The officials from the European Aviation Safety Agency (EASA) were not at all happy about what they were hearing. An unshaven 32-year-old from Spain, his hair pulled back in a ponytail, was talking about cockpit computers and their weaknesses and security loopholes. Specifically, he was telling the EASA officials how he had managed to buy original parts from aviation suppliers on eBay for just a few hundred dollars. His goal was to simulate the data exchange between current passenger-jet models and air-traffic controllers on the ground in order to search for possible backdoors. His search was successful. Very successful.
The Spaniard's presentation took place two years ago in an EADS conference room looking over the rooftops of Cologne. He had been invited after, in accordance with the hacker ethic, he had notified the agency that he was planning to release the results of his years-long study at a hacker conference. Engineers from airlines and airplane manufacturers were also following the Spaniard's presentation via video. After he had finished, he recalls, they all wanted to know the same thing: "You aren't really planning on making all of that public, are you?"
Their concern focused on his central finding, which he continues to repeat to this day. "In modern airplanes, there are a whole series of backdoors, through which hackers can gain access to a variety of aircraft systems."
The Spaniard's name is Hugo Teso, and he now works for a data security firm based in Berlin. For the past several years, he has been commissioned by various companies to try to break into their computers and networks. But because Teso is also a pilot and continues to hold a valid license, he has developed a reputation in the aviation industry as someone whose tech-security warnings should be taken seriously.
Teso has demonstrated that you don't even need a computer to hijack a plane remotely. A smartphone equipped with an app called PlaneSploit, which Teso himself developed, could be enough. In theory, cyber-terrorists could use such an app, or something similar, to take over a plane's steering system and, in a worst-case scenario, cause the plane to crash.
Danger Facing Airlines and Passengers
Attacks on cockpit computers have been an issue at hacker conferences for years. But airlines and airplane manufacturers have long sought to play down their warnings -- or they have ignored them altogether. Last week, though, the debate intensified. The US Federal Bureau of Investigation (FBI) is looking into whether a US-based IT expert named Chris Roberts actually implemented -- at least in part, from on board an aircraft -- the things that Teso has been warning about and simulating. He claims to have penetrated the entertainment system of a normal passenger jet several times and even to have manipulated the plane's engines during a flight.
The claims and ensuing investigation have triggered a new debate about a danger potentially facing airlines and passengers. The Government Accounting Office in the US had already pointed to potential problems in air-traffic control in January, saying that the technology used for communication between pilots and controllers on the ground is outdated. For as long as the problem remains unaddressed, the GAO report noted, "the weaknesses that we identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk."
Graphic: Potential hacker targets on passenger planes. Photo: DER SPIEGEL
In an additional study, published in April, the agency took a closer look at planes themselves and explicitly warned against the increasing connectivity of individual components. "This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems," the report reads. One of the study's co-authors said on US television that the findings are particularly applicable to newer planes such as the Boeing 787 Dreamliner and long-haul Airbus models such as the A350 and A380.
If the recent claims by Roberts, the American IT expert, are confirmed, it would essentially remove any remaining doubts about the vulnerability of passenger aircraft and provide practical proof that common airplane models are hackable.
Roberts is said to have provided his testimony to a special FBI agent in February and March. The agent included transcripts of those conversations in a court application in which he requested permission to analyze hardware that had previously been confiscated from Roberts.
Hacking Into Sensitive Systems
According to the FBI document, which was first made public by the Canadian news website APTN, Roberts was able to hack into the onboard entertainment systems -- manufactured by companies such as Panasonic and Thales -- of passenger planes such as the Boeing 737, the Boeing 757 and the Airbus A320. He did so a total of 15 to 20 times between 2011 and 2014. To do so, he hooked his laptop up to the Seat Electronic Box (SEB) -- which is usually located under each passenger seat -- using an Ethernet cable, which is unsettling enough.
But Roberts may also potentially have used the SEB to hack into sensitive systems that control the engines. In one case, he may even have been able to manipulate the engines during flight. He says that he was able to successfully enter the command "CLB," which stands for "climb," and the plane's engines reacted accordingly, he told the FBI, according to the document.
