On Friday, May 15th, a Canadian news outlet published a copy of the application for a search warrant filed by the FBI after Chris Roberts was removed from a United flight for tweeting about hacking a plane. If you’ve never read a search warrant application for electronic devices, it’s an educational read. The purpose of the warrant was to allow the FBI to search the electronic devices they had confiscated from Roberts during this incident, but what made the headlines was the material included from his previous interactions with the FBI, offered to justify the search. From this material, it appears that Roberts has not only researched these vulnerabilities but exploited them on in-flight aircraft, including causing a change in thrust on a specific engine.
The responses have been fast and varied, from ‘this guy should be in jail’ to ‘what do you expect after ignoring his warnings for years?’ Roberts’s response is that this information is out of context (as part of a search warrant application, it is by definition) and that he’s been advised not to say more on the topic at this time.
This isn’t a new pattern for information security, though it’s new for the aviation industry in particular. When an industry doesn’t address information security research programmatically and through partnership, researchers become frustrated with their inability to make a positive impact through responsible disclosure. If that’s not the case with Roberts, then it will be with someone else in the future. Rather than debating the disposition of this specific individual, we should be discussing how to validate and address the vulnerability conditions that are on the table. These aren’t new concerns, but they are newly in the spotlight. Let’s use that spotlight to make progress.