Pen testing firm IOActive has been forced to defend its findings after Panasonic Avionics reacted angrily to a new report highlighting potential weaknesses in aircraft computer systems this week.
Report author and IOActive principal security consultant, Ruben Santamarta, revealed several vulnerabilities which he said could theoretically allow hackers to remotely control IFE systems “in some scenarios.”
He added that it could be possible for hackers to steal passenger card information because of back-ends which tie back to frequent flyer and similar data.
Most controversially, he claimed that if aircraft do not have physical separation between aircraft control domains and in-flight entertainment (IFE) system domains on board, a hacker could pivot from IFE systems into the heart of the plane – potentially controlling its course.
Panasonic Avionics, which makes the IFE systems Santamarta tested, immediately hit out at the research, claiming it contained “a number of inaccurate and misleading statements” about its systems.
It added, in a statement sent to Infosecurity:
“Most notably, IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could ‘theoretically’ gain access to flight controls by hacking into Panasonic’s IFE systems. Panasonic strenuously disagrees with any suggestion by IOActive that such an attack is possible, and calls upon IOActive to clarify that its research does not support any such inference.”
The firm also argued that the report mixes discussion of hypothetical flaws present in all aircraft systems with specific findings related to its products, which unfairly paints a negative picture of the electronics giant.
However, IOActive refused to back down, in a lengthy retort of its own which Infosecurity has obtained.
The firm said it stands by the “accuracy and integrity” of the report’s findings and claimed all such reports are based on a mix of documented technical findings and “statements of opinion, theory and/or feasibility.”
It explained:
“Quite simply, if an attacker is able to exploit vulnerabilities acknowledged to be resident (and claimed to be subsequently addressed) by the manufacturer in a technology component within a connected ecosystem (i.e., say an IFE on board a plane), and the ecosystem is not configured appropriately to segment and isolate the respective domains as they should be, then exploiting the vulnerabilities in that component to gain access to other domains in the ecosystem is technically feasible and ‘theoretically’ quite possible. So not only are the theoretical statements in the research technically feasible and relevant to the topic of the research, but they are important in explaining the potential extent and possible implications of vulnerabilities within a component in such an ecosystem and the need for a holistic approach to managing and maintaining the highest security measures at all levels throughout that ecosystem.”
IOActive argued that while some news outlets may have taken its research out of context and sensationalized it to get more clicks, the report was compiled in good faith and with the goal of raising cybersecurity awareness.