
United Airlines Stops Researcher Who Tweeted about Airplane Network Security - ehmmm
https://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
======
csirac2
We live in shitty knee-jerk reactionary times, but did anyone else see his
tweet at the time? At best, it seemed in poor taste. At worst, the outcome
seems depressingly predictable.

I don't know what I'm trying to contribute here, except that whilst I have no
problem with EFF working on this, their article here seems overly shrill and
over-reactionary at how shrill and over-reactionary the airline was in their
response to what (admittedly, in hindsight) could have easily been interpreted
as a threat by an over-zealous corporate drone blind to smiley-face emoticons.

~~~
droopybuns
This person was an absolute clown.

I think the infosec community needs to grow up. We all hate when legislators
use the word 'cyber.' Title 18 is a mess. The new computer crime proposals are
worse. Every couple of years we get the occasional story about licensing
security professionals. It is because of exactly this type of clownish
behavior.

There are consequences for the attention seeking type of behavior. This idiot
is catnip for government regulation.

It isn't exactly his fault though. Our community has been doing this to garner
press attention for the sake of the attention. He is following the pattern
that has long been set. Stunt hacking scares the shit out of normal people.
Eventually people will demand regulatory intervention.

~~~
tptacek
Every response to this I've seen from "the infosec community" (my connection
to that community tends sharply towards vulnerability researchers, since
that's my background) has been critical of this guy. I can't think of anyone
I've seen cheerleading him. I've even seen rare glimmers of people criticizing
EFF for trying to make a cause celebre of him.

But you're taking things too far by casting aspersions on all of "stunt
hacking".

The problem with this idiotic tweet is that, if there is a vulnerability in
the electronics of an airplane, this is exactly the thing you'd expect to see
before some moron accidentally forced an emergency landing by tinkering with
it. Vulnerability researchers disrupt and disable systems _all the time_
without trying to.

The same is not true of people using logic analyzers on car CANbus systems
(the archetypical example of stunt hacking).

The real criticism I've seen of stunt hacking is that (a) we don't learn all
that much from it and (b) it's not particularly difficult ("look at this
debugger debugging", as a friend of mine summarizes most stunt hacking talks).

~~~
freehunter
I've seen a lot of people cheering for him. I've seen the man in person at
various cons, and I think he's brilliant. The problem is, what are we supposed
to do? Responsible disclosure: companies don't give a shit and will hide it.
Full disclosure: you get sued and thrown in jail. Stunt hacking disclosure:
people get scared even though it's easy to do. People demand something be done
about it. The person who did the disclosure is alternatively viewed as a hero
or a villain, but the thing is people are talking about the issue.

What's going to get people talking about security? "Target got hacked" "Oh,
what a shame, I'll replace my card then go shopping at Target again". Or what
about "I can bring down a plane while it is flying without needing a bomb. I
can shut down hydroelectric dams from my living room and flood the entire
state of Washington". Now you've got people talking.

"It's not particularly difficult" is the precise problem. It _should_ be
difficult. People should be demanding that gaining access to flight control
and SCADA systems be made impossible by the general public. Dismissing a hack
as "easy" means you're forgetting that it's a hack. It's not supposed to be
_possible_, let alone trivial.

~~~
tptacek
How about this: don't publish a message to the world on Twitter saying that
you are tinkering with what you believe to be flight control systems _on an
actual aircraft in transit_?

~~~
freehunter
The problem is, he's done it before. And reported it to the airlines. And
they've done nothing about it.

I've heard him talk for years. Same thing every year. So seeing what I saw on
Twitter was no surprise. He's not publishing an exploit on Twitter, he's
making a joke to the followers he has that all know what he's done. He's
making the joke that this year, again, the flight control systems are still
vulnerable to literally anyone with a laptop and an ethernet cable.

It's not that he's saying he's tinkering with what he believes to be flight
control systems on an actual flight in transit. Of course he wouldn't do
that... again. He's already done it once, years ago. Why was there no outrage
then?

~~~
tptacek
Choose your own adventure:

(a) There is no real flaw here, other than the potential for maybe sending
scary messages to people's In Flight Entertainment screens, and so the
disruption he's causing by suggesting that there might be a flaw has no
upside.

(b) There is a real flaw here, for instance a message he can send across
in-flight wireless that would deploy an oxygen mask, and his broadcast that he
intended to tinker with that system is actually threatening.

Am I missing a case (c) here?

------
narsil
The tweet in question:
[https://twitter.com/Sidragon1/status/588433855184375808](https://twitter.com/Sidragon1/status/588433855184375808)

~~~
briandear
Could someone be so kind as to translate this tweet so that those of us that
aren't security experts can understand what was said? Or perhaps point me in
the direction of some recommended, intro-level reading? I feel distinctly
ignorant at the moment!

