Update: Hacker on a Plane: FBI Seizes Researcher’s Gear

Equipment seized from security researcher Chris Roberts by the FBI. (Photo courtesy of Chris Roberts and Twitter.)
Equipment seized from security researcher Chris Roberts by the FBI.

In-brief: The FBI seized equipment from noted security researcher Chris Roberts on Wednesday, alleging that Roberts may have tampered with the systems aboard a United flight to Chicago. Roberts denies the claim. 

Chris Roberts (a.k.a sidragon1), a leading researcher delving into the security of airplanes, was pulled off a plane in Syracuse, New York, on Wednesday by the FBI and questioned, apparently over concerns that he attempted to hack into critical systems aboard a United flight earlier in the day. [Updated to add comments from Mark Rasch. 4/17/2015 11:20]

In an interview with The Security Ledger on Thursday, Roberts said that he was questioned by FBI agents for four hours Wednesday evening and then released. (A text message conversation, however, suggests he was detained for around two hours.) His laptop and a variety of external storage devices were confiscated by the FBI, which said it wanted to determine whether Roberts, an authority on security vulnerabilities in modern aircraft, may have accessed sensitive systems on a flight from Colorado to Chicago earlier in the day.

Roberts is the founder and Chief Technology Officer of One World Labs, a security research firm.

In response to mentions of his earlier research on Twitter, Roberts, using the @sidragon1 handle, had tweeted about his ability to hack into in-cabin control systems on the Boeing 737.

“Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? :)”

An SMS conversation with Roberts from Wednesday evening.
An SMS conversation with Roberts from Wednesday evening.

EICAS refers to the Engine Indicating and Crew Alerting System, critical in-flight systems.

That apparently got the attention of federal authorities, who were waiting for Roberts when he arrived in Syracuse that evening for a scheduled talk – ironically, to an audience made up of law enforcement.

“Two officers got on, two regular Syracuse PD. They walked back there, and past me. The FBI agents walked on, they walked past me and turned around at which point, I said ‘so, should I get my bags now?’ and they said ‘yes, please, Mr. Roberts,” he told Security Ledger on Thursday.

Roberts has been demonstrating vulnerabilities in the avionics systems used on modern airplanes for the past five years, warning that modern planes have converged critical systems and non-critical systems such as in-flight entertainment and wi-fi in ways that create serious security and safety risks.

He isn’t alone. Ruben Santamarta a Principal Security Consultant for the firm IOActive demonstrated at the 2014 Black Hat Briefings how satellite based communications devices (SatCom) used to provide Internet access to planes in flight could be used to gain access to cockpit based avionics equipment. Brad “RenderMan” Haines has also demonstrated methods for moving from in-flight entertainment systems to critical control systems aboard planes.

Roberts said he had met with the Denver office of the FBI two months ago and was asked to back off from his research on avionics – a request he said he agreed to. But recent weeks have seen him get high profile media attention from Fox news and CNN, who ran stories about the danger of hacking into airplanes in flight.

Those stories apparently got the attention of federal authorities, Roberts said.

“I don’t know what the logic is. They’re probably pissed that FOX picked up on it and CNN picked up on it and it’s gotten a lot more media attention,” Roberts said.

“This has been a known issue for 4 or 5 years where a bunch of us has stood up and pounded our chest and said this is an issue…Are they pissed because there are credible threats and we’re giving those credible threats more intelligence, or because we’re standing up and saying ‘there’s a problem,’ or because they can’t get anywhere with this? I don’t know.”

He described a testy but polite meeting with FBI agents, who accused him of “tampering” with systems on a United flight to Chicago. They requested that Roberts unlock his work laptop and provide a password needed to decrypt the hard drive so they could do a forensic analysis of the hard drive. Roberts says he refused the request because of proprietary information stored on the hard drive. He demanded a warrant to search the computers and hard drives. Roberts indicated via Twitter that he had not received a warrant nor had his equipment been returned.

