Yesterday, security research company IOActive released research detailing several cybersecurity vulnerabilities found in Panasonic Avionics In-Flight Entertainment (IFE) systems used by a number of major airlines including United, Virgin, American Airlines, Emirates, AirFrance, Singapore, and Qatar, among others. The vulnerabilities in these systems could allow hackers to ‘hijack’ passengers’ in-flight displays and, in some instances, potentially access their credit card information. These vulnerabilities could also potentially act as an entry point to the wider network, depending on system configurations on an airplane.
The full research, “In-Flight Hacking System,” is authored by IOActive principal security consultant, Ruben Santamarta, and is now available at http://blog.ioactive.com/2016/12/in-flight-hacking-system.html.
“On a flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic in-flight display,” said Santamarta. “A subsequent internet search allowed me to discover hundreds of publically available firmware updates for multiple major airlines, which was quite alarming. Upon analyzing backend source code for these airlines and reverse engineering the main binary, I found several interesting functionalities and exploits.”
According to Santamarta, once IFE system vulnerabilities have been exploited, a hacker could gain control of what passengers see and hear from their in-flight screen. For example, an attacker might spoof flight information values, such as altitude or speed, or show a bogus route on the interactive map. An attacker might also compromise the ‘CrewApp’ unit, which controls PA systems, lighting, or even the recliners on first class seating. Furthermore, the capture of personal information, including credit card details, is also technically possible due to backends that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data.
Added Santamarta, “If all of these attacks are chained, a malicious actor could at least create a confusing and disconcerting situation for passengers.”
Aircraft’s data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and finally aircraft control. Avionics is usually located in the aircraft control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen. This means that as long as there is a physical path that connects both domains, there is potential for an attack. As for the ability to cross the “red line” between the ‘passenger entertainment and owned devices domain’ and the ‘aircraft control domain,’ this relies heavily on the specific devices, software, and configuration deployed on the target aircraft.
“I don’t believe these systems can resist solid attacks from skilled malicious actors,” continued Santamarta. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft’s security posture is carefully analyzed case by case.”
“Ruben’s discovery of these vulnerabilities in Panasonic Avionics in-flight entertainment systems echoes IOActive’s remote hack of an automobile, where our researchers took control of the vehicle’s dashboard functions, including steering, brakes, and transmission, through vulnerabilities existing in the on-board entertainment system,” said Cesar Cerrudo, CTO of IOActive Labs. “Our research once again points to the fact that all IP-based systems today must be continuously tested for vulnerabilities so that they can be addressed immediately. This is of utmost importance, especially when it comes to critical infrastructure and transportation systems where vulnerabilities in on-board components can create potential entry points to more important functional systems and therefore the risks are much higher. This new research together with Ruben’s previously published work on Satellite Communications (SATCOM) terminals clearly demonstrates that aircraft systems are vulnerable to being hacked.”
Due to heightened sensitivities regarding the security of commercial passenger airlines, IOActive has given Panasonic adequate time to resolve these issues before making them public, first alerting Panasonic of the vulnerabilities in March 2015.
The Guru reached out to the industry to get their reactions.
Stephen Gates, chief research intelligence analyst at NSFOCUS:
“In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important. As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems. This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s “experience” while flying, but have yet to prove they could impact flight control systems. Let’s all hope that remains the case, long-term.
“It’s not too far of a stretch to suggest that flight entertainment systems could even be hacked from the ground, via the Internet access on the plane. If remote access was gained while the plane was on the ground, or by way of a hacker planting a backdoor via an infected device while in flight, hackers could cause all kinds of disruption that would not directly impact them – since they’re not even on the plane. Now that’s a scary thought…”
Mike Ahmadi, global director – critical systems security at Synopsys:
“Any system that gets the attention of the hacking/research community will eventually be found vulnerable. There are literally an infinite number of ways to compromise any system. Organisations need to constantly monitor and test their systems in order to keep up with security issues. Moreover, organisations should assume compromise will happen and plan accordingly.”
Alex Cruz-Farmer, VP at NSFOCUS:
“Previous hacks and vulnerabilities have always been on the ground, but we’re now in the realms of something extremely scary – hacks in mid-air with no escape. The active threats will be growing, and with thousands of planes in the air, the remediation of this is going to be extremely complicated and time consuming. This will be a huge flag to all manufacturers to review their underlying platforms, and whether their integrated infrastructure has the necessary security around it to protect us, the passengers. If anything did happen it could at worst be life threatening leading this to be considered as major negligence across the multiple parties involved.”
Tim Erlin, Sr. Director, Product Management at Tripwire:
“Using the in-flight entertainment system to attack an aircraft isn’t a new concept. As soon as the USB and RJ45 ports started showing up in aircraft, security researchers became very interested. The security research community and aviation industry are clearly at odds over the feasibility and likelihood of using the in-flight entertainment system to actually affect aircraft controls. It would be a solid step forward to see cooperation instead of conflict. The majority of security researchers are interested in improving the systems they test, and partnership with industry vendors is the best way to accomplish that goal.
“Now that there’s credit card data on the plane, the in-flight systems are a more attractive target for profit driven criminals. The increased interest in these systems from criminals after credit card data might result in more vulnerabilities being discovered.”
Myles Bray, Vice President, EMEA at ForeScout Technologies Inc:
“The concept of hackers being able to take control of a plane through the in-flight entertainment system is not new. Last year a prominent hacker claimed he made a plane “climb” and move “sideways” after infiltrating its in-flight entertainment system. While the current claims to take control of lighting systems and make in-flight announcements sounds unsettling rather than fatal they set a worrying precedent. As the number of connected systems grow the risk of hackers gaining full access to the network through them rises exponentially. Without adequate security systems in place to automate the process of identifying and quarantining an infected system users and businesses will continue to be at risk. Our own research has found that common IoT devices can be hacked in as little as three minutes and its impact can be devastating, and in a very connected world the number of entry points to a systems is growing quickly. But it is preventable. All vital systems need total visibility of the devices and the users accessing them. Without visibility and a degree of automation to control the access levels granted there can be no timely defence against serious threats like destabilising an aircraft.”
Art Swift, president at prpl Foundation:
“Travellers this holiday season will be horrified to hear that in-flight entertainment systems could be used to help hackers gain access to their favourite airline’s flight control system, but the truth is it’s something which prpl has been talking about publicly since the flaw was first disclosed – and it’s not just airplanes that are at risk. Technology plays an important role in getting us from here to there, but without separation of critical aspects within the systems that keep things like critical controls such as steering, braking or heating and cooling that could potentially cause damage apart from less critical aspects like entertainment – hackers can worm their way around systems and potentially cause real devastation. For this reason, the prpl Foundation has come up with its free “Security Guidance for Critical Areas of Embedded Computing” for developers, manufacturers and engineers that outlines exactly how this security separation is possible.”