Cybersecurity

Alleged plane hacker said he ‘messed with’ space station, satellites

A computer expert under scrutiny for allegedly hacking a commercial plane bragged in 2012 that he and his colleagues “messed around with” the International Space Station via cyberspace. 

Chris Roberts, a security professional with One World Labs, told an audience that he “got into trouble for playing with” the Space Station eight or nine years prior. 

{mosads}“We adjusted the temperature on it,” he told the GrrCON Hacker Conference in response to a question from an audience member. “It was quite fun. We got yelled at by NASA.” 

Roberts added that if NASA is “going to leave open shit that’s not encrypted that’s their own damn silly fault.” He went on to discuss how best to take over a satellite, and acknowledged trying to take control of the Curiosity Rover on Mars. 

“[Satellites] would be fun to play with even more,” he said. “We might need to come back next year and see how many satellites we could actually take control of … Your homework for the next 12 months: see who can f—k with the most satellites.” 

Roberts initially gained media attention last month after he tweeted a joke mid-flight about releasing the plane’s oxygen masks by taking control of its on-board communications systems. 

When he arrived at his destination, Roberts was detained by the FBI and questioned for several hours. He was later banned from boarding a United flight. 

At first, the incident caused concern in the cybersecurity world about the potential for researchers to be punished for finding and revealing security vulnerabilities.

But details now emerging about Roberts’s activities and past comments have cast the episode in a different light. 

A search-warrant application published over the weekend stated that Roberts told the FBI that he had successfully caused a plane to climb and fly sideways by breaking into its systems. 

Roberts admitted to similar efforts during the 2012 conference talk, according to Ars Technica, which first reported his remarks. 

“Sitting on a 737 going down to San Antonio on Tuesday we made friends with the firewall. We overrode the firewall and made friends with the second firewall. Once we were on the second firewall we ran into an Apache Tomcat sitting on [port?] 1433. It’s not patched. Have fun with it – carefully. Simple stuff,” he said. 

Roberts described the hacking as “having some fun with [planes’] environments.” 

“How many of you guys fly on the planes that have the Gogo wireless running on them?” he asked security experts in the audience. 

“I challenge you next time you’re on the airplane that has Gogo wireless, see how far through the firewall you can get. See if you can get to the ground-based communication that they use … Please don’t take the airplane out of the sky. And for those of you who are in the airline industry listening to this, fix it please,” he said. 

Roberts’s case is earning him a strong measure of skepticism in the cybersecurity world. 

“There’s little to no debate that Roberts’s research is motivated by a genuine desire to improve the security of aviation and aeronautics computer systems,” wrote Ars Technica Security Editor Dan Goodin on Monday night. 

“But that’s largely where the agreement ends … Roberts’s defenders claim his comments are being taken out of context and that many of the things he’s describing aren’t technically feasible. Taken another way, however, the comments portray a researcher who either embellished the hacks he described to fellow researchers or felt no compunction or remorse for the potential danger they may have posed to others.”