A flaw in an in-flight entertainment system used by major airlines including Emirates, Virgin and Qatar could let hackers access a planes’ controls. It security experts from NSFOCUS, Synopsys, NSFOCUS, IOActive and Tripwire commented below.
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
“In the light of this research, physical separation between in-flight entertainment systems and aircraft control systems could never be more important. As airlines continue to add new customer-based entertainment and information technologies, airlines need to ensure that an impenetrable barrier is in place protecting aircraft control systems. This research demonstrates that hackers could cause all sorts of issues that could impact a customer’s “experience” while flying, but have yet to prove they could impact flight control systems. Let’s all hope that remains the case, long-term.
“It’s not too far of a stretch to suggest that flight entertainment systems could even be hacked from the ground, via the Internet access on the plane. If remote access was gained while the plane was on the ground, or by way of a hacker planting a backdoor via an infected device while in flight, hackers could cause all kinds of disruption that would not directly impact them – since they’re not even on the plane. Now that’s a scary thought…”
Mike Ahmadi, Global Director – Critical Systems Security at Synopsys:
“Any system that gets the attention of the hacking/research community will eventually be found vulnerable. There are literally an infinite number of ways to compromise any system. Organisations need to constantly monitor and test their systems in order to keep up with security issues. Moreover, organisations should assume compromise will happen and plan accordingly.”
Alex Cruz-Farmer, VP at NSFOCUS:
“Previous hacks and vulnerabilities have always been on the ground, but we’re now in the realms of something extremely scary – hacks in mid-air with no escape. The active threats will be growing, and with thousands of planes in the air, the remediation of this is going to be extremely complicated and time consuming. This will be a huge flag to all manufacturers to review their underlying platforms, and whether their integrated infrastructure has the necessary security around it to protect us, the passengers. If anything did happen it could at worst be life threatening leading this to be considered as major negligence across the multiple parties involved.”
Ruben Santamarta, Principal Security Consultant at IOActive:
“I’ve been afraid of flying for as long as I can remember,” said Santamarta. “It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly. On a flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic in-flight display. A subsequent internet search allowed me to discover hundreds of publically available firmware updates for multiple major airlines, which was quite alarming. Upon analysing backend source code for these airlines and reverse engineering the main binary, I’ve found several interesting functionalities and exploits.”
According to Santamarta, once an IFE system vulnerabilities have been exploited, the hacker could gain control of what passengers see and hear from their in-flight screen. For example, an attacker might spoof flight information values such as altitude or speed, or show a bogus route on the interactive map. An attacker might also compromise the ‘CrewApp’ unit, which controls PA systems, lighting, or even the recliners on first class seating. If all of these attacks are chained, a malicious actor may create a baffling and disconcerting situation for passengers. Furthermore, the capture of personal information, including credit card details, is also technically possible due to backends that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data if not properly configured.
Vulnerabilities in on-board components can also create potential entry points to more important functional systems and therefore the risks are much higher. This new research together with Ruben’s previously published work on Satellite Communications (SATCOM) terminals clearly demonstrates that aircraft systems are vulnerable to being hacked. Aircraft’s data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and finally aircraft control. Physical control systems are usually located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen. This means that as long as there is a physical path that connects both domains, there is potential for attack. As for the ability to cross the “red line” between the ‘passenger entertainment and owned devices domain’ and the ‘aircraft control domain’, this relies heavily on the specific devices, software and configuration deployed on the target aircraft.
“I don’t believe these systems can resist solid attacks from skilled malicious actors,” continued Santamarta. “As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft’s security posture is carefully analysed case by case.”
Tim Erlin, Sr. Director, Product Management at Tripwire:
“Using the in-flight entertainment system to attack an aircraft isn’t a new concept. As soon as the USB and RJ45 ports started showing up in aircraft, security researchers became very interested.
The security research community and aviation industry are clearly at odds over the feasibility and likelihood of using the in-flight entertainment system to actually affect aircraft controls. It would be a solid step forward to see cooperation instead of conflict. The majority of security researchers are interested in improving the systems they test, and partnership with industry vendors is the best way to accomplish that goal.
Now that there’s credit card data on the plane, the in-flight systems are a more attractive target for profit driven criminals. The increased interest in these systems from criminals after credit card data might result in more vulnerabilities being discovered.”
Art Swift, President at prpl Foundation:
“Travellers this holiday season will be horrified to hear that in-flight entertainment systems could be used to help hackers gain access to their favourite airline’s flight control system, but the truth is it’s something which prpl has been talking about publicly since the flaw was first disclosed – and it’s not just airplanes that are at risk. Technology plays an important role in getting us from here to there, but without separation of critical aspects within the systems that keep things like critical controls such as steering, braking or heating and cooling that could potentially cause damage apart from less critical aspects like entertainment – hackers can worm their way around systems and potentially cause real devastation. For this reason, the prpl Foundation has come up with its free “Security Guidance for Critical Areas of Embedded Computing” for developers, manufacturers and engineers that outlines exactly how this security separation is possible.”