Biz & IT —

Researcher who joked about hacking a jet plane barred from United flight

United's move comes three days after FBI detained white hat hacker for 4 hours.

A Boeing 737-800
A Boeing 737-800

A researcher who specializes in the security of commercial airplanes was barred from a United Airlines flight Saturday, three days after he tweeted a poorly advised joke mid-flight about hacking a key communications system of the plane he was in.

Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane's engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft's functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone ? :)" FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.

On Saturday night, Roberts faced more fallout, this time from the airline itself. Shortly after passing TSA screening and arriving at the gate to board a San Francisco-bound flight, members of United Corporate Security were there to stop him from getting on the plane. They told him United officials would inform him by mail of the reason within the next two weeks. Roberts was able to book last-minute travel on a Southwest flight and arrived in San Francisco late Saturday night, three days ahead of a presentation he's scheduled to present at next week's RSA security conference.

"Nevertheless, United’s refusal to allow Roberts to fly is both disappointing and confusing," wrote attorneys from the Electronic Frontier Foundation, who are providing Roberts with legal representation. "As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed. Indeed, he was headed to RSA speak about security vulnerabilities in a talk called 'Security Hopscotch' when attempting to board the United flight."

The EFF attorneys went on to decry "kneejerk responses to legitimate researchers pointing out security flaws," comparing Roberts's recent travails with responses authorities have had to other legitimate research, including a 2008 federal lawsuit a New England transportation agency filed to stop MIT undergraduates from speaking at the Defcon hacker conference about security holes in two of the agency's electronic payment systems.

Overblown

The reactions the FBI and United had to Roberts are no doubt overblown. But it's also true that the security researcher showed extremely poor judgment making the tweet that was the flash point for all the drama. There's no evidence Roberts's research itself played any role in the FBI detaining Roberts and seizing most of his electronics, or in United barring him from a flight. What seemed to touch off both incidents was his tweet, which made a joke out of him taking unauthorized control of a key computer system of a plane as it was in mid flight.

Such humor is a major part of the whitehat culture that is regularly ignored and occasionally persecuted by the companies they privately report vulnerabilities to (almost always for free, by the way). Roberts recently noted the lack of response he's had from manufactures in the aviation industry for the past five years. What he hasn't yet said—at least publicly so it's plain to people outside the security profession—is that he's sorry and that his tweet was purely a joke, a poorly advised one at that. If people can and are regularly detained for making bomb-related jokes while in airports or on aircraft, why is it surprising Roberts is facing a similar reaction for his tweet?

No doubt, the response by the FBI, and especially by United Airlines, is an overreaction, but Roberts also overstepped a line when he joked about hacking a specific plane as it was in mid flight. All three parties would do well to stand down, apologize, and move on now that it's clear to everyone there's no credible threat.

Channel Ars Technica