arguments I encountered in the other blog, they are prepared with counters for a wide variety of arguments, and can sometimes even seem to be considering reasonable arguments. But, ultimately, it always comes back to the core argument.It's a little disquieting: there are thought police.


Personally, I rarely pay mind to the airlines industry, so I do not have much comment there. Metaphorically, airplanes are important to me. I like the whole idea of flying above it all. A lot of my friends are pilots.

What comes to mind for me, foremost, however, is I love and encourage shills. They are typically low IQ individuals that do not make much money and have very little power or influence. I would love to find one who actually is challenging to engage with. I get migraines from unused brain cycles.

Unfortunately, however, for a paid shill, they are just not going to be that good at their job. Even ... one unnamed poster here... two... I think that they just operate as a 'devil's advocate' to keep positive conversations flowing. :-)

I mean, as fun as it is to always listen to the choir, it is often nice to hear from true adversaries with some manner of vested stake in things.

Nothing quite like gunning down a sophisticated, super intelligent adversary who is deeply invested in their malicious ... projects.

But, then, my own wife says 'I live for outsmarting'.

Without any villain - and here I must credit Nietzsche - there is no heroics.

Still, I look forward to the day when such dirty efforts must not be maintained any longer.

Doctors live to cure people, what are we without our precious diseases?

Or, what is fire without fuel?

If we want anything really interesting, we need a really interesting villain. Where are they?

Cowering in theirs schemes, I suppose. Shaking in holes in the ground. Confused about the changing times. Dread, missing bravery, they hide under rocks. Who can blame them, I suppose? No one wants to die.

My own company suffers enormous slander, consistently, and of a very sophisticated sort. Dealing with the low dollar shills is not worth much, besides for identifying one's self to their bosses as a threat. They are all part of the same organization, they will never change. Nor will their bosses. You just can not fix some people who are broken. It is who they are. Even if you do, they would come out as entirely different ... people.


Stealth MonsterMay 21, 2015 12:17 AM

@Gary

For the purpose of safety, I can fly without being fed movies, tv shows, news, music, games, and or other amusements from a tv screen.
...
This is probably a case where risk vs. profit shouldn't even be a discussion, but I'm not an avionics engineer nor do I own an airline and I very seldom travel, so please just read it like another internet comment.
...
What's wrong with getting to know your fellow passengers, stirring up conversations with flight attendants, telling and hearing from them (fake?) personal stories about their lives. etc. etc. etc. or just bring a few good books to read during flight.

A lot of times, passengers do not want to strike up any kind of conversation. They are tired and do not want to hear the boring details of people next to them with their boring lives.

"Fake stories", I think only sociopaths with severe mental problems are glib with fake stories. Sometimes, for security reasons, I start to attempt to tell 'fake stories', but I just find I can not do it.

I have some friends who tell stories that resound, on one level, as 'fake'. But, on closer inspection, it is just that they are trying to communicate, and end up being forced to use metaphor which is deep to do so. I am not them, but I understand. Because I get the underlining meaning behind the metaphor.

Have not been flying much recently, but when I do, I definitely appreciate some good television, though I always have a book handy.

I think, to isolate the problem, you have to get at the facts. A passenger was able to access the internal networks of the flight system. Very possibly, they could have circumvented control of the plane. Having entertainment systems did not make that happen. Poor separation of networks allowed that to happen.

As Schneier said, and I agree with, the entertainment systems and the flight control systems simply should have no connection.

Not 'rocket science'. Maybe lower stratosphere science... I guess...

Stealth MonsterMay 21, 2015 12:41 AM

@Skeptical

Note to those fond of big fish stories: your reward for bullshitting federal agents is likely to be the dubious of honor of becoming the focal point of a federal criminal investigation.

Oooh, such muscles. I would not say I lie for a living. I consider it acting. In fact, I believe I am incapable of telling a lie. What I do, instead, is simply manipulate the facts so I do not tell people the whole story. I am deceptive, like a small hole in the ground that actually goes all the way to China.

Thankfully, I rarely have to deal with special agents of the FBI. The last time I did I got extremely angry at them and really tore them a new asshole. The good reason for that was because they found my stories I was telling them funny and laughed about them. In context, I was actually meeting key new coworkers for the first time at a core infrastructure company you probably do not want to know I had access to.

I was extremely nice to them during the interview, despite the fact that we took the conversation outdoors due to my preference, and we were followed by some individuals who clearly were suspicious.

Admittedly, in both getting angry at them, and at getting bothered at the followers, I was overacting.

My dad does the same thing. He would make critical statements to my wife. My wife would get deeply bothered. My sister would try to explain he does not mean what he says and 'just says things'. She did not understand. I am the same way.

My point is, I suppose, that as amusing as it is to hear someone defending the federal government for lying to them, that the reality is: anyone who really gets anything done is effectively a professional liar.

We may consider such terms as "actor" or "actress", but fuck yeah, we lie to federal investigators if we ever have to cross paths with them. And that for their own good.

Like me, we usually do not have to do this directly. We just do not have to tell them the full story. Like, uh, 'okay, so me stating that I am this? I am really that. But I do have a job as this, so you should just keep to this level. Not that.'