Amanda Cox, a spokeswoman for the Albany division of the FBI declined to comment.

Mark Rasch, a former Department of Justice Lawyer and now head of Rasch Technology and Cyberlaw said that Roberts’s tweet was “borderline” and that the FBI would almost certainly obtain a warrant to search the devices. Still, he questioned why the agency was following the social media posts of a security researcher  closely enough to track down his flight in real time and apprehend him.

“If this guy is going on Fox and CNN and talking about this, they know for certain that he is not a threat,” Rasch said.

Roberts says the real issue is not his research, but the failure of firms like Boeing and Airbus to respond to issues raised by security researchers. Roberts said the airline manufacturers hadn’t learned the lessons of technologies companies like Cisco and Microsoft about the proper response to responsible disclosure by security researchers.

“It feels like this industry is going through the same issues. The problem is, if I break a F5 device or a Cisco device, I’m not harming anybody. I screw around with an airplane, I’m taking 100 to 400 people out of the sky and you’re not recovering from that.”

The FAA and authorities should be taking a more assertive stand in forcing airlines to address known security issues he said.

Spread the word!

79 Comments

  1. Pingback: 1p – FBI seizes equipment, alleges plane hacking | Profit Goals

  2. not a police state moppet

    This is precisely the sort of thing he shoild not have been doing. I generally do not side with the feds but what he did was ethically irresponsible and ignoring that and encouraging shit like this is precisely how and why police states come to exist in thebfirst place. If the feds had NOT responded what do you think would have happened? He probably would not have brought down a plane (also because he is a self-aggrandising dude who wants attention) even accidentally but there is a social precedent and it is the same sort of precedent that anti-disclosure was about years ago: it wasn’t about giving the gov more power, it was about not giving them excuses to take it.

    Tl;dr: with power comes responsibility to act appropriately. Expect to be held to standards. Do not ezpect it’s okay for you to peetend to do shit that anybody else would get harrassed for doing.

    Also he doesn’t really understand aeronautical networks but that’s okay. A lot of bugs require real world conditions that only seem to exist. I am sure this press will get his company more business. It usually does. Can’t people just stop FUDding?

    • No doubt that making idle and maybe threatening sounding comments about a plane in flight is not a good idea. That said: Chris’s point is that he’s merely talking about research that he has been talking about for 4+ years. In other words “there’s nothing new here.” A bigger question may be whey the FAA and federal government have been unable to address the issues raised by independent researchers in a systemic way. So, rather than ‘killing the messenger’ maybe help deliver the message to airline manufacturers that its time to get serious about cyber risk to planes in flight. Agree?

    • “This is precisely the sort of thing he shoild not have been doing.” Wrong, wrong, wrong. This is what he was “allegedly” doing and this is EXACTLY what he SHOULD be doing in order to determine HOW to fix the potential problem from those that WOULD DO the WRONG thing with the information!

      Would you rather he do the research (whether sanctioned or not) or have some group with malevolent intent beat him to the punch?

      • not a police state moppet

        Proof of Concept via terroristic threat, even if intended as a joke, is not in any way, shape, or form ethical. That guy who got pulled by the feds for his tweet about ‘destroying New York’ absent even the slughtest bit of context? Ridiculous overreach. Mentioning manipulating specific flight-critial systems, true or not, probably (as Rasch later said) WILL get a warrant. And it probably should. I am not sure he should be convicted of anything (at least not anything with a permament record) but things are getting out of hand if you really believe there is an Us or a They. Especially considering the faxt that someone who IS dissatisfied about their research being ignored actually does wind up fitting a knkwn past profile of someone who MIGHT act. And I am not at all saying he did, would have, or could have. I am stating that people are getting pissed and Chris is getting support for something no ethical security researcher should condone or excuse. Frankly if he got charged and the EFF took his case on I would stop my yearly donation. Thus wasn’t overreach. If they come at him with piled indoctments, sure, maybe. But there are actual gross injustices occuring. You’re just making Chris famous and setting an example (and this is one of my points) that if you don’t get your way (and if he was on his eay to speak at a conference to feds about this he was on his way to getting it ffs) it’s perfectly acceptable to make dubious half-threats to get a response. You know who does that? Five year olds.

