United Airlines Hack: Fighting Vulnerabilities with Marketing

On the afternoon of April 15, 2015, security researcher Chris Roberts boarded a United Airlines flight and published a tweet that has sounded echoes around the security world. 

During Mr. Roberts' flight a United Airlines cybersecurity analyst became aware of the tweet and alerted the FBI, who met Mr. Roberts at his destination and questioned him for several hours.

The message Roberts sent refers to his research into vulnerabilities on commercial airlines’ flight control systems. He claims to have built a test environment to mimic the electronic systems of a particular type of plane, and in that environment, successfully taken control of the simulated airplane’s flight functions. Now the FBI alleges that Mr. Roberts took his research a (significant) step further – that he actually took control of a flight in progress and caused it to shift course from “cruise” to “climb.”

In the scenario described by the FBI, Mr. Roberts used his knowledge of airplane electronic diagrams to enter the systems via an Ethernet connection to the in-flight entertainment system. From there he would have been able access the satellite phone system, which is also connected to various cabin control systems. Those cabin controls are, in turn, connected to flight avionics systems. While Roberts admits to entering the network and observing traffic on multiple occasions, he claims he never commandeered a flight. The FBI alleges that, during the interviews they conducted following his April 15 tweet, Mr. Roberts did admit briefly taking control of a flight.

If true, the implications of this are somewhat unsettling. Of course, we should expect to hear from some people that this means the terrorists are next in line. And of course we should be on the lookout for that – but an attack like this is unlikely. First of all, it takes a highly skilled and knowledgeable researcher to do what Mr. Roberts (allegedly, and by his own claims) is capable of doing. We know that hackers exist everywhere, but those of this caliber are rare and valuable – and thus unlikely to deploy on a suicide mission. Second, a successful attack would need to be orders of magnitude more sophisticated in order to compromise the controls and then maintain control for long enough to do anything terrible. Certainly in the wake of this discovery, significant scrutiny will fall on the possibility of this type of attack.

What’s more unsettling is fairly mundane – the fact that we continue to receive confirmation of inadequate attention to security in systems design. There is no reason for an actor to be able to jump between the computer systems that control an airplane. Recognizing that the cost of re-fitting electronic systems on an entire legacy fleet planes – not to mention the logistics – would be nightmarish, we understand why these legacy systems persist. We hope that newer engineering will consider newer problems.

United on Friday took an interesting step toward mitigation: they offered 1 million flyer miles to ‘ethical hackers’ who are able to take remote control of an avionics system. Depending upon your valuation method, the reward amounts to between $10,000 and $25,000 – about the cost of an entry-level security assessment. Of course, this is a non-cash expense for United, and likely to have a negligible effect on profitability.

So in one sense, United has seized upon a clever way of demonstrating a proactive approach to a very high-profile problem. The media loves it, and some researchers will undoubtedly participate. However in another sense, United has opted for the cheapest (and most effort-free) approach of mitigation. The security problem promises to continue exacting a heavy toll on those who ignore it. United’s media-friendly approach to the headlines may be good PR, but it is bad practice.