Risky business: Cyber experts claim whistleblowing brings retaliation

Network Security Group CEO John Lucich on airline cyber security and defending airline Wi-Fi systems against hackers.

The risk of exposing risk is on the minds of top cybersecurity experts gathered for major conferences here, just days after one of their leading brethren was pulled off a plane by the FBI, banned by an airline and grilled for four hours after warning that passenger planes are vulnerable to hackers.

Several international tech security experts attending the annual, week-long RSA Conference 2015 said what happened last week to Chris Roberts of the Colorado-based One World Labs is not unusual, given the "shoot-the-messenger" mentality they claim dominates law enforcement and some segments of industry. Roberts, who in March told that commercial and military planes are vulnerable to hackers, was pulled from a United flight in Syracuse, N.Y., after tweeting: "Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone ? :)"

Roberts, who has been a cyber-security consultant to the FBI, said it was out of frustration at his and others' warnings going unheeded, but authorities took the digital missive seriously. The Electronic Frontier Foundation, a nonprofit legal organization defending Roberts and others who say they have been harassed for sounding the alarm, said United's actions will cause a real chilling effect, and that researchers will be less likely to help United improve their security in the future.

“Security researchers are allies, not opponents, and their work makes us all more safe, not less,” said Nate Cardozo, staff attorney for the organization, who also is attending the RSA Conference, focused on Internet security and now in its 25th year. RSA is the security arm of the Massachusetts-based computer technology firm EMC.

According to Roberts and Cardozo, many other researchers on the cutting edge have been hassled for their research. The Electronic Frontier Foundation has long been concerned that knee-jerk responses to legitimate researchers pointing out security flaws can create a chilling effect in the infosec community, Cardozo said.

One example of researchers whose activities drew the attention of the authorities occurred in Boston in the summer of 2008, when a group of MIT students were scheduled to give a presentation at a security conference in Las Vegas regarding a vulnerability in the MBTA's fare card system.

“The MBTA wildly overreacted to the students' proposed presentation, and obtained an 11th hour injunction from a federal court in Boston, preventing them from going on stage,” Cardozo said. “Electronic Frontier Foundation represented the students, and 10 days later we convinced the judge to reverse the earlier gag, as it was blatantly unconstitutional.”

In the summer of 2013, the UK's High Court banned security researchers from publishing an academic paper detailing a critical flaw in Volkswagen's keyless entry system that can allow a bad actor to crack any wireless key.

“Instead of working with the researchers to fix the problem, Volkswagen chose to bury its head in the sand and pretend that banning academic discussion of the flaw would somehow prevent thieves from learning of it and exploiting it,” Cardozo said. “Because of Volkswagen's refusal to engage with the security researcher community, their cars may still be vulnerable to the attack and their customers are less secure.”

The organization would like to see companies recognize that researchers who identify problems with their products in order to have them fixed are their allies, Cardozo said.

“It would avoid a whole lot of trouble for researchers and make us all more secure,” he added.

As for Roberts, Cardozo said he had offered to work with United and the rest of the airline industry, as he has in the past, to improve their security.

“United should take this opportunity to improve the security of their systems, rather than punish those who have tried to work to make us safer,” Cardozo said.

A United official said Roberts is not welcome on the company's planes.

“Given Mr. Roberts' claims that he has manipulated aircraft systems while inflight, a clear violation of United policy, we've decided it's in the best interest of our customers and crew members that he not be allowed to fly United,” said Luke Punzenberger of United Airlines Corporate Communications. “Notwithstanding his attempts, we are confident our flight control systems could not be accessed through techniques he described.”

In addition to Roberts’ findings, and those of another security expert quoted in an exclusive report, the federal General Accounting Office released a report earlier this month on cyberhacking of planes that said the same Internet access now available on most commercial flights makes it possible for hackers to bring down a plane.

"According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors," the GAO report states.

Ruben Santamarta, principal security consultant for IOActive, told he also discovered a "back door" that allowed him to gain privileged access to the Satellite Data Unit, the most important piece of SATCOM equipment on aircraft.

Roberts has consulted with numerous government and private clients to identify threats to financial and intellectual property, customer data and other protected information. He has served as both an in-house security expert and a consultant on IT security, engineering, and architecture and design operations for scores of Fortune 500 companies across the finance, retail, energy and services sectors, as well as for the FBI.

“Those of us who do threat research are doing it for the right reasons, and we work to build relationships with the intelligence community because we want to help them identify weaknesses before they become a problem,” Roberts said. “If you don’t have people like me researching and blowing the whistle on system vulnerabilities, we will find out the hard way what those vulnerabilities are when an attack happens.”

Cris Thomas, a well-known technology expert who uses the name “Space Rogue” online, told the information researchers produce about vulnerabilities in hardware and software can be extremely valuable, but it can also make the government suspicious of the researcher, particularly if there is concern that the information will be used by opposing nation states.

“Unfortunately, that concern is manifesting itself in what some researchers feel is government overreach. This overreach is having a chilling effect on researchers, many of whom have decided to no longer publish their findings or, even worse, to stop researching altogether,” said Thomas. “In some cases security researchers have taken to selling their information to anyone that will pay for them instead of openly publishing information.”

Malia Zimmerman is an award-winning investigative reporter focusing on crime, homeland security, illegal immigration crime, terrorism and political corruption. Follow her on Twitter at @MaliaMZimmerman.