A security researcher revealed dangerous vulnerabilities in an in-flight entertainment system that could let hackers hijack several flight systems and even take control of the plane.
Hacker Shows How Easy In-flight Entertainment System Can Be Hacked
A security expert said to have found flaws that allowed them to gain control of entertainment systems of the cockpit. He said this could allow attackers to shut off the lights, change altitude readings, display false maps and disseminate messages through the PA.
But the systems maker rejected the findings as “hypothetical at best.”
The weaknesses were discovered in the flight systems Panasonic Aero by Ruben Santamarta, a researcher at security firm IOActive. Aero in-flight systems are used by many airlines, including Virgin, Emirates, AirFrance, American Airlines and KLM.
“Security is not one of the main strengths of the system,” Santamarta said, adding that the network of screens seats and servers on board would not be able to bear “strong attack” expert opponents.
Mr. Santamarta said he began investigating Panasonic systems two years ago when, during a flight to Dubai, he accidentally caused the screen corresponding to his seat to show debugging data.
“Chained together this could be an unsettling experience for passengers,” said Santamarta. “I don’t believe these systems can resist solid attacks from skilled malicious actors. This only depends on the attacker’s determination and intentions, from a technical perspective it’s totally feasible.”
Through online searches, gradually accumulated a good amount of information about the Aero system that included the code that runs on the units seatback and onboard computers that keep everything running.
“I ended up having all components in my computer to emulate the whole system,” he said. Run a copy of the network Aero enabled Mr. Santamarta correct defects and other errors, he said, could “compromise the entire system.”
Panasonic said it had reviewed all the statements made by Mr. Santamarta and commissioned tests in 2015 and 2016 to ensure that their concerns had been remedied. While, Emirates is working with Panasonic to resolve these issues and regularly update its systems. Emirates said, “The safety of our passengers and crew on board is a priority and will not be compromised”.
The company rejected claims that credit card information was accessible, saying that Mr. Santamarta made “incorrect assumptions about where credit card data is stored and encrypted.” Panasonic also rejected any suggestion that hackers could access the flight controls through the entertainment system in flight.