~~~
UnoriginalGuy
> Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start
> playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)

737/800: is the type of aircraft and specific model (Boeing 737, stretched
version (800)).

Box-IFE-ICE-SATCOM: Is a theoretical (or actual?) exploitation path.

Box: I'm assuming is in-flight WiFi

IFE: Is the in-flight entertainment system

ICE: Is also part of the IFE, but I'm guessing he specifically referenced that
due to the "I" (in ICE) namely, the information that gets fed into the IFE
from the flight systems (speed, altitude, and position)

SATCOM: The uplink used by in-flight WiFi but also the IFE to provide "latest
news." It can be used to deliver information to the airline about the aircraft
so they can keep track of if it's on schedule and such.

EICAS messages: Used on aircraft's secure network for flight crew alerts and
diagnostic information. Some of these may be relayed onto the insecure network
and forwarded to the airline (similar to ACARS, but over SATCOM).

PASS OXYGEN ON: The implication is he wants to cause the oxygen masks to drop
down into the passenger cabin (although in reality sending this wouldn't do
that, it would just set off a warning on the flight deck letting the pilots
know that the oxygen masks dropped, even if they physically hadn't).

If he could send EICAS messages to the aircraft's secure network, that would
be a legitimate safety concern. However if he just witnessed EICAS messages
from the insecure network, that isn't really a concern except maybe he could
send misleading ones to the airline and give them a metaphorical heart attack.

~~~
neurotech1
I'm somewhat familiar with avionics system on a 737, and that above is a
pretty accurate description. The FMS* basically forwards the messages through
CANBUS for the IFE, via a gateway.

At worst this guy could send a fake message to other passengers, and maybe
cause an IFE system warning in the cockpit. Oxygen Masks are controlled by a
completely separate system to the IFE.

* The 737NG has various displays for warnings, but it's not quite the same as the Airbus EICAS

------
makeitsuckless
I have a problem with the often used phrase "legitimate researchers", because
it suggests that certain freedoms should only apply to certain people.

"legitimate researcher" is not a specific job, researching is an activity any
citizen can and should be free to conduct within the confines of the law, and
all of that is "legitimate".

The whole "legitimate researcher" creates a huge loophole through which the
powers that be can create some kind of registered researcher status, with the
obvious consequences for everyone else.

~~~
dendory
I don't think they mean legitimate as professional or industry recognized, but
more as a way to distinguish from an actual bad guy hacking for criminal
intents and then claiming he is a researcher and should have carte blanche.

~~~
sneak
Researching with criminal intent is also legitimate research provided no laws
are broken.

~~~
loup-vaillant
In France there is a crime labelled "association de malfaiteurs" (criminal's
gathering). Fantasizing about a crime is allowed. But actually laying out
plans, watching the neighbourhood, or performing concrete steps towards the
crime with the intent of actually performing it… well, _that_ is forbidden.

Makes sense to me. Mere thoughts should never be forbidden, but _acting_ on a
criminal intent, even if the acts, taken independently, wouldn't be forbidden,
is something else entirely. First, actions can be punished. Second, actions
are actual _evidence_ for the intent.

~~~
sneak
What you are describing is thoughtcrime.

Criminal intent is not illegal. Only actions.

~~~
grkvlt
Not necessarily. Otherwise it would be impossible to prosecute someone for
meticulously planning a terrorist action, who is only stopped when they are
just about to purchase the materiel required to carry out the act. No _action_
has taken place - actual terrorism has not occurred, and there are no physical
tools or similar present. But the _intent_ (or Mens Rea, guilty mind) is
there, so you can be prosecuted.

And, of course, there are crimes of "Conspiracy to X" that involve merely the
intent to commit a crime.

~~~
sneak
Mens rea is a required component of many crimes, yes, however it is not
sufficient alone to be criminal. Research with malicious intent is not a
crime. What you describe is not criminal.

~~~
grkvlt
And yet, people in the UK have certainly been prosecuted for looking up jihadi
websites with the intent to download bomb-making instructions... Although, the
_actual_ crime may be possession of said information? It's hard to tell,
particularly living in a country where 'glorifying terrorism' is now a crime -
[http://en.wikipedia.org/wiki/Terrorism_Act_2006](http://en.wikipedia.org/wiki/Terrorism_Act_2006)
- as is 'encouraging terrorism' too.

