This is your captain speaking ... or is it?
In-flight entertainment systems create hacker risk, say researchers
Updated: Vulnerabilities in Panasonic in-flight entertainment systems create a possible mechanism for attackers to control in-flight displays, PA systems and lighting, say researchers.
Ruben Santamarta, principal security consultant at IOActive, said he had found vulnerabilities in Panasonic Avionics In-Flight Entertainment (IFE) systems that he claims could allow hackers to "hijack" passengers’ in-flight displays and, in some instances, potentially access their credit card information. The researchers also claimed it would theoretically be possible for such a vulnerability to present an entry point to the wider network, including the aircraft controls domain.
We've been in touch with Panasonic, which vigorously denies the findings, and provided this statement:
The allegations made to the press by IOActive regarding in-flight entertainment (IFE) systems manufactured by Panasonic Avionics Corporation (“Panasonic”) contain a number of inaccurate and misleading statements about Panasonic’s systems. These misstatements and inaccuracies call into question many of the assertions made by IOActive.
Most notably, IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could “theoretically” gain access to flight controls by hacking into Panasonic’s IFE systems. Panasonic strenuously disagrees with any suggestion by IOActive that such an attack is possible, and calls upon IOActive to clarify that its research does not support any such inference.
It said it had "reviewed all of the claims made by Mr. Santamarta [and] subsequently engaged Attack Research (AR) to conduct validation testing in May 2015 and again in 2016 to ensure that the few minor concerns (in no way linked to the control of an aircraft) identified by Mr. Santamarta had been fully remediated."
It also denies that credit card data could be compromised, saying the researcher "makes incorrect assumptions about where credit card data is stored and encrypted".
“I’ve been afraid of flying for as long as I can remember,” said Santamarta. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a 2014 flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic inflight display. A subsequent internet search allowed me to discover hundreds of publicly available firmware updates for multiple major airlines, which was quite alarming. Upon analysing backend source code for these airlines and reverse engineering the main binary, I’ve found several interesting functionalities and exploits.”
IFE system vulnerabilities identified by Santamarta might most straightforwardly be exploited to gain control of what passengers see and hear from their in-flight screen, he claimed. For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map. An attacker might also compromise the "CrewApp" unit, which controls PA systems, lighting, or even the recliners on first class seating. If all of these attacks are applied at the same time, a malicious actor may create a baffling and disconcerting situation for passengers, he claimed. Furthermore, the capture of personal information, including credit card details, is also technically possible due to backend systems that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data, said the researcher.
Aircraft data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger-owned devices, airline information services, and finally aircraft control. Avionics is usually located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen. This means that as long as there is a physical path that connects both domains, there is potential for attack. The specific devices, software and configuration deployed on the target aircraft would dictate whether an attack is possible or not. Santamarta urged airlines to steer towards a cautious course.
“I don’t believe these systems can resist solid attacks from skilled malicious actors,” he said. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft's security posture is carefully analysed case by case.”
IOActive reported these findings to Panasonic Avionics in March 2015. It only went public this week after giving the firm “enough time to produce and deploy patches, at least for the most prominent vulnerabilities”.
Panasonic Avionics’ technology is used by several major airlines, including Virgin, American and Emirates.
We had a comment from Emirates, which noted: “Emirates can confirm there is no risk to the safety of our aircraft. We have been a long-term partner of Panasonic Aviation Corporation (PAC) and we utilise their inflight entertainment (IFE) systems on our aircraft. Matters of aviation cybersecurity are of utmost importance to Emirates and we continuously work with Panasonic on robust assessments to update our IFE systems and have measures in place to resolve any issues. The safety of our passengers and crew on board is a priority and will not be compromised.”
The avionics research has some parallels with IOActive’s remote hack of the Jeep Cherokee in 2014, in which hackers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities existing in the automobile’s entertainment system. Once again, it appears entertainment systems have created a potential route into sensitive systems that hackers might be able to exploit.
Stephen Gates, chief research intelligence analyst at NSFOCUS, commented: “In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important. As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems.
“This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s 'experience' while flying, but have yet to prove they could impact flight control systems,” he added. ®
Updated at 09.48am, 21 December: IOActive has been in touch since Panasonic issued its statement, and told The Reg: “IOActive has a stringent and thorough process by which it technically validates published research and the company stands by the accuracy and integrity of the findings with regard to the research recently published on Panasonic Avionics IFE systems.”