Do planes need better cyber security? Chris Smith explains how ethical hacker Chris Roberts hacked an aeroplane engine using nothing but his laptop... and how your dinner might be spoiled by hackers!
Chris - Something that’s doing the rounds is this whole idea about people hacking into aeroplane computer systems and taking control of aeroplanes while they're up in the air. And there's a gentleman who’s an ethical hacker. He’s called Chris Roberts. He actually founded something called One World Labs. It’s a Colorado based organisation and what he basically does is hacks into things or he and his organisation hack into systems and expose vulnerabilities and then they tell people, “This is where you have a vulnerability, you should do something about it.” Anyway, he’s had a bit of a run in with the FBI over in the states because he apparently was on an aeroplane in April and he tampered with the inflight system, the entertainment system and was caught subsequently apparently having done this allegation. I don’t know if they can prove it yet, but they’ve said, certainly, the seat he sat in and had the inflight entertainment system having been tampered with and what they found is that or he has told the FBI he has managed to connect to the inflight entertainment system using his laptop, override the security on that, get into the main plane control system. And then to prove his point, actually got into the engine management system and issued a climb command to the engine, making the aeroplane change course. He says, he only did it for a little while, but it was enough to put the aeroplane into a slightly different trajectory than it would’ve been. He said, “I've told them about this on a number of occasions and actually, nothing has yet been done.” But they’ve now basically had him in for questioning a few times because of this tampering with this other aeroplane on a flight to New York. They’ve confiscated loads of his gear but I think this I think highlights a very important point which is why are aircraft entertainment systems still in connection with the rest of the aircraft’s computer system. Shouldn’t they automatically be ring-fenced from each other? I mean, it’s frightening, isn’t it?
Richard - It does seem absolutely extraordinary that they're not too completely separate systems. They're not designed separately. They’ve evolved separately, but to coordinate them altogether seems just incredible to me. Do you wonder though about the ethics of this, the ethics of telling people or making this sort of information public? It’s the same ethics I suppose, the people who put, “This is how to make a bomb or this is how to "do this…” I do wonder about that.
Chris - Well, I don’t think he’s going out there putting a “How-to guide” on the internet. I think what he’s saying is, “I've gone to the authorities and said I think this is a very big vulnerability. If I can sit in an aeroplane seat A3 on this flight from Chicago to New York and I manage to access the engine management system, so could anybody.” How do we know that people haven't? we’ve had these aeroplanes disappear. I mean, this Malaysia Airlines flight that disappeared, no one has located it yet. Could this be a victim of something like this? We know something nefarious happened.
Kat - It’s very, very weird. I think that it’s important. I mean, clearly, he’s not really got anywhere so he’s blowing the whistle and saying, “They're not taking this seriously.” I do find it worrying that their answer is to just confiscate stuff and slam him in for questioning.
Chris - Yeah. I mean, there are lots of comments on the website fora I had a look at. I was just interested in what other people’s opinion were of this because the people I thought might have the same opinion you do Richard, we shouldn’t be doing this. Why are people hacking into things? this is bad. But actually, lots of people are saying what Kat’s saying that in fact, if it wasn’t for people going out there and highlighting these vulnerabilities and making them public, it certainly makes people do something about them quick because at the end of the day, he’s saying that Boeing and Airbus aeroplanes – and there's quite a few of them – are vulnerable. There's quite a few of them in the air. So therefore, if he’s capable of doing it, lots of other people will be.
Richard - I wonder if this is as a result of the way the technology has evolved. If someone set out to make an aircraft today, they wouldn’t do something like this. But entertainment systems have evolved. They probably became a bolt on to the main system. There's probably some power linking there, it’s probably the way the whole power of the aircraft is controlled, something like that.
Chris - It’s just the security because James Lyne who works for the company Sophos. We had him on this programme last September and he said to me, “I’ve just bought myself a sort of meat cooker,” one of these slow cookers that you can plug in. He said, “Like all modern gadgetry, it’s part of the internet of things. it’s on the internet. So, I can dial in from work and I can activate my slow cooker. So being the security online specialist that he is, he thought, well, I wonder if they’ve been sloppy with their security. I wonder if I can identify a lot of these online cookers and therefore, can I manipulate them? He found absolutely, they hadn’t changed the admin password, it was a default system. It’s a default log in, with the default password. He said, “I was able to find loads and loads of people who have all these cookers.” He said, “If I wanted to, I could go into their kitchen online and I could ruin their dinner for them.”