      • not a police state moppet

        tl;dr if he wants to do the research don’t do it on a plane full of people. he didn’t allegedly tweet. he tweeted. let forensics decide if he did get access (on the plane and on his computer if need be… though if he is refusing to give up his encryption keys (and I would too) the problem is he is basically going to contribute to tearing down the right to refuse to hand over keys. If you don’t want to be investigated for hacking an in-flight system when you obviously have the self-proclaimed ability to do so it’s easy: don’t do it OR pretend to do it AND TWEET about it. Better yet don’t do it. How is he investigating these “faults” if he lacks access to jumbos? Either he isn’t doing it or he has access in which case why is he even pretending to do this? clear enough?

      • His actions are for the good, not bad. He brings to light serious vulnerabilities that need to be taken care of by authorities. Test flights should be conducted to determine vulnerabilities and fixes with various aircraft.

      • He could have been doing his “tests” with the plane landed or within a hangar, NOT ON THE AIR, risking 150+ lives, just for the fun of it. If he is a serious researcher, he knows he can work with the communication systems with a plane on the ground and without passengers!

        • Yeah, right. Do you see the airlines giving him time on a plane in the hanger (@ XX thousand $/hr) to show up their weaknesses. And it is obvious that Boeing and Airbus don’t want to do it either since they have had over 4 years to react. No, everybody will stick their heads in the sand until some terrorist uses this weakness to take down a plane and then the media will be shouting “why did we not do anything before now?” And the lawyers will be licking their chops
          I applaud this brave researcher for daring to show how stupid and negligent the aircraft manufacturers, airlines and the Government/FAA are.

    • I disagree with the moppet’s comments. I am a security researcher and this is absolute BS to be honest. There are so many of us that do our research to protect critical infrastructure only to be ignored when the threats are very real. Anyone that thinks us not doing this research will “not” find those wholes is just a d+++a++. The reason being that stopping encryption, research does nothing as don’t you think terrorists are going to do this anyway? What the FBI SHOULD BE DOING is engaging the security community, not pushing it away.

      Maybe we should be talking to the CIA or NSA, at least they know why we do research and also do the same research I may add. FBI you’re doing it all wrong and failed. Its time to wake up and engage a community you will never stop, if you did try to stop it, you jeopardize every American’s security and protection. We need to discuss exploits and holes so that these get plugged, not side with corporations that are not doing a fantastic or even “good” job at creating solid and secure code.

      Think about it and for heavens sake get someone in that actually knows and understands security and how this community works, we are friends not threats. You should learn from your mistakes because up to now, you obviously didn’t.

      I am reaching out, giving you that chance, you should take it. Our nation and our citizens depend on us working together, we have a common enemy…. ISIS and all the other dingbats out there, we don’t have any more time for pissing contests.

      (Sorry for the rant, just can’t hear this crap anymore, we don’t have time for this….)

      • not a police state moppet

        You live in a delusional fantasy world of black and white, good and evil, not realising you’re no more the good guy than the very people you are railing against. This isn’t an epic battle of Them versus You, bucko. Those are fun til you wind up ‘inexplicably’ on the other side.

        There are only sides.

        • You state that their is no black and white … just sides right/wrong, left,right front,back.

          So black\white seems to work pretty well in this case.

          • not a police state moppet

            sides are never only and always 180 degrees apart. or even numbrrs divisible by 90. so no. wrong.

      • Idiot (this is your ID, not an offensive term from me),

        If you are serious researchers, why don’t you fill up a plane with your family members, and play with your security tests while flying with them (your family members), and not with innocent people that can die because of a stupid “research” error that can bring the plane down?

