Seattle, WA – December 20, 2016 – IOActive, Inc., the worldwide leader in research-driven security services, today released research detailing several cybersecurity vulnerabilities found in Panasonic Avionics In-Flight Entertainment (IFE) systems used by a number of major airlines including United, Virgin, American Airlines, Emirates, AirFrance, Singapore, and Qatar, among others. The vulnerabilities in these systems could allow hackers to ‘hijack’ passengers’ in-flight displays and, in some instances, potentially access their credit card information. These vulnerabilities could also potentially act as an entry point to the wider network, depending on system configurations on an airplane.
The full research, “In-Flight Hacking System,” is authored by IOActive principal security consultant, Ruben Santamarta, and is now available here.
“On a flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic in-flight display,” said Santamarta. “A subsequent internet search allowed me to discover hundreds of publically available firmware updates for multiple major airlines, which was quite alarming. Upon analyzing backend source code for these airlines and reverse engineering the main binary, I found several interesting functionalities and exploits.”
According to Santamarta, once IFE system vulnerabilities have been exploited, a hacker could gain control of what passengers see and hear from their in-flight screen. For example, an attacker might spoof flight information values, such as altitude or speed, or show a bogus route on the interactive map. An attacker might also compromise the ‘CrewApp’ unit, which controls PA systems, lighting, or even the recliners on first class seating. Furthermore, the capture of personal information, including credit card details, is also technically possible due to backends that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data.
Added Santamarta, “If all of these attacks are chained, a malicious actor could at least create a confusing and disconcerting situation for passengers.”
Aircraft’s data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and finally aircraft control. Avionics is usually located in the aircraft control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen. This means that as long as there is a physical path that connects both domains, there is potential for an attack. As for the ability to cross the “red line” between the ‘passenger entertainment and owned devices domain’ and the ‘aircraft control domain,’ this relies heavily on the specific devices, software, and configuration deployed on the target aircraft.
“I don’t believe these systems can resist solid attacks from skilled malicious actors,” continued Santamarta. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft’s security posture is carefully analyzed case by case.”
“Ruben’s discovery of these vulnerabilities in Panasonic Avionics in-flight entertainment systems echoes IOActive’s remote hack of an automobile, where our researchers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities existing in the on-board entertainment system,” said Cesar Cerrudo, CTO of IOActive Labs. “Our research once again points to the fact that all IP-based systems today must be continuously tested for vulnerabilities so that they can be addressed immediately. This is of utmost importance, especially when it comes to critical infrastructure and transportation systems where vulnerabilities in on-board components can create potential entry points to more important functional systems and therefore the risks are much higher. This new research together with Ruben’s previously published work on Satellite Communications (SATCOM) terminals clearly demonstrates that aircraft systems are vulnerable to being hacked.”
Due to heightened sensitivities regarding the security of commercial passenger airlines, IOActive has given Panasonic adequate time to resolve these issues before making them public, first alerting Panasonic of the vulnerabilities in March 2015.
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Read the IOActive Labs Research Blog: http://blog.ioactive.com. Follow IOActive on Twitter: http://twitter.com/ioactive.