The in-flight entertainment (IFE) and communications systems manufactured by Panasonic Avionics are among the most common components in the aviation industry.
According to data provided by the company, it has delivered more than 8,000 in-flight entertainment and communications systems and 1,300 in-flight connectivity solutions to major airlines.
Older models of Panasonic IFE systems (e.g. 3000/3000i) rely on Linux, but the newer ones belonging to the X Series products run on Android OS.
The security of IFE systems is crucial, the Panasonic Avionics recently launched a private bug bounty program offering rewards ranging between $100 and $10,000 to the participants.
Main components of the IFE systems are:
Ruben Santamarta, a security researcher from IOActive decided to participate the bug bounty program. He analyzed the latest firmware updates for the IFE systems used by major airlines, including Emirates, Air France, United, American, KLM, Scandinavian, Aerolineas Argentinas, Virgin, Iberia, Singapore, FinnAir, Qatar, and Etihad.
Santamarta found several flaws in the firmware updates, including a SQL Injection flaw and a bug that allows bypassing credit card checks.
Below the video PoCs published by the researcher that demonstrate how to bypass credit card checks, to trigger arbitrary file access issues and a SQL injection flaw. In the video the hacker interacted with the IFE systems using the touchscreen and PCU.
According to Santamarta, the hack of the IFE system could allow the attacker to interfere with flight operations and to steal sensitive information. It is important to highlight that if the IFE system is physically separated from aircraft control system, such kind of attacks will have no impact on the flight safety.
“On the IT side, compromising the IFE means an attacker can control how passengers are informed aboard the plane. For example, an attacker might spoof flight information values such as altitude or speed, and show a bogus route on the interactive map. An attacker might compromise the CrewApp unit, controlling the PA, lighting, or actuators for upper classes. If all of these attacks are chained, a malicious actor may create a baffling and disconcerting situation for passengers.” reads the analysis published by IOActive.
“The capture of personal information, including credit card details, while not in scope of this research, would also be technically possible if backends that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data were not configured properly.”
Unfortunately, in some cases, the lack of a physical separation between IFE systems and control systems could allow an attacker to threaten the flight safety.
“In some scenarios such an attack would be physically impossible due to the isolation of these systems, while in other an attack remains theoretically feasible. The ability to cross the ‘red line’ between the passenger entertainment and owned devices domain and the aircraft control domain relies heavily on the specific devices, software and configuration deployed on the target aircraft,” Santamarta added.
IOActive reported these findings to Panasonic Avionics in March 2015, but there is no information about their fix.
(Security Affairs – Ukrenergo, hacking)