The researcher, Chris Roberts, who worked for One World Labs, told the FBI in February that he hacked into the in-flight entertainment system (IFE), according to an application for a search warrant filed by an agent. He also said he compromised the plane's Thrust Management Computer, giving it a command that momentarily changed the plane's direction, though Roberts has contested the agent's story.
"He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights," Special Agent Mark Hurley wrote in the application. "He also stated that he used Vortex software after comprising/exploiting or 'hacking' the airplane’s networks. He used the software to monitor traffic from the cockpit system."
In April, Roberts tweeted about hypothetically exploiting the plane's network while aboard a United Airlines flight. Roberts later said it was a joke in light of a recently published Government Accountability Office report warning that just such a hack was possible, through exploitation of the networks that allow passengers to use their phones and laptops in-flight.
"According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors," the report stated. A Boeing spokesperson, however, told Sputnik at the time that the report was inaccurate.
Roberts' tweet, nevertheless, caught the attention of federal authorities, who then interviewed him about his activities for several hours. They also confiscated electronic devices like his laptops and USB drives. A few days later he was banned from boarding a flight in California.
"We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems," Roberts had told FoxNews.com, about the potential vulnerabilities he was researching. "Quite simply put, we can theorize on how to turn the engines off at 35,000 feet and not have any of those damn flashing lights go off in the cockpit."
As a consequence of the media attention that the GAO report got, the FBI felt it necessary to send an alert to airlines, clarifying that no reports of actual hacks had been confirmed and that the reports circulating might encourage would-be hackers.
"Although the media claims remain theoretical and unproven, the media publicity associated with these statements may encourage actors to use the described intrusion methods," the alert for companies read, as quoted by Sky News.
It appears that Roberts has some quibbles with how his interviews are being reported in the document, however.
Prior to the release of this warrant application, Roberts had not indicated that he had actually taken control of a real flight. According to WIRED magazine, he told them that he and a colleague took control of a simulated system at one point, but not a real, flying plane. He had also said that while he had entered IFE networks before, he had limited his activities to exploring and learning about the systems.
"That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about," he told WIRED. "It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others."
Roberts has spent years studying transport security systems and speaking on the topic and other cyber security issues at conferences and to the media.
It is unclear if authorities will take legal action against him, but under the circumstances, Roberts has opted to remain silent for the time being.
There has been some professional fallout, however, and Roberts told WIRED that significant investors had decided to pull out of the company he helped to found — One World Labs — leading to layoffs of about a dozen employees, roughly half the staff.