A cybersecurity analyst who was removed from a United Airlines flight after tweeting about the airplane's security vulnerabilities told an FBI agent he had previously hacked into the in-flight entertainment system on a different flight and was able to take command of the plane long enough to make it fly sideways, according to a recently released search warrant filed by the agency.
Chris Roberts, founder of One World Labs, was questioned by the FBI on April 15 upon landing at an airport in Syracuse after his flight from Chicago. According to the search warrant, Roberts told the FBI in February he had taken control of an aircraft, overwriting the code on the plane's "Thrust Management Computer" and issuing a "CLB," or command to climb.
“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in the warrant application filed in the U.S. District Court for the Northern District of New York and published by a Canadian media outlet. “He also stated that he used Vortex software after compromising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”
According to the warrant, Roberts — who for years has warned airplane manufacturers of their vulnerability to hackers — said he had accessed in-flight networks more than 15 times between 2011 and 2014 by connecting a modified ethernet cable to a box under the passenger seat in front of him, and had discovered vulnerabilities in three types of Boeing aircraft as well as the Airbus A-320. But he did not indicate which flight he was able to briefly commandeer.
Roberts was not charged with a crime, but the FBI seized his computer equipment — including a laptop, several hard drives, flash drives and a black iPad with a "Death Wish Coffee Co." sticker — because they believed he "had the ability and the willingness" to hack into in-flight entertainment systems and "possibly the flight control systems" on future flights.
According to the FBI, agents warned Roberts in February that "accessing airplane networks without authorization" is a violation of federal laws and that he could be prosecuted.
But on April 15, United Airlines alerted the FBI to a tweet Roberts published while on a flight from Denver to Chicago:
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :) — Chris Roberts (@Sidragon1) April 15, 2015
@RafalLos There IS a distinct possibility that the course of action laid out above would land me in an orange suite rather quickly :) — Chris Roberts (@Sidragon1) April 15, 2015
According to the affidavit, a subsequent FBI search of Roberts's seats on that plane “showed signs of tampering.”
Roberts did not immediately respond to a request for comment. But he told Wired he did not connect his laptop to the box on that flight.
“Those boxes are underneath the seats,” Roberts said. “How many people shove luggage and all sorts of things under there? I’d be interested if they looked at the boxes under all the other seats and if they looked like they had been tampered [with]. How many of them are broken and cracked or have scuff marks?”
He also told Wired that the allegation of commandeering in the FBI warrant application is being taken out of context.
"It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others," Roberts said.
Sorry it's so generic, but there's a whole 5 years of stuff that the affidavit incorrectly compressed into 1 paragraph....lots to untangle — Chris Roberts (@Sidragon1) May 17, 2015
Over last 5 years my only interest has been to improve aircraft security...given the current situation I've been advised against saying much — Chris Roberts (@Sidragon1) May 17, 2015