In-flight entertainment systems create hacker risk, say researchers
Vulnerabilities in Panasonic in-flight entertainment systems create a possible mechanism for attackers to control in-flight displays, PA systems and lighting, say researchers.
Ruben Santamarta, principal security consultant at IOActive, said the firm had found vulnerabilities in Panasonic Avionics In-Flight Entertainment (IFE) systems that it claims could allow hackers to “hijack” passengers’ in-flight displays and, in some instances, potentially access their credit card information.
The research also found that such a vulnerability could theoretically present an entry point to the wider network, including the aircraft controls domain.
“I’ve been afraid of flying for as long as I can remember,” said Santamarta. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a 2014 flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic inflight display.
“A subsequent internet search allowed me to discover hundreds of publicly available firmware updates for multiple major airlines, which was quite alarming. Upon analysing backend source code for these airlines and reverse engineering the main binary, I’ve found several interesting functionalities and exploits.”
IFE system vulnerabilities identified by Santamarta might most straightforwardly be exploited to gain control of what passengers see and hear from their in-flight screen, he claimed.
For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map.
An attacker might also compromise the “CrewApp” unit, which controls PA systems, lighting, or even the recliners on first class seating.
If all of these attacks are applied at the same time, a malicious actor may create a baffling and disconcerting situation for passengers.
Furthermore, the capture of personal information, including credit card details, is also technically possible due to backend systems that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data, said the researcher.
Aircraft data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger-owned devices, airline information services, and finally aircraft control.
Avionics is usually located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen.
This means that as long as there is a physical path that connects both domains, there is potential for attack.
The specific devices, software and configuration deployed on the target aircraft would dictate whether an attack is possible or not.
Santamarta urged airlines to steer towards a cautious course.
“I don’t believe these systems can resist solid attacks from skilled malicious actors,” he said. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft’s security posture is carefully analysed case by case.”
IOActive reported these findings to Panasonic Avionics in March 2015.
It only went public this week after giving the firm “enough time to produce and deploy patches, at least for the most prominent vulnerabilities”.
Panasonic Avionics’ technology is used by several major airlines including Virgin, American and Emirates airlines. El Reg asked Panasonic Avionics to comment on IOActive’s research but we’ve yet to hear back. We’ll update this story as and when we learn more.
The avionics research has some parallels with IOActive’s remote hack of the Jeep Cherokee in 2014, in which hackers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities existing in the automobile’s entertainment system. Once again, it appears entertainment systems have created a potential route into sensitive systems that hackers might be able to exploit.
Stephen Gates, chief research intelligence analyst at NSFOCUS, commented: “In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important.
“As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems.
“This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s ‘experience’ while flying, but have yet to prove they could impact flight control systems,” he added. ®