Five million in the US with clearance. More like fifty thousand who actually do anything.

We provide the product. Everyone else analyzes it. To death. Replicative like all hell, and frankly, they do not have the slightest clue as to what is really going on.

If you want to know.

Which? I guess you do. Because that is exactly why people like your self make bold accusatory statements like you have made here, online.

As tuned in and as patriotic as you claim to be, the reality is that anyone with any manner of secrets at all will always lie to federal investigators by at the very least not giving them information which they simply can not handle.

No offense. But, everyone else, is just a jerk off. They are simply being jerked off and simply jerking their own selves off. They are completely useless for anything but a diversion.

This case is exceedingly simple: Fix the God Damned airplanes so passengers can not access the onboard network control systems. Stop fucking around and get the fuck to it.

Apologies are not necessary and worst then useless.

As for 'us', if you ever meet any of us, everything we tell you is hundred percent true. Just not the full truth. And? How else do you consistently tell lies congruently and get away with it?

Nobody wants to know the full and complete truth anymore then they go to psychics and want to know the time and circumstances of their own death.

Want to know the future? The near term future? America's economy collapses after engaging ISIS in a full time exercise. Extreme and extraordinary military activity is called in the Middle East because of significant failures in Syria and Egypt. Yes, the global economy implodes. Those who were rich now will find themselves penniless.

Globral psychological and emotional trauma will be extremely severe.

That is the truth.

Did you really want to know that.


Stealth MonsterMay 21, 2015 1:11 AM

@Skeptical

Actually, I suppose I should leave here with some valuable life lessons. The American government, as all for God forsaken mighty as they appear to be, actually does not know fuck shit of anything. :-)

My smile there is because I actually have to force vulgar language to communicate with people.

Case in example one: my daughter told me today how kids at her school were saying 'Bush is behind 911'. I corrected her. Bush was not behind 911 but he was behind the Iraq War which was based on a fraud.

Now, a halfway intelligent human being would wonder about that. Why would the American authorities expend all of their vast might and intelligence on a fraudlent war. This same day I was book shopping and considering purchasing a book by John Poindexter. I read the reviews and realized he made the case for "Operation Desert Storm" based on another level of fiction. Which I knew was complete bullshit.

America, like Cyrus of old, is but an useful idiot.

Their leaders, like their personnel know 'not the fuck of what is going on'.

Lotsa boasting, lotsa of posturing... by a lot of folks who are getting exceedingly old and shrunken up like grapes in their old age.

Withering, drying grapes on the vine good only for vinegar, and never for wine. Bow down and worship your gods, humanity, they have spoken! Lol. The cannibals and portent worshippers of the priests of human sacrifice have spoken. And see how they are dying, warped with age, transforming into their true form. May we all clap and celebrate their passing. Because they are the very ones who demanded whoreship and lied to everyone, to have their sons and daughters maimed and killed for their monetary profit.

Sadly, I can not emphasize, being immune to the disaster that effects their soul. I can only fear their example.

Plastic surgery does them no justice.

The United States of America, like their allies, were cajoled into activities for minor and very short term profits by entities far beyond their own understanding. Why? To motherfucking transform the Middle East into our own making by forcing a day of reckoning.

I state this not merely to gloat, however, but to point out just how blind that vast infrastructure is. It did not have the intelligence, the knowledge, to know that Saddam Hussein did not have either WMD nor ties to Al Qaeda. Saudi Arabia and the rest of the Middle Eastern world were definitively correct. You should not have removed him.

So, in consideration, of such incredibly massive blindness unknown to the precious ruling nations of the world, except for Ramses... why on earth, today, would anyone continue to worship such a clear monstrosity?

As glorious as the founding papers and sentiment were... the very worship they engage in today demands complete and total negation of all of that and full embracement of the sort of fascism best seen in Hitler and Stalin.

Surely, there must be some rung of truth in such deeply treasonous belief systems?

Just a little?

How more of a fraud and how more deeply of a liar can hypocrites ever possibly hope to be?

Well. I hope the moderator feels that someway, and somehow, as strong as my language is it might hope to have some manner of relevance and stay.

Maybe it is not a direct answer to specific questions regarding airline security, but I believe it is a very direct answers in regards to the manner of ... failure of intelligence... which is symptomatic with the current system of the United States of America.


BuckMay 21, 2015 2:00 AM

A TX-only 'ether-diode' is still a complete circuit. A strong enough counter-current could easily fry some chips in that firewall (if the CAT cables don't catch fire first)... I don't know anything about this, but I'd imagine that some very well timed electrical signals could indeed interfere with the device's expected operational constraints. To me, it would seem more difficult if the data-diode were IR or otherwise optical in nature, but I'm sure others smarter than myself (@Clive Robinson) know better! Besides, it's not as if the cockpit is a SCIF... I mean, the door can open in-flight, right?

Whatever -- the easy route is leveraging known vulnerabilities... Who has the authentication/authority to patch/upgrade those avionics firmwares..? Which vulnerable endpoint software do they use for this task? How likely are they to *never* have any of their personal devices hacked??

The bigger questions have been ignored here so far...

Who could possibly benefit from a loss of confidence in airline travel? Even the 'terrorists' need our drugs/money/recruits to survive... If it's a matter of security by (NDA) obscurity, I hear there are some failed states with spare planes laying around...

Who stands to gain the most from this widespread media speculation?
Chris Roberts for potential future career opportunities, FAA for proving themselves competent, FBI for another successful bust, DHS/TSA for not looking too bad, insurance companies because it's business, terrorists for the terror, the rest of us for real additional security..?

SkepticalMay 21, 2015 5:50 AM


@Stealth: This has already been said multiple times above, but the researcher admitted to Wired magazine that he has accessed airplane systems on active airplane flights.

You haven't read the search warrant.

The FBI interviewed Roberts in February, in which he stated that he had accessed the IFE systems on multiple aircraft, and in which he described what he judged to be vulnerabilities to the FBI and asked that they be fixed.

The FBI warned him that accessing those systems was illegal, and warned him not to do it again. Roberts called the warnings "very civilized."

A couple of months later, in April, Roberts made his now infamous tweets, which were detected by United Airlines and reported to the FBI. Being well aware of Roberts's previous claims and capabilities, the FBI again interviewed Roberts, and further examined the SEBs close to Roberts's seat on his most recent flights. Evidence was found indicating that the SEBs had been tampered with so as to allow access.

At that point, the FBI were in possession of the following facts:

(1) Roberts had claimed in February to have accessed the IFEs of aircraft, and had claimed to be able to access flight systems.

(2) Roberts was warned against doing so again, and warned that he may be prosecuted for doing so. He was warned that doing so could endanger the aircraft.

(3) Notwithstanding those warnings, there is evidence that Roberts did again access the IFE without authorization via the SEB.

So, Roberts had been given a warning, had been told of the possible consequences of his actions, and appeared to have ignored the warnings and continued with his actions.

Result: he is now an excellent candidate for criminal prosecution, and his statements to the FBI in February can certainly be used in such a prosecution.

The prosecutor probably, rightly, felt the case was too risky to pursue from that leaked snippet of the conversation. I would have to agree, especially if it was wildly out of context as it appears to be.

Roberts likely escaped with a warning in February because of the good faith he had shown, though I have little doubt that charges were considered. He apparently went to them voluntarily to disclose his actions with the hope of aiding in the improvement of security. Good faith and good intentions actually do matter in a decision whether to prosecute someone.

The prosecutor may also believe that merely accessing a network for passive observation does not constitute clear violation of the law forbidding unauthorized access to computer systems. I think they may have a point there. It is sketchy.

What will bury Roberts is the flaunting - if he did - of the warnings he was already given. That takes him from "well-meaning but misguided in method" to "someone whose unlawful conduct cannot be deterred by mere warnings." The next step is criminal prosecution.

If he goes to jail or not really does not matter. Putting him through the process of a trial would mean a lot of negative publicity for the DoJ and that specific prosecutor.

No it wouldn't.

Sadly, I can not emphasize, being immune to the disaster that effects their soul. I can only fear their example.

Interesting locution.

The United States of America, like their allies, were cajoled into activities for minor and very short term profits by entities far beyond their own understanding. Why? To motherfucking transform the Middle East into our own making by forcing a day of reckoning.

"To transform the Middle East into our own making"? I'm not sure what that means.

I state this not merely to gloat,

It's curious that you would want to "gloat" about an unnecessary war.

however, but to point out just how blind that vast infrastructure is. It did not have the intelligence, the knowledge, to know that Saddam Hussein did not have either WMD nor ties to Al Qaeda. Saudi Arabia and the rest of the Middle Eastern world were definitively correct. You should not have removed him.

Most of the world believed Hussein to have WMD, or a WMD program.

That is a separate question from whether such a problem is best remedied by an invasion. On the question of remedy, there was quite serious disagreement both among and within governments.

If you wish to conclude from the mistake of the war that the US is "blind", feel free to do so. It's a conclusion so obviously ridiculous that I'm not going to waste energy beyond this sentence in contradicting it.

So, in consideration, of such incredibly massive blindness unknown to the precious ruling nations of the world, except for Ramses... why on earth, today, would anyone continue to worship such a clear monstrosity?

You're simply confused. It's not a question of worship. Some of us understand that though the US, like every other country, makes mistakes, it actually does believe in democracy and human rights, and it actually does spend significant blood and treasure defending those things. For European allies - for those who actually train with US forces, who have fought with US forces, who receive aid and intelligence from US forces, who know all too well how essential US forces are to their own security - this is a fact made clear beyond all doubt through decades of joint efforts in some of the most perilous periods of humanity's existence. This is why the bonds between Western and democratic allies run deeper than some in Russia and China will ever understand.

Andrew WallaceMay 21, 2015 6:29 AM

"Andrew Wallace • May 20, 2015 8:36 PM

The male may have stumbled upon a select few planes that NSA have chosen to have rogue in flight entertainment and cockpit connectivity."