Roberts is currently keeping a low public profile, taking to Twitter last week to say that his "legal team are still requesting I wait on saying anything." He did, however, write that "over last five years my only interest has been to improve aircraft security." He says that the FBI "incorrectly compressed" that work into a single paragraph in its affidavit.
The FBI, it would seem, is taking Roberts and his efforts to hack into airplane computer systems extremely seriously. The FBI document helps explain an incident in mid-April which initially landed Roberts, a native of Colorado, in the headlines. He was on board a United Airlines 737 and logged onto Twitter via the passenger Wi-Fi network. "Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)," he wrote. EICAS is the Engine Indicator Crew Alert System, which sends real-time data from the plane's engines to the cockpit.
The FBI, in conjunction with United, reacted to the Tweet in record time. After Roberts changed planes in Chicago, on his way from Denver to Syracuse, FBI agents boarded the plane he had just left to examine the SEB under his seat. The two nearest boxes, the FBI document notes, showed signs of attempts to manipulate them. In WIRED, Roberts denied being responsible for the manipulation marks.
When Roberts arrived in Syracuse, he was taken off the plane by the FBI and his electronic equipment was seized. At the time, it looked as though the FBI were only reacting to Roberts' Tweet. But the FBI document that has now been made public makes it easier to understand the agents' nervousness -- the FBI document notes that Roberts, during his February interrogation, promised to never again seek access to airplane networks.
Airlines and manufacturers have been largely silent on the incidents and on possible consequences. A Lufthansa spokesperson, for example, said: "As a matter of policy, we don't comment on such events." Airbus merely insisted that its systems and procedures are robust and that they are equipped to withstand potential cyber-attacks. The company declined comment, saying it didn't talk publicly about its security systems.
Among pilots, though, the issue is both urgent and unsettling. "The industry and the airline companies cannot continue to sit this out," says Markus Wahl, spokesman for Vereinigung Cockpit, a German pilots' union. "We have always assumed that the captain would be able to defend against a cyber-attack," the spokesman said. He added, however, that the danger cannot simply be dismissed out of hand and shouldn't be trivialized. A pilot himself, Wahl said that the airlines have thus far not treated the issue with the proper degree of urgency.
Last year, Vereinigung Cockpit invited Hugo Teso to their annual convention. "After his presentation, everyone was rather contemplative," says Wahl. Part of the reason, Wahl says, was his expertise. "That man knows his way around a cockpit," Wahl says.
The Danger of Modifications
Indeed, such concerns help explain the angry reaction to a proposal that gained currency in the wake of the recent Germanwings crash -- which saw a co-pilot fly his plane into a mountain, killing himself and the other 149 people on board -- to fly passenger planes remotely from the ground. The idea has the support of Klaus-Dieter Scheurle, head of the German air-traffic control company Deutsche Flugsicherung. "That would create a huge new target for cyber-attacks," says Wahl.
Teso shares Wahl's opinion. He even recently identified several additional security risks. When planes are delivered from the factory, he says, they are much less vulnerable. He says problems are created when the planes are modified later -- by installing on-board WiFi and entertainment systems, for example, or equipping pilots with tablets for pre-flight operations which are then brought into the cockpit.
German authorities, such as the Federal Office for Information Security (BSI), take Teso's concerns seriously. His investigations, says a spokesperson, have been "intensively analyzed." "His approach is realistic and he has exposed weaknesses that have to be eliminated." The BSI does not, however, agree with Teso that such weaknesses can easily be exploited. "Even a successful attack, we believe, might be enough to annoy the pilots, but not enough to take over control of the aircraft."
In the US, the Roberts case seems to have already had consequences. Until now, laptops were primarily seen as a danger because of their weight: Strong turbulence during takeoff or landing could cause them to fly around the cabin and injure people. But now, crew members have been asked to do more than just ensure computers are stowed during takeoff and landing -- the FBI and air-traffic authorities have issued a warning to all airline personnel that they should also keep an eye out for passengers attempting to hook their laptops into devices on board.