Security expert pulled off flight by FBI after exposing airline tech vulnerabilities

Discussion in 'privacy general' started by Justintime123, Apr 17, 2015.

  1. Justintime123

    Justintime123 Registered Member

    Joined:
    Jun 15, 2013
    Posts:
    99
    Security expert pulled off flight by FBI after exposing airline tech vulnerabilities

    One of the world’s foremost experts on counter-threat intelligence within the cybersecurity industry, who blew the whistle on vulnerabilities in airplane technology systems in a series of recent Fox News reports, has become the target of an FBI investigation himself.

    Chris Roberts of the Colorado-based One World Labs, a security intelligence firm that identifies risks before they're exploited, said two FBI agents and two uniformed police officers pulled him off a United Airlines Boeing 737-800 commercial flight Wednesday night just after it landed in Syracuse, and spent the next four hours questioning him about cyberhacking of planes.

    What so startling about this is the fact that he worked on security projects requested by the FBI as a consultant. The idiom of the left hand, not knowing what the right hand is doing applies here. They confiscated all his encrypted laptops, thumbdrive demanding that he allow them access to their hard drives.

    If they can do that with one of the 'good guys' what does that say for all of us?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Don't travel with encrypted stuff?
     
  3. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Travel with printed copies of all of your emails (in binary) and give them to the TSA to save them time ;)
     
  4. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    Very worrying to read ..... disturbing even ..... but sad to say , not surprising.

    I wonder if it would be a workable strategy to send ahead all sensitive data , encrypted on a back-up SSD , by Fed-Ex ,
    assuming that you have to cross international borders for work , and need to have that stuff at your destination ?

    I've no idea what the parcel companies do with international packages .
    I think we can assume that they will be scanned in someway ...... possibly low intensity X-Rays .
    Is that going to cause damage ? ..... I don't know.
    And if Customs or other agencies notice that there is encrypted data on a drive , what might be their policy ?
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://www.click2houston.com/news/m...fbi-pulls-security-expert-off-flight/32422496
     
  6. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,426
    Location:
    U.S.A.
    Removed Off Topics Posts. Let's Focus Only on the Technical Aspects of it. Thank You!
     
  7. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    We have a pretty good idea what the TSA and many other boarder crossings policy is.
    If it is encrypted content they can compel you to provide your password and if you refuse you are likely to be subject to additional security precautions and denied access to the flight and charged. Other countries have additional rules. Canada is just testing out a case on this issue and it will be some time before it is clarified here. While they are copying your material they probably do have the ability and legislative backing to insert spyware onto your computer.

    The best policy is to travel with devices that are clean (nothing on them at all except an OS to boot from). Willingly provide them access to the computer if they ask. I run Linux so I easily download another copy and format the drive if needed.

    Many people here are likely to be on various watch lists so better not to antagonize boarder agents. Unfortunately this is the price of boarder travel into and out of the US and Canada and many other countries.

    Tried to keep this technical and non-political. Technically this is where the law stands.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Better, I think, is archiving and encrypting with GnuPG, and then putting it online somewhere. But not somewhere obviously linked to you personally. Maybe on a corporate site, or maybe just on Dropbox or whatever. Although access control is good, it doesn't matter so much if someone gets a copy.
     
  9. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Just started using Duplicati and think it would be great for this purpose.
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Happy to focus on the technical, and this is in the context of political and legal "weather". It's important to understand that weather in order to assess your threat model, so technical-only isn't useful. But I think it's fine to avoid the overtly political, as is done here, it's not fruitful to rant at the weather, although I know the temptation!

    I do not agree that the legal position is clear - after all, there is the Canadian case to think of, and more generally, the legal wheels grind exceedingly slowly when it comes to protection of Human Rights and Constitutional things. So it's quite possible for activities to be unlawful yet law enforcement and politicians will claim legality when it is later shown that they are wrong. Of course, that does not help the poor sap going through customs, where clearly, in most countries, they can seize any goods they feel like without justification.

    Of course, in the case of inspection of data, that's a nonsense because competent people can use other methods to side-channel the information over, and most businesses these days will give travellers a clean disk or no disk at all when taking their machine around. Data travelling with the person is clearly vulnerable. Of course it's annoying because it's arbitrary security theatre.
     
  11. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    ..... edited.

    Yes indeed deBoetie , two very important points there !

    The policy these days seems to be that it's far better to be seen to be doing "something" than to be seen to be doing nothing....
    .....however pointless and idiotic that "something" may be ....... eg. shoes off at airports , after the arrest of "The Shoe Bomber" .

    ..... strange that they didn't adopt a similar policy after " The Underpants Bomber " .... :)
     
  12. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I agree deBoetie, but boarder agents do have a huge amount of power where they can compel you to provide your password to decrypt the volume. At the very least they can deny access to the country, interrogate you for hours, decide a cavity search is required. To me it is the Stanford Prison Experiment in real life. In the US, you do have more rights as a US citizen, but a non-US citizen does not get the same level of protection.

    The law may not say that you have to provide the decryption key but in reality you dont have an option.

    One concern from my opinion is that my line of work deals with patient records. Our employees do take work laptop on travel and I am a little worried that if a government copies that data there is no control over what they do with it or how they protect it.

    Id also like to know what companies you work for, as I have never heard of them providing clean laptops for travel. All companies I have worked for encrypt laptop data but take no additional precautions.

    Just playing a little Devils Advocate here deBoetie. :)
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Oh, I think I agree - and using the side channel methods means that there is no encrypted data, no password, no key. Or rather, there is a password to an anodyne account. All that leaves you fully cooperative with the border officials.

    My wife used to work with a smart-alec sales guy who was rather cocky and messing around with border officials (nothing to do with data), and he was subject to a couple of merry hours including cavity search. So yes, I'm advocating full cooperation based on zero information on your person.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://arstechnica.com/security/201...acking-a-jet-plane-barred-from-united-flight/
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Wow :eek:

    That man deserves a Darwin Award in the air-travel category.
     
  16. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Yeah that is pretty dumb. It should be well assumed that multiple governments are monitoring all tweets.
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    People who know a lot, or think they know a lot, love to show off how clever they are. I fear this is not restricted to this chap, the whole cadre of securocrats appear to be in a self-serving bubble of self-congratulation.

    There is a pervasive idea around that breaking our "terrifically weak" clients is somehow at all difficult - it's not, it's embarrassingly easy and we should assume it's possible and being done.

    Of course the "hard" problem of securing our systems and applications is way too boring for these smart people and in any case, wouldn't suit their careers.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm willing to bet that certain government agencies already know about these airplane vulnerabilities and that they've been "tested" on at least one jet liner that hasn't been recovered. I'd bet those agencies are afraid of what this guy could reveal and that doing so would expose their activities.

    That aside, it is amazing how so many of these "intelligent" people can demonstrate a total lack of common sense. I'm becoming convinced that "intelligence" as defined by our current system and "sense" are opposing forces.
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  20. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Not the smartest move. If it is true it put peoples lives at risk and changes the public view of security researchers from savior to potential terrorists.
    Mind you the government could have fabricated this to justify clamping down on security researchers. Although the tweet from the researcher makes me think the government may not have had to work too hard to spin this.
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Actually, it's worse.
    http://aptn.ca/news/2015/05/15/hack...e-fly-sideways-cracking-entertainment-system/

    He's been trolling hard on this issue. And that's a good thing, given the serious vulnerabilities that he's exposed. But actually hacking planes in flight is crossing the line, no?

    Some have claimed that there's been confusion between what he did in simulations vs what he did in real life. I can't tell.
     
  22. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    I didn't know that the Duck Dynasty guy was a hacker too :argh:

    I am dumbfounded how somebody with obvious talent (however misapplied) and intelligence, would tell the FBI that he hacked a plane! Of all the things you could tell a cop, that's the very last thing! I'd like to stress how important it is to keep your mouth shut, especially when you have nothing to gain, and everything to lose...

    Regardless, it's the airline's fault for being dumb enough to connecting the plane's control to TCP/IP or some entertainment system. You would think that critical systems like this are treated in a similar fashion to nuclear power plants and such- totally disconnected (and sometimes that's not enough, as evidenced by the attack in Iran via USB's). If there's anything the TSA and NSA should be doing to prevent terrorism, it should be ensuring that every airline isn't vulnerable to any sort of cyberattack.
     
  23. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    Sorry to take issue with terminology , but in my opinion , there is no such thing as "common sense " ... it's a myth.
    Good sense is uncommon , there is only common stupidity !

    For many years I have been working on a design for a power station that runs on stupidity .... sadly , progress has been disappointing.
    Frank Zappa gave me the idea ..... " The Universe must be built out of stupidity ..... it's the most abundant thing "

    I might switch my attention to mindless chatter as a fuel ..... there's no shortage of that either :)
     
  24. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    @krustytheclown2 "You would think that critical systems like this are treated in a similar fashion to nuclear power plants and such".

    Sadly, they are - one only has to think of Chernobyl, 3 Mile island, Fukushima to know that there is a lot of fudge, cost-cutting and complacency going on because of all the reasons we know too well here - security is hard and expensive and non-sexy. Breaking it is easy, gives you quick wins and the guilty do not pay the costs.

    And if only a fraction of what this guy says is true, it also applies to military nuclear facilities:

    http://www.bbc.co.uk/news/uk-scotland-32791755

    And there were obviously big worries with the state of Russia's nuclear weapons after the Wall came down.

    In any case, Snafu and Fubar rule human endeavor.
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This makes me wonder if something similar was done with the lost Malaysian flight. If someone hacked into a plane in flight and inadvertently did damage or caused the system to lock up, .....
    What can I say? I'm old school. Sense used to be a lot more common than it is now. It seems that the more specialized people get, the less they're able to see or understand a bigger picture.
    If that were possible, Facebook and Twitter would be WMDs. You might get better results by relocating the plant closer to a major source of senselessness, like a national capitol.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.