I bet the prosecutors are kicking themselves for not thinking of that one
earlier, as well - they could have simply rocked up to certain pubs in Belfast
and arrested and jailed everyone singing IRA songs ;)

------
tripzilch
Reminds me of this 2012 story about two British tourists being barred from
their flights for tweeting they were going to "destroy America" (slang for
"having a blast"):

[http://www.bbc.com/news/technology-16810312](http://www.bbc.com/news/technology-16810312)

I wonder how they connect the tweets to the persons? Do they actually actively
search Twitter for keywords, and when they hit they dig into it until they
have found a name, which they check against their passengers lists? There's
probably some shortcuts they can use, but it still seems weird to me.

~~~
rdtsc
I would guess they go off passenger list first, then expand from there. Find
Facebook, twitter, other social accounts. Then scour for keywords. "So I saw
you threatened to 'Bomb that test' when you were in college in 2001, Mrs/Mr
tripzilch, please step over here and follow this officer to the enhanced
interrogation area".

------
itg
What an overreaction from the EFF. Use a bit of judgement and realize it isn't
a smart idea to talk about hacking an airplane full of passengers.

~~~
kragen
The way we keep airplanes full of passengers from falling out of the sky is
that we talk openly about the risks up front, so that the people who created
those risks get fired or demoted, and their bosses (or, failing that,
regulatory authorities) make sure the risks get fixed. It isn’t a smart idea
to short-circuit that process; that’s how we ended up with things like the
Ukrainian famine, the Great Leap Forward, Lysenkoism, and presumably Windows
Vista. Use a bit of judgement; we’re trying to have a civilization here, Nero.

~~~
ghshephard
What would your response be to the person who "joked" that they were pissed
off with United Airlines, and would like to remind them that his house was on
the approach path to SFO, and the next time United lost his luggage, he would
be more than happy to repay them by taking a few potshots at their 747s with
his trusty .22?

Sometimes the way we keep airplanes full of passengers from falling out of the
sky, is by looking for, and engaging, potential bad actors. The way to
determine if someone is a bad actor, is by looking for signals of such intent.
And, I think all things equal, this guy probably was throwing off signals that
he was a bad actor, even if it's obvious to anyone who knows him, that he's
just being a jackass.

~~~
simoncion
Me? I would laugh at him. Everyday FOD [0] will do far more damage than an
impact with a .22.

[0] Foreign Object Damage. In this case, at-speed impacts with grit, ice, and
whatever.

~~~
ZanyProgrammer
Way to miss the point.

~~~
simoncion
One can't investigate every threat. You _have_ to prioritize. Part of
prioritizing is determining how much damage can be done with the resources
available to the person.

If someone says "I'm gonna bring down the Golden Gate Bridge with this 12"
stick of balsa wood." you don't give them a second thought. They _may_ have
hostile intent, but they clearly lack the understanding of how to, or the
means to[0], cause harm to the bridge.

If someone says "I'm the operator of this container ship full of high
explosives and I'm going to ram it into the GG Bridge and detonate the
explosives.", then you investigate that, as the person very probably has both
the intent and means to cause actual harm.

We -as a society- used to refuse to be terrorized. We used to laugh off
incredible[1] threats as the insanity, bluster, or cathartic ranting that they
clearly were. We (or maybe just our investigative and enforcement
organizations) freak out much more over much smaller things these days. Our
society is poorer and weaker because of this.

I hope that encouraging people to learn to put threats into perspective will
help reverse this trend. Perhaps a calm, level-headed populace will calm its
over-reactionary leaders, investigators, and enforcers.

[0] Or both.

[1] I mean this in the "in-credible" sense.

------
616c
So for aspiring infosec people, can someone explain how he can crack the
encryption of EICAS? Different commenters on different site articles claim
that the 737 never had EICAS, or maybe they mean that the Oxygen Mask On light
is of course _not_ connected to the internal avionics network.

