Security firm IOActive published research yesterday detailing security flaws in the in-flight entertainment systems developed by Panasonic Avionics, used by multiple airlines such as United, Emirates, Virgin, KLM, Etihad, Scandinavian, Air France, and many other more.
IOActive researcher Ruben Santamarta revealed that he found several security flaws, such as an SQL injection, an arbitrary file access issue, and a credit card check bypass.
Videos of Santamarta exploiting the bugs are available on YouTube [1, 2, 3]. Santamarta said he reported his findings to Panasonic, but never received an answer.
Bugs allow an attacker to take over infotainment systems, not airplanes
The researcher argued that an attacker could be in a position to collect user details and even hijack the airplane's infotainment system, and possibly other systems on the plane if the IFE (in-flight entertainment) system was not properly separated from other plane components.
Santamarta called the attack as "theoretically feasible due to the physical connectivity," albeit he never carried one in practice.
"The ability to cross the 'red line' between the passenger entertainment and owned devices domain and the aircraft control domain relies heavily on the specific devices, software and configuration deployed on the target aircraft," Santamarta also said.
Media overblows security flaws
Nevertheless, most of the world's media reporting on his findings didn't understand how far-fetched a full plane hijacking scenario would be, and many outlets ran extremely alarmistic headlines [1, 2, 3, 4, 5, 6, 7].
In a statement released online a few hours after IOActive published its security report, Panasonic criticized the security firm and the researcher for their approach, but mainly for mixing hypothetical hacking scenarios within a bug report.
The full statement is available here, but a few selected excerpts are available below.
The allegations made to the press by IOActive regarding in-flight entertainment (IFE) systems manufactured by Panasonic Avionics Corporation (“Panasonic”) contain a number of inaccurate and misleading statements about Panasonic’s systems. These misstatements and inaccuracies call into question many of the assertions made by IOActive.
IOActive has presented no evidence that its examination of Panasonic’s systems would support any such suggestion, and its statement that its “research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, including the aircraft controls domain” will only serve to falsely alarm the flying public.
Furthermore, IOActive employee Ruben Santamarta’s statement regarding credit card theft is simply not true. Mr. Santamarta makes incorrect assumptions about where credit card data is stored and encrypted within Panasonic’s systems.
It is important to note that, during the course of this unauthorized, in-service testing, the safety, security and comfort of passengers of the aircraft were never in danger or compromised due to the system segregation and robust security design of our inflight entertainment and communications (IFEC) product, and of all commercial aircraft as well. His exploit itself was limited to a single seat and information gathering; control override of the IFEC seat and system did not occur.
It is also very important to note that, in its communications to the press, IOActive made unfounded, unproven conclusions. The basis for many of these conclusions would first necessitate that an attacker gained a physical connection within the IFE network. During the unauthorized testing, network penetration, or even network connection to Panasonic’s product, did not occur.
The conclusions suggested by IOActive to the press are not based on any actual findings or facts. The implied potential impacts should be interpreted as theoretical at best, sensationalizing at worst, and absolutely not justified by any hypothetical vulnerability findings discovered by IOActive.
IOActive, in statements to the press, inappropriately mixed a discussion of hypothetical vulnerabilities inherent to all aircraft electronics systems with specific findings regarding Panasonic’s systems, creating a highly misleading impression that Panasonic’s systems have been found to be a source of insecurity to aircraft operation.
Panasonic Avionics also said that they did receive Santamarta's bug reports, which the company fixed last year, apparently without notifying IOActive.
Furthermore, Panasonic invited security researchers to use their bug bounty program, launched at the start of August, where they can benefit from access to authorized testing equipment, and carrying out experiments on IFE systems deployed on real airplanes.