It could be that his seat and row was compromised for the purpose of listening into *him* and he reversed the hack intended to target him.

NSA or a private sector company would have had a heads up about his row and seat number to target him for surveillance.

Although have unwittingly given him cockpit access.

Andrew

Nick PMay 21, 2015 7:24 AM

@ Buck

That's actually worth considering. You'd have to be able to control the voltage from the receive-only computer that you hacked. I think the Ethernet circuits operate in a fixed range of voltage that's acceptable. I could be wrong, though.

Clive RobinsonMay 21, 2015 8:06 AM

@ Universal Datagram Person,

You've written a lot about safety system communications for no reason because you seem to have misunderstood the sentence you quoted.

Err no I guess your POV is off.

I've made it very very clear that timing in terms of both latency and skew are of importance to control systems. Having worked on industrial and avionic control systems at one point or another it's a problem I've butted up against on more than one occasion.

I've also made it clear that in general IP networks are unreliable and random in sending data to networks. I further made it clear that the issue of data collisions effects the network by adding extra data in the form of repeates, and whilst this is generaly not of consiquence to entertainment systems it is for control systems. Further I've pointed out that things get worse in a nonlinear way with increasing load on the comms network and can lead to "perfect storms" where the actual transmission of data drops to zero and it is very dificult to the point of being impossible with normal test rigs to predict or simulate such events.

What is being discussed is a shared network with control endpoints being issolated by a data diode or pump/sluice etc. The simplest and most reliable in terms of issolation is to cut either the TX or RX pairs in a network cable. Whilst this works for a very limited subset of uses such as passive RX it tends to not function with control systems where data needs to be primarily reliable and timely.

Other ways by using routers and firewalks are not reliable in terms of issolation as god alone knows how many hacks have shown.

But on the very big assumption you could find an active device that had software that does not have exploitable code, you still have the timelyness and reliability issues.

I could go on at length but I realy do not want to write "Secure Control Networking 101" to the blog, as long posts tend to annoy other readers unless the thread isnearly dormant.

Andrew WallaceMay 21, 2015 10:57 AM

I'm hoping to hear any day now that the male has been taken back into custody and charged with a series of civil aviation offences otherwise I will have lost confidence in FBI Cyber Division.

Questions will need to be asked to how FBI came to their decision to release without charge.

As an industry this incident has been too important to ignore and brush to the side.

Andrew

MarkHMay 21, 2015 11:24 AM

@Buck:

If I understand correctly the vulnerability you have proposed, the effect would be that the seat-back screens would stop showing their moving-map displays of the plane's position correctly.

Not a very dramatic security break, it would seem.

Or did I miss something?

MarkHMay 21, 2015 12:30 PM

THESIS: ROBUSTNESS AND SECURITY ARE CLOSE COUSINS

A key concept of security engineering, is that engineering systems to be "reliable" (by whatever presumed criteria) is very different from engineering them against active malicious attack. This is plainly true, but can be misleading.

I define here "robustness" to mean the capacity to retain functional integrity (or at least, to minimize the reduction thereof) under abnormal conditions. Robustness is one pillar of designing systems for reliability.

In general robustness enhances security, and lack of robustness impairs security.

Example 1: In the 70's, I had a friend who was a hacker, cracker and penetration researcher before these terms became part of the language. [Later, he worked as an NSA consultant, adding to their system-specific catalog of penetration recipes.] I remember distinctly his telling me, "if you can make a computer crash, you can break into it," because I was startled by the connection he drew -- it wasn't intuitive to me. In the decades since, this connection has been demonstrated thousands of times. Making software more robust makes it more secure, even if you aren't designing against malicious attack.

Example 2: The general architecture of the internet and all of its early protocols, were security disasters in waiting, because of a (presumably unstated) assumption that all of the nodes were benign and well-behaved. No thought was given to malicious intervention. However, even if the architects had made the weaker assumption that nodes can be "insane" (chaotic but not malicious), the resulting security level would have been Very Much Better. A specific: if standard design and testing had always assumed some probability of insane* nodes on the network, exhibiting chaotic behaviors like sending messages of arbitrary length, then almost all server buffer-overruns would have been prevented or exposed. This precaution alone would probably have prevented the majority of server exploits that have been carried out in the history of the internet. Making networks more robust makes them more secure, even if you aren't thinking about malicious attack.

Example 3: In Bruce's book "Practical Cryptography," he makes the point strongly that when you are creating an infosec system -- no matter how good your security algorithms and protocols -- if the architecture, interfaces, and coding practices are not robust, the system will surely be insecure. If a system isn't robust, it will be insecure even if it's a "security system."
___________________________________

Now, consider the case of a large passenger aircraft, in which it is proposed to create a data link between a network critical to safety of flight, and a network provided to amuse the self-loading freight.

Although some of you obviously don't believe this, airliner safety engineering is cautious, conservative, analytical and worst-case to a degree never witnessed in most other branches of engineering.

Even if there are no infosec security engineers involved in the analysis, an inevitable question will be, "what if one of the In-Flight Entertainment computers starts spitting out floods of arbitrary* network messages?" For a variety of reasons, it would be very expensive, and as a practical matter probably infeasible, to hold the IFE boxes to the same standard of design, analysis, testing, review, audit, and configuration control applied to the critical avionics boxes needed for safe flight. For Christ's sake, some of these IFE boxes run MS Windows! Their integrity cannot be presumed.

Accordingly, the link between these networks is likely to be designed in an extremely defensive manner.

Surely, such "paranoia" is not a perfect guarantee of security against malicious tampering. At the same time, it biases the system design toward higher security, and elevates the attractiveness of Very Dependable Solutions like data diodes that simply block hacking (in the manner Chris Roberts warns of).


In sum, robustness is not a substitute for security engineering. However, it generally enhances security, and is usually a necessary precondition to security.
___________________________________

* For the purposes of robustness engineering, it would not work to say "we don't need to worry about insane nodes, because our protocol has a data integrity check." The arbitrary node failure could occur at a stage before the CRC (or whatever) is applied; therefore, robustness requires the ability to withstand arbitrary messages that appear to be valid.

Andrew WallaceMay 21, 2015 1:00 PM

I think this case is serious and important enough for a press conference from FBI.

Every news channel in the western world has reported on it.

Andrew

Nick PMay 21, 2015 2:01 PM

@ MarkH

Excellent write-up on the connection between safety and security. The former is a pre-requisite for the latter usually. I've argued for leveraging DO-178B certified drivers and libraries in secure systems for that reason. As a starting point, that is.

Such thinking could certainly improve resistance to certain attacks. The problem is where that ends. For instance, the new Ethernet switches don't assume a malicious threat: just passive failures. Malicious threats usually take more precautions, features, and code to stop. Further, the avionics in Boeing (maybe Airbus) use a Level C development process: two levels below the most rigorous process.

I just looked up Level C to see what it represents. Catastrophic loss requires Level A. Hazardous loss, which may kill a few people, requires Level B. Major loss, expected to injure but not kill, uses Level C. I would think control of the avionics system by a hacker could kill people just by what industry writes. I hope I'm wrong about that: a level C rating indicates they thought hackers controlling avionics couldn't kill a passenger and shaved off over a dozen safety requirements.

Hopefully, they used good solutions like diode on the AFDX connections they both claim to use. Not even sure if it works with AFDX or if they meant diodes on older ARINC cabling. Anyway, if they didn't, the attackers getting through might smash that mid-grade avionics software. Here's hoping.

Note: All I'm going to say on the topic as I doubt we'll agree further. A good discussion, though, as we've covered a lot of ground on the two perspectives. Made me update my thinking a bit, too.

Paul RobichauxMay 21, 2015 3:13 PM

I'm really surprised at the uncritical acceptance I see here, and elsewhere, of both Roberts' claims and the reporting thereon. It's pretty clear that many of the people opining and/or reporting on this don't have even a layman's understanding of the systems in modern transport-category aircraft; if they did, the claims made both by the FBI and by Roberts would have received a much more skeptical, and discerning, evaluation.

Andrew WallaceMay 21, 2015 3:26 PM

Paul Robichaux,

If the male is nothing but a Twitter troll then that should be announced. According to record he is a serious security researcher???

Andrew

MarkHMay 21, 2015 3:49 PM

@Nick P:

You inspired me to do some digging on DO-178. You expressed understandable surprise at the idea of Boeing applying Level C to avionics. From what I have found, it appears (as common sense would suggest) that Boeing uses differing DO-178 levels depending on avionics function.

For example, in Boeing's early 2000s-vintage avionics architecture, one module is the "data conversion gateway (DCG), which transfers bus signals between the various types of links ... signals from various digital buses, analog lines and discrete connections enter the system once (apart from deliberate redundancies) and are distributed to the different AIMS-hosted avionics functions over the SAFEBus (ARINC 659) deterministic backplane." The DCG software was developed under DO-178 Level A, which would certainly be my preference.

At the other end of the scale, the system that logs maintenance information for ground crew is developed under Level D.

I've been able to find very few examples of DO-178 levels for specific avionics, but it appears that safety-critical items like flight control computers and engine controllers are developed under Level B or Level A (as Nick will know, the difference between A and B requirements is relatively small).

Importantly, with A or B processes, every change to software must be reviewed and approved by an independent person or office whose responsibility is safety management, not software development.

I'm indebted to David M Cooper of Australia for this online comment:

You need to remember that:
* DO-178B is not a standard, it's a guideline.
* Certification is of a system, not a single component.

All the FAA (or whoever) says is that the system must be safe. You need to convince the certification authority your design is safe enough for the level of criticality it embodies. DO-178B provides guidance in this area, however it's a DER [FAA Designated Engineering Representative] who needs to give the designer the assistance as to whether their design and process is acceptable for the purpose.
In general, the cost to develop Level A software is only about 5% more than developing Level B software - basically implying that you should always develop to Level A (so there aren't any surprises). Adding redundancy and independence to a design (i.e. alternatively designed FADECs working together) may help to swing the certification authority's confidence in your favour. Certainly some aircraft use the same trick for Flight Control Units.
In short - there's no fixed rule. A DER will provide you with guidance, but it will only be valid for your specific design.

And from the mouth of the FAA (by way of Advisory Circular 20-115B):

An applicant [for certification] for any electronic equipment or system employing digital computer technology may use the considerations outlined in ... DO-178B as a means, but not the only means, to secure FAA aproval of the digital computer software. The FAA may publish advisory circulars for specific [regulations], outlining the relationship between the criticality of the software based systems and the appropriate "software level" as defined in ... DO-178B. Those may differ from and will take precedence over the application of ... DO-178B.

Andrew WallaceMay 21, 2015 4:15 PM

I've looked through the male's tweets @Sidragon1 and it looks like he is just trolling.

Very few of his tweets is technical discussion about his research or anything like that.

Does he have a web site where his technical papers can be downloaded?

Andrew

BuckMay 21, 2015 4:50 PM

@MarkH

If I understand correctly the vulnerability you have proposed, the effect would be that the seat-back screens would stop showing their moving-map displays of the plane's position correctly.
Hopefully, but not necessarily... Your friend's statement: "if you can make a computer crash, you can break into it," seems true enough to me. If the data diode could be fried, it's also possible that its electrical/physical properties could be used to subvert the logical behavior of the hardware. (Like Hardware Bit-Flipping) Though, this is highly theoretical, and I seriously doubt any parties have both the desire and resources to pull that off... Well, maybe some defence contractors looking to market their own highly secure product..?

Andrew WallaceMay 21, 2015 4:59 PM

My theory is the NSA have all major airlines hard wired through the diagnostic data channel that goes to the Boeing data centres.

NSA had enabled his row number to listen into his conversation and electronic activities and hadn't realised that this had also enabled him to access flight navigation.

This has merely been a surveillance blunder.

Andrew

Sancho_PMay 21, 2015 5:53 PM

@ Nick P

By far not a “semi-response” (?).

I repeat:
Award honest + successful hackers.
Honest capitalism would be the only chance to improve.
But that’s an oxymoron, I know.

Andrew WallaceMay 21, 2015 6:16 PM

A secret agreement between Boeing and the NSA gives the agency unfettered access to any row and seat number on its next generation planes through the diagnostic data channel.

The agency hover up the data at a facility in England called GCHQ Bude.

Andrew

BuckMay 21, 2015 9:00 PM

I really got a kick out of this:

In a post 9/11 world, the further claim that Roberts tried to hack IFE systems multiple times by direct physical interface also seems fantastical, says IFE industry consultant Michael Planey. "We have seen multiple instances of passengers being restrained by fellow passengers or flights diverted because a passenger is behaving abnormally. I find it nearly impossible to believe Roberts could have done this type of an act over a dozen times and never had a flight crew or fellow passenger notice - that part stretches the imagination..."
While it may indeed boggle the imagination of some engineers with a bit of terrorism-induced paranoia, most average Janes and Joes know what an Ethernet port is. They may have seen them at their workplace or university, or maybe even their own homes! It boggles my mind why there would even be Ethernet ports under every seat if they weren't meant to be used... I mean, some people prefer not to use WiFi, right..?

Andrew WallaceMay 21, 2015 9:31 PM

"Roberts tried to hack IFE systems multiple times by direct physical interface also seems fantastical."

Unless there is a secret agreement between Boeing and NSA which the male has stumbled upon.

The IFE guys would be out of the loop wouldn't they?

Finding an implementation ment only for the 5 Eyes is not out of range of decent theory.

The male spoke of being able to watch traffic.

This could be an interface ment for the spy agencies at GCHQ Bude.

Andrew

Andrew WallaceMay 21, 2015 9:59 PM

This is a far bigger story outwidth the realm of the male who has inadvertedly uncovered a top secret programme of the FIVE EYES.

Usually you would need a SNOWDEN release to uncover this stuff but our male may have done so completely by accident.

NOW every spy agency and terrorist organisation outside of the FIVE EYES will be all over this to check out various theories.

Andrew

gordoMay 21, 2015 11:10 PM

Paul's Security Weekly TV

Episode 417: Interview With Chris Roberts [35:00]
Published May 7, 2015

Regarded as one of the world’s foremost experts on counter threat intelligence within the cybersecurity industry, Roberts constructs and directs One World Labs’ comprehensive portfolio of cyber defense services designed to improve the physical and digital security posture of both its enterprise and government clients.

[interview w/intro starts at: 03:45]

Early-on in the 'recent headlines' segment [04:57 - 15:37] there's this exchange:

Paul Asadoorian: So, did you actually plug in to something under your seat?

Chris Roberts: No. No I did not. ...

https://www.youtube.com/watch?v=oo1sb0kYiJc

Interview segments:
- Intro [03;45]
- Recent headlines [04:57]
- Threat intelligence [15:37]
- Small-talk/chit-chat [19:20]
- Internet of Things [20:18]
- Speaking engagements [28:40]
- Segue to more chit-chat [29:10]
- Recent bill on security research [30:18]
- Playing five questions with security weekly [32:37]
- Outro [33:54]

Andrew WallaceMay 22, 2015 5:44 AM

gordo,

" Paul Asadoorian: So, did you actually plug in to something under your seat?