Are there people who know this stuff better and have pointers? I would love to
know more.

~~~
neurotech1
EICAS is the Airbus terminology.

The 737NG engine instrument display is somewhat similar, except non-engine
warnings are on other displays. Some warnings go on the Primary Flight
Display. The 737NG also has a warning panel with lightbulbs.

------
tptacek
Really dumb.

Really dumb of this security consultant to have bragged about tampering with
airplane control systems in the middle of a flight.

Really dumb of EFF to make a _cause célèbre_ of him.

EFF's analysis of this situation seems to revolve around the consultant's
intent. He's a security researcher, ergo not a real threat, and undeserving of
scrutiny.

I'd have thought that EFF would be better acquainted with pentesters by now.
Anyone who spends a lot of time with pentesters knows that when it comes to
disrupting or disabling critical systems, intent doesn't have much to do with
the outcome of a pentest. We break shit _all the time_ without trying. We
break shit even when we're trying not to. Smart clients who have spent the
last decade working with pentesters often have e-l-a-b-o-r-a-t-e rules of
engagement designed to avoid prod disruption. We still break shit in prod,
even when we follow the letter of the rules.

So this goofy tweet the consultant sends: is it what you'd expect right before
a terrorist crashes a plane? Of course not. But is it exactly what you'd
expect right before some idiot trips a bug that does something to force an
emergency landing? It absolutely is.

Is it outside the realm of possibility that some control system somehow
bridged to airplane wireless would have a problem that would allow a passenger
to deploy the oxygen masks? It is not. Would that design flaw be idiotic? Yes
it would. Does the idiocy of that design flaw mean it's unlikely to be there?
No it does not. _Virtually every system you interact with in the world has
idiotic design flaws_. Wait, that's not a question. "Does virtually every
system..." YES. YES THEY DO.

So imagine that, just like in pretty much every pentest ever, this consultant
is merely poking around trying to see what functionality is exposed to him
through this design flaw. No intention to make anything happen at all. Now
imagine he purely by accident does manage to, I don't know, deploy oxygen
masks. No harm done (stipulate nobody on the flight has a severe heart
condition). Plane integrity undamaged. Plane fully capable of continuing along
its itinerary. Nonetheless, what's the likely outcome here? Unplanned
emergency landing.

There probably is no such vulnerability. But then you have to ask yourself:
who in United's flight operations chain of command is qualified to assess
whether there is? Really, who in the entire flight safety chain of command,
from flight captain through FAA to DOJ, is? There aren't that many people in
the world who know how EICAS messages work. All they have to work with is the
hypothetical. "Unexpected behavior found in in-flight wireless. Tinkering in
process!" That's a threat!

I think the thing that frustrates me most about this story is the fact that
it's probably not possible to launch anything more than nuisance attacks from
the vantage point of a passenger. And yet because of our (admirable and
effective) attitude with regard to flight safety, those nuisance attacks are
all economically devastating. In other words, this kind of "research" is
unhelpful.

Where EFF made me flip out this time: _Nevertheless, United’s refusal to allow
Roberts to fly is both disappointing and confusing. As a member of the
security research community, his job is to identify vulnerabilities in
networks so that they can be fixed._ Wat. United's decision here is extremely
easy to understand: they do not want to offer service to someone who was
willing to disrupt a flight to make a point. Meanwhile: the "security research
community" does not deputize its members, make them swear an oath, and give
them a little tin badge. No part of this guy's "job" gave him the right to
tamper with the computer systems on an aircraft. If EFF thinks that's what it
means to be a vulnerability researcher, they are broken. They cannot advocate
effectively for legitimate research while promoting the idea of special rights
for people who call themselves security researchers.

------
yeukhon
I second the motion that this is dumb. But weakness of airplane security is
not unknown. Numerous presentations had been done at BlackHat and DefCon over
the last few years, and people generally received good responses. But does
anyone know if these presenters ever contacted the airline authority before
they went on stage?

------
notduncansmith
As someone who's flying United today, this is a bit disconcerting. Note to
self: don't crack jokes.

~~~
mml
Milos Kundera has an entire book "The Joke", about this very thing. I often
think about it when contemplating saying something ill-advised.

------
velox_io
'Corporate types' have a lack of humour at the best of times, but that isn't
what is going on here.

It's the 1 in 100, 1 in 1,000,000 chance that the tweet wasn't a joke, but a
real threat. They can't take the risk that they knew about it, and didn't take
it seriously and 100's died.

------
billpollock
United Airlines is THE worst.

[http://www.nytimes.com/2013/01/29/business/passenger-vs-airl...](http://www.nytimes.com/2013/01/29/business/passenger-vs-airline-policy-stand-offs-in-the-air.html)

In my case they _almost_ apologized for having had Federal Air Marshals detain
me.

~~~
getsat
Why do you think your selfish and egotistical (and apparently unlawful)
actions should have no consequences?

> Mr. Pollock conceded that he told the flight attendant he planned to ignore
> the sign, which other travelers had questioned in online travel forums.

Do you also drive around on public roads without a licence stating the "Right
to Travel" like people also talk about online?

------
h4x3r
The War against security researchers "hackers" has begun, and I think the
reason is because in "information war" the hackers are a threat.

[http://blog.erratasec.com/2015/01/obams-war-on-hackers.html](http://blog.erratasec.com/2015/01/obams-war-on-hackers.html)

Note: They keep saying "HACKERS" and not criminals!

