Some in-Flight Entertainment Systems May Be Vulnerable to Hacking, New Report Suggests
Expert doubts "systems can resist solid attacks from skilled malicious actors."
— -- A new report released today by security research firm IOActive says in-flight entertainment systems on some major airlines may be susceptible to hacking, including those on American carriers American Airlines and United Airlines.
The research claims that in-flight entertainment (IFE) systems made by Panasonic could ultimately be "hijacked" so that the hacker could control what a passenger sees, hears or experiences on a flight. This could include a false altitude or speed of the plane on the IFE's display, an incorrect route on the IFE's interactive map, illicit use of the PA system, or the ability of the hacker to control lighting in the cabin or reclining seats in first class.
The attacker could potentially access credit card information as well, the report stated. According to the author of the report, passengers who swipe their credit cards using a handset located on their seats to pay for entertainment transmit this information to the IFE's display unit on the seat. From there, the report says hackers could possibly control the binary system running there and steal the passenger's credit card information.
"I don’t believe these systems can resist solid attacks from skilled malicious actors,” explained IOActive Principal Security Consultant Ruben Santamarta, who researched what he says is the IFE's vulnerability.
"As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft's security posture is carefully analyzed case by case," he added.
IOActive is also known for its successful hack of a 2014 Jeep Grand Cherokee, where two of its experts remotely hijacked the vehicle from the comfort of their living room. Hackers Charlie Miller and Chris Valasek say they were able to access the SUV's computer system via the Internet and rewrite firmware that allowed them to control the car's steering, brakes and transmission.
The security research firm never actually hacked the system, but only said it was theoretically possible.
IOActive, which told ABC News it funded this IFE study, explained it cannot rule out that hijacking an IFE could potentially give a hacker access to an aircraft's avionic controls. But it's not the first time the question has been raised.
Just last year, the FBI investigated a computer security expert Chris Roberts, who alleged that he hacked into an aircraft's IFE and made the plane turn sideways. At the time, law enforcement sources told ABC News there was no evidence a hacker could gain control of an plane's controls in the way that Roberts claimed, which included breaking into the IFE through "boxes under the seat."
"While we will not comment on specific allegations, there is no credible information to suggest an airplane's flight control system can be accessed or manipulated from its in-flight entertainment system," one senior law enforcement official told ABC News in 2015. "Nevertheless, attempting to tamper with the flight control systems of aircraft is illegal and any such attempts will be taken seriously by law enforcement."
IOActive told ABC News it disclosed its findings to Panasonic in March 2015, and said it was told by the tech company that it would notify its airline customers. IOActive said it has been unable to verify if the problem has been completely resolved.
"The access to the systems we looked at to identify the vulnerabilities has been shut down since we disclosed the findings to them," IOActive told ABC News.
Panasonic Avionics Corp. said in a statement today, “The allegations made to the press by IOActive regarding in-flight entertainment (IFE) systems manufactured by Panasonic Avionics Corporation (“Panasonic”) contain a number of inaccurate and misleading statements about Panasonic’s systems. These misstatements and inaccuracies call into question many of the assertions made by IOActive.”
“Most notably, IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could “theoretically” gain access to flight controls by hacking into Panasonic’s IFE systems. Panasonic strenuously disagrees with any suggestion by IOActive that such an attack is possible, and calls upon IOActive to clarify that its research does not support any such inference.”
In its statement, Panasonic Avionics also said that “Ruben Santamarta’s statement regarding credit card theft is simply not true" and that he "makes incorrect assumptions about where credit card data is stored and encrypted within Panasonic's systems."
Here's Panasonic's complete statement.
IOActive, in a statement responding to Panasonic, said in part it had "absolute confidence in the accuracy of the technical findings and the merit of observations and opinions contained in the research documentation, including the technical feasibility of the theoretical references."
"Quite simply, if an attacker is able to exploit vulnerabilities acknowledged to be resident (and claimed to be subsequently addressed) by the manufacturer in a technology component within a connected ecosystem (i.e., say an IFE on board a plane), and the ecosystem is not configured appropriately to segment and isolate the respective domains as they should be, then exploiting the vulnerabilities in that component to gain access to other domains in the ecosystem is technically feasible and “theoretically” quite possible," IOActive said.
"So not only are the theoretical statements in the research technically feasible and relevant to the topic of the research, but they are important in explaining the potential extent and possible implications of vulnerabilities within a component in such an ecosystem and the need for a holistic approach to managing and maintaining the highest security measures at all levels throughout that ecosystem."
American Airlines, one of the carriers that uses Panasonic IFEs, told ABC News it has seen no evidence that flight control systems or passenger credit card data has been accessed through Panasonic's IFE.
"American is one of many carriers worldwide that uses in-flight entertainment (IFE) provided by Panasonic Avionics. American works with its IFE manufacturers, like Panasonic, to include the latest security improvements in our systems," American Airlines Spokesperson Ross Feinstein told ABC News.
"Our IFE team has been collaborating with Panasonic to ensure that our IFE systems are not susceptible to the theoretical risk described in the blog post," Feinstein added.
United Airlines also released a statement to ABC News in response to IOActive's report.
"At United, we take all security matters very seriously and regularly add new safeguards to ensure our systems are protected," the statement said. "We support the responsible disclosure of potential security issues and will work with our technology partners, outside experts and the aviation community to carefully examine these claims."
ABC News' Erin Dooley and Whitney Lloyd contributed to this report.