The FBI is reporting that Chris Roberts, the security researcher who was removed from a plane for tweeting about hacking, admitted during interviews to 20 other attacks on planes and flights.
Roberts, who was removed from a plane in the spring and interviewed by the FBI, admitted that he was able to penetrate the flight's computer system through the entertainment software.
The information was published by Canadian news organisation APTN, which said that Roberts admitted during two interviews that he had successfully accessed the plane's thrust management system, changing its course briefly, and had made between 15 and 20 other intrusions into aviation software systems. The reaction to his 'work' has been critical.
You cannot promote the (true) idea that security research benefits humanity while defending research that endangered hundreds of innocents — Alex Stamos (@alexstamos) May 16, 2015
"He stated that he successfully commanded the system he had accessed to issue the 'CLB' or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights," said an affidavit signed by FBI agent Mike Hurley.
"We believe Roberts had the ability and the willingness to use the equipment then with him to access or attempt to access the (inflight entertainment system) and possibly the flight control systems on any aircraft equipped with an (inflight entertainment system) and it would endanger the public safety to allow him to leave the Syracuse airport that evening with that equipment."
Roberts works for a vulnerability tracking organisation called One World Labs. He came to the attention of United Airlines after suggesting that he might be able to hack into the oxygen mask system, and was barred from a flight.
He reportedly got himself onto another flight but was removed by FBI agents who did not share his sense of humour.
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :) — Chris Roberts (@Sidragon1) April 15, 2015
United Airlines told the BBC that, while the company is confident in its systems, it did not feel compelled to carry Roberts on his travels.
"Given Mr Roberts's claims regarding manipulating aircraft systems, we've decided it's in the best interest of our customers and crew members that he not be allowed to fly United," the airline said.
"However, we are confident that our flight control systems could not be accessed through the techniques he describes."
United Airlines added that it will contact Roberts directly within the next fortnight. In the meantime the company explained that the action to remove Roberts was in line with United policy.
"We made this decision because Mr Roberts has made comments about having tampered with aircraft equipment, which is a violation of United policy and something customers and crews should not have to deal with," the firm added.
The US Government Accountability Office warned about the possibility of such attacks last week, explaining that the Federal Aviation Authority should replace proprietary systems as a matter of urgency.
Now the FBI and the Transportation Security Agency have underlined this, releasing a note to the industry, though not the community, about the risks and the threat indicators.
According to Wired magazine, a note was shared on FBI site Infragard as a private industry notification and details the warning signs and the most appropriate responses.
"Although the media claims remain theoretical and unproven, the media publicity associated with these statements may encourage actors to use the described intrusion methods," it said.
"Attempting to gain unauthorised access to the onboard networks of a commercial aircraft violates federal law."