IOActive has disclosed several vulnerabilities found in Panasonic Avionics in-flight entertainment (IFE) systems and warned that such security holes could, under certain circumstances, pose a serious risk to an aircraft.
Panasonic Avionics is one of the world’s largest suppliers of in-flight entertainment and communications systems. The company says it has delivered more than 8,000 IFE systems and 1,300 in-flight connectivity solutions to major airlines.
Panasonic Avionics recently announced the launch of a private bug bounty program whose goal is to enhance the security of IFE systems, with rewards ranging between $100 and $10,000.
Many months before the launch of the bug bounty program, IOActive researcher Ruben Santamarta, who has also analyzed ship data recorders and satellite telecommunications systems, decided to conduct an investigation in an effort to determine just how secure Panasonic Avionics’ IFE systems were.
A Google search helped Santamarta find the latest firmware updates for the devices used by more than a dozen major airlines, including Emirates, Air France, United, American, KLM, Scandinavian, Aerolineas Argentinas, Virgin, Iberia, Singapore, Finnair, Qatar and Etihad.
One of the components of the IFE system is the seat display unit (SDU), an embedded device that allows passengers to watch movies, buy items and connect to the Internet via a touchscreen. The SDU can also come with a personal control unit (PCU), a controller typically found in the armrest.
The IFE system also includes the cabin crew panel, which crew members use to control lights and other features, and the system control unit (SCU), the server that provides flight information, chat features and on-board shopping capabilities. Panasonic’s legacy IFE systems (e.g. 3000/3000i) rely on Linux, but the newer X Series products use Android.
An analysis of the firmware update files found by Santamarta revealed some potentially serious vulnerabilities, including weaknesses that can be exploited to bypass credit card checks, arbitrary file access issues, and an SQL injection flaw. The researcher has published videos demonstrating how these vulnerabilities can be exploited in-flight using only the available touchscreen and PCU.
According to the expert, an attacker who hijacks the IFE system could spoof flight information and feed inaccurate speed or route data to SDUs, or they could tamper with the crew unit and control lights or other systems. However, if the IFE system is physically separated from aircraft control and other critical systems, attacks should only result in passenger discomfort.
In another possible scenario described by the white hat hacker, the attacker gains access to frequent-flyer data, including payment card details, through the entertainment system.
Aircraft systems are not always physically separated, which could, in theory, turn IFE systems into an attack vector, Santamarta said.
“In some scenarios such an attack would be physically impossible due to the isolation of these systems, while in others an attack remains theoretically feasible. The ability to cross the ‘red line’ between the passenger entertainment and owned devices domain and the aircraft control domain relies heavily on the specific devices, software and configuration deployed on the target aircraft,” the expert said.
The researcher reported his findings to Panasonic Avionics in March 2015, but it’s unclear if the issues have been addressed by the vendor. SecurityWeek has reached out to the company and will update this article if it provides any information.
Several security experts and government organizations have warned recently about the risks posed by vulnerable IFE systems. While some researchers conducted their analysis offline, others reportedly exploited IFE flaws while in flight. The most widely known case is the one involving researcher Chris Roberts, who the FBI claimed had hacked into entertainment systems more than a dozen times.
Aircraft manufacturers such as Airbus and Boeing have insisted that the risk is low, arguing that entertainment systems are isolated from flight and navigation systems.
UPDATE. Panasonic Avionics has provided the following statement to SecurityWeek:
“The allegations made to the press by IOActive regarding in-flight entertainment (IFE) systems manufactured by Panasonic Avionics Corporation (“Panasonic”) contain a number of inaccurate and misleading statements about Panasonic’s systems. These misstatements and inaccuracies call into question many of the assertions made by IOActive.
Most notably, IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could “theoretically” gain access to flight controls by hacking into Panasonic’s IFE systems. Panasonic strenuously disagrees with any suggestion by IOActive that such an attack is possible, and calls upon IOActive to clarify that its research does not support any such inference.”
The company said Santamarta made incorrect assumptions as to where payment card data is stored and encrypted within Panasonic’s systems, and condemned IOActive for making its products appear to be the source of insecurity to aircraft operation.
Panasonic said it addressed the “minor” issues reported by the IOActive researcher last year and encouraged security experts to take part in its bug bounty program, in which the vendor provides unfettered access to products for in-depth testing and analysis.
“Panasonic does not condone unauthorized security testing during aircraft operation in uncontrolled environments, such as those conducted by IOActive. Panasonic strongly supports legislation that should be enacted to make on-board electronic intrusion a criminal act,” the company said.
UPDATE 2. IOActive has provided the following statement in response to Panasonic Avionics:
“IOActive has a stringent and thorough process by which it technically validates published research and the company stands by the accuracy and integrity of the findings with regard to the research recently published on Panasonic Avionics IFE systems.
As with virtually all security-related research, the findings are made up of both documented technical findings regarding the vulnerabilities described, as well as statements of opinion, theory and/or feasibility by the researcher that were developed based on both the merits of the technical findings, as well as the researcher’s vast domain expertise, experience, and knowledge on the subject matter presented – as evidenced by current and past research published.
While we cannot control how the information presented is precisely interpreted, represented, or disseminated across all outlets, we have absolute confidence in the accuracy of the technical findings and the merit of observations and opinions contained in the research documentation, including the technical feasibility of the theoretical references. In some cases, direct access to files and systems is no longer available to extend the research and validate or discount the actual feasibility of things such as the IFE system being used as an entry point to other systems not detailed in the research. Additionally, some of the opinions and references to theoretical scenarios referenced in the research have little or nothing to do with the IFE system itself and more to do with the configuration, or potential misconfiguration, of other systems inherent in an airplane’s IT ecosystem.
Quite simply, if an attacker is able to exploit vulnerabilities acknowledged to be resident (and claimed to be subsequently addressed) by the manufacturer in a technology component within a connected ecosystem (i.e., say an IFE on board a plane), and the ecosystem is not configured appropriately to segment and isolate the respective domains as they should be, then exploiting the vulnerabilities in that component to gain access to other domains in the ecosystem is technically feasible and “theoretically” quite possible. So not only are the theoretical statements in the research technically feasible and relevant to the topic of the research, but they are important in explaining the potential extent and possible implications of vulnerabilities within a component in such an ecosystem and the need for a holistic approach to managing and maintaining the highest security measures at all levels throughout that ecosystem.
We believe that it is in the long-term best interests of the public, the aviation industry, aviation product security teams, and the manufacturer in this case to publicly disclose this example of cybersecurity risk in the aviation industry. Our intent with publicly describing these vulnerabilities is to create informed, fact-based public awareness about the presence of cybersecurity risks in aviation and demonstrate the risks in a responsible manner to ensure that senior management and stakeholders within the aviation industry allocate appropriate levels of resources to deal with these risks.”