Though the issues Chris Roberts, alleged plane hacker and co-founder of security research firm One World Labs, has raised in recent weeks are bigger than just one man, looking through his past tweets provide all in the industry with a timely reminder of what maybe shouldn’t be said in public, or even private, discussions.
Going back through Roberts’
Sat on Airbus A320... Broken....promise it's not my fault(ish)
— Chris Roberts (@Sidragon1) September 20, 2013
787 Lands in New Orleans, nice of Boeing to drop one off where I'm presenting..especially as it's about them, and hacking the damm thing :-)
— Chris Roberts (@Sidragon1) December 5, 2012
(To remain impartial to either candidate) Air Force One is a 747-200 to be replaced by a 787...anyone guess what we can do with the FADEC's
— Chris Roberts (@Sidragon1) September 23, 2012
Roberts is also a self-proclaimed petrolhead. But according to his Twitter activity, he doesn’t mind hacking into vehicles he doesn’t own. In two messages he claims to have breached the infotainment systems on rental cars systems, including one in a Ford, much to the annoyance of the rental companies.
Gave Back the Ford
Box
thing to the rental counter with Linux running on Center Entertainment Console...Hope they don't mind the Penguin :-)
— Chris Roberts (@Sidragon1) September 29, 2012
Arrived for @GrrCON ...apparently the rental car companies remembered the last few years and I'm "only allowed" non-infotainment wheel ;-))
— Chris Roberts (@Sidragon1) October 15, 2014
Then there are some tweets about trying to hack into the Large Hadron Collider and the Mars Rover…
Mars Rover Curiosity, hack in and change music playlist...challenge accepted! :-)
— Chris Roberts (@Sidragon1) October 1, 2012
I think I'm in love, just found Cern's LHC Configuration page, along with all the beam injectors..man I know what I'm doing for the 4th now!
— Chris Roberts (@Sidragon1) July 4, 2012
Not to mention a collection of ammo and what appears to be amateur bomb-making material (thermite being a mixture of powdered aluminum and iron oxide that is used in incendiary bombs). I'm told there is a get together every year at a firing range during Defcon, where attendees bring ammo and thermite exploding targets, so it's all harmless fun...
Prep work for Vegas continues, current shopping list includes .223, .40, 9mm, .45, 5.56 and other assorted stuff :-)) Oh and Thermite.
— Chris Roberts (@Sidragon1) July 31, 2014
Some of the Defcon supplies.... pic.twitter.com/1zgzNM4mPt
— Chris Roberts (@Sidragon1) August 1, 2014
Roberts’ LinkedIn page isn’t your typical anodyne affair either. Backing up claims from former co-workers who wished to remain anonymous, it appears Roberts has had a turbulent time with ex-employers. His description of his time at anti-virus firm Webroot reads: “Tried to do lots of things… Management challenges.” As for his employment at Sports Authority, he says: “Interesting, yet challenged company.......... [long ellipsis is Roberts’] Their focus is IT as a mechanism rather than an enabler.”
Over on YouTube, one can find a host of presentations by Roberts on attacks on physical systems. Some of the claims are dubious, though startling if true.
He gave a talk, entitled "Planes, Trains and Automobiles", about hacking into various forms of public transport back in 2010, at the Las Vegas B-Sides conference, which he rehashed for GrrCon 2011 conference, viewable below. He talks about using Bluetooth to hack into cars, attacking planes and other transport attacks, including on helicopters. At one point, just before and after the 30 minute mark, Roberts talks about taking over flight control and autopilot systems. He says: "My idea was to basically just fly the aeroplane up, drop the engines and watch it come down and see what happened. Chris [Nickerson, a fellow security researcher] figured that was a little too drastic and figured out we should probably land the aeroplane and preserve some life. Emphasis on 'some life'." Again, perhaps not advisable comments, if not exactly clear.
In a later talk, from the 2012 GrrCon conference, he talks about breaking through the firewall of a Boeing 787, the same model of aircraft he had previously tweeted about hacking, saying attendees should "have some fun" with flights using Gogo wireless. Later in that talk, as originally noticed by Ars Technica, he claims to have “messed around with the [International] Space Station”, saying he and some colleagues (some of whom may now be losing their jobs) “adjusted the temperature on it. It was quite fun”. He also talks of hacking someone else’s Volvo car, apparently “shutting off some cylinders”, and other peoples’ Mercedes vehicles over Bluetooth to put them all in neutral, as well as some buses in Oslo, the Norwegian capital he says he is unlikely to ever be invited back to. And he claims he was previously interviewed by law enforcement officials after researching military missiles.
If any of these claims are true, Roberts has been hacking transport systems and others’ vehicles the world over, with little regard for the potential physical impact, even if he’s only trying to highlight insecurities in critical systems (a worthy pursuit when done responsibly). There may be some embellishment involved, perhaps to make manufacturers wake up to the issues.
Regardless of the factual accuracy of Roberts’ public claims, it’s apparent such public statements could come back to haunt him, especially if charges are filed by the authorities in Denver who are looking into his past activities. For now, Roberts is offering no comment, according to an email from Hanni Fakhoury, senior staff attorney at the Electronic Frontier Foundation, who is now working with the researcher’s legal representatives at Keker and Van Nest.
Not all his tweets have been risqué, far from it. Indeed, though Roberts apparently commandeered and manipulated a plane’s controls at some point in the last few years, according to the FBI affidavit, he does have some concerns about flight safety. In particular, the adherence to the flight safe mode rules on take-off and landing.
@Sidragon1 Er.... is this is the worst thing someone can do on a plane? ;)
— mike kemp (@clappymonkey) May 22, 2014
