We live in shitty knee-jerk reactionary times, but did anyone else see his tweet at the time? At best, it seemed in poor taste. At worst, the outcome seems depressingly predictable.
I don't know what I'm trying to contribute here, except that whilst I have no problem with EFF working on this, their article here seems overly shrill and over-reactionary at how shrill and over-reactionary the airline was in their response to what (admittedly, in hindsight) could have easily been interpreted as a threat by an over-zealous corporate drone blind to smiley-face emoticons.
This isn't exactly a new phenomenon - even before 9/11, a careless joke at baggage check-in ("Did you pack your own luggage today, Sir?" - "No, my wife probably put a bomb in there.") would often result in the joke not being recognised or treated as such. Said jokester gets taken to one side, scrutinised by the boys in blue, and eventually told that they "will not be flying today, sir."
In the age of Twitter, such hijinks are amplified further due to their world-readable nature. The problem with innocent, uncomfortable-but-well-intentioned jokes is that you have to consider how it will play with someone whose job it is to flag up and respond to any and all threats, no matter how credible.
Fundamentally it's your joke versus a member of staff who is not in a position to deviate from the procedure and brush it aside.
Plus, who'd want to be the guy who gets their face on the news after an incident because they ignored a threat and thought it was a joke? They won't, and often CAN'T, take that risk - they are simply not in a position where they are allowed to do so.
As you say, we live in shitty knee-jerk reactionary times, but whatever the rights and wrongs, in this kind of situation it's prudent to moderate one's comedy appropriately.
I think the infosec community needs to grow up. We all hate when legislators use the word 'cyber.' Title 18 is a mess. The new computer crime proposals are worse. Every couple of years we get the occasional story about licensing security professionals. It is because of exactly this type of clownish behavior.
There are consequences for the attention seeking type of behavior. This idiot is catnip for government regulation.
It isn't exactly his fault though. Our community has been doing this to garner press attention for the sake of the attention. He is following the pattern that has long been set. Stunt hacking scares the shit out of normal people. Eventually people will demand regulatory intervention.
I absolutely think the EFF is making poor use of their funds defending someone who was doing penetration testing on live planes with people aboard.
If the security is as bad as he claims, the risk his testing might inadvertently put people in danger could be pretty high. And he was a repeat offender, as by his own admission he'd hacked planes 15-20 times so far in a live environment. That's incredibly dangerous, and it takes an incredible amount of ego and an incredible lack of consideration to fail to realize that he could be putting people at risk himself.
This is the world we live in. Question, detain, and let the courts handle the interpretation of the law. Whether it's the NSA, FBI, CIA, it matters very little to them. After 9/11 we as a country wrote them a blank check. And while this guy shouldn't have taken to Twitter to say planes can be hacked pretty easily, it's not shocking to see what happened after he did.
Yes, it's a stupid tweet. But essentially saying "I could bring this plane down with my laptop hackery" is a statement about security, not about intent.
The guy has bad judgment, but he's not saying anything that should trigger any action against him (they should investigate the basis for his claim, not him as an individual).
I clicked on the word "tweeting" in the article twice before realizing it wasn't a hyperlink. I totally assumed it would be. And now I see why EFF didn't link to this.
I'm sorry, but that tweet actually is threatening in my eyes. Note that I know __nothing__ about airplane-system-security, but that looks to me like he gained some kind of cmdline and/or admin-tool access and "PASS OXYGEN ON" looks like something that would cause the oxygen masks to drop down for all passengers. And he did this while on the plane with other passengers while it was flying? If so, he got what was coming to him. Sorry.
Could someone be so kind as to translate this tweet so that those of us that aren't security experts can understand what was said? Or perhaps point me in the direction of some recommended, intro-level reading? I feel distinctly ignorant at the moment!
I have a problem with the often used phrase "legitimate researchers", because it suggests that certain freedoms should only apply to certain people.
"legitimate researcher" is not a specific job, researching is an activity any citizen can and should be free to conduct within the confines of the law, and all of that is "legitimate".
The whole "legitimate researcher" creates a huge loophole through which the powers that be can create some kind of registered researcher status, with the obvious consequences for everyone else.
I agree with your problem with the phrase "legitimate researcher". I'm usually supportive of the EFF's position on most issues, but sending a Tweet like this guy did was pretty dumb. Even the disruption from an "overreaction" is a problem.
Also, the gateway between the aircraft safety systems and the CANBUS is one-way. The worst he could have done is shut down the In-Flight Entertainment system, and inconvenienced a bunch of passengers.
I'm not saying that the possibility of a security flaw isn't there, only that this CANBUS issue isn't it.
A legitimate researcher would arrange a ground test, or even a test flight, and not experiment on an airliner with passengers. They can do "hardware in the loop" tests on the ground, with minimal risks. The FAA are actually involved in requesting security assessments on airline systems with safety implications.
IMHO this guy came very close to crossing the line of "interfering with the safety of an airliner" when he conducted previous tests, and that most certainly is illegal. People have gone to prison for less.
The EFF should be pushing for further evaluation of the actual issues, whatever they may be, in an appropriate manner. If Boeing/Airbus blow off the EFF, push back harder.
A well trained crew can operate a 737 quite safely using the Standby Flight Instruments for an emergency landing, even if some sort of compromise shut down the primary Flight Management System and Primary Flight Displays.
I happen to know several computer programmers/security researchers who are also test pilots. More than one called the CANBUS risks "inconvenience" and not safety of flight.
I don't think they mean legitimate as professional or industry recognized, but more as a way to distinguish from an actual bad guy hacking for criminal intents and then claiming he is a researcher and should have carte blanche.
Reminds me of this 2012 story about two British tourists being barred from their flights for tweeting they were going to "destroy America" (slang for "having a blast"):
I wonder how they connect the tweets to the persons? Do they actually actively search Twitter for keywords, and when they hit they dig into it until they have found a name, which they check against their passengers lists? There's probably some shortcuts they can use, but it still seems weird to me.
I would guess they go off passenger list first, then expand from there. Find Facebook, twitter, other social accounts. Then scour for keywords. "So I saw you threatened to 'Bomb that test' when you were in college in 2001, Mrs/Mr tripzilch, please step over here and follow this officer to the enhanced interrogation area".
The way we keep airplanes full of passengers from falling out of the sky is that we talk openly about the risks up front, so that the people who created those risks get fired or demoted, and their bosses (or, failing that, regulatory authorities) make sure the risks get fixed. It isn’t a smart idea to short-circuit that process; that’s how we ended up with things like the Ukrainian famine, the Great Leap Forward, Lysenkoism, and presumably Windows Vista. Use a bit of judgement; we’re trying to have a civilization here, Nero.
So for aspiring infosec people, can someone explain how he can crack the encryption of EICAS? Different commenters on different site articles claim that the 737 never had EICAS, or maybe they mean that the Oxygen Mask On light is of course not connected to the internal avionics network.
Are there people who know this stuff better and have pointers? I would love to know more.
The 737NG engine instrument display is somewhat similar, except non-engine warnings are on other displays. Some warnings go on the Primary Flight Display. The 737NG also has a warning panel with lightbulbs.
Really dumb of this security consultant to have bragged about tampering with airplane control systems in the middle of a flight.
Really dumb of EFF to make a cause célèbre of him.
EFF's analysis of this situation seems to revolve around the consultant's intent. He's a security researcher, ergo not a real threat, and undeserving of scrutiny.
I'd have thought that EFF would be better acquainted with pentesters by now. Anyone who spends a lot of time with pentesters knows that when it comes to disrupting or disabling critical systems, intent doesn't have much to do with the outcome of a pentest. We break shit all the time without trying. We break shit even when we're trying not to. Smart clients who have spent the last decade working with pentesters often have e-l-a-b-o-r-a-t-e rules of engagement designed to avoid prod disruption. We still break shit in prod, even when we follow the letter of the rules.
So this goofy tweet the consultant sends: is it what you'd expect right before a terrorist crashes a plane? Of course not. But is it exactly what you'd expect right before some idiot trips a bug that does something to force an emergency landing? It absolutely is.
Is it outside the realm of possibility that some control system somehow bridged to airplane wireless would have a problem that would allow a passenger to deploy the oxygen masks? It is not. Would that design flaw be idiotic? Yes it would. Does the idiocy of that design flaw mean it's unlikely to be there? No it does not. Virtually every system you interact with in the world has idiotic design flaws. Wait, that's not a question. "Does virtually every system..." YES. YES THEY DO.
So imagine that, just like in pretty much every pentest ever, this consultant is merely poking around trying to see what functionality is exposed to him through this design flaw. No intention to make anything happen at all. Now imagine he purely by accident does manage to, I don't know, deploy oxygen masks. No harm done (stipulate nobody on the flight has a severe heart condition). Plane integrity undamaged. Plane fully capable of continuing along its itinerary. Nonetheless, what's the likely outcome here? Unplanned emergency landing.
