Security experts are warning that vulnerabilities in aircraft on-board computer systems could allow hackers to steal personal and financial data from passengers and interfere with on-board displays.
Ruben Santamarta, principal security consultant at pen testers IOActive, studied Panasonic Avionic IFE (In-flight Entertainment) systems used by a number of airlines including Virgin Atlantic, Emirates, United, Iberia and American Airlines.
After playing around with his IFE screen on a flight two years ago, Santamarta found he could access debug information.
Once on terra firma he used those keywords as a starting point and was able to find hundreds of firmware updates for the systems – which vary somewhat from airline to airline – publicly available online, including the latest versions deployed on aircraft.
After reverse engineering, he discovered several vulnerabilities which could theoretically allow hackers to remotely control IFE systems “in some scenarios.”
He explained:
“On the IT side, compromising the IFE means an attacker can control how passengers are informed aboard the plane. For example, an attacker might spoof flight information values such as altitude or speed, and show a bogus route on the interactive map. An attacker might compromise the CrewApp unit, controlling the PA, lighting, or actuators for upper classes. If all of these attacks are chained, a malicious actor may create a baffling and disconcerting situation for passengers.”
Santamarta also claimed that it’s “technically possible” for hackers to obtain personal information including credit card details thanks to back-ends which tie back to frequent flyer and similar data.
However, the ability to “cross the ‘red line’ between the passenger entertainment and owned devices domain and the systems controlling the aircraft itself is heavily dependent on “the specific devices, software and configuration” used, he claimed.
“We cannot definitively say if an attacker could or could not get to the aircraft controls domain as a result of the vulnerabilities identified, as it would depend on the specific configuration of the system on a plane,” Santamarta told Infosecurity. “In theory all aircraft/airlines should have physical domain separation.”
He added that the IFE systems studied can’t resist “solid attacks from skilled malicious actors.”
“However, Avionics is usually located in the Aircraft Control domain, which should always be physically isolated from the passenger domains,” Santamarta claimed. “Where that’s the case, there’s absolutely no chance of hackers hijacking main flight controls. However, this doesn’t always happen. This means that as long as there is a physical path that connects both domains, there is potential for attack.”
The issues highlighted in the research were reported to Panasonic in March 2015, although IOActive is unsure whether improvements have been made to mitigate the risks in all software versions and airlines.
It should also be clarified that this paper differs from the now famous IOActive research from 2014 detailing how a Jeep could be remotely hacked in that the latter featured a practical demo of exactly this.