Chris Roberts: No. No I did not. ... "

There was a lot of sarcasm in the interview so it is hard to tell.

Andrew

LukasMay 22, 2015 6:30 AM

"Experimenting on a live aircraft full of passengers when you cannot be sure of the consequence is endangering an aircraft."

The plane is already endangered if there are security issues like this one. If his behavior causes the companies to fix this problem, it's clearly a net-positive.

Andrew WallaceMay 22, 2015 6:59 AM

Lukas,

He did not know the position of other aircraft in the sky before he is alleged to "climb" and "turn" sideways the aircraft.

Andrew

Andrew WallaceMay 22, 2015 7:07 AM

gordo,

Paul Security Weekly interview was conducted before we knew he had taken control of the aircraft per FBI warrant.

At the time of the interview the industry only knew of the OXYGEN ON tweet.

Andrew

Billy MunnyMay 22, 2015 7:10 PM

There'd too much bragging and bunk from the defendant, and the Feds are falling for it.

First, there's no EICAS on the Boeing 737NG. It has an older type of master caution / warning system.

Next, the flight management computer, thrust management computer, electronic engine controls, and other vital goodies are NOT interconnected to the IFE (inflight entertainment system). They are separate systems, for goodness' sake.

As for Airbus, well, they air gap their systems too...

Coyne TibbetsMay 24, 2015 2:17 AM

@MarkH - "Importantly, with A or B processes, every change to software must be reviewed and approved by an independent person or office whose responsibility is safety management, not software development."

A safety officer had to sign off on the flight of Challeger; another had to sign off on the flight of Columbia.

Safety officers and offices only work where the culture doesn't make refusing an action a career decision. In the case of NASA, the culture was "can do or else," turning the NASA safety office into a rubber stamp. That culture tends to predominate in corporations as well.

Jonathan WilsonMay 24, 2015 10:28 AM

"Who stands to gain the most from this widespread media speculation?
Chris Roberts for potential future career opportunities, FAA for proving themselves competent, FBI for another successful bust, DHS/TSA for not looking too bad, insurance companies because it's business, terrorists for the terror, the rest of us for real additional security..?"

How about the media outlets themselves for selling more ads?

BuckMay 24, 2015 10:49 AM

@Jonathan Wilson

Yup! Your suggestion definitely seems more likely than any of the above.

MarkHMay 24, 2015 6:38 PM

@Coyne Tibbets:

The "space shuttles" were so much "space junk" from the inception of the program to its end. They were in a different universe from 14 CFR Part 25 airliners.

As I wrote before, modern scheduled passenger services operated by non-third-world countries now make about three million departures for every one that involves a fatal accident -- more than 50,000 times better than NASA's ghastly white elephant.

As a matter of serious intellectual inquiry, we have an important question: how did the aviation system (comprising manufacturers, suppliers, operators, and regulators) achieve a 0.000033 percent fatal accident rate?

Unless this outcome is a matter of inherent inevitability, or the expected operations of chance, its cause or causes are of enormous importance.

Can anyone cite an example in all of history, in which a comparable level of reliability has been achieved in operations so inherently fraught with hazard?

Is this outcome consistent with cultures of cutting any corner to save a penny, masculine bravado, naive reliance on novel technologies, or head-in-the-sand denial?

Is the aviation system actually lax about safety, and protected from a miserable record only by luck or the intervention of some guardian angel?

I shall read reality-based replies to any of these questions with great attention.

Nick PMay 24, 2015 7:27 PM

@ MarkH

I'll step back in to say that what you said and quoted on DO-178B are all true from my reading on the subject. Although guidelines, many are reasonable enough that they're often followed and sometimes exceeded. Level A is certainly better to target but for an extra reason: getting a solid, reusable component certified saves on future certifications that include it. And Level A can be use in lower levels, too.

Far as space, you're right that they're in a different ballpark. Feynman criticized the QA and engineering practices in a detailed report after Challenger. An excellent paper on Japan's high assurance railroad scheme mentioned the lack of Shuttle reliability with a numericsl comparison. And that's the easiest proof: percentage of crashed shuttle launches or re-entries vs other vehicles. I guarantee airplanes are better.

@ Johnathan Wilson

That's always worth considering anytime the media talks about a risk. Any risk.

Clive RobinsonMay 24, 2015 7:46 PM

@ MarkH,

Can anyone cite an example in all of history, in which a comparable level of reliability has been achieved in operations so inherently fraught with hazard?

Err yes, "energy distribution".

In the UK there are around 25million homes with an average occupancy of 2.8 people. On average each home has four habitable rooms a hall/passage, bathroom and kitchen. With the exception of the bathroom all of these areas have ~220V 13A three pin outlets averaging 20 per home. Then there are offices with around four outlets per worker (aprox 120million).

