What happens after a security researcher goes public with vulnerabilities he discovered in airplane in-flight entertainment systems and then goes a step further by suggesting that it is theoretically possible for hackers to control some of those systems? High drama.
IOActive security researcher Ruben Santamarta said he discovered several security flaws – SQL injection (video), a credit card check bypass (video) and arbitrary file access (video) – in Panasonic Avionics’ in-flight entertainment (IFE) systems. Panasonic’s systems are used by several airlines such as American Airlines, United and Virgin, based on publicly available firmware updates he found after some searching. Santamarta does “not believe these systems can resist solid attacks from skilled malicious actors.”
An IOActive press release reads:
According to Santamarta, once IFE system vulnerabilities have been exploited, a hacker could gain control of what passengers see and hear from their in-flight screen. For example, an attacker might spoof flight information values, such as altitude or speed, or show a bogus route on the interactive map. An attacker might also compromise the ‘CrewApp’ unit, which controls PA systems, lighting, or even the recliners on first class seating. Furthermore, the capture of personal information, including credit card details, is also technically possible due to backends that sometimes provide access to specific airlines' frequent-flyer/VIP membership data if not properly configured.
Added Santamarta, “If all of these attacks are chained, a malicious actor could at least create a confusing and disconcerting situation for passengers.”
There could be issues if the aircraft’s data networks are not correctly divided into four domains. Santamarta wrote on IOActive that “as long as there is a physical path that connects both domains, we can’t disregard the potential for attack.”
The press release stated:
Aircraft's data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and finally aircraft control. Physical control systems are usually located in the aircraft control domain, which should be physically isolated from the passenger domains; however, this doesn't always happen. This means that as long as there is a physical path that connects both domains, there is potential for an attack. As for the ability to cross the “red line” between the “passenger entertainment and owned devices domain” and the “aircraft control domain,” this relies heavily on the specific devices, software, and configuration deployed on the target aircraft.
Santamarta said the vulnerabilities were on server and client components, but he did not exploit the bugs.
The vulnerabilities were responsibly disclosed to Panasonic in March 2015. With it now being December 2016, IOActive believes Panasonic has had “enough time to produce and deploy patches, at least for the most prominent vulnerabilities.”
Panasonic issued angry retort, refuting IOActive’s report
After IOActive published its report, Panasonic immediately hit back (pdf) against the “inaccurate and misleading statements about Panasonic’s systems.” The “highly misleading and inflammatory statements” included “unfounded, unproven conclusions.” The company labeled Santamarta’s statement regarding credit card theft as “simply not true.”
Panasonic added that IOActive’s statement that its “research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, including the aircraft controls domain” “will only serve to falsely alarm the flying public.”
“The conclusions suggested by IOActive to the press are not based on any actual findings or facts,” according to the statement released by Panasonic Avionics Corporation. “The implied potential impacts should be interpreted as theoretical at best, sensationalizing at worst, and absolutely not justified by any hypothetical vulnerability findings discovered by IOActive.”
IOActive stands by its report
But IOActive did not back down, telling Infosecurity Magazine:
Quite simply, if an attacker is able to exploit vulnerabilities acknowledged to be resident (and claimed to be subsequently addressed) by the manufacturer in a technology component within a connected ecosystem (i.e., say an IFE on board a plane), and the ecosystem is not configured appropriately to segment and isolate the respective domains as they should be, then exploiting the vulnerabilities in that component to gain access to other domains in the ecosystem is technically feasible and ‘theoretically’ quite possible. So not only are the theoretical statements in the research technically feasible and relevant to the topic of the research, but they are important in explaining the potential extent and possible implications of vulnerabilities within a component in such an ecosystem and the need for a holistic approach to managing and maintaining the highest security measures at all levels throughout that ecosystem.
It’s not uncommon for a firm to come out swinging after security researchers go public with vulnerabilities. The high drama might have been avoided had Panasonic informed IOActive that it conducted attack research “in May 2015 and again in 2016 to ensure that the few minor concerns (in no way linked to the control of an aircraft) identified by Mr. Santamarta had been fully remediated.”
Panasonic urged researchers to participate in its Bug Bounty program so they can gain “unfettered access” for “in-depth security testing and analysis” of Panasonic products.
As for Santamarta, he sounded really upset that so many media outlets were twisting what he said.
Some of those crazy headlines made it sound like a plane could be hijacked or crashed due to the flaws. That might have played into the strongly-worded statement issued by Panasonic.
In short, and to avoid any possible confusion, check out Santamarta's blunt tweet: