Security researcher Chris Roberts is in the news again, a month after he was denied access to a United Airlines flight after posting a tweet about hacking into a plane while in-flight.
The reason Roberts is in the news is because the FBI search warrant has been publicly posted.
According to the warrant, Roberts had advised the FBI that he had identified vulnerabilities with the in-flight entertainment systems on Boeing 737-800, 737-900, 757-200 and Airbus A-320 aircraft. The warrant also noted that Roberts said had exploited in-flight vulnerabilities 15 to 20 times from 2011 to 2014.
To me, the most interesting bit of the warrant is this sentence: “Chris Roberts furnished the information because he would like the vulnerabilities to be fixed.”
Yes, Roberts hacked into airplane systems without permission. Yes, Roberts did make the mistake of tweeting about hacking into an airplane while in-flight. Those things are clearly bad. Hacking into an airplane in-flight puts the lives of hundreds of people at risk and is nothing that should be joked about at any time, by anyone.
That said, Roberts isn’t really the bad guy. He just took the wrong approach and made a bad situation even worse. Roberts didn’t put the vulnerabilities on the plane systems. He found them. That means that potentially someone else, perhaps someone with more malevolent intentions, could have found them as well. Instead of a joking tweet, the outcome could have been catastrophic.
I saw Roberts speak at the RSA Security conference last month, just days after the FBI questioned him. At the time, he declined to comment on the issue, but he did emphasize that he considers himself to be one of the good guys. Roberts spoke on a topic he called “security hopscotch”—that is, the ability to hop or pivot from one point to another in an Internet of things environment.
For Roberts, the question in security hopscotch isn’t just about individual vulnerabilities, but about barriers and segmentation between different devices and networks. In his RSA example, he explained how he could make use of an Internet-connected oven to hack whatever he wanted.
When it comes to airplanes, the lesson is clear—no individual passenger should ever get any access to any system that could be connected to flight systems or security. In-flight entertainment systems must be fully segregated and isolated from the rest of a plane’s operations.
While I don’t necessarily agree with Roberts’ methods, security by obscurity doesn’t work. United is now launching a bug bounty program, and I hope that other airlines follow suit, leading to responsible disclosure and safer airplane travel for us all.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.