Thus there are in the UK around 70million people with access to around 600million electrical outlets the majority of which have equipment pluged in these days. The number of deaths and injuries due to electrical shock from domestic or office electricity is very small each year (6 at work 22 home/leisure in 2010) . Of these the majority are from people who are doing things they should not be, such as operating known to be dangerous equipment or operating equipment in a known to be dangerous way, where due to wear, tampering or other factors electrical conductors/contacts have become exposed in a way that people can come into contact with them.

So 28/70million is 0.00004% which is about the same.

vinodhMay 25, 2015 10:44 AM

great post.
its scary to know that a plane can be hacked by a person inflight

Clive RobinsonMay 26, 2015 5:04 PM

@ MarkH,

I suppose as a man I should fein supprise, or should it be the other way around ;-)

katzatzJanuary 17, 2016 12:16 PM

Wow, lots of comments on this blog. I am writing a chapter on ethical hacking and am using Chris Roberts as an example of how not to be, and to demonstrate how, as soon as your ego gets involved, there go the ethics.

That being said, I hope that what I am about to say has not already been hashed out in the comments above (which are too numerous to read), but has it occurred to anyone that the network connection between the flight system and the entertainment system might be there for a reason? In the event that the cockpit is compromised by terrorists, what better way for a Federal Marshal to retake control of the plane, or possibly even plug in a device that he can hide under his seat. A device that, once activated, will allow someone on the ground to take control?

Thanks, hope that doesn't seem to far-fetched. Certainly, though, any such system that exists should be secure and should have been penetration tested so that you need proper credentials to access it. However, we know the challenges associated with keeping a bunch of passwords and systems up to date in a medium sized office with a few hundred computers. Imagine the logistics behind keeping flight systems up to date...

Clive RobinsonJanuary 17, 2016 1:06 PM

@ katzatz,

...or possibly even plug in a device that he can hide under his seat. A device that, once activated, will allow someone on the ground to take control?

Bearing in mind that the passenger compartment is a metal tube, with few openings, so getting close to being a Faraday screen, how do you envisage such a plug in device getting control signals from somebody on the ground?

If you are writing a "chapter" in a book etc and include the idea, it's one of thoughs things people are going to ask and if you can not produce a credible answer then they are not going to find the idea particularly credible...

Also bear in mind when you have come up with an answer you need to sanity check it against other methods that might be used. If other methods are simpler, more effective and more reliable then your idea again becomes less credible.

However that is not to say that in the real world where there is a lot of turf and revenue to protect somebody will not actually propose some "bat shit crazy idea" which also happens to divide the pie nicely and thus a committee of vested interests will give a majority vote for it... that as they say is just the way things work.

Jim MantleApril 27, 2017 7:26 AM

So, two years later, let's have an update. What happened to this guy?

Opinion: Being a pilot, and having seen some of the depth of thinking and analysis that goes into an aircraft, I find it beyond belief that Airbus, Boeing or any other manufacturer would interconnect anything that controls the aircraft with anything that entertains the cargo.

Second opinion: If opinion #1 is true, he hacked the entertainment system, got a woody, and ran off his mouth at what a terrific security researcher he is.

Clive RobinsonApril 27, 2017 11:30 AM

@ Jim Mantle,

Opinion: Being a pilot, and having seen some of the depth of thinking and analysis that goes into an aircraft, I find it beyond belief that Airbus, Boeing or any other manufacturer would interconnect anything that controls the aircraft with anything that entertains the cargo.

Well you'ld be wrong. You stick to "steering the bus" and let the engineers worry about geting things working normaly, whilst the security engineers let them know where they are going wrong when it comes to induced abnormal behaviour.

Oh and perhaps surprisingly for some Boeing employes some very good
security engineers... But there is a problem, they are generaly not alowed to talk about what they do and how they go about it. Because in the US the likes of TEMPEST / EmSec is surprise surprise classified...

To give you an idea of what's involved the SOBs entertainment systems require power, therefore they are connected to the aircraft power source. Funnily much of the avionics also require power, so at the very least there is one point of commonality. Secondly The intetnet and phone systems the SOBs get to play with, they need a data system to a gateway on the ground somewhere. Thus they, the avionics, engine managment systems and a whole variety of other things share a radio system.

Whilst people think Data Diodes are "one way" in many cases they are not because the systems behind them need synch and error signals. As a general rule of thumb most data systems are highly responsive to error signals. Thus if two systems are effectivly joined because they multiplex data into a transmission system, one system by generating lots of error signals can send a signal backwards through the other piece of equipment.

Few systems engineers ever think about this or the consequences especially when as most systems are transparent to error signals, such a path can go backwards deep inside a piece of equipment.

Thus the question is not are the systems connected, but are they sufficiently robustly designed to withstand a fault injection attack via the error handling mechanisms?

The number of systems I've looked at over the years where engineers have missed this sort of "transparancy" issue still supprises me. It crops up all the time in Real Time Systems with common busses and is starting to be of concern to automobile systems designers using the likes of the CAN bus and Industrial Control System engineers using a whole host of other shared busses.

The connectivity is there one way or another, it's just the question of if it's exploitable or not. Hopefully the answer is no, but life tends not to work that way when it comes to security engineering.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.