A major airline operating in New Zealand has assured customers it has "extremely stringent security measures in place" after reports a US hacker and security researcher claimed to be able to hack into an aircraft's controls and make it swerve.

The allegations emerged in an affidavit filed by an FBI agent in the US, claiming Chris Roberts, founder of One World Labs, admitted repeatedly hacking planes' in-flight entertainment systems while on board an aircraft.

Citing one case, he reportedly claimed to have overwritten the plane's thrust management computer code and issuing a climb command, sending the plane in a sideways swerve.

However, Qantas Group, which operates both Qantas and Jetstar flights in New Zealand and Australia, said it was confident such attacks could not take place on its aircraft.

Advertisement

"Like everything we do, safety and security are our top priorities," Steve Jackson, Qantas Group head of security, facilitation and resilience, said.

"The Qantas Group has extremely stringent security measures in place which are continually reviewed as part of normal business practice - these are measures that are more than enough to mitigate any attempt at remote interference with aircraft systems.

"The Qantas Group complies with, and in many cases exceeds, all regulatory requirements and manufacturers' recommendations when it comes to the safety and security of our fleet."

Air New Zealand chief flight operations and safety officer Captain David Morgan said the airline took the security of their aircraft very seriously.

"Air New Zealand complies with all regulatory and manufacturer requirements and protocols and we are confident in the security systems of all aircraft across our fleet."

Boeing had also released a response regarding the issue.

The company said it was committed to designing airplanes that were both safe and secure - "meeting or exceeding all applicable regulatory requirements for both physical and cyber security. For security reasons, we do not discuss specific airplane design features."

It had also developed recommended operating procedures for airlines, which had been coordinated with the airlines and regulatory agencies.

Advertisement

"Boeing has put in place, and demonstrated to the airlines and regulatory agencies the appropriate cyber security safeguards, both hardware and software.

The claims in the FBI agent's affidavit - seen by APTN News, and Wired - come after Roberts was held for four hours last month after he was kicked off a United Airlines flight for tweeting about hacking into on-board systems of the plane he was travelling on.

He has since been banned from travelling with the airline.

The FBI search warrant application shows Roberts was questioned a number of times this year by the agency, and had two of his laptops confiscated, along with several hard drives and USB sticks.

Roberts, whose company aims to uncover security risks before they are exploited, was not charged with anything.

According to the affidavit, Roberts told the FBI he had "identified vulnerabilities" with a number of aircraft, including Boeing 737-800, 737-900, 757-200 and Airbus A320.

Advertisement

He told the agent he had "exploited" those vulnerabilities in the in-flight entertainment systems "15 to 20 times" from 2011 to 2014, using the video monitors installed on the back of seats.

He also claimed he could hack into the seat electronic box under his seat, and connect to "other systems on the airplane network", and then re-write code on the plane's thrust management computer.

"He stated he successfully commanded the system he had accessed to issue the 'CLB' or climb command. He stated that he thereby caused one of the airplane engines to climb, resulting in a lateral or sideways movement of the plane during one of these flights," the document states.

However, Roberts has since posted on Twitter that the allegations made in the affidavit had been "taken out of context".

"Over last 5 years my only interest has been to improve aircraft security...given the current situation I've been advised against saying much," he said.

Roberts apologised for the "generic" statement, saying: "There's a whole 5 years of stuff that the affidavit incorrectly compressed into 1 paragraph....lots to untangle."

Advertisement