Twitter Joke Exposes Serious Flaw In Airline Security, FBI Memo Says
The FBI detained a security expert last week for joking on Twitter about hacking a plane’s communications systems, and now the agency has revealed why it is so skittish.
In a “private industry notification” posted Tuesday, the FBI and TSA urged airline personnel to guard against the possibility of hackers attempting to access airplane communications systems through on-board Wi-Fi networks, according to Wired. The agencies say they have no evidence that such a vulnerability actually exists, but are nonetheless taking the possibility seriously.
“Although the media claims remain theoretical and unproven, the media publicity associated with these statements may encourage actors to use the described intrusion methods,” the warning explains.
The issue began to attract attention last week, when Chris Roberts, a founder of the security intelligence firm One World Labs, was detained by the FBI for questioning based on a tweet he had sent during a flight to Syracuse, New York on April 15.
The tweet in question read: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”
In layman’s terms, Roberts was referencing his familiarity with the plane’s communications systems, and suggesting that he could manipulate them to the point of making oxygen masks deploy.
Although he was released without charges, Roberts had several electronic devices confiscated by the FBI, and was subsequently prevented from boarding a United Airlines flight to San Francisco because the company was concerned about his comments.
The inspiration for Roberts’ fateful tweet came from a report released by the Government Accountability Office the day before his flight, which identified cybersecurity weaknesses related to the Next Generation Air Transportation System (NextGen), a modernization effort initiated in 2004 by the Federal Aviation Administration.
NextGen involves shifting from older computer systems, which connect planes directly with air traffic controllers and the FAA, to an interconnected system that allows communication over the internet.
Previously, GAO says, aircraft “functioned as isolated and self-contained units, which protected their avionics systems from remote attack.” With the shift to NextGen, however, aircraft are increasingly connected to the Internet, which “can potentially provide an attacker with remote access to aircraft information systems.”
The FAA requires planes to have firewalls to protect against such attacks, but cybersecurity experts who spoke to GAO pointed out that, “because firewalls are software components, they could be hacked like any other software and circumvented.”
Roberts told Wired that he sent the offending tweet out of exasperation, explaining that he has been making similar warnings for years, and that the GAO report underscores how little credence those warnings were given by airlines and the FAA.
Roberts also said that while he never attempted to access his plane’s network on the Syracuse flight, he and a colleague have successfully done so on more than a dozen other flights as part of their research into potential vulnerabilities.