IOActive identifies security vulnerabilities in in-flight entertainment systems

News by Roi Perez

The vulnerabilities could be exploited to tamper with the in-flight display and steal financial credentials, and the research suggests an attacker could even worm into the wider network.

IOActive has released research detailing cyber-security vulnerabilities in Panasonic Avionics' In-Flight Entertainment (IFE) systems which are known to be used by a number of major airlines, including Emirates, United, Virgin and American.

Discovered by Ruben Santamarta, principal security consultant at IOActive, the vulnerabilities could allow hackers to ‘hijack' passengers' in-flight displays and, in some instances, access their credit card information.

An attacker may even be able to gain access to the airliner's entire IT infrastructure if the system hasn't been configured properly.

So there are some parallels with IOActive's famous remote hack of the Jeep Cherokee in 2014, in which hackers took control of the vehicle's dashboard functions, including steering, brakes and transmission, through vulnerabilities in the automobile's entertainment system.

“I've been afraid of flying for as long as I can remember,” said Santamarta. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic in-flight display. A subsequent internet search allowed me to discover hundreds of publically available firmware updates for multiple major airlines, which was quite alarming. Upon analysing backend source code for these airlines and reverse engineering the main binary, I've found several interesting functionalities and exploits.”

According to Santamarta, once an IFE system vulnerabilities have been exploited, the hacker could gain control of what passengers see and hear from their in-flight screen. For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map.

An attacker might also compromise the ‘CrewApp' unit, which controls PA systems, lighting, or even the recliners on first class seating. If all of these attacks are chained, a malicious actor may create a baffling and disconcerting situation for passengers.

Furthermore, the capture of personal information, including credit card details, is also technically possible due to backends that sometimes provide access to specific airlines' frequent-flyer/VIP membership data if not properly configured.

Vulnerabilities in on-board components can also create potential entry points to more important functional systems and therefore the risks are much higher.

Stephen Gates, chief research intelligence analyst at NSFOCUS told SC Media UK: “In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important. As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems.”

This new research together with Ruben's previously published work on Satellite Communications (SATCOM) terminals clearly demonstrates that aircraft systems are vulnerable to being hacked.

Aircraft's data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services and aircraft control.

Physical control systems are usually located in the aircraft control domain, which should be physically isolated from the passenger domains. Despite the advice, this doesn't always happen. This means that as long as there is a physical path that connects both domains, there is potential for attack.

As for the ability to cross the “red line” between the passenger entertainment and owned devices domain and the aircraft control domain, this relies heavily on the specific devices, software and configuration deployed on the target aircraft.

“I don't believe these systems can resist solid attacks from skilled malicious actors,” continued Santamarta. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft's security posture is carefully analysed case by case.”

Alex Cruz-Farmer, vice president at NSFOCUS, told SC: "This will be a huge flag to all manufacturers to review their underlying platforms, and whether their integrated infrastructure has the necessary security around it to protect us, the passengers. If anything did happen it could at worst be life threatening leading this to be considered as major negligence across the multiple parties involved."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews