
SoylentNews is people

posted by cmn32480 on Monday May 18 2015, @05:23PM
from the back-to-horse-and-buggy-we-go dept.

El Reg reports:

The FBI has accused a security researcher of hacking into the entertainment system of a United Airlines plane mid-flight, before causing the aircraft to temporarily fly "sideways".

Infosec bod Chris Roberts allegedly made that audacious claim to Feds' special agent Mark Hurley, who subsequently applied for a search warrant to examine Roberts' seized electronic devices.

Thirteen items, including thumb drives, a MacBook Pro laptop and an iPad Air were confiscated from Roberts on 15 April this year, after the researcher exited a United Airlines flight in Syracuse, New York, according to the Feds' affidavit (PDF).

Roberts, who founded One World Labs, has been quizzed twice by the FBI over the course of the past few months.

He apparently told the Feds that he had hacked into the inflight entertainment systems of Airbus and Boeing aircraft roughly 15 to 20 times between 2011 and 2014.

A story from the BBC has a different perspective on the situation:

Prof Alan Woodward from Surrey University told the BBC he found it "difficult to believe" a passenger could access and manipulate flight control systems from a plug socket on an aircraft seat.

"Flight systems are typically kept physically separate, as are any safety critical systems," he said.

"I can imagine only that someone has misunderstood something in the conversation between the researcher and the FBI, someone is exaggerating to make a point, or, it is actually possible and the aircraft manufacturers have some urgent work to do."

The researcher in question, Chris Roberts, said on Twitter, "There's a whole five years of stuff that the affidavit incorrectly compressed into 1 paragraph... lots to untangle".

 
This discussion has been archived. No new comments can be posted.
  • (Score: 2) by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday May 19 2015, @08:50AM (#184981)
    Both of the examples are where *data* goes from the trusted domain into the untrusted domain. In the audio case, there's also control (1 bit - "I have priority audio data available") going from the *trusted* domain to the untrusted domain.

    At no point does data need to pass from the *untrusted* domain to the trusted one. And the concept of *control* going from the *untrusted* domain to the *trusted* one is right out. (Enabling and disabling the export of certain payloads from the trusted domain can be viewed as passing data representing the state of the untrusted domain, a trivial single bit, where both values have clear meaning, rather than control. However, there's no reason for enabling/disabling to even be a feature. The trusted domain's state machine is smaller, safer, and more predictable if everything's always on.)

    Separate control from payload sensibly, and most of these problems simply evaporate. The mindset behind html+javascript support in email is the problem. Alas most people flooding the IT job market currently are people who've grown up only knowing email clients that support html with javascript. Ahhhh, Good Times...
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by isostatic (365) on Tuesday May 19 2015, @10:16AM (#185000)

    In an ideal world there should be an air gap between the systems, with power being the only systems they share.

    However there needs to be information from the airside to the cattle side, and that's where the plausibility enters. Yes there should be firewalls and proxies between the sides, ideally separate protocols (hence a gpi suggestion), however I can see a situation where you have a security-free implementation.

    Plug in to ife, break into ife server which has two network cards, one air (for the instructions from the cockpit), one cattle.

    Now most of us here wouldn't design such a dumb system, but it's plausible someone did.

    However I think it far more likely he broke into the moving map display rather than the actual cockpit. A responsible law enforcement/media/industry would issue a statement with enough details to alleviate concerns, while emphasising that breaking into a system is still a crime, no matter how insecure the system is, however in light of the gaping security hole this time charges wouldn't be pressed and someone (not the original hacker) would be contracted to ensure the system is secure.
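
The separation argued for in the two comments above can be checked mechanically during a design review. The following is an added example, not written by either commenter and not any vendor's design: it models components as nodes in a trusted or untrusted domain and reports every path by which anything originating on the untrusted side can reach the trusted side. The node names and both topologies are constructed assumptions.

```python
from collections import deque

TRUSTED, UNTRUSTED = "trusted", "untrusted"

def untrusted_to_trusted_paths(domains, flows):
    """Return each shortest path from an untrusted node to a trusted node.

    domains: {node: TRUSTED | UNTRUSTED}
    flows:   directed (src, dst) links; an ordinary two-way network link
             must be listed once in each direction.
    """
    out = {}
    for src, dst in flows:
        out.setdefault(src, []).append(dst)

    found = []
    for start in sorted(n for n, d in domains.items() if d == UNTRUSTED):
        parent = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in out.get(node, []):
                if nxt in parent:
                    continue
                parent[nxt] = node
                if domains[nxt] == TRUSTED:
                    # First crossing into the trusted domain: rebuild the path.
                    path, cur = [], nxt
                    while cur is not None:
                        path.append(cur)
                        cur = parent[cur]
                    found.append(path[::-1])
                else:
                    queue.append(nxt)  # keep walking inside the untrusted side
    return found

# Constructed model (hypothetical names).
DOMAINS = {"avionics_bus": TRUSTED, "ife_server": UNTRUSTED, "seat_port": UNTRUSTED}

# Design A: IFE server with two ordinary (two-way) network cards, one per side.
DUAL_HOMED = [("avionics_bus", "ife_server"), ("ife_server", "avionics_bus"),
              ("ife_server", "seat_port"), ("seat_port", "ife_server")]

# Design B: the avionics link only transmits toward the IFE side.
ONE_WAY = [("avionics_bus", "ife_server"),
           ("ife_server", "seat_port"), ("seat_port", "ife_server")]

if __name__ == "__main__":
    print("dual-homed:", untrusted_to_trusted_paths(DOMAINS, DUAL_HOMED))
    print("one-way:   ", untrusted_to_trusted_paths(DOMAINS, ONE_WAY))
```

An empty result for a design means no modelled link carries data or control from the untrusted domain into the trusted one; it says nothing about links left out of the model.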