IFEC hack spat – Panasonic denies alleged inflight security flaws
By cameron in Uncategorized
Panasonic Avionics has reacted strongly to a “highly misleading and inflammatory” report from a cybersecurity team which suggested that an airline’s controls can be accessed by hackers via vulnerabilities in the inflight entertainment and communication (IFEC) systems.
IOActive made the bold claim that:
The vulnerabilities in these systems could allow hackers to ‘hijack’ passengers’ inflight displays and, in some instances, potentially access their credit card information.
These vulnerabilities could also potentially act as an entry point to the wider network, depending on system configurations on an airplane.
Its press release suggests hack scenarios from the comedic, such as being able to take over the “Crew App” and remotely change the angle on the reclining seats in first class, to the criminal, such as being able to steal personal and financial details from other passengers using the inflight internet.
But in terms of a passenger being able to take over the controls in the cockpit by hacking the IFE, IOActive says that the various systems on a plane are usually discrete and that even if the IFE was hacked then access to the main controls “relies heavily on the specific devices, software, and configuration deployed on the target aircraft” but is “theoretically feasible”.
Panasonic Avionics responded with a strongly worded denial of the report, drilling down into what was said in IOActive’s release, but also referencing an accompanying blog post which went into specific details of how its researcher attempted to access the back-end on a flight from Warsaw to Dubai.
Its statement pointed out that “during the course of this unauthorized, in-service testing, the safety, security and comfort of passengers or the aircraft were never in danger or compromised due to the system segregation and robust security design of our IFEC product.”
In fact, Panasonic dismisses the research out of hand, noting that for any of the theoretical hack scenarios to occur the first step is actually getting into the IFEC systems – and that didn’t happen.
It is less dismissive of the potential that the research has to “alarm the flying public” – the tech and computer press are generally reporting the story along the lines of Panasonic disagrees with IOActive” while the consumer headlines are “Hackers can fly planes”.
Panasonic now wants “onboard electronic intrusion” to be made a criminal act and added that it has its own Bug Bounty programme for authorised testing of its systems.
Panasonic Avionics’ IFEC products are used by airlines including United, Virgin, American Airlines, Emirates, AirFrance, Singapore, and Qatar, all of whom get a namecheck at the beginning of IOActive’s release.
The Hollywood B-movie disaster movie scenario of a hack on a plane means that stories like these are always likely to be picked up by the consumer press and sensationalised. Most security experts insist that there is no such things as a 100% secure system but Panasonic and the other IFEC providers appear to be doing a good job in keeping airline systems secure, so far.