Hackers can access airline in-flight systems via entertainment displays

Worrying security flaw in system used by 13 major carriers revealed by researchers


By Lucy Hook

The entertainment system used by a number of major commercial airlines, including Qatar Airways, Emirates and Virgin, could be used to hack into airplanes’ in-flight systems, researchers have claimed.

The security flaw within the Panasonic Avionics system, used by 13 major airlines, was discovered by investigators at IOActive – who were able to infiltrate aspects of the in-flight system via the entertainment displays.

Security consultant Ruben Santamarta was able to change the display, hijack announcements and access credit card details of frequent flyer passengers, Newsweek reported this week.

He did not use the flaw to take over the plane’s controls.

Santamarta discovered the flaw during a flight from Warsaw to Dubai, realising he could “access debug codes directly from a Panasonic in-flight display.”

“I don’t believe these systems can resist solid attacks from skilled malicious actors,” he said. “As such, airlines must be incredibly vigilant when it comes to their [in-flight] systems.”

The flaw is exploited by ‘injecting’ malicious code into the in-flight system, IOActive’s research states.

Depending on how isolated the airline has made the in-flight entertainment system, the hacker would then have different control possibilities.

Santamarta said that IOActive had alerted Panasonic to the flaw, but could not say whether the technology firm had addressed the issue, as access to the system has since been restricted.

“We were unable to verify if Panasonic has fixed the flaws because the access to the systems we looked at to identify the vulnerabilities has been shut down since we disclosed the findings to them in March of 2015,” he said.

In an emailed statement, Panasonic called the claims “highly misleading and inflammatory.”

It said that the claims were theoretical, adding that it disagreed with any suggestion by IOActive that such an attack is possible, and called upon IOActive to clarify that its research does not support any such inference.

