Future Tense

United Should Thank, Not Ban, Researcher Who Pointed Out a Major Security Flaw

Two United Airlines planes are parked at the terminal at San Francisco International Airport on Aug. 24, 2012, in San Francisco.

Photo by Justin Sullivan/Getty Images

I’m about to board a United Airlines 747 in Frankfurt, on my way to San Francisco. Last night, the airline sent me an email saying that the flight would be equipped with Wi-Fi. Until last week I’d have been glad for that, as I have a lot of work to do and could use the roughly 11-hour flight to get some of it done. I’m wishing United would turn off the wireless connection altogether.

Here’s why: Last week, Chris Roberts, a highly respected security researcher, alerted the world to what sounded like incredibly lax digital security on the carrier’s Wi-Fi–equipped planes. He taunt-tweeted this from a United flight: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)” Translation: The acronyms name onboard systems (IFE is the in-flight entertainment system, SATCOM the satellite communications link, and EICAS the Engine Indicating and Crew Alerting System, the display that shows engine data and warnings to the pilots), and he was suggesting that he could tamper with the engine indications and crew alerts, and might be about to deploy the passenger oxygen masks. (I’ve seen nothing to suggest that he had access to critical flight-control systems.)

The feds, who appear to have Twitter and other public networks under massive real-time surveillance, met his plane in Syracuse and grilled him for hours. FBI agents confiscated his computer gear before letting him go. Then United compounded the response by refusing to let Roberts board a flight to San Francisco for—no kidding—a security conference. In fact, according to news accounts, the airline has banned him.

It’s entirely fair to say that passengers shouldn’t be probing these systems during flight. I’d also call Roberts’ sarcastic tweet somewhat ill-conceived, but that’s in part a reflection on our culture, not just his judgment. America is still in the grip of 9/11 paranoia, and officials in government and companies that worry about terrorism usually seem to make their decisions on the basis of one motivation: “Don’t let me be blamed the next time there’s an attack.”

Zero tolerance (or the pretense of it; see the Transportation Security Administration’s “security theater”) hasn’t just led to zero sense of humor. It’s also generated zero common sense. If the FBI overreacted—and I don’t think it did in a major way, except by confiscating Roberts’ gear—the airline’s banning of a researcher who was doing it a favor was way, way over the top. (Another carrier, declining to join United’s freakout, took him to his destination.)

United’s explanation for banning Roberts strikes me as just weird. It told the Washington Post: “Given Mr. Roberts’ claims regarding manipulating aircraft systems, we’ve decided it’s in the best interest of our customers and crew members that he not be allowed to fly United. However, we are confident our flight control systems could not be accessed through techniques he described.”

The illogic of this statement is obvious. If the second sentence is true, then nothing Roberts described could have harmed anyone, so there is no safety rationale for keeping him off the plane. And the denial doesn’t even address what he claimed: it speaks of flight-control systems, while his tweet named the crew-alerting display and the cabin oxygen system, neither of which is flight control. So why ban him?

If United and the aviation industry as a whole want to earn customers’ confidence in this situation, they should put Roberts and a bunch of other white-hat hackers on retainer. These very smart folks should be invited to probe the systems, to help prevent the scenarios described in a new federal Government Accountability Office report, which noted the very real potential for aviation system penetration by bad people.

The airlines probably do some of this already. Smart companies realize they are safer when they look for their own vulnerabilities instead of hoping that their almost certainly insecure networks can stand up to experts. The industry, increasingly an oligopoly, is making profits now that an improving economy has led to more demand for seats. I hope the carriers will put more of that cash into digital security; aviation is one of many American industries that clearly need to care more about this. And I hope we’ll inject enough common sense back into our society to stop vilifying security researchers who go public with their concerns, often after being ignored when they try to alert the victims privately.

Meanwhile, United’s uninspiring approach to customer information—such as its insistence that its mileage-account holders still have four-digit passcodes—definitely doesn’t give me the warm fuzzies. When it comes down to deciding whether to have confidence in United’s “trust us” statement or Roberts’ reputation for knowing what he’s talking about, I know which way I lean: not toward the airline, despite being a longtime (and generally satisfied) customer. The airline should strike a deal with Roberts, who’s now being represented by the Electronic Frontier Foundation, to resume flying and help make its data security the best in the business.

I’ll be heading to the gate in a few minutes. I won’t twiddle with any systems, I promise. (Not that I have the technical ability to do so in any case.) But I find myself wishing the airline would just turn the Wi-Fi off for the time being. When they talk about being cautious, this is one example I’d endorse.