  3. Just a thought, but maybe some of the airlines ought to think about hiring, possibly, some type of “leading researcher delving into the security of airplanes” to actually show them just how vulnerable their systems might be.

    • Hey – yes. You are seeing auto makers doing just this (notably Tesla). Like many things we rely on, airplanes are – more than ever – just hardware running software.

    • not a police state moppet

      Sure. But not the ones taking it upon themselves to do so without approval, in-flight, with no common sense, discretion or actual safety in mind.

  4. The only thing that this “researcher” is going to accomplish is getting the wifi system disabled on most aircraft for everyone. Any responsible researcher would work with the Aircraft manufacturers to assist them in improving their security. This guy is just looking to get attention. Say goodbye to in flight wifi. You can blame this guy and his irresponsible behavior for that.

  5. Chris roberts ya got that right I like it it’s all cool to me so ya got me I love this add proud to be. The first to like this thanks chris roberts

  6. I had this exact same discussion re. SCADA systems.
    Lesson 1: Security through obscurity is… No security at all!!
    Lesson 2: Airgapped systems are only as secure as the weakest link.
    Lesson 3: If you are serious about security, get everything vetted by multiple independent
    third parties armed with the latest tools and methods.
    Lesson 4: NEVER, EVER “Shoot the Messenger”. A falling king does that as a last desperate act.

    Here endeth the lessons.

    • Agreed 100%. As Roberts says: software and hardware vendors learned the “don’t shoot the messenger” lesson 10 years ago and now work with researchers, including offering bounties for vulnerabilities in their products. There’s no reason an Boeing or Airbus couldn’t follow suit. Lesson 5 for researchers: don’t make threatening sounding statements about critical infrastructure, even in jest!!

    • not a police state moppet

      He wasn’t being a messenger here. He was tweeting to all and sundry in a ridiculously irresponsible manner. So let me get this clear according to some people here’s sentiments: it is okay for HIM to do this sort of thing because he is a ‘researcher’ but how do people know who is serious and who isn’t? for that matter, how many people who have been shouting for attention WILL go down for a ship if they don’t get it ‘to prove their point’?

      Someone mentioned scada. For shits and giggles let’s say you started tweeting about how someone like the POTUS or an ex were on an elevator and you had control over that elevator. What is the appropriate response? Let’s say you’re a researcher studying how insulin pumps can be remotelt controlled… and then you tweet that at a diabetics conference after having a blog entry saying you dislike fat people for eating the SAD and becoming lazy diabetics (nb not my opinions, making a point here). Let’s say you get access to a nuclear energy facility and can find you can manipulate the… ha. Right. That’s been done.

      There is nothing ETHICAL about using even a hypothetical use case to bully someone or scare or threaten them. If you don’t like shit, change it. You aren’t being witty. You aren’t being clever or smart. And you don’t know shit about unforseen consequences.

      BTW what if it was someone who had read his ‘research’ or watched a talk on it and tweeted the same thing?

      He wasn’t *arrested*. He was being given (perhaps a rude) triage. Or do you think surveilling everyone constantly so they can always ‘know intent’ (they can’t btw) because someone says they are a whitehat is perfectly peachy keen? “Aww damn dawg, I got clearance to tweet I can crash this plane.”?!

  7. One consideration is that avionics software requires extensive certification. Unlike router or desktop software that can be released with minimal regression testing, avionics hardware and software requires a comprehensive test suite and certification documentation that a Designated Engineering Rep (DER) must approve. The EICAS software would by certified to a higher level than the in-flight wifi and satcom systems. It may not be as simple as installing a commercial firewall between the two aircraft systems to address any potential network security holes. But, it does appear that this issue should be investigated.

    • But then we need to start looking at the verification process and parties involved. If these concerns have been raised for 4+ years and the certification organizations haven’t made the changes we need to follow the money. Who makes money in the certification process? Who loses money when if something doesn’t pass certification? Why would airlines and the FAA not work on these problems seriously? Because there is financial motivation to not take care of the problem. Has anyone looked into how much money the airlines are making from in-flight entertainment systems and how much they would loose if it had to be disabled until fixed?

      If this prompts the FAA to take steps to correct these security problems will anyone regard Roberts as a hero?

  8. This is not the way to go about doing this. From his tweet, if it is reported accurately, he should be arrested and charged with tampering with an aircraft.
    The only reason I say this is, you do not do this on an airplane full of passengers. What if he unintentionally caused some type of interruption within the systems. It is the “what if”, the unknown. These types of things can be tested on the ground, never, never in flight with passengers.
    Suppose he does manage to trigger an EICAS message. The flight crew is going to have to deal with it. What if it causes the crew to take action that is not warranted, because of a fake message. Hopefully the redundancy of the systems on the aircraft would help them determine a false reading, but what if it doesn’t.
    I won’t go into all the other issues that may occur when the plane arrives at its destination.

    • not a police state moppet

      If he actually did get into the system and they do forensics and show it is true he should absolutely be charged with a few felonies (and this from someone who generally believes a lot of comp crime charges are utter and complete bs and should never exist in the first place).

      To toss a shitty CEH requirement out he had no agreement with the compamy, he had no permission to do what he did, and he put lives at risk.

      If he did NOT get access then it was just pure irresponsibility and I would suggest he not get hired to do pentests legitimately since he clearly lacks respect for potential clients. Then again most back corriders are full of fuckheads talkkng about their client engagements and sharing privileged information about client networks because, hey, gotta brag.

      I have met blackhats with tighter lips and more acruples who’d never ever even consider to fucking joke about doing thus sort of thing. (Invectives judiciously included at times to make my point).

      • not a police state moppet

        Sorry, bad thumb typing. Most of the typos are obvious so I won’t bother correcting them, but acruples in my last paragraph should read scruples (perhaps less obvious… perhaps ironically)

      • not a police state moppet

        Oh and in case there are misunderstandings here, saying he should be charged with a few felonies does NOT mean I think he should be pounded by the legal system or punished in some remarkably outsized manner. I am certainly not saying he should go to prison for 8-10 years or even have a felony record. I AM saying he should NOT be accorded special status. If he got in to an in-flight system (and I have some doubts given airgaps) and was actually accessing it in a live case scenario then he hubristically and without giving a shit about anyone else decided his ego mattered more than the actually very tipping-point-prone airplane he was on – or more specifically the lives of those on board. So much could have gone wrong if he was on those systems regardless of his intention that the fact people are taking his side in this literally boggles the shit out of me. Is it because I worked toward a pilot’s license? When to an engineering school? It certainly isn’t my years of experience in security apparently.

        I think people are part of a big group delusion. Then again I think that’s what shit has devolved into and was built up into too. Quit being rockstars. You aren’t. If you care about security act like it.

  9. Clyde Kenneth Clark

    I agree with Mark completely. When I read the news release I figured the “expert” was either probing the aircraft’s electronics to see if he could get in to satisfy his own (professional?) curiosity OR
    he was showing off for a friend (which explains his Tweets) or both. In any case he showed not only unprofessionalism but recklessness. In other words the jack-off could have fucked up everything and brought the plane down. Who knows? Maybe that’s what happened to that Malaysian aircraft that disappeared a little over one year ago and no trace of it has yet been found. (?)

  10. Pingback: Χάκινγκ εν πτήσει; Ούτε γι’ αστείο! | deltaHacker

  11. Pingback: FBI Accosts Security Researcher Over Fear That He Hacked His Flight | I World New

  12. Pingback: FBI Accosts Security Researcher Over Fear That He Hacked His Flight | Gizmodo Australia

  13. Pingback: FBI Accosts Security Researcher Over Fear That He Hacked His Flight | The Fat Cat Collective

  14. Pingback: Researcher who joked about hacking a jet plane barred from United flight - The Best Tech News

  15. not a police state moppet

    Incidentally it is his braggadoccio and apparent ignorance that what he did was both reckless and unethical that pisses me off more than anything else (even his recklessness). Or more specifically it compounds his actions. He saw so little wrong with it that he basically made a stink about the feds, apparently lied about how long he was questioned (forgivable; we all go through time dilation and I am sure fed questioning felt twice as long), blasted his story for fame and pity, desired to be the victim, and acted pissed off the feds were basically doing their job.

    So, money on it being one of his twitter friends who contacted an agent, not the FBI (or at least only the FBI) keeping tabs out of concern for the possible unintended consequences?

    I accepted, in so much as I could, that he may have screwed up. Ehat I find galling is that he doesn’t see it as a f-up and is painting himself as the victim. The only person he is the victim of is himself for making bad choices. Just man up and accept responsibility for makkming a mistake or taking it too far. Don’t think you’re some sort of poster child for a cause. You aren’t. Well, unless your cause is making it so anyone could tweet this stuff on a plane. This is not a matter of free speech. Free speech is saying there is a problem. This is not that

  16. Pingback: Researcher who joked about hacking a jet plane barred from United flight | The other line moves faster.

  17. That’s outrageous, he shouldn’t point out that the manufacturers of airplanes took stupid short-cuts in the design of their onboard digital comms systems, and rely on ignorance to stop their security short-comings from become a serious danger to their passengers!
    /sarcasm

    For some reason I am reminded of the Ford Pinto and how Ford thought it would be cheaper to pay a few claims for injuries:
    http://en.wikipedia.org/wiki/Ford_Pinto#Fuel_tank_controversy

    • not a police state moppet

      You’re being ridiculous. Let’s put aside the computer itself for a minute. I was only ever (barely) rated for single engine aircraft and anybody with a far higher rating than mine would vehemently exclaim how dangerous it is to even imply something capable of causing panic on any airplane. What exactly do you think this could have done had a fellow passenger seen it? Or a friend/family member on the ground that was in communication with someone on the plane? Never mind the gross irresponsibility amd unethucal nature of what he did, even if he NEVER had ANY access whatsoever he was actually capable of taking down that plane *accudentally*. There is a reason you also don’t say “why yes there is a bomb in this bag” as a joke when the checkin does their rote questioning. If you have ever even joked about THIS you will have a miserable time. And that is before even making it onto the plane and in the air.

      Would you feel safe on a flight where this was done? Do you understand just how delicate flights are, especially involving multiple engines? It’s pretty damn close to magic and too much can go wrong to fuck around. Do I hold airlines accoubtable for security? Sure. But this shit isn’t CSI:Cyber or Scorpion. He isn’t in the movie Blackhat. And his move was far far more blackhat than he thinks.

      If you want to be treated like a responsible citizen act like one. Don’t expect to have special standards. Don’t think “oh they know who I am” whether they do or not like everyone should and that gives you a pass. It doesn’t.

      I could see a 20 year old thinking this is okay (even though it is emphatically not) but seriously, Chris, you’re TWICE that age. I have been around as long as you have but even if I weren’t I would wonder what the hell made you think that was a brilliant move and that you deserve someone else to pay for your defense. At least acknowledge you’re at fault.

  18. Pingback: Researcher who joked about hacking a jet plane barred from United flight | infopunk.org

  19. Conundrum earlier summarized the issues in clear outline. Ultimately it is the same issues whether we are talking about cars, planes, trains, natural gas pipelines, or chemical plants. The industrial security community has been sounding this klaxon for many years with little response. Some have even taken to popular fiction in the hopes of getting the public’s attention (e.g., the recent Flight Track novel about a digital hijacking or Web Games, which anticipated stuxnet-style attacks.

    The biggest risks in the airline scenario are not even from onboard access but another level of attack via internet links, the details of which have yet to be disclosed or discussed. All aircraft intrusion scenarios are extremely unlikely, but they are also highly tempting to certain parties, which makes it only a matter of time before the intrusion is not from a bonafide security researcher.

    • not a police state moppet

      Do you believe Chris’ research is real-world applicable?

      • The work that Roberts, Santamarta, and others has real-world implications even if the specific vulnerabilities identified so far and their scenarios for use are only remote possibilities. Knowing something is there increases the chances of finding it. What terrorist group would not love to be able to hack into aircraft and bring them down. Most groups will not have the sophistication to work the hack themselves, but the wealthier ones can buy or hire what they lack themselves. And then there’s the ransom scenarios.

        AS far as I am concerned, it is not about whether such things are likely to happen but about designing critical systems right in the first place, not cutting corners by putting everything on the same buss or leaving bridges intact or making everything full-time accessible to (from) the Internet.

        I no longer consult actively in this area, but my fiction (e.g., Flight Track) is about precisely such potentials. Like Roberts, I am just trying to get public attention on issues that need to be fixed.

        –Prof. Larry Constantine (pen name, Lior Samson)

        • not a police state moppet

          This in no world fits a least harm possible standard. Tom (tqbf) Ptacek – who also has consistently and for decades (been around for a long time, as I have) spoke directly to this in the ycombinator thread on this subject so I won’t reiterate his points; we think a lot alike about this entire debacle. I highly encourage you to read what he wrote.

          One thing that drives me nuts about so many “pentesters” is theur utter and apparent inability to understand that not all consequences are intended, especially when it comes to “testing”. In fact from a fuzzing standpoint, it is rarely the bugs we think we find that can cause the most damage. It is often an idiosyncrasy that can cause the most harm. There are a few great books out about this. For a real world example look at the Challenger disaster (not comparing the incident, comparing the investigation): it took Feynman a simple experiment with an O-ring to prove little things not totally understood can have major ramifications when it comes to safety.

          I am arguing so much n this thread because people need to realise not having a standard set of ethics is ridiculous. I am not arguing for special status. I am arguing AGAINST special status. Which means people need to think about what they do before doing it, respond appropriately when somebody doesn’t (especially one’s own peer group), and take responsibility if they do fuck up. And by that I don’t mean excusing it either. Trust needs to be earned.

          Earning trust, btw, Chris, if you’re reading this, doesn’t mean passing TSA pre-screening. If anything you sort of prove pre-screening has no ability to predict a lack of judgment.

  20. Sorry. This is a lesson that white-hats need to really learn, since this isn’t 1999 anymore and these “lessons” have already been learned the hard by others for going on two decades now.

    Don’t joke on the internet about vulnerabilities that could be taken to imply a threat. Its really that simple. If you want to? Fine, but understand that the Alphabet agencies will be around shortly, they will seize your gear, detain you, your name will be leaked to the press, your reputation damaged, etc, etc, etc… None of this is new territory. Its old. Way, way old.

    With that being said:
    Companies that run critical infrastructure need some sort of responsible disclosure mechanism so engineers who either discover- or just ‘realize’- some major flaw about their system can let them know without having to endure the ensuing indignity of being ‘investigated’ by hysterical cops who struggle comprehending that someone who discloses something is no threat. There are probably a ton of vulns out there that people just don’t bother disclosing because they don’t want the BS drama it would bring into their life.

    Awful, awful way to go about things.

  21. Pingback: ste williams – Security researcher barred from United Airlines flight after hack tweet

  22. Pingback: Hacker Detained by FBI After Tweeting About Airplane Software Vulnerabilities. | Tfun

  23. not a police state moppet

    And now Wired is taking everything Chris says at face value, down to the amount of time he was questioned.

