In late December, Panasonic Avionics and IOActive, a security consultancy, exchanged public statements after a blog post set off a media-driven debate: can an aircraft's flight systems be breached and controlled through the inflight entertainment (IFE) system? The short answer is no, but the headline damage has been done. After the dust settles, the aviation and MRO industry will need to remain prepared to address media hyperbole and the public's security concerns.
Here’s how it started. On Dec. 20, IOActive Principal Security Consultant Ruben Santamarta published a blog post titled “In Flight Hacking System.”
The post detailed Santamarta’s unplanned findings during a flight from Warsaw to Dubai: multiple security vulnerabilities in Panasonic’s inflight entertainment system and their related impacts.
In the post, Santamarta explains how debug information appeared on the screen during the flight. He then searched and found hundreds of publicly available firmware updates for airlines including Emirates, Air France, KLM, Etihad and others.
After a brief description of the IFE architecture, including definitions and visuals of the system control unit (SCU), the seat display unit (SDU), the personal control unit (PCU) and the cabin crew panel, Santamarta goes on to assess Panasonic’s system. The post also features three videos showing how he could bypass a credit card check, access arbitrary files and perform an SQL injection on the IFE.
The videos are hosted on IOActive’s YouTube account and were posted Dec. 19, 2016; Santamarta confirms he recorded the footage in 2015. Viewer comments include requests for more detail on how Santamarta carried out the actions, surprise at what is shown and further discussion of what the vulnerabilities imply.
Santamarta essentially concludes with potential impacts after outlining the aircraft’s segregated networks (the aircraft control domain, which controls the aircraft, is typically physically separated from the passenger domains). While he notes that a physical path connecting the two domains exists, he focuses on the “IT side,” outlining how an attacker could create passenger discomfort by compromising the CrewApp unit and modifying the lighting or actuators, for example.
Santamarta also states in the blog post that acquisition of passenger personal information would be "technically possible" if the back-end of the airline's "frequent-flyer/VIP membership data" was not configured appropriately.
Santamarta later added in a comment on Dec. 30, "...it's worth mentioning that the blog post includes the credit card data as personal data, but it doesn't mean the way to steal them is the same. [Credit card] data can only be grabbed from the handset by compromising the SDU and not through the [back-end]."
Lastly, Santamarta discloses that the findings were reported to Panasonic Avionics in March 2015 and were published now in the belief that enough time had passed for the vulnerabilities to be addressed and patched.
Within hours of the blog post being published, media outlets ran headlines like “Hackers could take control of a plane using in-flight entertainment system,” “This is your captain speaking…or is it?” and “Our planes are now ‘big flying mobile devices’ and top hacking targets.”
Comments on those articles include reprimanding the media for “scaremongering tosh,” frustration that developers allowed these vulnerabilities to exist, and continued discussion of what the implications actually are.
By 11:51 a.m. CST on Dec. 20, Panasonic Avionics had released a corporate statement addressing the IOActive blog post. It called IOActive’s misstatements and inaccuracies regarding Panasonic’s systems “highly misleading and inflammatory” and explained which of Santamarta’s “assumptions” were incorrect, while noting that Santamarta’s inflight testing in 2015 did not compromise passenger safety.
Panasonic also mentioned its Bug Bounty program, “in which Panasonic provides unfettered access to [its] products to allow for in-depth security testing and analysis.”
When asked if IOActive or Santamarta would participate in the program, Santamarta says, “We’re always open to participate in interesting security initiatives.”
Panasonic representatives did not have any updates or comments as of Dec. 28.
In the blog, Santamarta states, “The responsibility for security does not solely rest with an IFE manufacturer, an aircraft manufacturer or the fleet operator. Each plays an important role in assuring a secure environment.”
In response to an Aviation Week query, American Airlines says, “American is one of many carriers worldwide that uses inflight entertainment (IFE) provided by Panasonic Avionics. American works with its IFE manufacturers, like Panasonic, to include the latest security improvements in our systems. We have no evidence that flight control systems or passenger credit card data can be accessed through Panasonic’s IFE system. Our IFE team has been collaborating with Panasonic to ensure that our IFE systems are not susceptible to the theoretical risk described in the blog post.”
Etihad Airways and United Airlines have not yet responded to requests for comment.
This isn’t the first time Santamarta has spoken out about cyber security in the aviation industry. At the Black Hat security conference in August 2014, Santamarta presented research on satellite communications vulnerabilities in aviation and other transportation sectors, titled “SATCOM Terminals: Hacking by Air, Sea, and Land.” That presentation used the same aircraft data network domain model diagram that appears in the recent blog post, and cited the special condition the FAA issued in January 2008 for the Boeing 787-8, which addressed the aircraft’s data network design and integration architecture and the security vulnerabilities it could allow.
Santamarta expected media coverage after the findings were released in December: “I was expecting a wide coverage as it happened in 2014, when I presented the SATCOM research in BlackHat USA, which also affected aircraft. Unfortunately some headlines are basically made up, they are saying exactly the opposite [of what] our research is describing.”
Santamarta has also pinned a tweet from 10:27 a.m. Dec. 20, saying that in-flight entertainment cannot “bring down” a plane.
At MRO Europe in October, Aviation Week Network published an aviation cybersecurity study with Rockwell Collins to explore the importance of cyber security in aviation, identify specific security concerns and highlight initiatives the aviation industry has put in place. Respondents were mostly airline or air cargo operators, manufacturing organizations and MROs in the commercial, business and MRO sectors.
According to Aviation Week’s Fleet and MRO Forecast 2016, modifications and IFE component work are expected to generate more than $18 billion globally by 2025.