Network Security, Vulnerability Management

IOActive identifies security vulnerabilities in in-flight entertainment systems

Security consultancy IOActive released research on Tuesday detailing apparent cybersecurity vulnerabilities in Panasonic Avionics' In-Flight Entertainment (IFE) systems, which are used by a number of major airlines, including American, United, Emirates and Virgin.

Discovered by Ruben Santamarta, principal security consultant at IOActive, the vulnerabilities could allow hackers to ‘hijack' passengers' in-flight displays and, in some instances, access their credit card information.

An attacker may even be able to gain access to the airliner's entire IT infrastructure if the system hasn't been configured properly.

There are some parallels with IOActive's famous remote hack of the Jeep Cherokee in 2014, in which hackers took control of the vehicle's dashboard functions, including steering, brakes and transmission, through vulnerabilities in the automobile's entertainment system.

“I've been afraid of flying for as long as I can remember,” said Santamarta in his blog post. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic in-flight display. A subsequent internet search allowed me to discover hundreds of publicly available firmware updates for multiple major airlines, which was quite alarming. Upon analyzing back-end source code for these airlines and reverse engineering the main binary, I've found several interesting functionalities and exploits.”

Cesar Cerrudo, CTO of IOActive, told SCMedia that Santamarta was able to pull up the debug codes from the touchscreen display with no additional technological assistance. "Nothing was connected and no external devices were used, debug information was obtained playing around with the screen and the personal control," said Cerrudo in an email interview with SC Media.

According to Santamarta, once an IFE system's vulnerabilities have been exploited, the hacker can gain control of what passengers see and hear from their in-flight screen. For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map.

An attacker might also compromise the Cabin Management System, which controls PA systems, lighting, or even the recliners on first-class seating. If all of these attacks are chained, a malicious actor may create a baffling and disconcerting situation for passengers.

Furthermore, the capture of personal information, including credit card details, is also technically possible due to back-ends that sometimes provide access to specific airlines' frequent-flyer/VIP membership data, if not properly configured.

Santamarta embedded three videos in his blog post that purport to show him safely testing IFE vulnerabilities during a flight by bypassing a credit card check, accessing arbitrary files and performing a SQL injection.

Vulnerabilities in on-board components may also create potential entry points into more important functional systems, raising the risk factor considerably.

An aircraft's data networks are divided into four domains: passenger entertainment, passenger owned devices, airline information services and aircraft control. Physical control systems are usually located in the aircraft control domain, which should be physically isolated from the passenger domains. However, this doesn't always happen – meaning that as long as there is a physical path that connects both domains, there is potential for attack.

For instance, Santamarta previously published work that showed how Satellite Communications (SATCOM) terminals can potentially break physical separation between domains.

Stephen Gates, chief research intelligence analyst at NSFOCUS, told SC Media UK that in light of Santamarta's latest findings, "physical separation between in-flight entertainment systems and aircraft control systems could never be more important. As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems.”

The ability to cross the “red line” between passenger domains and the aircraft control domain relies heavily on the specific devices, software and configurations deployed on the target aircraft, Santamarta's blog post continues.

“I don't believe these systems can resist solid attacks from skilled malicious actors,” wrote Santamarta. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft's security posture is carefully analysed case by case.”

Alex Cruz-Farmer, vice president at NSFOCUS, told SC: "This will be a huge flag to all manufacturers to review their underlying platforms, and whether their integrated infrastructure has the necessary security around it to protect us, the passengers. If anything did happen it could at worst be life-threatening, leading this to be considered as major negligence across the multiple parties involved."

Panasonic Avionics adamantly contested the report in a sharply worded statement that has appeared on various websites.

"The allegations made to the press by IOActive regarding in-flight entertainment (IFE) systems manufactured by Panasonic Avionics Corporation (“Panasonic”) contain a number of inaccurate and misleading statements about Panasonic's systems. These misstatements and inaccuracies call into question many of the assertions made by IOActive," the statement reads.

The statement continues: "Most notably, IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could 'theoretically' gain access to flight controls by hacking into Panasonic's IFE systems. Panasonic strenuously disagrees with any suggestion by IOActive that such an attack is possible, and calls upon IOActive to clarify that its research does not support any such inference.

In turn, IOActive released a statement in defense of its findings, stating, "...we have absolute confidence in the accuracy of the technical findings and the merit of observations and opinions contained in the research documentation, including the technical feasibility of the theoretical references."

"We believe that it is in the long-term best interests of the public, the aviation industry, aviation product security teams, and the manufacturer in this case to publicly disclose this example of cybersecurity risk in the aviation industry," IOActive continues in its statement.

Asked for a comment, United Airlines sent the following statement to SC Media: “At United, we take all security matters very seriously and regularly add new safeguards to ensure our systems are protected. We support the responsible disclosure of potential security issues and will work with our technology partners, outside experts and the aviation community to carefully examine these claims.”

Additionally, American Airlines told SC Media that it works with IFE manufacturers such as Panasonic to "include the latest security improvements in our systems."

"We have no evidence that flight control systems or passenger credit card data can be accessed through Panasonic's IFE system," said American in a statement. Our IFE team has been collaborating with Panasonic to ensure that our IFE systems are not susceptible to the theoretical risk described in the blog post.

Santamarta said in his blog that IOActive alerted Panasonic of the vulnerabilities on March 2015, and waited until now to go public with the findings. "We believe that has been enough time to produce and deploy patches, at least for the most prominent vulnerabilities," Santamarta explained. However, "we believe that in such a heterogenous environment, with dozens of airlines involved and hundreds of versions of the software available, it's difficult to say whether these issues have been completely resolved."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.