    I am confused… what part of connecting to in-flight systems repeatedly, and without authorisation, on flights he is on as a pax — and he flatly ADMITS to doing both in the Wired article and to the FBI itself (in the past) — is legal, exactly?

    What the hell is wrong with you people?

    Does being “exasperate” serve as an excuse now for everything?

  24. Pingback: Researcher who joked about hacking a jet plane barred from United flight | TechDiem.com

  25. Pingback: Du danger de plaisanter sur la sécurité des avions | Le Diligent

  26. Pingback: Die Ohren des FBI fliegen immer mit | digichonder.ch

  27. not a police state moppet

    Linking this does NOT imply that I think people do not or cannot change. I emphatically believe they can and that our duty in life is to constantly better ourselves and the world around us. That said, this article speaks further to a history of him lacking common sense:

    http://m.bizjournals.com/denver/print-edition/2011/01/14/breaking-and-entering-part-of-the-job.html?page=all&r=full

    Note many of us who were around a long time ago were experimental back then (before the internet became connected to everything and everything was on the internet). But there’s a massive lack of judgment evidenced in this article that he no doubt thought was good press – the stuff with his father for instance – but most egregious of all was his not having the common sense to realise… oh do I even need to say it? The funny thing is I don’t have a personal grudge against Chris, per se. I have a grudge against a lack of decency, common sense and ethics. I don’t care who it is. The issue for me isn’t just how messed up this instance is. Or how he is contributing to it. People rally around stuff because they want to be part of something. Or overrelate.

    He wasn’t “targeted” for being a security researcher. What those of us who’ve been in the field long enough to know how shit works can predict though is that HE WILL CONTRIBUTE to MAKING security researchers be seen as a threat – to security – and thus cause a threat to our liberty. It already started. Why give ammunition and evidence by refusing to exhibit rational thought? Lulz?

  28. Pingback: Hacker on a Plane: FBI Seizes Researcher's Gear | The Security Ledger https://securityledger.com/2015/04/hacker-on-a-plane-fbi-seizes-researchers-gear/

  29. The BizJournals link provides insight into where Chris Roberts came from and what he is about. For whatever reason, he has chosen to be on one side rather than another. At least he is not using his talents and temperamental leanings to steal money and bring down planes. There are many ways people with a taste for adrenaline and deception can put these to good use. For my part, I write stories of intrigue and adventure rather than act them out as Roberts does. Most of his work is at the request of clients, which in my view completely legitimizes what he does. The on-board stunt would seem to be an exception, but I do not see this one action as spelling the end of freelance security research. Like all whistle-blowers, he took chances and pushed the envelope. If the airlines and OEMs are jarred into wakefulness because of the public spotlight, all the better.

    –Larry Constantine (pen name, Lior Samson, author of Flight Track)

    • not a police state moppet

      People who become self-styled whitehats to do what blackhats do with impunity do not have the interests of your security at heart. Nor do gov agencies who recruit them, or companies which think it is ok to experiment on other peoples’ systems without consent. At best that is greyhat, and while greyhat occasionally has its moments, those moments are very very easy to bend past the point of acceptability; in this case I think it goes further than that. Did you really look at the language in that article?

      Whitehats, to be good, need to likely think like blackhats to protect things… but not act like them. Or break the barrier between protecting and potentially harming. A lot now want to play both (ask me how many of these whitehats I saw cheering chaos in 2011 and supporting the very things that’d turn out to be federal operations to entrap hackers; the lines are not as clear as they should be. While I am not condemning it, I keep seeing instances where the people “normal people” rely on the protect them are basically believing themselves impervious to the law because, label. But label doesn’t mean anything. Ethics should mean something (and I mean that about the gov not just non-gov types). There are no enforced norms about what is ok or not ok. There are no in-group consequences shuttling egregious oversteps of ethical considerations. And so the feds have the ammo they need because there are no reasonable boundaries.