There probably is no such vulnerability. But then you have to ask yourself: who in United's flight operations chain of command is qualified to assess whether there is? Really, who in the entire flight safety chain of command, from flight captain through FAA to DOJ, is? There aren't that many people in the world who know how EICAS messages work. All they have to work with is the hypothetical. "Unexpected behavior found in in-flight wireless. Tinkering in process!" That's a threat!
I think the thing that frustrates me most about this story is the fact that it's probably not possible to launch anything more than nuisance attacks from the vantage point of a passenger. And yet because of our (admirable and effective) attitude with regard to flight safety, those nuisance attacks are all economically devastating. In other words, this kind of "research" is unhelpful.
Where EFF made me flip out this time: "Nevertheless, United's refusal to allow Roberts to fly is both disappointing and confusing. As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed." Wat. United's decision here is extremely easy to understand: they do not want to offer service to someone who was willing to disrupt a flight to make a point. Meanwhile: the "security research community" does not deputize its members, make them swear an oath, and give them a little tin badge. No part of this guy's "job" gave him the right to tamper with the computer systems on an aircraft. If EFF thinks that's what it means to be a vulnerability researcher, they are broken. They cannot advocate effectively for legitimate research while promoting the idea of special rights for people who call themselves security researchers.
I second the motion that this is dumb. But weakness of airplane security is not unknown. Numerous presentations have been done at BlackHat and DefCon over the last few years, and people generally received good responses. But does anyone know if these presenters ever contacted the airline authority before they went on stage?
'Corporate types' have a lack of humour at the best of times, but that isn't what is going on here.
It's the 1 in 100, 1 in 1,000,000 chance that the tweet wasn't a joke, but a real threat. They can't take the risk that they knew about it, and didn't take it seriously, and hundreds died.
I don't get what happened. The airline put up a sign saying don't go past this curtain. You went past the curtain. You were surprised when they told you off?
The people in business class (or whatever it was in front of you) have paid more to be less crowded. Therefore the airline puts up a curtain and asks you not to cross it. That seems super reasonable to me.
You don't like the curtain and sign. A reasonable response might be to fly a different airline or pay to get in that section next time.
Deliberately ignoring the sign, going out of your way to tell them that you're going to do that, and then filming the poor guy when he stops you, that seems pretty far off into psycho land to be honest.
In fact, I'm glad that they went out of their way to protect the people in the seats in front of you from being unnecessarily bothered by people like you hiking past.
csirac2 | 11 years ago
jamesbrownuhh | 11 years ago
droopybuns | 11 years ago
mentat | 11 years ago
ehmmm | 11 years ago
Confusion | 11 years ago
ocdtrekkie | 11 years ago
patcon | 11 years ago
I totally disagree and am confused how that could be your reading
pla3rhat3r | 11 years ago
appleflaxen | 11 years ago
narsil | 11 years ago
smtddr | 11 years ago
EDIT: Screencap in case someone(s) decide to delete tweets http://i.imgur.com/Uqfh0oL.png
briandear | 11 years ago
grkvlt | 11 years ago
> "I'm on an Amtrak train, which, for the record, I'm pretty sure I can't take over via the wifi." - https://twitter.com/mattblaze/status/589153697910935552
arthurcolle | 11 years ago
Edit: https://news.ycombinator.com/item?id=9403693
makeitsuckless | 11 years ago
neurotech1 | 11 years ago
dendory | 11 years ago
tripzilch | 11 years ago
http://www.bbc.com/news/technology-16810312
rdtsc | 11 years ago
itg | 11 years ago
kragen | 11 years ago
cm2187 | 11 years ago
616c | 11 years ago
neurotech1 | 11 years ago
appleflaxen | 11 years ago
tptacek | 11 years ago
yeukhon | 11 years ago
notduncansmith | 11 years ago
mml | 11 years ago
throwaway232 | 11 years ago
liffingford | 11 years ago
[deleted]
rdlecler1 | 11 years ago
[deleted]
velox_io | 11 years ago
billpollock | 11 years ago
http://www.nytimes.com/2013/01/29/business/passenger-vs-airl...
In my case they almost apologized for having had Federal Air Marshals detain me.
getsat | 11 years ago
>Mr. Pollock conceded that he told the flight attendant he planned to ignore the sign, which other travelers had questioned in online travel forums.
Do you also drive around on public roads without a licence stating the "Right to Travel" like people also talk about online?
liffingford | 11 years ago
Am I missing part of the story?
h4x3r | 11 years ago
http://blog.erratasec.com/2015/01/obams-war-on-hackers.html
Note: They keep saying "HACKERS" and not criminals!