In what can only be described as truly terrifying thought, IOActive today revealed news that there are cyber security vulnerabilities in Panasonic Avionics In-Flight Entertainment (IFE) systems.
These Panasonic systems are known to be used by a number of major airlines, including Emirates, United, Virgin and American.
The vulnerability was discovered by Ruben Santamarta, principal security consultant at IOActive, and the discovery suggested that hackers could ‘hijack’ passengers’ in-flight displays and, in some instances, potentially access their credit card information.
The research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, depending on system configurations on the airplane.
>See also: Another day, another hack: Deutsche Telekom
There are some parallels with IOActive’s remote hack of the Jeep Cherokee in 2014, in which hackers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities existing in the automobile’s entertainment system.
“I’ve been afraid of flying for as long as I can remember,” said Santamarta. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic in-flight display. A subsequent internet search allowed me to discover hundreds of publically available firmware updates for multiple major airlines, which was quite alarming. Upon analysing backend source code for these airlines and reverse engineering the main binary, I’ve found several interesting functionalities and exploits.”
According to Santamarta, once an IFE system vulnerabilities have been exploited, the hacker could gain control of what passengers see and hear from their in-flight screen.
For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map.
An attacker might also compromise the ‘CrewApp’ unit, which controls PA systems, lighting, or even the recliners on first class seating.
If all of these attacks are chained, a malicious actor may create a baffling and disconcerting situation for passengers.
Furthermore, the capture of personal information, including credit card details, is also technically possible due to backends that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data if not properly configured.
>See also: Yahoo data leak: the biggest on record
Vulnerabilities in on-board components can also create potential entry points to more important functional systems and therefore the risks are much higher.
This new research together with Santamarta’s previously published work on Satellite Communications (SATCOM) terminals clearly demonstrates that aircraft systems are vulnerable to being hacked. Aircraft’s data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and finally aircraft control.
Physical control systems are usually located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen. This means that as long as there is a physical path that connects both domains, there is potential for attack.
As for the ability to cross the “red line” between the ‘passenger entertainment and owned devices domain’ and the ‘aircraft control domain’, this relies heavily on the specific devices, software and configuration deployed on the target aircraft.
“I don’t believe these systems can resist solid attacks from skilled malicious actors,” continued Santamarta. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft’s security posture is carefully analysed case by case.”
The connected age
The rising number of connected systems is allowing hackers additional routes into networks and why this exploit is not limited to planes.
In recent research it was demonstrated that most IoT devices can be hacked in less than 3 minutes and it is evident that cyber security solutions need to be more stringent and offer more visibility.
Myles Bray, Vice President, EMEA at ForeScout Technologies Inc said “the concept of hackers being able to take control of a plane through the in-flight entertainment system is not new. Last year a prominent hacker claimed he made a plane “climb” and move “sideways” after infiltrating its in-flight entertainment system”.
“While the current claims to take control of lighting systems and make in-flight announcements sounds unsettling rather than fatal they set a worrying precedent.”
“As the number of connected systems grow the risk of hackers gaining full access to the network through them rises exponentially. Without adequate security systems in place to automate the process of identifying and quarantining an infected system users and businesses will continue to be at risk.”